Software Engineering Institute

One major new and often not welcome source of Internet traffic is P2P file sharing traffic. Banning P2P usage is not always possible or enforceable, especially in a university environment. A more restrained approach allows P2P usage but limits the available bandwidth. This approach fails when users start to use non-default ports for the client software. The PeerTracker algorithm, presented in this paper, allows detection of running P2P clients from NetFlow data in near real-time. The algorithm is especially suitable to identify clients that generate large amounts of traffic. A prototype system based on the PeerTracker algorithm is currently used by the network operations staff at the Swiss Federal Institute of Technology Zurich. We present measurements done on a medium-sized Internet backbone and discuss accuracy issues, as well as possibilities and results from the validation of the detection algorithm by direct polling in real-time.