Skip to Main Content
Communication networks, including the Internet, support a wide range of packet-based applications. It is often necessary to know what applications are in use. Traditionally, applications were readily identified by inspection of data held in the packet header such as the destination port number. However, newer and real-time applications cannot always be detected by such a simple investigation and hence other techniques such as packet classification or deep packet analysis have been developed. Deep packet analysis however has significant problems such as its inability to operate on encrypted data packets, and its need to capture specific packets from the traffic stream. The paper considers an alternative approach to the detection of real-time applications. A search was made for a statistical fingerprint derivable from the observable traffic streams generated by such applications. This has been found to be the packet size distribution of the application, and the paper considers this statistic for a range of such applications and network conditions. A detector, based on the described approach, is presented and evaluated using real network traffic.