[netsa-tools-discuss] Layer 7 Application Identification
Mark Thomas
mthomas at cert.org
Wed Oct 14 09:44:47 EDT 2020
Shane-
Thank you for your interesting question.
If you only have NetFlow or IPFIX records, I am not familiar with a way to identify Layer 7 applications other than knowing the IP addresses associated with the service.
I would expect that some sites have distinctive flow timing and size patterns that could be used to identify that traffic, but I am not familiar with any work along those lines. The results of a web search for
identifying network flow via size and timing patterns
produce some links to research papers that look interesting, but nothing that is an exact recipe of how to do what you want.
Good luck.
-Mark
-----Original Message-----
From: SHANE ARENDSE <arendseshane5 at gmail.com>
Date: Wed, 7 Oct 2020 05:53:22 -0400
To: "netsa-tools-discuss at cert.org" <netsa-tools-discuss at cert.org>
Subject: [netsa-tools-discuss] Layer 7 Application Identification
Good Morning Team,
Hope all is well with you.
I just wanted to know if it is possible to get Layer 7 applications
identified (like Facebook, YouTube, Instagram) from NetFlow logs using
SiLK as a collector.
In this case, we do not have any ability to perform port mirroring to read directly as a PCAP.
Regards
Shane
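
The IP-address approach mentioned in the reply, as an added example that is not part of the original thread or of SiLK itself: flow records are labelled by longest-prefix match of the destination address against a per-service prefix list, and bytes are totalled per label. The service names are hypothetical, the prefixes are RFC 5737 documentation placeholders, and the flow text is a constructed sample in the pipe-delimited style of rwcut output.

```python
import ipaddress
from collections import Counter

# Hypothetical service-to-prefix map (assumption). The ranges are RFC 5737
# documentation placeholders; real prefixes must come from the operator's
# published ranges or routing data and be refreshed as they change.
SERVICE_PREFIXES = {
    "service-a": ["192.0.2.0/24"],
    "service-b": ["198.51.100.0/24", "203.0.113.0/24"],
    "service-b-video": ["198.51.100.128/25"],  # more specific, overlaps service-b
}

# Constructed sample, shaped like `rwcut --fields=sIP,dIP,dPort,protocol,bytes`.
SAMPLE_RWCUT = """\
       sIP|           dIP|dPort|protocol|   bytes|
  10.0.0.5|    192.0.2.10|  443|       6|   48211|
  10.0.0.5| 198.51.100.20|  443|       6|    1200|
  10.0.0.7|198.51.100.200|  443|      17|  950000|
  10.0.0.7|   203.0.113.9|  443|       6|     300|
  10.0.0.9|      10.0.0.1|   53|      17|     120|
"""

def build_index(service_prefixes):
    """Return (network, label) pairs, most specific prefix first."""
    index = [(ipaddress.ip_network(prefix), label)
             for label, prefixes in service_prefixes.items()
             for prefix in prefixes]
    return sorted(index, key=lambda entry: entry[0].prefixlen, reverse=True)

def label_ip(index, ip_text):
    """Longest-prefix match; addresses outside every prefix are 'unknown'."""
    ip = ipaddress.ip_address(ip_text)
    for network, label in index:
        if network.version == ip.version and ip in network:
            return label
    return "unknown"

def bytes_per_service(rwcut_text, service_prefixes):
    """Total the bytes column per service label, keyed on the dIP column."""
    index = build_index(service_prefixes)
    lines = [line for line in rwcut_text.splitlines() if line.strip()]
    header = [field.strip() for field in lines[0].split("|")]
    totals = Counter()
    for line in lines[1:]:
        row = dict(zip(header, (field.strip() for field in line.split("|"))))
        totals[label_ip(index, row["dIP"])] += int(row["bytes"])
    return dict(totals)

if __name__ == "__main__":
    for label, total in sorted(bytes_per_service(SAMPLE_RWCUT, SERVICE_PREFIXES).items()):
        print(f"{label:16} {total}")
```

Labels produced this way are only as accurate as the prefix list: addresses on shared CDN or cloud ranges can serve several applications, so a match indicates the address owner rather than proving the application.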