How to detect the IPs of users who are using IM and P2P programs
December 1, 2005
Dear All,
Is there any tool/method that allows me to detect the IPs of users who are using IM (Instant Messaging, i.e. MSN Messenger, Yahoo Messenger, ICQ, etc.) and P2P (Peer-2-Peer programs such as Kazaa) in our network?
Thanks
* Try any Forward Proxy (you can try squid!!!). With that you can put
access controls based on the user network, user, ports to block the users
or get logs.
* Hello Nabeel
You can always use QoS devices such as ALLOT to detect the traffic and analyze it in a way to show you P2P / Games / IM and more, but if you
wish to use a freeware and such you can use ethereal to sniff the data
and then to analyze it. To implement ethereal you will need a port monitor
on a switched network to see all traffic passing in the segment you wish to
monitor. If you wish a solution that's not freeware, try Sniffer Pro; there are many more tools but those are the ones I use.
Thanks
* Hi,
I find spanning/port monitoring the switch port to the internet router and having NTop http://www.ntop.org/ listening on this port works quite well.
* Or you could use an IDS (such as SNORT) with signatures for the
protocols in use, removing some of the manual work from the sniffing.
* For fully automated operation, try Snort. Be careful, though, it is not
without bugs.
* Snort has signatures for all of the above.
http://www.snort.org/
Regards,
Jim Halfpenny
* Since no one else has answered yet, I will give it a shot… If I am way off
base, someone correct me!
I think the answer depends on the level of information that you want. If
you want just a quick snapshot, you could put an ethereal box in line (using
a hub, not a switch) with your router interface (or uplink interface on a
larger network, where you just want to look at traffic on one switch or
group of switches) and capture all of the packets over a certain period of
time, and then sort them out. However, for a more long term approach, you
would have to use some kind of information gathering device. We use a
product (non-freeware) to capture, sort, and report on all of the traffic
that our Cisco routers are routing. Using a method like this will allow you
to create or determine a "baseline" of your normal traffic, so that you can
not only figure out who is using what kind of service, but also allow you to
notice drastic changes in the traffic patterns in your network, giving you a
warning that something (DDOS, virus, spam, etc) is going on… The software
that we use utilizes Cisco's netflow information.
Alex Moen
Operations Technology Specialist
NDTC
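A small illustration of the flow-based triage described in that reply, added here as an example and not code from any of the posters: it classifies constructed NetFlow-style records by the well-known default server ports of the IM/P2P clients named in the question and tallies the internal source IPs per application. The port numbers are an assumption (the classic client defaults); clients that fall back to port 80/443 will not be seen by this heuristic, which is why the replies recommend signature-based tools as well.

```python
from collections import defaultdict

# Assumed default server ports of the classic clients (MSNP, YMSG,
# OSCAR, FastTrack). Clients that tunnel over 80/443 are not matched.
APP_PORTS = {
    1863: "MSN Messenger",
    5050: "Yahoo Messenger",
    5190: "ICQ/AIM",
    1214: "Kazaa (FastTrack)",
}

# Constructed sample flows in a simplified NetFlow-style export:
# src_ip,dst_ip,proto,src_port,dst_port,packets (documentation IP ranges)
SAMPLE_FLOWS = """\
10.0.0.12,192.0.2.5,tcp,3401,1863,42
10.0.0.12,192.0.2.5,tcp,3402,1863,7
10.0.0.25,198.51.100.9,tcp,1025,5050,19
10.0.0.31,203.0.113.3,tcp,2231,5190,11
10.0.0.31,203.0.113.77,tcp,2240,1214,88
10.0.0.40,10.0.0.1,udp,53,53,3
10.0.0.44,198.51.100.7,tcp,1044,80,120
"""

def parse_flows(text):
    """Parse the simplified CSV export into a list of dicts (blank lines skipped)."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, sport, dport, pkts = line.split(",")
        flows.append({"src": src, "dst": dst, "proto": proto,
                      "sport": int(sport), "dport": int(dport),
                      "packets": int(pkts)})
    return flows

def classify_flows(flows):
    """Return {application: {source_ip: packet_count}} for flows whose
    destination port matches a known IM/P2P service; other flows are ignored."""
    report = defaultdict(lambda: defaultdict(int))
    for f in flows:
        app = APP_PORTS.get(f["dport"])
        if app:
            report[app][f["src"]] += f["packets"]
    return {app: dict(hosts) for app, hosts in report.items()}

if __name__ == "__main__":
    for app, hosts in sorted(classify_flows(parse_flows(SAMPLE_FLOWS)).items()):
        for ip, pkts in sorted(hosts.items()):
            print(f"{app:20s} {ip:15s} {pkts:5d} packets")
```

Fed with a real export (for example from a NetFlow collector), the same tally over a quiet week gives the per-host baseline the reply talks about, against which later changes stand out.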
* Analysis should not stop or even start with just a protocol analyzer
(say Ethereal). You can apply NSM (Network Security Monitoring)
principles using a reference implementation like SGUIL
(http://www.sguil.net) for a more robust architecture. To get an idea
/ example take a look at Structured Traffic Analysis available as a
PDF here:
http://www.insecuremagazine.com/INSECURE-Mag-4.pdf
and NSM
http://www.taosecurity.com/nsm_ws_aost.pdf
Cheers,
_Raju