Detection of the P2P traffic
Sunday, 16 October 2005
With the advent of Napster at the end of 1999, P2P applications rapidly gained popularity among Internet users. At the same time the traffic consumed by such applications grew, and with it the need to detect P2P users within a company's network traffic.

In this article the author proposes a new method of detecting P2P users, based on analysis of traffic behaviour, which makes it possible to determine even the type of P2P application in use.

Standard methods
At present there are two basic methods of identifying P2P users: checking for open ports and traffic analysis. A brief survey of each follows.

Analysis of the open ports
Checking for open ports is the simplest and most widespread method of detecting the use of P2P applications. It relies on the fact that most P2P applications work on their default ports. For example:

Limewire    6346/6347 tcp/udp
Morpheus    6346/6347 tcp/udp
BearShare   6346 tcp/udp (default)
Edonkey     4662/tcp
EMule       4662/tcp, 4672/udp
Bittorrent  6881-6889 tcp/udp
WinMx       6699/tcp, 6257/udp

To detect P2P users with this method, network traffic is analysed for connections that use these ports. If a match is found, it may be an indicator of P2P activity. Port analysis is practically the only method available to network administrators who have no special software or hardware (such as intrusion detection systems) for traffic monitoring.

The described method is very simple to implement, but its deficiencies are obvious. Most P2P applications allow the default port numbers to be changed to any others. In addition, many contemporary applications prefer to use random port numbers. There is also a tendency to use the port numbers of well-known applications, such as port 80. All these facts reduce the effectiveness of this method.

Analysis of the traffic
Besides checking for open ports, administrators have one more method of detecting the use of P2P applications: analysis of application-layer protocol traffic.

The essence of this method is to monitor the traffic passing through the network for signatures characteristic of P2P applications in the packet payload. Many contemporary commercial and freely distributed solutions for detecting P2P traffic are based on this method, among them L7-filter, Cisco's PDML, Juniper's netscreen-IDP, Alteon Application Switches, Microsoft's base application signatures, and NetScout. Each of these products uses regular expressions to analyse the data passing at the application layer, attempting to determine whether a P2P application is in use.

Since this method analyses the packet payload, tricks such as the use of random ports make no difference. This method is usually more accurate and reliable; however, it has its own deficiencies. Here is what must be remembered when using traffic analysis:

P2P applications are constantly being developed and their signatures change accordingly. For traffic analysis to remain effective, the signature base must be updated constantly.

With the advent of programs for detecting P2P traffic, P2P developers increasingly encrypt their traffic, for example using SSL, which greatly hampers protocol analysis.

Signature search requires analysis of the entire network traffic, which can create problems in large networks. Such software can place too large a load on network equipment or even cause faults in the network.

Furthermore, signature search at the application layer is very resource-intensive. The greater the network capacity, the higher the price that must be paid for checking the traffic.
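The two standard methods side by side, as an added example that is not part of the original article: a small classifier over constructed flow records that first looks up the default ports from the table above and then falls back to a payload signature (the BitTorrent peer handshake and the Gnutella 0.6 connect string, in the spirit of L7-filter). The record format, host addresses and payloads are all constructed for the demonstration; the third sample flow shows a BitTorrent client moved to port 80 that the port check misses but the signature check catches.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Default ports quoted in the article. BitTorrent uses the 6881-6889 range.
DEFAULT_PORTS = {
    ("tcp", 6346): "Gnutella client (Limewire/Morpheus/BearShare)",
    ("udp", 6346): "Gnutella client (Limewire/Morpheus/BearShare)",
    ("tcp", 6347): "Gnutella client (Limewire/Morpheus)",
    ("udp", 6347): "Gnutella client (Limewire/Morpheus)",
    ("tcp", 4662): "eDonkey/eMule", ("udp", 4672): "eMule",
    ("tcp", 6699): "WinMX", ("udp", 6257): "WinMX",
}
for _port in range(6881, 6890):
    DEFAULT_PORTS[("tcp", _port)] = DEFAULT_PORTS[("udp", _port)] = "BitTorrent"

# Payload signatures: the BitTorrent handshake is the byte 0x13 followed by
# "BitTorrent protocol"; a Gnutella 0.6 session opens with "GNUTELLA CONNECT/".
SIGNATURES = [
    ("BitTorrent", re.compile(rb"^\x13BitTorrent protocol")),
    ("Gnutella", re.compile(rb"^GNUTELLA CONNECT/")),
]

@dataclass
class Flow:
    proto: str; src: str; sport: int; dst: str; dport: int; payload: bytes

def parse_flow(line: str) -> Flow:
    """Constructed record format: 'proto src:sport dst:dport [payload_hex]'."""
    parts = line.split()
    src, sport = parts[1].rsplit(":", 1)
    dst, dport = parts[2].rsplit(":", 1)
    payload = bytes.fromhex(parts[3]) if len(parts) > 3 else b""
    return Flow(parts[0], src, int(sport), dst, int(dport), payload)

def classify(flow: Flow) -> Optional[Tuple[str, str]]:
    """Return (application, method) or None. The cheap port lookup runs first;
    the payload signature catches clients moved off their default port."""
    for port in (flow.sport, flow.dport):
        app = DEFAULT_PORTS.get((flow.proto, port))
        if app:
            return app, "port"
    for app, pattern in SIGNATURES:
        if pattern.search(flow.payload):
            return app, "signature"
    return None

SAMPLE_FLOWS = [  # constructed, not captured traffic
    "tcp 10.0.0.5:51234 198.51.100.7:6881 13426974546f7272656e742070726f746f636f6c",
    "tcp 10.0.0.3:6346 192.0.2.4:41000",
    "tcp 10.0.0.8:51555 203.0.113.9:80 13426974546f7272656e742070726f746f636f6c",
    "tcp 10.0.0.9:40001 203.0.113.10:80 474554202f20485454502f312e310d0a",
]

def detect_all(lines):
    """Map source host -> (application, method) for every flagged flow."""
    hits = {}
    for line in lines:
        flow = parse_flow(line)
        result = classify(flow)
        if result:
            hits[flow.src] = result
    return hits
```

Run `detect_all(SAMPLE_FLOWS)` to see which hosts are flagged by which method; the plain HTTP request on port 80 is left alone.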
If your organization cannot afford special equipment or software for traffic analysis, is checking open ports the only alternative? Fortunately, the answer is no. A method based on traffic behaviour patterns is both functional and cost-effective.

Behavior of the traffic
Information about network traffic can be easily obtained from various network devices without seriously affecting performance or availability. In small and medium networks administrators can use the logs of their network equipment. In large networks the Netflow function on routers can be used to keep records of network traffic.

Although the data obtained is somewhat raw, it nevertheless contains useful information that can be checked for matches against specific patterns. Analysis of UDP sessions can bring good results.

© 2004-2007 Daita.org