How to use the Skype and P2P traffic blocker?
We made precompiled binaries for Windows users. The Skype traffic identifier can be used directly.
How to download
Prerequisite
You need a Tap driver to capture the traffic quickly. For Windows, install WinPcap. For Linux, use libpcap. Both are lightweight open-source packages, and both are used in virtually every traffic analysis tool.
Windows users - Binaries
Linux users - Source and Binaries
However, to actually classify traffic, you'll have to feed the database with training data. We don't provide the database file on Linux, as most of the development is carried out on Windows boxes. You can get training data from the Windows package above, though.
How to use
Windows
The traffic identifier is made of two distinct processes.
First, "TrafficTapDemo.exe" is the actual "Tap" program. It records the network traffic in an in-memory database.
When you launch it, it will prompt you for a network device. Choose the device you intend to tap the traffic from. For example, it can be attached to the switch connecting your organization to the Internet to listen to all outgoing traffic.
TrafficTapDemo.exe
Then the program "interface.exe" does the actual traffic analysis and produces the protocol identification reports.
interface.exe
Close both processes whenever you're finished.
*Nux/nix
Same as above. You'll need the Python 2.5 runtime. Then launch:
# ./TrafficTapDemo
Now, open your Skype, eDonkey, LimeWire or SIP softphone and watch how the traffic is detected.
# python interface.py
How it works
Lynanda's asynchronous filter is based on supervised/unsupervised machine learning. The main idea behind the classification methodology is that while packet payload is not a reliable indicator of which application produced a flow, packet timestamps are. In fact, it is very difficult for an application to control its response times. Therefore, most applications leave specific correlations in the packet timestamp series of a given flow. These correlations are recorded into general Bayesian networks and compared with flows tapped on the wire. While the learning process is fairly slow, the actual identification is very fast, accurate and universal, in the sense that it is not application dependent.
At the time of writing, no application is known to hide its packet timestamp correlations. Careful analysis actually shows that it is pretty difficult, if possible at all, to hide these patterns on current processor architectures. This is expected to change, however, as CPU architectures move towards instruction parallelization.
Such a method can be used for any application flow. The accuracy of the filter can be improved with more learning, though depending on what you do with the flow after detection, a 99% detection rate is usually sufficient. The process can be iterated to reduce the probability of false positives.
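The passage above describes timing-based classification in general terms. The following is an added, self-contained example, not Lynanda's code, that demonstrates the idea end to end: each flow's packet timestamp series is reduced to a histogram of log inter-arrival times, a naive Bayes model (a deliberately simple stand-in for the "general Bayesian networks" the text mentions, and an assumption of this example) is trained per application class, and unseen flows are classified. The two synthetic traffic generators, the bin edges, and the class names "voip" and "bulk" are all constructed for illustration. The optional min_margin check shows one way to act on the "iterate to reduce false positives" point: a flow whose posterior margin is too small is reported as "unknown" instead of being blocked.

```python
"""Added example: classify flows by packet inter-arrival timing (naive Bayes)."""
import math
import random
from collections import defaultdict

# Bin edges over log10(inter-arrival time in seconds), from 0.1 ms to 10 s.
# Constructed for this example; a real deployment would learn its own bins.
BIN_EDGES = [-4.0, -3.0, -2.5, -2.0, -1.5, -1.0, 0.0, 1.0]
N_BINS = len(BIN_EDGES) + 1


def interarrival_bins(timestamps):
    """Histogram of log10 inter-arrival gaps for one flow's timestamp series."""
    counts = [0] * N_BINS
    for earlier, later in zip(timestamps, timestamps[1:]):
        gap = max(later - earlier, 1e-6)          # clamp to avoid log(0)
        x = math.log10(gap)
        idx = sum(1 for edge in BIN_EDGES if x >= edge)
        counts[idx] += 1
    return counts


class TimingNaiveBayes:
    """Multinomial naive Bayes over inter-arrival bins, one class per application."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha                        # Laplace smoothing
        self.class_flows = defaultdict(int)       # flows seen per class
        self.class_bins = defaultdict(lambda: [0] * N_BINS)

    def train(self, label, timestamps):
        hist = interarrival_bins(timestamps)
        self.class_flows[label] += 1
        for i, c in enumerate(hist):
            self.class_bins[label][i] += c

    def log_posterior(self, timestamps):
        hist = interarrival_bins(timestamps)
        total = sum(self.class_flows.values())
        scores = {}
        for label, n_flows in self.class_flows.items():
            bins = self.class_bins[label]
            denom = sum(bins) + self.alpha * N_BINS
            lp = math.log(n_flows / total)        # log prior
            for i, c in enumerate(hist):
                lp += c * math.log((bins[i] + self.alpha) / denom)
            scores[label] = lp
        return scores

    def classify(self, timestamps, min_margin=0.0):
        """Best class, or 'unknown' when the log-posterior margin is too small."""
        ranked = sorted(self.log_posterior(timestamps).items(),
                        key=lambda kv: kv[1], reverse=True)
        if len(ranked) > 1 and ranked[0][1] - ranked[1][1] < min_margin:
            return "unknown"
        return ranked[0][0]


# --- Constructed synthetic flows (not captured traffic) -----------------------
def synth_voip_flow(rng, n=200):
    """Periodic ~20 ms packets with small jitter, as a softphone codec would emit."""
    t, ts = 0.0, []
    for _ in range(n):
        ts.append(t)
        t += rng.gauss(0.020, 0.002)
    return ts


def synth_bulk_flow(rng, n=200):
    """Bursty sub-millisecond gaps with occasional long idle pauses."""
    t, ts = 0.0, []
    for _ in range(n):
        ts.append(t)
        t += rng.expovariate(1 / 0.0005)
        if rng.random() < 0.02:
            t += rng.uniform(0.2, 1.0)
    return ts


def build_model(seed=7, flows_per_class=20):
    rng = random.Random(seed)
    model = TimingNaiveBayes()
    for _ in range(flows_per_class):
        model.train("voip", synth_voip_flow(rng))
        model.train("bulk", synth_bulk_flow(rng))
    return model


def demo(seed=7):
    """Train, then classify held-out flows; returns the accuracy in [0, 1]."""
    model = build_model(seed)
    rng = random.Random(seed + 1)
    expected = ["voip"] * 10 + ["bulk"] * 10
    flows = [synth_voip_flow(rng) for _ in range(10)] + \
            [synth_bulk_flow(rng) for _ in range(10)]
    hits = sum(model.classify(f) == e for f, e in zip(flows, expected))
    return hits / len(expected)


if __name__ == "__main__":
    print("held-out accuracy:", demo())
```

The timestamp histogram is the only feature used, so payload encryption does not affect the result, which is the property the text relies on; the min_margin parameter is where an operator would tune how confident the filter must be before a flow is handed to a blocking action rather than merely logged.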
Technical limitations
This is a demonstration version. It is not intended to be scalable, nor is it intended to address failover issues. Users have reported having it working under full Gbit/s loads, or approximately 500 000 packets/s. As most backbones are made of 1 Gbit pipes, you may not need more than that. However, please note that the demo will not handle higher throughputs.
To address 10 Gbit/s throughputs, Lynanda relies on clustering for the in-memory database and on parallelization for the calculation side.
The Tap and Von Neumann bottlenecks are handled by dedicated hardware. Lynanda supports and encourages the use of Endace DAG network cards, which are the industry standard for traffic analysis at high throughputs.
If you want more information about the techniques involved in the Lynanda Asynchronous Filter, please leave a message.
TapAndAnalyzer