本文通过对OmniPeek配置文件pspecs.xml的修改，实现非常用协议在OmniPeek中的自动识别，包括对基于TCP/UDP端口号网络协议的识别，以及对P2P协议的识别。
    抛砖引玉，不足之处敬请指正。

OmniPeek 真不错，去下载一个玩玩

哈哈,正需要这个东东,先谢了!!

哈哈,俺也学会了

不错 写的很好
vader手快 早加精了!

以下摘自网站上的解决方法.  

How do I add a custom protocol to OmniPeek?
  1.Exit OmniPeek.
  2.First, make a backup copy of the pspecs.xml file. OmniPeek will not load if the pspecs.xml file is missing or corrupted.
Note: By default the pspecs.xml file is located in "C:\Program Files\WildPackets\OmniPeek\1033" for the English-localized version. For other languages, the final subdirectory ("1033" will be equal to the language code for the OmniPeek's localized language.
  3.Open the pspecs.xml file in your favorite text or XML editor.
Note: Please make sure you add the protocols in the right section (TCP/UDP) and that the higher port numbers go further down in the file.
  4.Create a new entry (see example below).

<PSpec Name="MyProtocol">
<PSpecID>1483</PSpecID>
<LName>MyProtocol - Long Name</LName>
<SName>MyProtocol - Short Name</SName>
<Desc>This is my protocol.</Desc>
<Color>color_2</Color>
<CondSwitch>1234</CondSwitch>
</PSpec>

Quick Notes:

The PSpecID is a numerical identifier for the protocol. It must be unique-that is, no two protocols are allowed to have the same PSpecID. You must choose a PSpecID that is not used anywhere else in the file.

The <CondSwitch> tag will define a port number. The example is using port number 1234. You can add additional ports by adding additional <CondSwitch></CondSwitch> tags. See example below.

<CondSwitch>1234</CondSwitch>
<CondSwitch>1235</CondSwitch>
<CondSwitch>1236</CondSwitch>

The PSpec Name will be displayed in the Protocol column of the Packets tab.

The LName will be displayed in the Protocol Info dialog box (accessed by right-clicking the protocol and choosing Protocol Info).

The SName will be displayed in the Protocol statistics.

The Desc will be displayed in the Protocol Info box (Desc is optional. You can delete it if you don't want to write a description for your protocol).

Color will be the color used for the protocol. Colors are defined at the beginning of the document. Color is optional. You can delete it and OmniPeek will choose a color for the protocol.

CondSwitch tells OmniPeek how to recognize the protocol. For now, all you have to do is edit the "SrcPort ==" and "DestPort ==" entries to contain the port number that your protocol uses. These two entries should be the same.

For more information on ProtoSpecs, please visit our The WildPackets Developer's Network (WPDN) and under the documentation section take a look at the ProtoSpecs XML Writing Guidelines.

https://wpdn.wildpackets.com/

DDDDDDDDDDDDDd

俺用BT的应用签名做了一个~~

但是数据传输的特征找了一晚上,没找着,有没有哪们朋友有现成的?

[ 本帖最后由 jingshne 于 2006-11-2 10:41 编辑 ]

1.常用端口,（包括tcp和udp）有1881～1889；4661，4662，4665，4672，4711；6881～6999；77771～7999；8881～8999；16881～16999；18881～18999

2.利用“BitTorrent protocol”字符串

两者结合会更准确,国内很多产品号称能够识别bt
其实过滤不是十分严格!

引用:

原帖由 haiwanxue 于 2006-11-2 11:44 发表
1.常用端口,（包括tcp和udp）有1881～1889；4661，4662，4665，4672，4711；6881～6999；77771～7999；8881～8999；16881～16999；18881～18999

2.利用“BitTorrent protocol”字符串

两者结合会更准确,国 ...

感谢,俺用的就是你说的第二种方式,因为,默认情况下,3.1版本的omni就已经定义端口的识别了~~

但是俺感觉,如果用端口,肯定就不准确了,而如果用“BitTorrent protocol”字符串,则只能识别出会话,对整个数据流就没有办法识别了．

就俺测试过的产品来看，它们对ＢＴ等Ｐ２Ｐ的识别倒是非常精确，基本上限流在多少就很少有超过的，改天找开发问问看，就怕人家不肯说～～

[ 本帖最后由 jingshne 于 2006-11-2 20:25 编辑 ]

引用:

原帖由 jingshne 于 2006-11-2 20:23 发表



感谢,俺用的就是你说的第二种方式,因为,默认情况下,3.1版本的omni就已经定义端口的识别了~~

但是俺感觉,如果用端口,肯定就不准确了,而如果用“BitTorrent protocol”字符串,则只能识别出会话,对整个数 ...

bt的特征描述可以参考以下描述.
# Bittorrent - P2P filesharing / publishing tool - http://www.bittorrent.com
# Pattern attributes: good veryfast undermatch
# Protocol groups: p2p open_source
# This pattern has been tested and is believed to work well.
# It will, however, not work on bittorrent streams that are encrypted, since
# it's impossible to match encrypted data (unless the encryption is extremely
# weak, like rot13 or something...).

bittorrent

# Does not attempt to match the HTTP download of the tracker
# 0x13 is the length of "bittorrent protocol"
# Second two bits match UDP wierdness
# Next bit matches something Azureus does
# Ditto on the next bit.  Could also match on "user-agent: azureus", but that's in the next
# packet and perhaps this will match multiple clients.
\x13bittorrent protocol|d1:ad2:id20:|\x08'7P\)[RP]|^azver\x01$|^get /scrape?info_hash=

谢谢，我正在学习使用OmniPeek，刚好可以学习以下，深表感谢。。。

引用:

原帖由 1259 于 2006-11-4 13:25 发表



bt的特征描述可以参考以下描述.
# Bittorrent - P2P filesharing / publishing tool - http://www.bittorrent.com
# Pattern attributes: good veryfast undermatch
# Protocol groups: p2p ...

感谢1259兄~
不过部分内容好像对不上号啊?

最近1259兄是不是挺忙啊,很少见你了在论坛~

引用:

原帖由 jingshne 于 2006-11-6 11:17 发表



感谢1259兄~
不过部分内容好像对不上号啊?

最近1259兄是不是挺忙啊,很少见你了在论坛~

呵呵,一直都在关注咱们论坛,现在高手太多,不敢乱说话了.

谢谢楼主

感谢楼主！

学习ing。。。。，没接触过OmniPeek

用flash做教程有创意

俺也有自己的qq协议喽

引用:

原帖由 1259 于 2007-2-9 15:28 发表
俺也有自己的qq协议喽

小样，快告诉我们怎么做！是不是定义下UDP4000就可以了，不要行成技术壁垒！


[ 本帖最后由 xiaotian 于 2007-2-9 16:40 编辑 ]