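options ls=132 nocenter;
libname mystuff base '.';
libname library base '.';

/*--------------------------------------------------------------------
   Classify flow records by application, then report on them.

   Reads  : MYSTUFF.ATLA -- one row per flow; uses PROT, SRCPORT,
            DSTPORT, SRCADDR, DSTADDR, SRC_AS, DST_AS, INPUT, DOCTETS.
            SRCADDR/DSTADDR are assumed to be dotted-quad character
            strings ("a.b.c.d") -- TODO confirm against the exporter.
   Writes : MYSTUFF.ATLA  -- rewritten in place with the backbone
            interface rows (INPUT 27/65/66) removed, as before; the
            step is idempotent so re-running the program is harmless.
            MYSTUFF.ATLA2 -- the filtered rows plus TYPE (application
            label), FIRSTOCTSRC and FIRSTOCTDST.
   Prints : two octet-weighted PROC FREQ reports from MYSTUFF.ATLA2.

   The labels are port-number heuristics: they say what a port is
   conventionally used for, not what the payload actually was.

   Corrections relative to the earlier version of this program:
     - TYPE was $16, which silently truncated many labels (e.g.
       'udp/dstport=10000', 'src_as=0/dst_as=0', both frag labels)
       and made some of them collide; it is now $32.
     - The interface filter ran AFTER ATLA2 was built, so the
       classified data still held those rows, and PROC FREQ without
       DATA= read the last data set created (the rewritten ATLA,
       which has no TYPE variable).  The filter now runs first and
       the reports name ATLA2 explicitly.
     - WHERE TYPE='other' never matched: the default label is
       'not classified'.
     - dstport 46011 was labelled 'udp/dstport=46001'.
     - First octets came from SUBSTR(addr,1,3), which breaks on one-
       or two-digit octets ("10.1.2.3" -> "10.", "1.2.3.4" -> "1.2");
       SCAN on '.' is used instead.
--------------------------------------------------------------------*/

/* true when either end of the flow uses port P */
%macro port(p);
  ((srcport = &p) or (dstport = &p))
%mend port;

/* true when either end of the flow uses a port in LO..HI inclusive */
%macro prange(lo, hi);
  ((&lo <= srcport <= &hi) or (&lo <= dstport <= &hi))
%mend prange;

/* drop backbone interface traffic to avoid double counting.
   NOTE: this rewrites the raw data set in place (kept so the on-disk
   result matches the earlier version); it must run before classifying
   or ATLA2 would still contain the double-counted rows. */
data mystuff.atla;
  set mystuff.atla;
  if input in (27, 65, 66) then delete;
run;

data mystuff.atla2;
  length type $ 32;   /* longest label is 26 chars; $16 truncated them */
  set mystuff.atla;

  /* assume we don't know what each flow may be by default */
  type = 'not classified';

  /* first octet, used for spotting IP multicast (224-239) and SSM (232).
     '??' suppresses the log note when the token is not numeric; the
     variable is then missing and matches no range. */
  firstoctsrc = input(scan(srcaddr, 1, '.'), ?? 3.);
  firstoctdst = input(scan(dstaddr, 1, '.'), ?? 3.);

  /* ---- protocols other than TCP/UDP ---- */
  if prot = 1 then type = 'icmp (prot=1)';
  else if prot = 4 then type = 'ip-encap (prot=4)';
  else if prot = 41 then type = 'IPv6 (prot=41)';
  else if prot = 46 then type = 'RSVP (prot=46)';
  else if prot = 47 then type = 'gre tunnel (prot=47)';
  else if prot = 112 then type = 'VRRP (prot=112)';

  /* ---- UDP ---- order matters: the first matching rule wins */
  else if prot = 17 then do;
    if dstport = 123 then type = 'ntp';
    else if dstport = 53 then type = 'dns(udp)';
    else if firstoctdst = 232 then type = 'ssm';
    else if 224 <= firstoctdst <= 239 then type = 'mcast';
    else if dstport = 388 then type = 'unidata-ldm(udp)';
    else if dstport = 1863 then type = 'msn messenger(udp)';
    else if dstport = 4444 then type = 'torrent tracker (udp)';
    else if 4661 <= dstport <= 4665 then type = 'edonkey(udp)';
    else if dstport = 4900 then type = 'talkshoe/mute';
    else if dstport = 500 then type = 'ipsec-ike';
    else if dstport = 0 and srcport = 0 then type = 'udp frag (src/dstprt=0)';
    else if %port(135) or %prange(137,139) or %port(445) or %prange(568,569) or %port(1512)
      then type = 'ms-windows-app(udp)';
    else if %prange(6970,6973) or %prange(7070,7071) or %port(554)
      then type = 'realplayer(udp)';
    else if %prange(7000,7006) then type = 'afs(udp)';
    /* port 135 was listed here too, but ms-windows-app above already takes it */
    else if %port(1755) or %port(7007) then type = 'winmedia(udp)';
    else if %port(1558) then type = 'streamworks(udp)';
    else if %port(41170) then type = 'blubster';
    else if %port(6699) or %port(6257) then type = 'winmx(udp)';
    else if %prange(8000,8005) then type = 'shoutcast(udp)';
    else if %prange(5500,5503) then type = 'hotline(udp)';
    else if %port(161) then type = 'snmp(udp)';
    else if %port(3128) then type = 'squid(udp)';
    else if %port(4000) or %prange(6112,6119) then type = 'battlenet(udp)';
    else if %port(26000) or %prange(27910,27961) then type = 'quake(udp)';
    else if %prange(28000,28008) then type = 'starsiege(udp)';
    else if %prange(6700,6702) then type = 'carracho(udp)';
    else if %port(27005) or %port(27015) then type = 'halflife(udp)';
    else if %port(5190) then type = 'aim(udp)';
    else if %prange(412,413) then type = 'neomodus(udp)';
    else if %port(2050) then type = 'backbone-radio(udp)';
    else if %prange(2047,2048) or %port(1972) then type = 'camarades';
    else if %port(27900) or %port(28900) or %prange(29900,29901) or %port(13193) or %port(6515)
      then type = 'gamespyarcade';
    else if %port(771) then type = 'rtip(udp)';
    else if %port(111) then type = 'portmapper(udp)';
    else if %prange(49606,49609) then type = 'voip';
    else if %port(112) then type = 'mcidas(udp)';
    else if %port(9000) then type = 'asheron';
    else if %port(6073) or %prange(2300,2400) then type = 'directx(udp)';
    else if dst_as = 0 then type = 'non-multicast udp/dst_as=0';
    /* individual destination ports tracked under their own label */
    else if dstport = 2000 then type = 'udp/dstport=2000';
    else if dstport = 2002 then type = 'udp/dstport=2002';
    else if dstport = 4443 then type = 'udp/dstport=4443';
    else if dstport = 4500 then type = 'udp/dstport=4500';
    else if dstport = 10000 then type = 'udp/dstport=10000';
    else if dstport = 12557 then type = 'udp/dstport=12557';
    else if dstport = 16384 then type = 'udp/dstport=16384';
    else if dstport = 46011 then type = 'udp/dstport=46011';  /* label previously read 46001 */
    else if dstport = 46014 then type = 'udp/dstport=46014';
  end;

  /* ---- TCP ---- order matters: the first matching rule wins */
  else if prot = 6 then do;
    if %port(5500) then type = 'VNC or hotline 5500/tcp';
    else if %prange(5500,5503) then type = 'hotline(tcp)';
    else if %port(1214) then type = 'fasttrack';
    else if %prange(6881,6889) then type = 'bittorrent';
    else if %prange(6346,6350) then type = 'gnutella';
    else if %port(20) or %port(21) then type = 'ftp';
    else if %port(80) or %port(81) or %port(8080) then type = 'http';
    else if %port(119) or %port(563) then type = 'nntp';
    else if %port(443) then type = 'https';
    else if %port(2049) or %port(1110) then type = 'nfs';
    else if %port(25) or %prange(109,110) or %port(143) or %port(220) or %port(465)
         or %port(585) or %port(587) or %port(993)
      then type = 'mail';
    else if %port(22) then type = 'ssh';
    else if %port(23) then type = 'telnet';
    else if %port(53) then type = 'dns(tcp)';
    else if %prange(4661,4665) then type = 'edonkey(tcp)';
    else if %port(6690) or %port(19114) then type = 'freenet';
    else if %port(2811) then type = 'gsiftp';
    else if %prange(5020,5022) then type = 'bbftp';
    else if %prange(5031,5033) then type = 'bbcp';
    else if %prange(5001,5009) then type = 'iperf';
    else if %prange(6666,6670) then type = 'irc';
    else if %port(135) or %prange(137,139) or %port(445) or %prange(568,569) or %port(1512)
      then type = 'ms-windows-app(tcp)';
    else if %prange(6970,6973) or %prange(7070,7071) or %port(554)
      then type = 'realplayer(tcp)';
    else if %prange(7000,7006) then type = 'afs(tcp)';
    /* note: I2 throws port 1024 in here, but I'm omitting it */
    else if %prange(6000,6005) or %port(7100) or %port(6016) then type = 'x11';
    /* port 135 was listed here too, but ms-windows-app above already takes it */
    else if %port(1755) or %port(7007) then type = 'winmedia(tcp)';
    else if %port(161) then type = 'snmp(tcp)';
    else if %port(113) then type = 'ident';
    else if %port(1080) then type = 'socks';
    else if %port(4000) or %prange(6112,6119) then type = 'battlenet(tcp)';
    else if %port(26000) or %prange(27910,27961) then type = 'quake(tcp)';
    else if %prange(28000,28008) then type = 'starsiege(tcp)';
    else if %prange(6700,6702) then type = 'carracho(tcp)';
    else if %port(27005) or %port(27015) then type = 'halflife(tcp)';
    else if %port(5190) then type = 'aim(tcp)';
    else if %prange(412,413) then type = 'neomodus(tcp)';
    else if %port(2048) then type = 'backbone-radio(tcp)';
    else if %port(771) then type = 'rtip(tcp)';
    else if %port(111) then type = 'portmapper(tcp)';
    else if %port(6714) then type = 'ibp';
    else if %port(112) then type = 'mcidas(tcp)';
    else if %port(47624) or %prange(2300,2400) then type = 'directx(tcp)';
    else if %port(1720) or %port(1503) then type = 'h323';
    else if %port(1558) then type = 'streamworks(tcp)';
    else if %port(388) then type = 'unidata-ldm(tcp)';
    /* 'nntps' (563) and 'pop/imap' (110, 143) used to be listed here but
       could never fire: those ports are already taken by 'nntp' and 'mail'
       above.  Move them ahead of those rules if they should win instead. */
    else if %port(873) then type = 'rsync';
    else if %prange(41000,42000) then type = 'audiogalaxy';
    else if %port(6699) or %port(6257) then type = 'winmx(tcp)';
    else if %prange(8000,8005) then type = 'shoutcast(tcp)';
    else if %port(1863) then type = 'msn messenger(tcp)';
    else if %port(3128) then type = 'squid(tcp)';
    else if dstport = 0 and srcport = 0 then type = 'tcp frag (src/dstprt=0)';
  end;

  /* ---- everything else ---- */
  else if src_as = 0 and dst_as = 0 then type = 'src_as=0/dst_as=0';
  else if prot = 50 then type = 'ipsec_esp_app (prot 50)';
  else if prot = 51 then type = 'ipsec_ah_app (prot 51)';
run;

/* sample analyses -- DATA= is given explicitly; without it PROC FREQ
   would read the most recently created data set, not ATLA2 */
title 'traffic by type (octet weighted)';
proc freq data=mystuff.atla2 order=freq;
  table type;
  weight doctets;
run;

/* flows that fell through every rule above: the default label is
   'not classified' (there is no 'other' label in this program) */
title 'uncategorized dstport (octet weighted)';
proc freq data=mystuff.atla2 order=freq;
  table dstport;
  weight doctets;
  where type = 'not classified';
run;
title;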