Identifying P2P

How does MT identify P2P? If I set a mangle rule and flag all P2P, what actual criteria are used to determine what should be flagged? Is it possible to be catching other stuff? I am asking because I think some other things are hitting that flag.

I’m going to post my mangle rules and queue rules so that anyone who has the time can check them out. You can cut and paste them into your test unit if you wish. That should work if you don’t already have rules.

It is a very simple setup. I just want to prioritize all traffic, and limit only P2P.

/ip firewall mangle
add action=mark-packet chain=prerouting comment=OSPF* disabled=no \
    new-packet-mark=ospf passthrough=no protocol=ospf
add action=mark-packet chain=prerouting comment=ICMP* disabled=no \
    new-packet-mark=icmp passthrough=no protocol=icmp
add action=mark-packet chain=prerouting comment=TCPACK* disabled=no \
    new-packet-mark=tcpack packet-size=0-40 passthrough=no protocol=tcp \
    tcp-flags=ack
add action=mark-packet chain=prerouting comment=SMALL-TCP* disabled=no \
    new-packet-mark=tcp-small packet-size=0-192 passthrough=no protocol=tcp
add action=mark-packet chain=prerouting comment=HTTP* disabled=no port=80 \
    new-packet-mark=http passthrough=no protocol=tcp
add action=mark-packet chain=prerouting comment=SMALL-UDP* disabled=no \
    new-packet-mark=udp-small packet-size=0-192 passthrough=no protocol=udp
add action=mark-packet chain=prerouting comment=IPSEC* disabled=no \
    new-packet-mark=ipsec-esp passthrough=no protocol=ipsec-esp
add action=mark-packet chain=prerouting comment=SSL* disabled=no port=443 \
    new-packet-mark=ssl passthrough=no protocol=tcp
add action=mark-packet chain=prerouting comment="WOW Gamerz" disabled=no \
    new-packet-mark=WOW passthrough=no port=3724 protocol=tcp
add action=mark-packet chain=prerouting comment="WOW Gamerz" disabled=no \
    new-packet-mark=WOW passthrough=no port=6112 protocol=tcp
add action=mark-packet chain=prerouting comment="WOW Gamerz" disabled=no \
    new-packet-mark=WOW passthrough=no port=6881-6999 protocol=tcp
add action=mark-packet chain=prerouting comment=MESSANGER* disabled=no \
    port=1863 new-packet-mark=msn-messenger passthrough=no protocol=tcp
add action=mark-packet chain=prerouting comment=POP-3* disabled=no port=\
    110 new-packet-mark=pop3 passthrough=no protocol=tcp
add action=mark-packet chain=prerouting comment=SMTP* disabled=no port=25 \
    new-packet-mark=smtp passthrough=no protocol=tcp
add action=mark-packet chain=prerouting comment=IMAP* disabled=no port=\
    143 new-packet-mark=imap passthrough=no protocol=tcp
add action=mark-packet chain=prerouting comment=GRE* disabled=no \
    new-packet-mark=gre passthrough=no protocol=gre
add action=mark-packet chain=prerouting comment=IPSEC* disabled=no \
    new-packet-mark=ipsec-ah passthrough=no protocol=ipsec-ah
add action=mark-packet chain=prerouting comment=IPENCAP* disabled=no \
    new-packet-mark=ipencap passthrough=no protocol=ipencap
add action=mark-packet chain=prerouting comment=IPIP* disabled=no \
    new-packet-mark=ipip passthrough=no protocol=ipip
add action=mark-packet chain=prerouting comment=WinBox disabled=no \
    new-packet-mark=tcp-other passthrough=no port=8291 protocol=tcp
add action=mark-packet chain=prerouting comment=MEDIUM-UDP* disabled=no \
    new-packet-mark=upd-medium packet-size=193-512 passthrough=no protocol=\
    udp
add action=mark-packet chain=prerouting comment=OTHER-UDP* disabled=no \
    new-packet-mark=upd-other packet-size=513-1500 passthrough=no protocol=\
    udp
add action=mark-packet chain=prerouting comment=MEDIUM-TCP* disabled=no \
    new-packet-mark=tcp-medium packet-size=193-512 passthrough=no protocol=\
    tcp
add action=mark-packet chain=prerouting comment=OTHER-TCP* disabled=no \
    new-packet-mark=tcp-other packet-mark=!p2p packet-size=513-1500 \
    passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting comment=YouTube* disabled=no \
    new-packet-mark=Youtube passthrough=no src-address-list=Youtube
add action=mark-packet chain=prerouting comment=P2P* disabled=no \
    new-packet-mark=p2p p2p=all-p2p passthrough=yes
/


/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name=GLOBAL packet-mark="" parent=global-total priority=8 \
    queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name=GRP-1 packet-mark="" parent=GLOBAL priority=1 queue=\
    default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name=GRP-2 packet-mark="" parent=GLOBAL priority=2 queue=\
    default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name=GRP-3 packet-mark="" parent=GLOBAL priority=3 queue=\
    default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name=GRP-4 packet-mark="" parent=GLOBAL priority=4 queue=\
    default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name=GRP-5 packet-mark="" parent=GLOBAL priority=5 queue=\
    default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name=GRP-6 packet-mark="" parent=GLOBAL priority=6 queue=\
    default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name=GRP-7 packet-mark="" parent=GLOBAL priority=7 queue=\
    default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name=GRP-8 packet-mark="" parent=GLOBAL priority=8 queue=\
    default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name=OSPF packet-mark=ospf parent=GRP-1 priority=1 queue=\
    default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name=ICMP packet-mark=icmp parent=GRP-1 priority=2 queue=\
    default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name=SSL packet-mark=ssl parent=GRP-2 priority=2 queue=\
    default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name=HTTP packet-mark=http parent=GRP-2 priority=3 queue=\
    default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name=TCPACK packet-mark=tcpack parent=GRP-1 priority=2 queue=\
    default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name=SMALL-UDP packet-mark=udp-small parent=GRP-1 priority=4 \
    queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name=POP-3 packet-mark=pop3 parent=GRP-3 priority=3 queue=\
    default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name=IMAP packet-mark=imap parent=GRP-3 priority=3 queue=\
    default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name=SMTP packet-mark=smtp parent=GRP-3 priority=3 queue=\
    default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=3072000 name=P2P packet-mark=p2p parent=GRP-8 priority=8 queue=\
    default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name=YOUTUBE packet-mark=Youtube parent=GRP-8 priority=7 \
    queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name=MED-UDP packet-mark=upd-medium parent=GRP-2 priority=1 \
    queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name=OTHER-UDP packet-mark=upd-other parent=GRP-6 priority=4 \
    queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name=MESSANGER packet-mark=msn-messenger parent=GRP-2 \
    priority=2 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name=GRE packet-mark=gre parent=GRP-2 priority=4 queue=\
    default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name=IPSEC-ESP packet-mark=ipsec-esp parent=GRP-2 priority=4 \
    queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name=IPSEC-AH packet-mark="" parent=GRP-2 priority=4 queue=\
    default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name=IPENCAP packet-mark=ipencap parent=GRP-2 priority=8 \
    queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name=IPIP packet-mark=ipip parent=GRP-2 priority=8 queue=\
    default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name=SMALL-TCP packet-mark=tcp-small parent=GRP-1 priority=3 \
    queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name=MED-TCP packet-mark=tcp-medium parent=GRP-2 priority=1 \
    queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name=OTHER-TCP packet-mark=tcp-other parent=GRP-6 priority=4 \
    queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name=WOW packet-mark=WOW parent=GRP-2 priority=6 queue=\
    default
/

Thanks in advance;

-m-

It’s being identified by looking for certain patterns in packets. You can do the same, but with more control, by using the layer 7 filters:

http://wiki.mikrotik.com/wiki/L7

Hi normis

I am a newbie in MikroTik here. I just want to ask something: is it possible to schedule the P2P rules? Let's say I set the P2P to enable at 12 midnight and disable at 5 am. What I mean is an auto schedule, without clicking to enable or disable.

Thanks

iwantlemonjuice

Yes, use the “/System scheduler” to enable and disable rules at certain times.

http://wiki.mikrotik.com/wiki/System_scheduler
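
A scheduler pair for the request above, as an added example that is not part of the original posts. It assumes the rule to toggle is the mangle rule with comment `P2P*` from the first post, and that "enable at midnight, disable at 5 am" refers to that rule; the scheduler names `p2p-rule-on` and `p2p-rule-off` are made up for illustration.

```routeros
# Added example (not from the thread). Assumes the target is the mangle rule
# whose comment is exactly "P2P*", as in the configuration posted above.
# find comment="..." is an exact string match, so the * is taken literally.
/system scheduler
add name=p2p-rule-on start-time=00:00:00 interval=1d \
    on-event="/ip firewall mangle enable [find comment=\"P2P*\"]"
add name=p2p-rule-off start-time=05:00:00 interval=1d \
    on-event="/ip firewall mangle disable [find comment=\"P2P*\"]"
# The scheduler fires on the router's own clock, so the system time
# (for example via NTP) has to be correct for the window to line up.
```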

Hi normis

:smiley: Can you give me a simple script regarding this setup? My P2P is now disabled.

Thanks, much appreciated

iwantlemonjuice

How well does the L7 find encrypted P2P packets? Has anyone had any experience with this?

It doesn’t. You can only find some of the first packets, before it all gets encrypted, and then mark connection to drop it, but I don’t think it works all that well. That’s what encryption is for.
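
The approach described in the answers above (match a pattern in the first packets, then mark the connection), as an added example that is not part of the original posts. The names `bt-handshake` and `p2p-conn` and the single simplified signature (the plaintext BitTorrent handshake prefix) are assumptions for illustration; this is not the matcher behind `p2p=all-p2p`.

```routeros
# Added example (not from the thread). One simplified signature only:
# the plaintext BitTorrent handshake, byte 0x13 followed by the protocol name.
/ip firewall layer7-protocol
add name=bt-handshake regexp="^\\x13bittorrent protocol"

/ip firewall mangle
# Step 1: the L7 matcher only inspects the start of a connection (per
# MikroTik's documentation, the first 10 packets or 2KB), so the result is
# stored as a connection mark that stays with the connection afterwards.
add action=mark-connection chain=prerouting comment="P2P-L7 conn" \
    layer7-protocol=bt-handshake new-connection-mark=p2p-conn passthrough=yes
# Step 2: every packet of a marked connection gets the packet mark that the
# existing P2P queue (packet-mark=p2p) already limits.
add action=mark-packet chain=prerouting comment="P2P-L7 pkt" \
    connection-mark=p2p-conn new-packet-mark=p2p passthrough=no
# Placement: rules are evaluated top-down and a packet marked by a rule with
# passthrough=no never reaches later rules, so these two must sit above any
# such rule that would otherwise claim the same packets.
# Limitation: a connection that is encrypted from its first byte never shows
# the plaintext handshake, so it is never marked by this pattern.
```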

Figured as much. Just wishful thinking of being able to limit encrypted packets for P2P.