6 points
Can you maybe link some resources on how the protocol used can be detected? I did not know about this and would like to read into it some more :)
2 points
Look up NBAR for the basic idea. Each vendor has their own ‘secret sauce’ implementation, Palo Alto only needs 9 bytes of payload for disambiguation, iirc.
1 point
Thank you! So it is basically looking at identifiable patterns in the packet flow and matching them to protocols. I also found this paper about traffic identification interesting.
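To make the "identifiable patterns in the first few payload bytes" idea concrete, here is a toy payload-signature identifier in Python. It is an added example, not code from any commenter and not how NBAR or Palo Alto's engine actually works; the signature table, the port-hint table and the sample first-packet payloads are all constructed here. It shows why a handful of payload bytes is often enough to name the application, that the needed count differs per protocol, and how a signature verdict can be compared against the port-based expectation to surface flows running on unexpected ports.

```python
import re
from typing import Optional

# Constructed signature table: (protocol, pattern anchored at the start of the
# first payload in the flow). Hand-written and simplified for illustration;
# a vendor engine uses far richer state machines and flow heuristics.
SIGNATURES = [
    ("ssh", re.compile(rb"^SSH-\d\.\d-", re.DOTALL)),          # SSH version banner
    ("http", re.compile(rb"^(?:GET|POST|HEAD|PUT|DELETE|OPTIONS) ", re.DOTALL)),
    # TLS record: type 0x16 (handshake), version 0x03 0x0x, 2-byte length,
    # then handshake type 0x01 (ClientHello).
    ("tls", re.compile(rb"^\x16\x03[\x00-\x03]..\x01", re.DOTALL)),
    ("smtp", re.compile(rb"^220 ", re.DOTALL)),                 # server greeting
]

# Constructed port expectations, used only to spot flows whose payload does
# not match what the destination port suggests.
PORT_HINTS = {22: "ssh", 25: "smtp", 80: "http", 443: "tls"}


def identify(payload: bytes, max_bytes: int = 9) -> Optional[str]:
    """Return the protocol whose signature matches the first max_bytes of
    payload, or None when no signature matches within that window."""
    prefix = payload[:max_bytes]
    for name, pattern in SIGNATURES:
        if pattern.search(prefix):
            return name
    return None


def bytes_needed(payload: bytes, limit: int = 32) -> Optional[int]:
    """Smallest prefix length at which identify() first names a protocol."""
    for n in range(1, min(limit, len(payload)) + 1):
        if identify(payload, max_bytes=n) is not None:
            return n
    return None


def classify_flows(flows):
    """flows: list of (dst_port, first_payload). Returns one dict per flow with
    the signature verdict, the port hint and whether the two disagree."""
    results = []
    for port, payload in flows:
        app = identify(payload)
        hint = PORT_HINTS.get(port)
        results.append({
            "port": port,
            "app": app,
            "hint": hint,
            "mismatch": app is not None and hint is not None and app != hint,
        })
    return results


# Constructed sample first packets (a plausible TLS ClientHello record header,
# an SSH banner, an SMTP greeting and some bytes that match nothing).
TLS_HELLO = b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03" + b"\x00" * 8
SAMPLE_FLOWS = [
    (22, b"SSH-2.0-OpenSSH_9.6\r\n"),
    (443, TLS_HELLO),
    (8443, TLS_HELLO),                           # TLS on a non-standard port: still identified
    (80, TLS_HELLO),                             # TLS where HTTP was expected: port hint mismatch
    (25, b"220 mail.example.test ESMTP\r\n"),
    (4444, bytes(range(10))),                    # no signature matches
]

if __name__ == "__main__":
    for row in classify_flows(SAMPLE_FLOWS):
        print(row)
    for _, payload in SAMPLE_FLOWS:
        print(identify(payload), "identified after", bytes_needed(payload), "bytes")
```

The `bytes_needed` helper makes the "how many bytes" question visible: with these toy rules the SMTP greeting and an HTTP `GET` are named after 4 bytes, the TLS record after 6 and the SSH banner after 8, while cutting the window to 4 bytes leaves the TLS flow unidentified. Real engines also consume later packets, track both directions and fall back to heuristics, so treat this as the shape of the idea rather than a measurement of any product.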
2 points