Identify application based on its packets


Is it possible to identify a particular application by analysing its packets? If yes, which attributes of the packets may help identify an application uniquely? Any help would be appreciated.

Best answer

This question has a very broad range and if you come up with a solution you should apply for a patent. You can derive knowledge of applications depending on packets and protocols but rules don't work in 100% of cases. These are some considerations you need to know (not a complete list but they can give you an idea):

  • Based on the src or dst port you can have information about what application is running on one of the two nodes. For example, by default a web server uses ports 80 or 8080 (or 443 with HTTPS). By default ssh uses port 22. However, an application can be configured to listen on a different port. Also, many different applications use HTTP for communication through ports 80, 8080, 443. In the latter case, it is possible that the protocol is HTTP, but you cannot determine which application it is.
  • If communication is not encrypted you can obtain information by sniffing packet payloads. But if communication is through SSL, for example, there is no way to do it unless you implement a man-in-the-middle attack.
  • If you have access to a machine, using netstat or another tool you can identify an application based on the ports it is using.
  • Another way of guessing (it's more guessing than deterministic) the application is by analyzing the communication pattern.

In short, based on networking analysis you can make a guess of the application. However, there is no method that can tell you with 100% accuracy.
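The port and payload considerations from the answer above, as an added example that is not part of the original post: a small classifier that combines a port hint with the first payload bytes and reports when the two disagree. The port table, function names and sample payloads are constructed for illustration.

```python
# Added example: port hint + payload inspection, with the limits the answer describes.
PORT_HINTS = {22: "ssh", 80: "http", 8080: "http", 443: "https"}  # defaults only
HTTP_STARTS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"HTTP/")

def payload_hint(payload: bytes):
    """Guess the protocol from the first bytes of a payload, or return None."""
    if payload.startswith(b"SSH-"):          # SSH identification string
        return "ssh"
    if payload.startswith(HTTP_STARTS):      # HTTP request line or status line
        return "http"
    # TLS record header: content type 0x16 (handshake), major version 0x03
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"
    return None

def http_product(payload: bytes):
    """Return the User-Agent or Server header value, if present.
    These headers are self-reported, so this is a clue, not proof."""
    for line in payload.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() in (b"user-agent", b"server"):
            return value.strip().decode("latin-1")
    return None

def classify(dst_port: int, payload: bytes):
    """Combine both hints; 'evidence' says which one the guess rests on."""
    by_port = PORT_HINTS.get(dst_port)
    by_payload = payload_hint(payload)
    if by_payload == "tls":
        # Encrypted: the protocol is visible, the application inside is not.
        return {"protocol": "tls", "application": None,
                "evidence": "payload", "port_mismatch": False}
    if by_payload:
        app = http_product(payload) if by_payload == "http" else None
        mismatch = by_port is not None and by_port != by_payload
        return {"protocol": by_payload, "application": app,
                "evidence": "payload", "port_mismatch": mismatch}
    # Nothing recognisable in the payload: fall back to the port default.
    return {"protocol": by_port, "application": None,
            "evidence": "port" if by_port else "none", "port_mismatch": False}

if __name__ == "__main__":
    # Constructed sample flows: (destination port, first payload bytes)
    samples = [(80, b"GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: curl/8.0\r\n\r\n"),
               (8080, b"SSH-2.0-OpenSSH_9.0\r\n"),
               (443, b"\x16\x03\x01\x00\x05hello"),
               (5000, b"\x00\x01\x02")]
    for port, data in samples:
        print(port, classify(port, data))
```
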