Catch Skype with Flexible Packet Matching

Joe Harris published an excellent post detailing how you can use Flexible Packet Matching to recognize (and potentially block) Skype traffic. The solution depends on recognizing the first four bytes sent by the Skype application in a TCP session. While this is a great idea, you have to be aware that there's always a non-zero chance of false positives, more so as the described filter is testing the beginning of the payload in every TCP packet (not just the first data packet in the session).
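To make the false-positive caveat concrete, here is an added Python illustration (not code from Ivan's post or from Joe's FPM configuration): it compares a stateless check of the first payload bytes of every TCP segment against a check restricted to the first payload-bearing segment of each flow. The 4-byte signature and the sample packets are constructed placeholders, not the real Skype pattern.

```python
from dataclasses import dataclass

# Constructed placeholder for the 4-byte signature; the real Skype bytes are not given here.
SIGNATURE = bytes.fromhex("deadbeef")


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def flow_key(p):
    return (p.src, p.sport, p.dst, p.dport)


def match_every_packet(packets, signature=SIGNATURE):
    """Stateless check, like the filter described: test the start of every segment's payload."""
    return [i for i, p in enumerate(packets) if p.payload[: len(signature)] == signature]


def match_first_data_packet(packets, signature=SIGNATURE):
    """Stateful check: test only the first payload-bearing segment of each flow."""
    seen = set()
    hits = []
    for i, p in enumerate(packets):
        if not p.payload:
            continue  # handshake/ACK-only segments carry nothing to match
        k = flow_key(p)
        if k in seen:
            continue  # later segments of a known flow are not inspected
        seen.add(k)
        if p.payload[: len(signature)] == signature:
            hits.append(i)
    return hits


# Constructed sample traffic (indexes are used in the comments below)
PACKETS = [
    Packet("10.0.0.5", 40000, "192.0.2.10", 443, b""),                          # 0: no payload
    Packet("10.0.0.5", 40000, "192.0.2.10", 443, b"GET / HTTP/1.1\r\n"),        # 1: benign first data segment
    Packet("10.0.0.5", 40000, "192.0.2.10", 443, b"\xde\xad\xbe\xef binary"),   # 2: benign mid-stream bytes that happen to match
    Packet("10.0.0.7", 50123, "198.51.100.4", 33033, SIGNATURE + b"\x00\x01"),  # 3: signature in the first data segment
    Packet("10.0.0.7", 50123, "198.51.100.4", 33033, b"\x02\x03"),              # 4: follow-up segment of that flow
]
```

Running both checks over `PACKETS` shows the per-packet filter flagging the benign HTTPS flow (index 2) alongside the real hit, while the first-data-segment check reports only index 3.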

3 comments:

  1. Maybe this will be implemented in NBAR:

    CSCsg19895
    Externally found enhancement (Sev6) bug: New (N)
    NBAR Skype PDLM support for Skype versions (2.x, 3.x, etc.)

  2. This bug is for the built-in IOS PDLM support of Skype...Please note in my config I don't reference the built-in PDLMs with the "match protocol skype" command. For instance you will run into this bug if you use a config such as:

    class-map match-any block-stuff
    match protocol gnutella
    match protocol skype
    match protocol edonkey
    !
    !
    policy-map drop-inbound-stuff
    class block-stuff
    drop
    !
    ...
    This is completely different technology from the configuration which I detail. Please note that I use Flexible Packet Matching which is a next-generation technology that is capable of filtering at a bit-level to catch later versions of Skype...You can also use the Skype.tcdf (XML scripting) file available on CCO @ http://www.cisco.com/cgi-bin/tablebuild.pl/fpm which will catch later versions of Skype as well...Please reference the following docs for additional details:

    http://www.cisco.com/en/US/products/ps6441/products_feature_guide09186a00805138d3.html

    http://www.cisco.com/en/US/products/ps6441/products_feature_guide09186a008061d643.html

    -Joe

  3. Hi - I used the FPM config and XML files and it still fails to block Skype (any version from 1.4 up to 3.6 actually).



Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.