Catch Skype with Flexible Packet Matching

Joe Harris published an excellent post detailing how you can use Flexible Packet Matching (FPM) to recognize (and potentially block) Skype traffic. The solution depends on recognizing the first four bytes sent by the Skype application in a TCP session. While this is a great idea, be aware that there is always a non-zero chance of false positives: FPM classifies each packet on its own, so the described filter tests the beginning of the payload in every TCP packet, not just the first data packet of the session, and any unrelated TCP stream that happens to carry those four bytes at the start of a segment will match (and be dropped, if the policy drops matching traffic).
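
The difference between a per-packet payload check and a check that only looks at the first data segment of each session, as an added example that is not part of the original post or of Joe's configuration. The four signature bytes are a placeholder assumption (the real Skype bytes are not given here), the traffic is constructed inline, and the segment model is deliberately minimal:

```python
from dataclasses import dataclass

# Placeholder 4-byte signature (an assumption for this example): the page does
# not list the real bytes Skype sends, so do not treat this as a Skype detector.
SIGNATURE = b"\x80\x46\x01\x03"


@dataclass(frozen=True)
class TcpSegment:
    """Minimal view of one TCP segment: enough to identify the flow and see the payload."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    payload: bytes = b""


def flow_key(seg: TcpSegment) -> tuple:
    """Unidirectional 4-tuple; an inbound/outbound policy sees one direction anyway."""
    return (seg.src, seg.sport, seg.dst, seg.dport)


def stateless_match(seg: TcpSegment) -> bool:
    """What a per-packet filter does: compare the first four payload bytes of
    *every* segment against the signature, with no notion of session state."""
    return seg.payload[:4] == SIGNATURE


class FirstDataMatcher:
    """Stateful variant: inspect only the first data-carrying segment of each flow.
    Later segments of a flow that was already inspected are never matched."""

    def __init__(self) -> None:
        self._inspected: set = set()

    def match(self, seg: TcpSegment) -> bool:
        if not seg.payload:          # SYN / pure ACK carry no data; nothing to inspect
            return False
        key = flow_key(seg)
        if key in self._inspected:   # already saw this flow's first data segment
            return False
        self._inspected.add(key)
        return seg.payload[:4] == SIGNATURE


def classify(segments):
    """Run both matchers over a segment list. Returns two sorted lists of the
    flow keys each matcher flagged, so the extra false positive is visible."""
    stateful = FirstDataMatcher()
    stateless_hits, first_data_hits = set(), set()
    for seg in segments:
        if stateless_match(seg):
            stateless_hits.add(flow_key(seg))
        if stateful.match(seg):
            first_data_hits.add(flow_key(seg))
    return sorted(stateless_hits), sorted(first_data_hits)


def sample_traffic():
    """Constructed traffic for the demonstration (not a capture).
    Flow A opens with the signature, which is what the filter intends to catch.
    Flow B is an ordinary HTTP upload whose later binary chunk happens to start
    with the same four bytes."""
    a = ("10.0.0.5", 40001, "203.0.113.9", 443)
    b = ("10.0.0.7", 40002, "198.51.100.2", 80)
    return [
        TcpSegment(*a, seq=1000),                                    # SYN, no data
        TcpSegment(*a, seq=1001, payload=SIGNATURE + b"\x00\x10"),   # first data: matches
        TcpSegment(*a, seq=1007, payload=b"\x11\x22\x33\x44\x55"),   # later data
        TcpSegment(*b, seq=5000),                                    # SYN, no data
        TcpSegment(*b, seq=5001, payload=b"PUT /upload HTTP/1.1\r\n"),
        TcpSegment(*b, seq=5023, payload=b"Host: example.test\r\n\r\n"),
        TcpSegment(*b, seq=5045, payload=SIGNATURE + b"\xde\xad"),   # unlucky body chunk
    ]


if __name__ == "__main__":
    per_packet, first_data = classify(sample_traffic())
    print("per-packet filter flagged:", per_packet)    # both flows, B is a false positive
    print("first-data filter flagged:", first_data)   # only flow A
```

The per-packet matcher flags both flows; the first-data matcher flags only flow A. The stateful version has its own blind spot, though: it must see a session from its first data segment, so sessions already established when the policy was applied, or routed asymmetrically past the device, are never inspected.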

3 comments:

  1. Maybe this will be implemented in NBAR:

    CSCsg19895
    Externally found enhancement (Sev6) bug: New (N)
    NBAR Skype PDLM support for Skype versions (2.x, 3.x, etc.)
  2. This bug is for the built-in IOS PDLM support of Skype. Please note that in my config I don't reference the built-in PDLMs with the "match protocol skype" command. For instance, you will run into this bug if you use a config such as:

    class-map match-any block-stuff
    match protocol gnutella
    match protocol skype
    match protocol edonkey
    !
    !
    policy-map drop-inbound-stuff
    class block-stuff
    drop
    !
    ...
    This is completely different technology from the configuration which I detail. Please note that I use Flexible Packet Matching, which is a next-generation technology that is capable of filtering at a bit level to catch later versions of Skype. You can also use the Skype.tcdf (XML scripting) file available on CCO @ http://www.cisco.com/cgi-bin/tablebuild.pl/fpm, which will catch later versions of Skype as well. Please reference the following docs for additional details:

    http://www.cisco.com/en/US/products/ps6441/products_feature_guide09186a00805138d3.html

    http://www.cisco.com/en/US/products/ps6441/products_feature_guide09186a008061d643.html

    -Joe
  3. Hi, I used the FPM config and XML files and it still fails to block Skype (any version from 1.4 up to 3.6, actually).