Development of l7-filter has moved to the Clear Foundation. These pages are out of date, but will remain as a historical record.
Below is the list of supported protocols. Note that most of the protocols are listed as needing more testing. We need your help (yes, you!) to do this. Simply reporting on how patterns are working for you is helpful. The easiest way to do this is to follow the links next to the patterns you use. On the wiki, post your results in the l7-filter section of each page. You can also post to l7-filter-developers(@)lists(.)sf(.)net (you must subscribe first).
To help add support for more protocols, see the Pattern Writing HOWTO.
The "quality" gives a rough idea of how well the pattern works. This is a conglomerate measure of several things, including (1) how well the protocol is understood, (2) how much the pattern has been tested, (3) in what variety of situations the pattern has been tested, and (4) what fraction of identifiable traffic is identified correctly. For details, read the pattern file or the protocol's wiki entry.
The protocol package includes a tool for testing pattern performance. It tests them against 122 samples of actual network data (as of the 2009-05-19 release) 100,000 times each. The following times are for a 2 GHz Opteron.
The first speed shown for a pattern in the tables below is the speed when used in the kernel (with the old V8 regular expression library). The second is the speed when used in userspace (with the modern GNU library). Note that the userspace version has a smaller spread of speeds. That is, its slowest patterns are faster and its fastest patterns are slower than the kernel version.
Protocols are marked as being in one or more "groups". Some groups refer to what sort of purpose each protocol has. These allow front-ends to treat a set of protocols in the same way without requiring the user to select (or know about) each individual protocol. For instance, an application could have a checkbox for "VoIP" rather than one for Skype, one for H.323, etc.
Other groups indicate whether a protocol is documented in an IETF RFC, whether it is standardized by any official body, whether it is non-standard but used primarily by open source programs, or whether it is proprietary. Among other things, this is supposed to give some idea of how volatile these protocols are likely to be. IETF standards are highly unlikely to change behavior and break l7-filter's patterns suddenly. (Although if programs misimplement them, anything can happen.) Open source non-standardized protocols are somewhat more likely to change abruptly, but changes are likely to be publicly documented and, of course, the source code can be read to learn about them as a last resort. Proprietary protocols can change at any time without warning. The nature of the changes may be a closely kept secret.
Not all groups that exist in the pattern files have icons shown on this page. Also, just because a protocol is not listed as being in a group does not mean that it is specifically excluded from that group. For instance, not every protocol without "secure" is insecure. We invite you to make the groups more complete by sending corrections/additions to our mailing list.
The pattern name is what you must use when issuing l7-filter commands. The names below link to the pattern files.
| name | description |
|---|---|
| applejuice | Apple Juice - P2P filesharing - http://www.applejuicenet.de |
| dns | DNS - Domain Name System - RFC 1035 |
| ftp | FTP - File Transfer Protocol - RFC 959 |
| gkrellm | Gkrellm - a system monitor - http://gkrellm.net |
| hddtemp | hddtemp - Hard drive temperature reporting |
| http | HTTP - HyperText Transfer Protocol - RFC 2616 |
| imap | IMAP - Internet Message Access Protocol (A common e-mail protocol) |
| irc | IRC - Internet Relay Chat - RFC 1459 |
| pop3 | POP3 - Post Office Protocol version 3 (popular e-mail protocol) - RFC 1939 |
| smtp | SMTP - Simple Mail Transfer Protocol - RFC 2821 (See also RFC 1869) |
| ssh | SSH - Secure SHell |
| vnc | VNC - Virtual Network Computing. Also known as RFB - Remote Frame Buffer |
| aim | AIM - AOL instant messenger (OSCAR and TOC) |
| aimwebcontent | AIM web content - ads/news content downloaded by AOL Instant Messenger |
| ares | Ares - P2P filesharing - http://aresgalaxy.sf.net |
| armagetron | Armagetron Advanced - open source Tron/snake based multiplayer game |
| biff | Biff - new mail notification |
| bittorrent | Bittorrent - P2P filesharing / publishing tool - http://www.bittorrent.com |
| chikka | Chikka - SMS service which can be used without phones - http://chikka.com |
| cimd | Computer Interface to Message Distribution, an SMSC protocol by Nokia |
| counterstrike-source | Counterstrike (using the new "Source" engine) - network game |
| cvs | CVS - Concurrent Versions System |
| dayofdefeat-source | Day of Defeat: Source - game (Half-Life 2 mod) - http://www.valvesoftware.com |
| dhcp | DHCP - Dynamic Host Configuration Protocol - RFC 1541 |
| directconnect | Direct Connect - P2P filesharing - http://www.neo-modus.com |
| doom3 | Doom 3 - computer game |
| edonkey | eDonkey2000 - P2P filesharing - http://edonkey2000.com and others |
| fasttrack | FastTrack - P2P filesharing (Kazaa, Morpheus, iMesh, Grokster, etc) |
| finger | Finger - User information server - RFC 1288 |
| gnucleuslan | GnucleusLAN - LAN-only P2P filesharing |
| gnutella | Gnutella - P2P filesharing |
| gopher | Gopher - A precursor to HTTP - RFC 1436 |
| halflife2-deathmatch | Half-Life 2 Deathmatch - popular computer game |
| ident | Ident - Identification Protocol - RFC 1413 |
| ipp | IP printing - a new standard for UNIX printing - RFC 2911 |
| jabber | Jabber (XMPP) - open instant messenger protocol - RFC 3920 - http://jabber.org |
| mohaa | Medal of Honor Allied Assault - an Electronic Arts game |
| msn-filetransfer | MSN (Microsoft Network) Messenger file transfers (MSNFTP and MSNSLP) |
| msnmessenger | MSN Messenger - Microsoft Network chat client |
| napster | Napster - P2P filesharing |
| nbns | NBNS - NetBIOS name service |
| ncp | NCP - Novell Core Protocol |
| nntp | NNTP - Network News Transfer Protocol - RFCs 977 and 2980 |
| ntp | (S)NTP - (Simple) Network Time Protocol - RFCs 1305 and 2030 |
| openft | OpenFT - P2P filesharing (implemented in giFT library) |
| | Tencent QQ Protocol - Chinese instant messenger protocol - http://www.qq.com |
| quake-halflife | Half Life 1 engine games (HL 1, Quake 2/3/World, Counterstrike 1.6, etc.) |
| replaytv-ivs | ReplayTV Internet Video Sharing - Digital Video Recorder - http://replaytv.com |
| rtsp | RTSP - Real Time Streaming Protocol - http://www.rtsp.org - RFC 2326 |
| shoutcast | Shoutcast and Icecast - streaming audio |
| sip | SIP - Session Initiation Protocol - Internet telephony - RFC 3261, 3265, etc. |
| smb | Samba/SMB - Server Message Block - Microsoft Windows filesharing |
| snmp | SNMP - Simple Network Management Protocol - RFC 1157 |
| socks | SOCKS Version 5 - Firewall traversal protocol - RFC 1928 |
| soribada | Soribada - A Korean P2P filesharing program/protocol - http://www.soribada.com |
| soulseek | Soulseek - P2P filesharing - http://slsknet.org |
| ssdp | SSDP - Simple Service Discovery Protocol - easy discovery of network devices |
| ssl | SSL and TLS - Secure Socket Layer / Transport Layer Security - RFC 2246 |
| teamfortress2 | Team Fortress 2 - network game - http://www.valvesoftware.com |
| teamspeak | TeamSpeak - VoIP application - http://goteamspeak.com |
| telnet | Telnet - Insecure remote login - RFC 854 |
| tor | Tor - The Onion Router - used for anonymization - http://tor.eff.org |
| tsp | TSP - Berkeley UNIX Time Synchronization Protocol |
| validcertssl | Valid certificate SSL |
| ventrilo | Ventrilo - VoIP - http://ventrilo.com |
| whois | Whois - query/response system, usually used for domain name info - RFC 3912 |
| x11 | X Windows Version 11 - Networked GUI system used in most Unices |
| xunlei | Xunlei - Chinese P2P filesharing - http://xunlei.com |
| yahoo | Yahoo messenger - an instant messenger protocol - http://yahoo.com |
| 100bao | 100bao - a Chinese P2P protocol/program - http://www.100bao.com |
| battlefield1942 | Battlefield 1942 - An EA game |
| battlefield2 | Battlefield 2 - An EA game. |
| battlefield2142 | Battlefield 2142 - An EA game. |
| bgp | BGP - Border Gateway Protocol - RFC 1771 |
| ciscovpn | Cisco VPN - VPN client software to a Cisco VPN server |
| dazhihui | Dazhihui - stock analysis and trading; Chinese - http://www.gw.com.cn |
| h323 | H.323 - Voice over IP. |
| http-rtsp | RTSP tunneled within HTTP |
| imesh | iMesh - the native protocol of iMesh, a P2P application - http://imesh.com |
| kugoo | KuGoo - a Chinese P2P program - http://www.kugoo.com |
| lpd | LPD - Line Printer Daemon Protocol (old-style UNIX printing) - RFC 1179 |
| poco | POCO and PP365 - Chinese P2P filesharing - http://pp365.com http://poco.cn |
| pplive | PPLive - Chinese P2P streaming video - http://pplive.com |
| radmin | Famatech Remote Administrator - remote desktop for MS Windows |
| rdp | RDP - Remote Desktop Protocol (used in Windows Terminal Services) |
| rlogin | rlogin - remote login - RFC 1282 |
| rtp | RTP - Real-time Transport Protocol - RFC 3550 |
| runesofmagic | Runes of Magic - game - http://www.runesofmagic.com |
| skypeout | Skype to phone - UDP voice call (program to POTS phone) - http://skype.com |
| skypetoskype | Skype to Skype - UDP voice call (program to program) - http://skype.com |
| stun | STUN - Simple Traversal of UDP Through NAT - RFC 3489 |
| subversion | Subversion - a version control system |
| thecircle | The Circle - P2P application - http://thecircle.org.au |
| tonghuashun | Tonghuashun - stock analysis and trading; Chinese - http://www.10jqka.com.cn |
| uucp | UUCP - Unix to Unix Copy |
| worldofwarcraft | World of Warcraft - popular network game - http://blizzard.com/ |
| zmaap | ZMAAP - Zeroconf Multicast Address Allocation Protocol |
| citrix | Citrix ICA - proprietary remote desktop application - http://citrix.com |
| goboogy | GoBoogy - a Korean P2P protocol |
| guildwars | Guild Wars - online game - http://guildwars.com |
| hotline | Hotline - An old P2P filesharing protocol |
| live365 | live365 - An Internet radio site - http://live365.com |
| mute | MUTE - P2P filesharing - http://mute-net.sourceforge.net |
| netbios | NetBIOS - Network Basic Input Output System |
| pcanywhere | pcAnywhere - Symantec remote access program |
| quake1 | Quake 1 - A popular computer game. |
| subspace | Subspace - 2D asteroids-style space game - http://sscentral.com |
| tesla | Tesla Advanced Communication - P2P filesharing (?) |
| tftp | TFTP - Trivial File Transfer Protocol - used for bootstrapping - RFC 1350 |
| xboxlive | XBox Live - Console gaming |
| freenet | Freenet - Anonymous information retrieval - http://freenetproject.org |
| liveforspeed | Live For Speed - A racing game. |
These patterns were judged to be of lesser general interest than those above.
| name | description |
|---|---|
| gtalk | GTalk, a Jabber (XMPP) client |
| http-dap | HTTP by Download Accelerator Plus - http://www.speedbit.com |
| http-freshdownload | HTTP by Fresh Download - http://www.freshdevices.com |
| http-itunes | HTTP - iTunes (Apple's music program) |
| httpaudio | HTTP - Audio over HyperText Transfer Protocol (RFC 2616) |
| httpcachehit | HTTP - Proxy Cache hit for HyperText Transfer Protocol (RFC 2616) |
| httpcachemiss | HTTP - Proxy Cache miss for HyperText Transfer Protocol (RFC 2616) |
| httpvideo | HTTP - Video over HyperText Transfer Protocol (RFC 2616) |
| quicktime | Quicktime HTTP |
| snmp-mon | SNMP Monitoring - Simple Network Management Protocol (RFC1157) |
| snmp-trap | SNMP Traps - Simple Network Management Protocol (RFC1157) |
| audiogalaxy | Audiogalaxy - (defunct) Peer to Peer filesharing |
| pressplay | pressplay - A legal music distribution site - http://pressplay.com |
This category of patterns is for file types. This sort of matching is not the focus of l7-filter, but it can be done in some cases. It requires some extra set up, so read the File Types README.
| name | description |
|---|---|
| exe | Executable - Microsoft PE file format. |
| flash | Flash - Macromedia Flash. |
| gif | GIF - Popular Image format. |
| html | (X)HTML - (Extensible) Hypertext Markup Language - http://w3.org |
| mp3 | MP3 - Moving Picture Experts Group Audio Layer III |
| | PDF - Portable Document Format - Postscript-like format by Adobe |
| perl | Perl - A scripting language by Larry Wall. |
| png | PNG - Portable Network Graphics, a popular image format |
| postscript | Postscript - Printing Language |
| rar | RAR - The WinRAR archive format |
| rpm | RPM - Redhat Package Management packages |
| rtf | RTF - Rich Text Format - an open document format |
| tar | Tar - tape archive. Standard UNIX file archiver, not just for tapes. |
| zip | ZIP - (PK\|Win)Zip archive format |
| jpeg | JPEG - Joint Picture Expert Group image format. |
| ogg | Ogg - Ogg Vorbis music format (not any ogg file, just vorbis) |
This category is for worms, viruses, and anything else that uses the network to bother us. It doesn't appear that there is much demand for this functionality, but in case it interests you, this is a proof-of-concept. See the Malware README.
| name | description |
|---|---|
| code_red | Code Red - a worm that attacks Microsoft IIS web servers |
| nimda | Nimda - a worm that attacks Microsoft IIS web servers, and MORE! |
Computer code associated with l7-filter, such as the protocol definitions, is licensed under the GNU GPLv2.