EDonkey
From Protocolinfo
eDonkey 2000, also known as Overnet, is P2P filesharing. There are a number of other programs that use the same protocol, including eMule, aMule and MLDonkey.
Contents |
[edit] Identification
[edit] Ports
The official eDonkey2000 client encourages users to use TCP port 4662 and UDP port 12155, but others can be chosen. eMule's default is TCP port 4662 and UDP port 4672. eMule says that it uses the UDP port for both KAD and "to reduce network usage".
[edit] l7-filter
l7-filter uses the edonkey pattern. It was well tested with various Linux clients in late 2003, and has also been tested with eDonkey 1.4 and eMule 0.47a in April 2006.
This is a difficult protocol to match with regular expressions. The l7-filter pattern will falsely identify about 1% of random data as eDonkey.
Despite the fact that eDonkey2000 and eMule claim to use multiple networks (KAD in the case of eMule, Overnet in the case of eDonkey2000), the edonkey pattern appears to match all of their traffic.
Starting with version 0.47b, eMule uses protocol obfuscation, which might complicate recognition. [1]
[edit] IPP2P
IPP2P can match "eDonkey, eMule, Kademlia" with --edk. Their page says that the match is "very good".
