I've been tasked to report on traffic flows of Instant Messaging types of communications to include Skype/Vonage use. It certainly is not as simple as the request sounded coming down from mgmt; IM clients port hop, Skype uses ports 80 & 443, etc.
Has anyone looked at this problem and maybe has a template? Is using a URL or domain name an effective filter?
Running Orion 10, NTA 3.7
Some types of IM traffic can be identified by domain name.
Skype traffic is extraordinarily difficult to identify. I believe that in most cases it's only possible with a packet inspection engine that can do pretty advanced statistical heuristics. Not possible with NTA.