Testing spots salient characteristics of Skype that make its detection and exclusion difficult:

Port numbers: Calls are set up on dynamically changing, random port numbers. The same port numbers are used for the duration of a particular call, and may remain in use, for a while, between the same two users on subsequent calls. But other users are likely to employ totally different port numbers.

Protocols: It appears that Skype has the ability to employ either UDP or TCP for call set-up. UDP seems preferred; TCP may be the fallback option. UDP is used for the RTP stream. But TCP packets are also periodically sent along with the UDP/RTP stream, maybe one TCP per every 100 UDP packets.

Packet size: Packets within the same Skype VoIP stream vary dynamically in size, typically from 115 to 190 bytes per packet.

Packet spacing: The spacing between VoIP packets subsequently varies, too, from about 27 to 40 milliseconds, making packet-per-second counts for identification of a Skype stream nearly impossible.

SuperNodes: The nodes involved in call setup are obscured by a blast of traffic that occurs in the second or so that a Skype call is established. We captured and traced the nodes involved - about a dozen nodes, probably Skype SuperNodes, are contacted. They are dispersed all over the world. And the nodes can change from one call to the next. It's likely only one or two are used for actual setup of the call. The rest are likely for robustness and survivability of call setup.

* * *

VoIP encryption: After call setup, Skype VoIP streams are encrypted, making all information above the IP level in Skype packets indiscernible.

IM encryption: Skype Instant Messaging and Skype file transfers are likewise encrypted.

Return to Skype Clear Choice Test