Skype is an instant messenger, chat, file transfer application utilizing a combination of P2P and encryption techniques. It offers voicemail and the ability to dial out to normal telephone numbers, as well as acquire your own telephone numbers for others to dial into.
There are two distinct types of Skype traffic: Skype-to-Skype for talking to other Skype clients, and SkypeOut for talking to standard telephones.
Skype uses both TCP and UDP. UDP datagrams are not (entirely) encrypted/obfuscated, so it is possible to detect them. TCP connections on the other hand are completely encrypted (very well obfuscated, actually) so it would be difficult enough to recognize TCP Skype traffic with custom software and nearly impossible with l7-filter. Blocking UDP is also not enough to block Skype.
Skype does not use a predictable port. However, it appears to be most likely to be found on ports 443 or 80, as described on Skype’s “Skype and Firewalls” page.
The optional requirements (allows P2P file transfers and superior voice quality):
- [IN/OUT] 1 port > 1023 TCP: Skype by default chooses a random port which can be configured through ‘Tools:Options’ in the program itself. This port is generally used for chat and voice data.
- [IN/OUT] 1 port > 1023 UDP: Additional voice quality can be achieved using UDP, also chosen at random. Port generally used for superior voice quality and file transfers.
The minimum requirements (relays file transfers and voice calls to Skype servers):
- [OUT] TCP 80 — HTTP Required for use as a fallback.
- [OUT] TCP 443 — SSL Required for use as a fallback.
For Skype-to-Skype communications, including both calls and the general chatter of the program, l7-filter uses the skypetoskype pattern. It is tested with 22.214.171.124_API on Linux.
For Skype-to-phone communications (“SkypeOut”), l7-filter uses the skypeout pattern. This is a clunky pattern (have seen it conflict with some FTP traffic). It has been tested with 126.96.36.199_API on Linux and it does work, but it also matches a significant fraction of non-Skype traffic. It would be much easier to match this sort of thing with IPP2P or something like it. As shown in the packet traces below, the first two packets start with the same group of bytes, and the following packets start with the same group of bytes (different from the first two), but these bytes are different each time a connection is made. This is quite difficult to match with l7-filter’s regular expressions.
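A classifier that keeps per-flow state can test the repetition structure described above without hard-coding any byte value, which is the part a regular expression cannot express. The following is an added example, not l7-filter or Skype code; the prefix length, the minimum packet count and the sample payloads are assumptions constructed for illustration.

```python
# Added example: stateful per-flow prefix check (not l7-filter or Skype code).
PREFIX_LEN = 3   # assumption: the page does not say how many leading bytes repeat
MIN_PACKETS = 4  # assumption: two opening packets plus at least two followers


def shared_prefix(payloads, length):
    """Return the leading `length` bytes common to all payloads, else None."""
    if not payloads or any(len(p) < length for p in payloads):
        return None
    heads = {bytes(p[:length]) for p in payloads}
    return heads.pop() if len(heads) == 1 else None


def looks_like_skypeout(payloads, prefix_len=PREFIX_LEN):
    """True when packets 1-2 share one prefix and packets 3+ share another."""
    if len(payloads) < MIN_PACKETS:
        return False  # too little data to judge either group
    opening = shared_prefix(payloads[:2], prefix_len)
    following = shared_prefix(payloads[2:], prefix_len)
    # Only the repetition structure is tested; the byte values themselves
    # change per connection, so none are hard-coded here.
    return opening is not None and following is not None and opening != following


def classify(flows):
    """Map each flow name to the verdict for its ordered payload list."""
    return {name: looks_like_skypeout(pkts) for name, pkts in flows.items()}


# Constructed payloads for illustration only; these are not captured traffic.
SAMPLE_FLOWS = {
    # Same structure, different bytes per connection, as the page describes.
    "conn_a": [b"\xa1\xb2\xc3\x01", b"\xa1\xb2\xc3\xff\x10",
               b"\x07\xd4\xe9\x55", b"\x07\xd4\xe9\x00\x42"],
    "conn_b": [b"\x5e\x0f\x77\x09", b"\x5e\x0f\x77\x0a",
               b"\xc4\x19\x20\x01", b"\xc4\x19\x20\x02", b"\xc4\x19\x20\x03"],
    # FTP-like control dialogue: no repeated opening prefix.
    "ftp_like": [b"220 ready\r\n", b"USER test\r\n",
                 b"331 need password\r\n", b"PASS test\r\n"],
    # One constant header on every packet: opening == following, so rejected.
    "constant_header": [b"\x17\x03\x03\x00", b"\x17\x03\x03\x01",
                        b"\x17\x03\x03\x02", b"\x17\x03\x03\x03"],
    "too_short": [b"\xa1\xb2\xc3\x01", b"\xa1\xb2\xc3\x02"],
}

if __name__ == "__main__":
    for name, verdict in classify(SAMPLE_FLOWS).items():
        print(f"{name}: {'candidate' if verdict else 'no match'}")
```

A positive result marks a flow as a candidate only: any other protocol with the same two-phase prefix structure would also match, so the verdict should be combined with other signals before a flow is blocked.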
Lynanda Asynchronous Filter
The Lynanda Asynchronous Filter can filter and block SkypeToSkype, SkypeOut, and SkypeChat.
Other information
Skype appears to make a lot of NTP requests. (Needs confirmation.)