This is ok, but it's really not much of an improvement on Linux's layer7 modules for netfilter. It is still not very useful for identifying encrypted traffic. Much cooler are statistical approaches, because they can frequently get around encryption for protocol identification purposes. E.g. spid (don't know if it gets around the encryption thing...) <a href="http://sourceforge.net/projects/spid/" rel="nofollow">http://sourceforge.net/projects/spid/</a>