SleepyEgg

Typical Web traffic is easy enough to spot: it uses TCP port 80. But plenty of protocols prefer to remain in the shadows and purposely make themselves difficult to identify—including Skype, BitTorrent, and eMule. If easy to identify, such protocols might make a tempting target for ISPs seeking to throttle back certain kinds of traffic. However, even these "obfuscated" protocols have a hard time hiding their secrets; encrypting the traffic can't keep them hidden, nor can certain tunneling behaviors that try to disguise one sort of traffic as another .

Who wants to identify traffic that hopes to remain hidden? Vendors of traffic analysis hardware, for one, who sell their gear to ISPs and must first be able to classify traffic before doing anything useful with it.