Internet traffic analysis is nowadays a key ingredient to detect and possibly prevent malicious activity of the web that may cause severe constrains and/or security leaks.

In this paper, using some properties that are easy to collect from the package head we study how one can use compression to efficiently cluster similarities of different types of data and infer their (ab)normality.

In particular, we envisage to answer if, using compression, it is possible to:

(i) Identify the protocols used in an internet connection;
(ii) Identify the services that the tcp internet protocol used;
(iii) Detect the type of traffic being transmitted via internet.