
What is a signature in a packet payload? Why are they even necessary? Also, traffic classifiers use signatures to detect the type of protocol of a packet; for example, there are regular expressions for an HTTP signature and an FTP signature.

1 Answer


I think you may be reading too much into the use of the word "signature" for these definitions (often heuristics) used in various DPI-based solutions to recognize different protocols.
It's really just any aspect of the protocol that identifies what it is, whether the protocol outright states which protocol it is or whether it, for example, has specific commands or structures that can be recognized to disambiguate it from other protocols.

E.g., an HTTP/1 request would start with something like VERB path HTTP/version (e.g. GET /foo HTTP/1.1).
This pretty much gives away that it is HTTP in both senses above: it outright states an HTTP version, but even if HTTP hadn't been designed to include the protocol version as part of the request, it would still be pretty clear from just something like GET /foo that it looks a lot like HTTP.

For some protocols the very first message is not necessarily what gives it away. For example, both SMTP and FTP look potentially similar in terms of the greeting message from the server being 220 stuff about the server (the "stuff about the server" portion usually gives away what it is, but can be more noisy and potentially unclear). However, the client immediately gives away that it's SMTP by saying EHLO host (or possibly HELO host), while an FTP client would say USER myuser and so on (you might need to look at more of the conversation in the FTP case to properly disambiguate it from other things).

Now, of course, if you are talking about some protocol that is tunneled over TLS (e.g. HTTPS), all a regular observer (not the TLS endpoint) would recognize, in the sense discussed here, is the TLS protocol itself (it might simply be: the first thing transmitted is the client sending a TLS ClientHello message). Unless you actually have access to the payload inside, you would need to rely on other hints for what might be inside (maybe the port number, for instance).

Worth noting is that for many protocols the port number typically already correctly identifies which protocol it is. The method you are talking about is rather a way of identifying/confirming the protocol regardless of which port number is used, by peeking at the payload.

Håkan Lindqvist
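The kind of payload signature the answer describes, as an added example that is not part of the original question or answer: a tiny classifier that looks only at the first bytes each side of a TCP conversation sent and ignores the port entirely. It encodes the three cases discussed above (an HTTP/1 request line, the SMTP EHLO/HELO versus FTP USER client commands behind an ambiguous "220" server greeting, and a TLS ClientHello whose inner protocol is invisible). The regexes, the `classify` function and the sample payloads are all constructed here for illustration and are not taken from any real DPI product.

```python
import re

# Client-side signatures: what the client's first payload looks like.
# Each is a regex over raw bytes, anchored at the start of the payload.
CLIENT_SIGNATURES = [
    ("http", re.compile(
        rb"^(?:GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH|CONNECT|TRACE) \S+ HTTP/1\.[01]\r\n")),
    ("smtp", re.compile(rb"^(?:EHLO|HELO) \S+\r\n")),
    ("ftp", re.compile(rb"^USER \S+\r\n")),
]

# Server-side signatures: SMTP and FTP both greet with "220 ...", so only the
# banner text can tell them apart, and it is free-form, hence the weaker match.
SERVER_SIGNATURES = [
    ("smtp", re.compile(rb"^220[ -].*\b(?:SMTP|ESMTP)\b", re.IGNORECASE)),
    ("ftp", re.compile(rb"^220[ -].*\bFTP\b", re.IGNORECASE)),
    ("http", re.compile(rb"^HTTP/1\.[01] \d{3} ")),
]


def is_tls_client_hello(payload):
    """True if the payload starts with a TLS handshake record carrying a ClientHello.

    Record header: content type 0x16 (handshake), version 0x03 0x0N, 2-byte length;
    the first handshake message byte is then the handshake type, 0x01 = ClientHello.
    """
    return (len(payload) >= 6
            and payload[0] == 0x16
            and payload[1] == 0x03 and payload[2] <= 0x04
            and payload[5] == 0x01)


def classify(client_first, server_first=b""):
    """Classify a conversation from the first payload each peer sent.

    Returns (protocol, reason). The port number is deliberately not an input:
    the point of payload signatures is to identify the protocol without it.
    """
    if is_tls_client_hello(client_first):
        return ("tls", "client sent a TLS ClientHello; inner protocol not visible")
    for name, rx in CLIENT_SIGNATURES:
        if rx.match(client_first):
            return (name, "client signature matched")
    # The client did not give it away (or we only captured the server side):
    # fall back to the server's greeting/banner.
    for name, rx in SERVER_SIGNATURES:
        if rx.match(server_first):
            return (name, "server banner matched")
    if server_first.startswith(b"220"):
        return ("unknown", "220 greeting: SMTP or FTP, need more of the conversation")
    return ("unknown", "no signature matched")


# Constructed sample payloads (not captured traffic). The TLS one is a minimal
# handshake record: type 0x16, version 3.1, length 6, ClientHello (0x01), length 2,
# client_version 3.3; a real ClientHello is much longer but starts the same way.
TLS_CLIENT_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x06, 0x01, 0x00, 0x00, 0x02, 0x03, 0x03])

SAMPLE_FLOWS = {
    "http on a non-standard port": (b"GET /foo HTTP/1.1\r\nHost: example.test\r\n\r\n", b""),
    "smtp, client speaks":         (b"EHLO mail.example.test\r\n", b"220 ready\r\n"),
    "ftp, client speaks":          (b"USER anonymous\r\n", b"220 ready\r\n"),
    "smtp, banner only":           (b"", b"220 mail.example.test ESMTP Postfix\r\n"),
    "ambiguous 220 greeting":      (b"", b"220 ready\r\n"),
    "https":                       (TLS_CLIENT_HELLO, b""),
    "unknown binary":              (b"\x00\x01\x02\x03", b""),
}


def run_samples():
    """Classify every sample flow; returns {label: protocol}."""
    return {label: classify(c, s)[0] for label, (c, s) in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for label, (c, s) in SAMPLE_FLOWS.items():
        proto, reason = classify(c, s)
        print(f"{label:30s} -> {proto:8s} ({reason})")
```

The "ambiguous 220 greeting" case is the one the answer warns about: a server banner alone is often not enough, and a classifier has to either keep reading the conversation or settle for "unknown" rather than guess. Likewise the HTTPS sample is classified as TLS only; nothing here can see that HTTP is inside it.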