What is BitTorrent traffic?
BitTorrent is a communication protocol for peer-to-peer file sharing (“P2P”), which is used to distribute data and electronic files over the internet. It is most famous as a method for downloading copyrighted material such as movies and music. However, it can also be used for software delivery.
When it comes to monitoring BitTorrent traffic, you need to understand how the protocol works. It is not like a traditional download, where you fetch everything from a single link or IP address. Instead, you download pieces from other clients (peers), and peer discovery is handled by trackers or, more commonly, a Distributed Hash Table (DHT). Every torrent has a unique INFO-HASH value associated with it, and this is the key piece of data when it comes to identifying BitTorrent traffic.
Capturing BitTorrent traffic
There are multiple potential data sources if you want to monitor BitTorrent traffic on your network, including:
- Network traffic at your network edge using a SPAN, mirror port, or TAP
- Flow records such as NetFlow or IPFIX
- Firewall logs
The most reliable source is network traffic, as “packets don’t lie.” Flow records will not capture metadata such as INFO-HASH values, so you will never know for sure that traffic is associated with BitTorrent activity. Firewall logs may indicate the presence of BitTorrent, but they are not designed as a forensics tool to store long-term records of all traffic and application information.
Analyzing BitTorrent traffic
When it comes to analyzing BitTorrent traffic, watch out for traffic classified as applications such as BitTorrent DHT Tracker and BitTorrent Peer Traffic.
Once you detect these applications on your network, you need to capture certain metadata so you don’t need to store every packet, which can be expensive. A network traffic analysis (NTA) tool should be able to show the network user, IP address, INFO-HASH, and file name.
If the download is associated with a private tracker, you may not see any filenames. In that case, you should look at the destination IP addresses, which can reveal a lot about the applications associated with the BitTorrent traffic. In the image below, we can see that there is some BitTorrent activity associated with a client, and by looking at the destination IP addresses, it would appear that the user has the uTorrent application installed.
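To make the INFO-HASH point concrete, here is an added example (not code from the original post or from any NTA product) that classifies raw TCP/UDP payloads as peer wire or DHT traffic and extracts the INFO-HASH from each, then rolls the results up per torrent the way the metadata record described above would. The sample payloads, IP addresses and the `-UT3550-` peer id are constructed for the example.

```python
"""Added example: classify raw BitTorrent payloads and extract the INFO-HASH."""
import hashlib
import re

# Peer wire handshake (BEP 3): <19><"BitTorrent protocol"><8 reserved><20 info_hash><20 peer_id>
PSTR = b"\x13BitTorrent protocol"

def parse_peer_handshake(payload: bytes):
    """Return (hex info_hash, peer_id) if payload starts with a peer handshake, else None."""
    if len(payload) < 68 or not payload.startswith(PSTR):
        return None
    return payload[28:48].hex(), payload[48:68]

def parse_dht_query(payload: bytes):
    """Return hex info_hash from a bencoded DHT get_peers/announce_peer query (BEP 5), else None.
    Bencode dict keys are sorted, so a targeted pattern suffices; no full parser needed."""
    if not payload.startswith(b"d") or b"1:y1:q" not in payload:
        return None
    m = re.search(rb"9:info_hash20:(.{20})", payload, re.DOTALL)
    return m.group(1).hex() if m else None

def classify(payload: bytes):
    """Label one TCP/UDP payload PEER, DHT or OTHER, plus the INFO-HASH seen (hex or None)."""
    hs = parse_peer_handshake(payload)
    if hs:
        return "PEER", hs[0]
    h = parse_dht_query(payload)
    return ("DHT", h) if h else ("OTHER", None)

def summarize(flows):
    """Per-INFO-HASH record of client IPs and protocol roles from (src_ip, payload) pairs."""
    seen = {}
    for src_ip, payload in flows:
        kind, h = classify(payload)
        if h:
            rec = seen.setdefault(h, {"clients": set(), "roles": set()})
            rec["clients"].add(src_ip)
            rec["roles"].add(kind)
    return seen

# Constructed sample traffic (not captured data): one DHT lookup and one peer handshake
# for the same made-up torrent, plus an unrelated HTTP request that must not match.
INFO_HASH = hashlib.sha1(b"constructed info dictionary").digest()
SAMPLE_DHT = (b"d1:ad2:id20:" + b"n" * 20 + b"9:info_hash20:" + INFO_HASH
              + b"e1:q9:get_peers1:t2:aa1:y1:qe")
SAMPLE_PEER = PSTR + b"\x00" * 8 + INFO_HASH + b"-UT3550-" + b"x" * 12
SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
SAMPLE_FLOWS = [("10.0.0.5", SAMPLE_DHT), ("10.0.0.5", SAMPLE_PEER), ("10.0.0.9", SAMPLE_HTTP)]
```

Because the same INFO-HASH appears in both the DHT lookup and the peer handshake, the summary ties the two protocol roles to one client and one torrent, which is exactly the correlation flow records cannot give you.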