Detecting BitTorrent

Harry Hoffman via Argus-info argus-info at
Mon Nov 9 22:12:22 EST 2015

Hi Monah,

So, assuming that the internal culprit means you are running NAT at the border, then you can come to a reasonable estimate by looking at the records generated during the time period 2015-11-09T14:30:35Z and with a port of 51413.

(from memory so please check):
 ra -nnr /some/path/argus-<within_time_range_files> -t 11.09:14-15 - port 51413

The -t might need to be adjusted for timezone.

If you run argus post-NAT then you’re in trouble, as you won’t see the internal addresses before they are translated to the public IP address.

Can you describe some of your setup, and we can help you run the commands you need to query the data?


On 11/9/15, 8:40 PM, "Argus-info on behalf of Monah Baki via Argus-info" wrote:

>Hi all,
>Today we got an email from ip-echelon warning one user was downloading
>a bit torrent file.
>    - ------------- Infringement Details ----------------------------------
>    Title:        The Man from U.N.C.L.E.
>    Timestamp:    2015-11-09T14:30:35Z
>    IP Address:   63.151.x.x
>    Port:         51413
>    Type:         BitTorrent
>    Torrent Hash: f0f1e4f6c1073fb24212613c715cf0b2e115c2b4
>    Filename:     The.Man.from.U.N.C.L.E.2015.HDRip.XViD-ETRG
>    Filesize:     706 MB
>    - ---------------------------------------------------------------------
>That's the only information they gave us.
>We need to track the internal culprit since 63.151.x.x is our public facing IP.
>Can this be done?
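
An added example, not part of the original thread or of the Argus tools: the time-and-port search described in the reply, run in Python over constructed pre-NAT flow records, with the notice's UTC timestamp compared against sensor-local times (the timezone adjustment the reply mentions). The CSV layout, the 10.0.0.0/8 inside range, the EST sensor clock, the preserved port and the suspects() helper are assumptions for illustration.

```python
import csv, io, ipaddress
from collections import Counter
from datetime import datetime, timedelta, timezone

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed inside address range
SENSOR_TZ = timezone(timedelta(hours=-5))       # assumed: sensor timestamps are EST

# Constructed flow records (pre-NAT view); the column layout is illustrative,
# not actual ra output. The last row is a decoy at 14:30 *local* time.
FLOWS = """stime,proto,saddr,sport,daddr,dport,bytes
2015-11-09 09:28:12,udp,10.1.4.23,51413,198.51.100.7,6881,1840
2015-11-09 09:30:31,tcp,203.0.113.50,40112,10.1.4.23,51413,912044
2015-11-09 09:31:02,tcp,10.1.4.23,51413,198.51.100.9,51413,77120
2015-11-09 09:30:40,tcp,10.1.7.80,52200,198.51.100.7,443,5300
2015-11-09 14:30:35,tcp,10.1.9.14,51413,203.0.113.61,6881,2210
"""

def suspects(flows_csv, notice_utc, port, slack=timedelta(minutes=5)):
    """Rank internal hosts with flows on `port` within `slack` of the notice time."""
    when = datetime.strptime(notice_utc, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    flows, volume = Counter(), Counter()
    for rec in csv.DictReader(io.StringIO(flows_csv)):
        # Sensor timestamps are local: attach the zone before comparing with UTC.
        t = datetime.strptime(rec["stime"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=SENSOR_TZ)
        if abs(t - when) > slack:
            continue
        # Assumption: the NAT preserved the reported port, so require it on the
        # internal side of the flow (as source or as destination).
        for addr, p in ((rec["saddr"], rec["sport"]), (rec["daddr"], rec["dport"])):
            if int(p) == port and ipaddress.ip_address(addr) in INTERNAL:
                flows[addr] += 1
                volume[addr] += int(rec["bytes"])
    # Highest byte count first: the heaviest user of the port is the best lead.
    return [(h, flows[h], volume[h]) for h, _ in volume.most_common()]

if __name__ == "__main__":
    for host, n, nbytes in suspects(FLOWS, "2015-11-09T14:30:35Z", 51413):
        print(f"{host}  flows={n}  bytes={nbytes}")
```

The decoy host 10.1.9.14 is what a search would return if the notice's UTC time were applied to local timestamps without conversion.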
