Detecting BitTorrent

Harry Hoffman via Argus-info argus-info at lists.andrew.cmu.edu
Mon Nov 9 22:12:22 EST 2015


Hi Monah,

So, assuming that "the internal culprit" means you are running NAT at the border, then you can come to a reasonable estimate by looking at the records generated during the time period around 2015-11-09T14:30:35Z and with a port of 51413.

(from memory so please check):
 ra -nnr /some/path/argus-<within_time_range_files> -t 11.09:14-15 - port 51413

The -t might need to be adjusted for the timezone.

If you run argus post-NAT, then you're in trouble, as you won't see the internal addresses before they are translated to the public IP address.

Can you describe some of your setup and we can help you run the commands you need to query the data.

Cheers,
Harry
On 11/9/15, 8:40 PM, "Argus-info on behalf of Monah Baki via Argus-info" <argus-info-bounces+hhoffman=ip-solutions.net at lists.andrew.cmu.edu on behalf of argus-info at lists.andrew.cmu.edu> wrote:

>Hi all,
>
>Today we got an email from ip-echelon warning that one user was downloading
>a BitTorrent file.
>
>    - ------------- Infringement Details ----------------------------------
>    Title:        The Man from U.N.C.L.E.
>    Timestamp:    2015-11-09T14:30:35Z
>    IP Address:   63.151.x.x
>    Port:         51413
>    Type:         BitTorrent
>    Torrent Hash: f0f1e4f6c1073fb24212613c715cf0b2e115c2b4
>    Filename:     The.Man.from.U.N.C.L.E.2015.HDRip.XViD-ETRG
>    Filesize:     706 MB
>    - ---------------------------------------------------------------------
>
>That's the only information they gave us.
>
>We need to track the internal culprit since 63.151.x.x is our public facing IP.
>
>Can this be done?
>
>
>Thanks
>Monah
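An added example (not from Harry's reply or from the argus project) of the two steps the thread describes: converting the notice's UTC timestamp into the sensor's local time before building a search window, then keeping only flows in that window that use port 51413. The flow lines, their comma-separated layout, and the EST sensor timezone are all constructed assumptions.

```python
# Added example, not code from the thread. Mirrors what the
# `ra -t <local window> - port 51413` query does, on constructed data.
from datetime import datetime, timedelta, timezone
import csv, io

NOTICE_TS = "2015-11-09T14:30:35Z"      # from the notice (UTC, note the Z)
NOTICE_PORT = 51413                     # from the notice
SENSOR_TZ = timezone(timedelta(hours=-5))  # assumption: sensor clock is EST

# Constructed pre-NAT flow records: stime (sensor local time), saddr, sport, daddr, dport.
# Real ra output has many more fields; this layout is hypothetical.
SAMPLE_FLOWS = """\
2015-11-09 09:28:10,10.1.2.34,51413,198.51.100.7,6881
2015-11-09 09:30:41,10.1.2.34,51413,203.0.113.9,51413
2015-11-09 09:31:02,10.1.2.50,443,192.0.2.20,443
2015-11-09 11:15:00,10.1.2.77,51413,198.51.100.8,6889
"""

def local_window(ts_utc, tz, before_min=30, after_min=30):
    """Convert the UTC notice timestamp to sensor-local time and widen it into
    a search window, because the sensor's -t style time spec is local time."""
    t = datetime.strptime(ts_utc, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    t = t.astimezone(tz)
    return t - timedelta(minutes=before_min), t + timedelta(minutes=after_min)

def candidates(flow_text, port, start, end, tz):
    """Return internal source addresses whose flows use `port` on either side
    and start inside [start, end]. Only pre-NAT records can answer this;
    post-NAT records would all show the public address."""
    hits = set()
    for stime, saddr, sport, daddr, dport in csv.reader(io.StringIO(flow_text)):
        t = datetime.strptime(stime, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
        if start <= t <= end and port in (int(sport), int(dport)):
            hits.add(saddr)
    return sorted(hits)

def find_internal_hosts():
    start, end = local_window(NOTICE_TS, SENSOR_TZ)
    return candidates(SAMPLE_FLOWS, NOTICE_PORT, start, end, SENSOR_TZ)

if __name__ == "__main__":
    print(find_internal_hosts())  # ['10.1.2.34']
```

The 11:15 flow on the same port is deliberately outside the window: a wider window catches more peers but also more unrelated hosts, so the window should stay close to the notice timestamp.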
