Detecting BitTorrent
Harry Hoffman via Argus-info
argus-info at lists.andrew.cmu.edu
Mon Nov 9 22:12:22 EST 2015
Hi Monah,
So assuming that the internal culprit means you are running NAT at the border then you can come to a reasonable estimate by looking at the records generated during the time period 2015-11-09T14:30:35Z and with a port of 51413.
(from memory so please check):
ra -nnr /some/path/argus-<within_time_range_files> -t 11.09:14-15 - port 51413
The -t might need to be adjusted for timezone.
If you run argus post-NAT then you’re in trouble, as you won’t see the internal addresses before they are translated to the public IP address.
Can you describe some of your setup and we can help you run the commands you need to query the data?
Cheers,
Harry
On 11/9/15, 8:40 PM, "Argus-info on behalf of Monah Baki via Argus-info" <argus-info-bounces+hhoffman=ip-solutions.net at lists.andrew.cmu.edu on behalf of argus-info at lists.andrew.cmu.edu> wrote:
>Hi all,
>
>Today we got an email from ip-echelon warning one user was downloading
>a BitTorrent file.
>
> - ------------- Infringement Details ----------------------------------
> Title: The Man from U.N.C.L.E.
> Timestamp: 2015-11-09T14:30:35Z
> IP Address: 63.151.x.x
> Port: 51413
> Type: BitTorrent
> Torrent Hash: f0f1e4f6c1073fb24212613c715cf0b2e115c2b4
> Filename: The.Man.from.U.N.C.L.E.2015.HDRip.XViD-ETRG
> Filesize: 706 MB
> - ---------------------------------------------------------------------
>
>That's the only information they gave us.
>
>We need to track the internal culprit since 63.151.x.x is our public facing IP.
>
>Can this be done?
>
>
>Thanks
>Monah
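
Added example, not part of the original thread: a Python sketch of the correlation described in the reply, ranking internal hosts seen on the notice's port near the notice's timestamp and showing why the timezone adjustment matters. The CSV column names, the 10.0.0.0/8 internal range, the UTC-5 sensor clock and all flow records are constructed assumptions; only the timestamp and port come from the notice.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

NOTICE_TIME = datetime(2015, 11, 9, 14, 30, 35, tzinfo=timezone.utc)  # from the notice
NOTICE_PORT = 51413                                                   # from the notice
INTERNAL = ip_network("10.0.0.0/8")  # assumption: the site's pre-NAT address space

# Constructed sample: pre-NAT flow records exported as CSV, with start times in
# the sensor's local time (assumed UTC-5). Column names are assumptions.
SAMPLE = """stime,saddr,sport,daddr,dport,bytes
2015-11-09 09:28:10,10.1.4.23,51413,198.51.100.7,6881,48211
2015-11-09 09:30:31,203.0.113.50,40112,10.1.4.23,51413,913220
2015-11-09 09:31:02,10.1.7.80,49822,192.0.2.44,443,12044
2015-11-09 09:33:45,10.1.9.12,55120,198.51.100.9,51413,2100
2015-11-09 14:30:35,10.1.2.2,51413,198.51.100.7,6881,777
"""

def candidates(flow_csv, utc_offset_hours=-5, window=timedelta(minutes=15)):
    """Rank internal hosts seen on NOTICE_PORT within `window` of NOTICE_TIME."""
    local_tz = timezone(timedelta(hours=utc_offset_hours))
    hits = defaultdict(lambda: {"flows": 0, "bytes": 0, "own_port": False})
    for row in csv.DictReader(io.StringIO(flow_csv)):
        start = datetime.strptime(row["stime"], "%Y-%m-%d %H:%M:%S")
        start = start.replace(tzinfo=local_tz)
        if abs(start - NOTICE_TIME) > window:
            continue  # outside the window once both times are compared in UTC
        ends = [(row["saddr"], int(row["sport"])),
                (row["daddr"], int(row["dport"]))]
        if NOTICE_PORT not in [port for _, port in ends]:
            continue  # same selection as a "port 51413" filter: either side
        for addr, port in ends:
            if ip_address(addr) in INTERNAL:
                hit = hits[addr]
                hit["flows"] += 1
                hit["bytes"] += int(row["bytes"])
                hit["own_port"] |= (port == NOTICE_PORT)
    # Hosts that used the notice port on their own side sort first, then by volume.
    rows = [(a, h["flows"], h["bytes"], h["own_port"]) for a, h in hits.items()]
    return sorted(rows, key=lambda r: (not r[3], -r[2], r[0]))

if __name__ == "__main__":
    for addr, flows, nbytes, own in candidates(SAMPLE):
        print(f"{addr:12} flows={flows} bytes={nbytes} own_port={own}")
```

Calling `candidates(SAMPLE, utc_offset_hours=0)` treats the local timestamps as UTC and returns only the unrelated 10.1.2.2 record, which is the failure the timezone caveat guards against.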