Detecting BitTorrent
Monah Baki via Argus-info
argus-info at lists.andrew.cmu.edu
Mon Nov 9 22:43:46 EST 2015
Hi Harry,
We are running Argus off a span port monitoring our internal core
switches, so we do see our internal IP flows.
Is there a way to just display downloads > 700MB?
Our logs are rotated on a daily basis, so we are looking at a 9GB size file.
Thanks
Monah
On Mon, Nov 9, 2015 at 10:12 PM, Harry Hoffman <hhoffman at ip-solutions.net> wrote:
> Hi Monah,
>
> So assuming that the internal culprit means you are running NAT at the border then you can come to a reasonable estimate by looking at the records generated during the time period 2015-11-09T14:30:35Z and with a port of 51413.
>
> (from memory so please check):
> ra -nnr /some/path/argus-<within_time_range_files> -t 11.09:14-15 - port 51413
>
> The -t might need to be adjusted for timezone
>
> If you run Argus post-NAT then you're in trouble, as you won't see the internal addresses before they are translated to the public IP address.
>
> Can you describe some of your setup and we can help you run the commands you need to query the data.
>
> Cheers,
> Harry
>
>
>
>
> On 11/9/15, 8:40 PM, "Argus-info on behalf of Monah Baki via Argus-info" <argus-info-bounces+hhoffman=ip-solutions.net at lists.andrew.cmu.edu on behalf of argus-info at lists.andrew.cmu.edu> wrote:
>
>>Hi all,
>>
>>Today we got an email from ip-echelon warning one user was downloading
>>a bit torrent file.
>>
>> - ------------- Infringement Details ----------------------------------
>> Title: The Man from U.N.C.L.E.
>> Timestamp: 2015-11-09T14:30:35Z
>> IP Address: 63.151.x.x
>> Port: 51413
>> Type: BitTorrent
>> Torrent Hash: f0f1e4f6c1073fb24212613c715cf0b2e115c2b4
>> Filename: The.Man.from.U.N.C.L.E.2015.HDRip.XViD-ETRG
>> Filesize: 706 MB
>> - ---------------------------------------------------------------------
>>
>>That's the only information they gave us.
>>
>>We need to track the internal culprit since 63.151.x.x is our public facing IP.
>>
>>Can this be done?
>>
>>
>>Thanks
>>Monah
>
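Monah's follow-up question (show only hosts that downloaded more than 700MB over a day of records) as an added example; this is not code from the thread. The racluster invocation in the comment is an assumption to be checked against the argus-clients man pages, the flow lines are constructed sample data in the CSV shape that `-s saddr daddr sbytes dbytes -c ,` produces, and `10.` is a placeholder internal prefix.

```shell
#!/bin/sh
# Assumed pipeline (check `man racluster`): merge all records between each
# address pair for the day, restrict to the port from the notice, and emit
# CSV of saddr,daddr,sbytes,dbytes. With -m saddr daddr the byte counts cover
# the whole day rather than one short-lived flow record.
#
#   racluster -nn -r /some/path/argus.20151109 -m saddr daddr \
#             -s saddr daddr sbytes dbytes -c , - port 51413 > flows.csv
#
# Constructed sample standing in for flows.csv (addresses are documentation ranges):
SAMPLE_FLOWS='10.1.2.3,203.0.113.10,12000,450000000
198.51.100.7,10.1.2.3,300000000,9000
10.1.2.9,203.0.113.11,5000,20000000'

# usage: large_downloads <internal_prefix> <threshold_bytes>   (CSV on stdin)
# In Argus records saddr is the initiator: bytes the internal host *received*
# are dbytes when it initiated the flow and sbytes when the outside peer did.
# Both directions are summed per internal host, then thresholded.
large_downloads() {
    awk -F, -v pfx="$1" -v thr="$2" '
        index($1, pfx) == 1 { inb[$1] += $4 }   # internal initiated: received = dbytes
        index($2, pfx) == 1 { inb[$2] += $3 }   # external initiated: received = sbytes
        END { for (h in inb) if (inb[h] > thr) print h, inb[h] }'
}

# Stand-alone run: prints "10.1.2.3 750000000" (only the host above 700MB).
printf '%s\n' "$SAMPLE_FLOWS" | large_downloads 10. 700000000
```

Feed the real flows.csv through the same function (`large_downloads 10. 700000000 < flows.csv`) to get the internal addresses to cross-check against the 14:30Z timestamp with Harry's `-t` filter.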