Detecting BitTorrent

Carter Bullard via Argus-info argus-info at lists.andrew.cmu.edu
Tue Nov 10 10:04:26 EST 2015


All excellent advice !!  Port number may have been NAT'd so may not be a good indicator, they didn't say if it was the src or dst port ...  but you want to look nonetheless.   Time is the best clue in this case, and limiting searches to a small time range should help a lot.  If the archive file is huge, and you have MySQL, running rasqltimeindex.1 may be helpful.  But that is a heavy tool, so best to go through the gargantuan file once with ra.1 to generate a subset of records using a time filter (say 5m before and 5m after) and then work with that sub file to find what you're looking for, and ratop is a good tool to browse that smaller file, using 'vi' navigation, '/' searching, and display filtering.

Also, the notification of the rights violation may be generated by the end system advertising availability of the file, not actual file transfer, so, ..., maybe more fruitful to look for bit torrent banners in the flow records, if you were collecting user data.  "-e torrent" or just "-e bit" may find mesh insertion and advertisement flows, which are more important than the file ...

Since you, as a bit torrent node, may only contribute a part of the file, the flows may not be as big as you expect ????

Carter

Carter Bullard • CTO
150 E 57th Street Suite 12D
New York, New York 10022-2795
Phone +1.212.588.9133 • Mobile +1.917.497.9494

> On Nov 10, 2015, at 8:40 AM, John Gerth via Argus-info <argus-info at lists.andrew.cmu.edu> wrote:
> 
> Remember that a large transfer can take awhile to complete and
> will comprise more than one argus record if it spans multiple
> reporting intervals.  That said, if you use the "-t" and "port" options
> as recommended previously, you'll be focused on the right time
> interval and will see a series of large transfers involving
> the suspect local IP.
> 
> 
> -----Original message-----
> From: Argus-info [mailto:argus-info-bounces+jesper.skou.jensen=statens-it.dk at lists.andrew.cmu.edu] On behalf of Monah Baki via Argus-info
> Sent: 10 November 2015 04:44
> To: Harry Hoffman
> Cc: Argus
> Subject: Re: [ARGUS] Detecting BitTorrent
> 
> Hi Harry,
> 
> We are running Argus off a span port monitoring our internal core
> switches, so we do see our internal IP flows.
> 
> Is there a way to just display downloads > 700MB??
> 
> Our logs are rotated on a daily basis, so we are looking at a 9GB size file
> 
> Thanks
> Monah
> 
> 
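The workflow the thread converges on (cut the day's archive down to a window around the notification time, sum the several argus records a long transfer spans, flag flows over 700MB, and grep user data for torrent banners the way "-e torrent" does) as an added Python example over constructed records. This is not argus code and not from anyone on the list; the comma-separated field layout mimicking `ra -c , -s stime,saddr,sport,daddr,dport,sbytes,dbytes,suser` and the sample IPs and byte counts are assumptions made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not from the thread), laid out like the output of
#   ra -r argus.out -c , -s stime,saddr,sport,daddr,dport,sbytes,dbytes,suser
# The field order and the user-data rendering are assumptions for this example.
SAMPLE_RECORDS = """\
2015/11/10.07:10:00,10.1.2.3,51413,203.0.113.7,6881,2000,900000000,
2015/11/10.08:41:03,10.1.2.3,51413,203.0.113.7,6881,1800,412000000,s[20]=BitTorrent protocol
2015/11/10.08:42:15,10.1.2.9,44211,198.51.100.4,443,3400,120000000,
2015/11/10.08:46:03,10.1.2.3,51413,203.0.113.7,6881,1200,380000000,
2015/11/10.08:46:10,10.1.2.3,51413,203.0.113.7,6881,900,50000000,
2015/11/10.08:43:30,10.1.2.3,51413,192.0.2.25,6881,600,1200,s[20]=BitTorrent protocol
"""

TIME_FMT = "%Y/%m/%d.%H:%M:%S"   # argus' default stime rendering
MB = 1024 * 1024


def parse_records(text):
    """Turn the ra-style CSV lines into dicts with typed fields."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split(",", 7)
        records.append({
            "stime": datetime.strptime(f[0], TIME_FMT),
            "saddr": f[1], "sport": int(f[2]),
            "daddr": f[3], "dport": int(f[4]),
            "sbytes": int(f[5]), "dbytes": int(f[6]),
            "suser": f[7] if len(f) > 7 else "",
        })
    return records


def time_window(records, center, minutes=5):
    """Keep records whose start time lies within +/- minutes of center
    (the '5m before and 5m after' subset suggested in the thread)."""
    if isinstance(center, str):
        center = datetime.strptime(center, TIME_FMT)
    lo, hi = center - timedelta(minutes=minutes), center + timedelta(minutes=minutes)
    return [r for r in records if lo <= r["stime"] <= hi]


def aggregate_flows(records):
    """Sum bytes per 5-tuple, because one long transfer is reported as several
    argus records when it crosses reporting intervals."""
    totals = defaultdict(lambda: {"bytes": 0, "records": 0})
    for r in records:
        key = (r["saddr"], r["sport"], r["daddr"], r["dport"])
        totals[key]["bytes"] += r["sbytes"] + r["dbytes"]
        totals[key]["records"] += 1
    return dict(totals)


def large_transfers(records, threshold=700 * MB):
    """Flows whose summed bytes exceed the threshold, largest first."""
    agg = aggregate_flows(records)
    hits = [(k, v["bytes"], v["records"]) for k, v in agg.items() if v["bytes"] > threshold]
    return sorted(hits, key=lambda h: h[1], reverse=True)


def banner_hits(records, needle="torrent"):
    """Case-insensitive user-data match, the counterpart of ra's '-e torrent'.
    Catches the small advertisement/handshake flows that carry no bulk data."""
    return [(r["saddr"], r["daddr"], r["dport"])
            for r in records if needle.lower() in r["suser"].lower()]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    win = time_window(recs, "2015/11/10.08:43:00")
    for key, total, n in large_transfers(win):
        print(f"{key}: {total / MB:.0f} MB over {n} records")
    for hit in banner_hits(win):
        print("torrent banner:", hit)
```

Note that the 192.0.2.25 flow is only a few bytes yet matches the banner search, which is Carter's point: the peer that hands out a torrent or handshakes may never move the file itself, so the user-data match finds what a byte threshold misses.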