BitTorrent protocol primer, part 3: Detecting

In my previous post on the BitTorrent protocol, I took a look at how BitTorrent operates as a very efficient way of downloading and uploading data. For this post I am going to take a look at how you can detect for its presence on a network. There are many reasons why you would want to do this, from investigating DMCA notifications to finding out where all your Internet bandwidth has gone. The three main ways in which I see BitTorrent been used.

  1. Standard BitTorrent clients downloading data directing from other clients on the BitTorrent networks. For the purposes of this blog article, I am going to focus on detecting this activity as it is the most popular way BitTorrent is used.
  2. The use of external proxies which allow for the tunnelling of BitTorrent over ports like TCP 22, 80 or 443. This form of tunnelling is used when firewalls are used to block all but the standard ports on the perimeter of networks. An external proxy server is used to handle the download requests between the client behind the firewall, and other clients on the BitTorrent network.
  3. Remote control of systems on open networks. Individuals who may find themselves on networks which block BitTorrent may use systems on other networks run BitTorrent clients. For example, I may have access to use BitTorrent on my home network but it is blocked at my place of work. To get access to the data I downloaded at home in the workplace, I could use a remote control client which can tunnel this data into the workplace. Some applications have been designed specifically for this task. To monitor for this type of activity I recommend that you keep an eye on the top users on bandwidth on your network.

When it comes to detecting BitTorrent you need to look at traffic analysis tools. The most popular ones use packet capture or flow data like Cisco NetFlow. For packet capture, you just need mirror the switch port which connects your firewall to the network core or other local switch.  For flow capture you need to look at capturing flow records from a switch or router inside your network. What I mean by this is the flow records need to show what systems are making connections, no point in monitoring the external interfaces on your firewalls as they may show the firewall as the source of all connections.

Once you have monitoring in place you need to look at two things. The first is to look for any clients connecting to systems outside your network on high port numbers. This is unusual as normal web browsing will be on ports 80(HTTP) and 443(HTTPS). A connection from a local system to an external one over something like port 10321 would be unusual. Also look out systems which are uploading a lot of data. Normally we download a lot more data than we would upload when accessing web pages. Client systems which upload a lot of data are sharing something.

Deep packet inspection (DPI) tools use packet capture to look at what data is moving around your network. Most can detect BitTorrent by looking for specific things in packet headers and payloads. Systems which are used to throttle bandwidth use employ similar techniques for identifying its presence. If you are interested in this technology, look out for systems which can extract the info hash values from the BitTorrent traffic. This will make it easier to respond to DMCA notifications as these notifications may reference the info hash values.


Darragh Delaney is head of technical services at NetFort.  As Director of Technical Services and Customer Support, he interacts on a daily basis with NetFort customers and is responsible for the delivery of a high quality technical and customer support service. Follow Darragh on Twitter @darraghdelaney


Copyright © 2012 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon