How does Wireshark define the BitTorrent protocol?

I am studying the detection of P2P traffic on the network (I am developing a program for coursework), and in particular I need to detect BitTorrent traffic. I understand that BitTorrent can be identified by port numbers and by the string "BitTorrent protocol" in the packet payload, but what other methods are there?

unins000exe, asked 2023-03-12 13:52:14 +0000


1 Answer


The Wireshark bittorrent dissector uses two methods to identify bittorrent traffic:

  1. It uses a range of TCP ports
  2. It uses a heuristic analysis of the packet consisting of:
    1. minimum payload length
    2. a length indication
    3. an identification string

If there are others, these are not (yet) implemented in the dissector.

Jaap, answered 2023-03-12 14:14:55 +0000

Comments

Could you describe the heuristic method in a little more detail?

unins000exe (2023-03-12 14:59:38 +0000)

Click the "heuristic analysis of the packet" link in @Jaap's reply. It's 3 lines of code that read pretty easily.

Chuckc (2023-03-12 17:16:30 +0000)

The three lines say:

  1. Length minimum 20 bytes
  2. a byte with value 19
  3. followed by the string "BitTorrent protocol"

Jaap (2023-03-12 20:33:39 +0000)

There are, however, packages that do not meet these conditions but are still defined as BitTorrent. I have attached a link to this comment where you can see an example of such a package.

https://ibb.co/YfqVMQ6

unins000exe (2023-03-13 08:13:25 +0000)

```c
   /* The heuristic from the Wireshark BitTorrent dissector, as linked above:
      all three checks must pass before the conversation is handed over. */
   if (tvb_captured_length(tvb) >= 20 &&                                    /* 1. at least 20 bytes of payload     */
       tvb_get_guint8(tvb, 0) == 19 &&                                      /* 2. first byte is 19 (pstr length)   */
       tvb_memeql(tvb, 1, (const guint8*)"BitTorrent protocol", 19) == 0) { /* 3. followed by "BitTorrent protocol" */
      conversation = find_or_create_conversation(pinfo);
      /* Remember this TCP conversation, so later packets in it are dissected
         as BitTorrent even when they do not carry the handshake themselves. */
      conversation_set_dissector(conversation, dissector_handle);
   }
```

Is the packet in the screen shot part of a conversation that matches the protocol heuristics?

Chuckc (2023-03-13 11:33:04 +0000)
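An added example (not Wireshark's code and not posted by anyone in this thread) that re-implements the three checks from the snippet above in Python and tracks the TCP conversation the way `conversation_set_dissector()` does, so a packet that fails the handshake heuristic is still labelled BitTorrent when it belongs to a conversation that already matched. The `Packet` type, addresses, ports and payloads are constructed for the demonstration.

```python
from collections import namedtuple

# Constructed example, not Wireshark code: the same three checks the
# dissector applies, plus conversation tracking so that packets which
# follow a matched handshake are still labelled BitTorrent.
HANDSHAKE_PSTR = b"BitTorrent protocol"

Packet = namedtuple("Packet", "src sport dst dport payload")


def matches_handshake(payload: bytes) -> bool:
    """The dissector's heuristic: >= 20 bytes, byte 19, then the id string."""
    return (len(payload) >= 20
            and payload[0] == 19
            and payload[1:20] == HANDSHAKE_PSTR)


def conversation_key(pkt: Packet):
    """Direction-independent TCP 4-tuple, so both sides share one key."""
    ends = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
    return tuple(ends)


def classify(packets):
    """Label each packet 'bittorrent' or 'unknown', in capture order."""
    known = set()           # conversations handed to the "dissector"
    labels = []
    for pkt in packets:
        key = conversation_key(pkt)
        if matches_handshake(pkt.payload):
            known.add(key)  # what conversation_set_dissector() achieves
        labels.append("bittorrent" if key in known else "unknown")
    return labels


# Constructed packets: a handshake (19 + pstr + 8 reserved bytes + dummy
# 20-byte info_hash + dummy 20-byte peer_id), a later 'interested' message
# (length prefix 1, id 2) in the same conversation, and an unrelated HTTP
# request.
HANDSHAKE = b"\x13" + HANDSHAKE_PSTR + bytes(8) + b"H" * 20 + b"P" * 20
SAMPLE = [
    Packet("10.0.0.2", 40000, "10.0.0.9", 6881, HANDSHAKE),
    Packet("10.0.0.9", 6881, "10.0.0.2", 40000, b"\x00\x00\x00\x01\x02"),
    Packet("10.0.0.2", 40001, "10.0.0.5", 80, b"GET / HTTP/1.1\r\n\r\n"),
]

if __name__ == "__main__":
    print(classify(SAMPLE))  # ['bittorrent', 'bittorrent', 'unknown']
```

The second packet is labelled BitTorrent only because its conversation was matched earlier; run on its own, `matches_handshake()` rejects it, which is the situation the screenshot question above is asking about.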
