Ask Your Question
0

How wireshark defines the bittorrent protocol?

asked 2023-03-12 13:52:14 +0000

unins000exe gravatar image

I am studying the detection (I am developing my program for coursework) of P2P traffic on the network, including I need to detect bittorrent traffic. I understand that BitTorrent can be identified by port numbers, the string "BitTorrent protocol" in the payload of packets, but what other methods are there?

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2023-03-12 14:14:55 +0000

Jaap gravatar image

The Wireshark bittorrent dissector uses two methods to identify bittorrent traffic:

  1. It uses a range of TCP ports
  2. It uses a heuristic analysis of the packet consisting of:
    1. minimum payload length
    2. a length indication
    3. an identification string

If there are others, these are not (yet) implemented in the dissector.

edit flag offensive delete link more

Comments

Could you describe the heuristic method in a little more detail?

unins000exe gravatar imageunins000exe ( 2023-03-12 14:59:38 +0000 )edit

Click the "heuristic analysis of the packet" link in @Jaap reply. It's 3 lines of code that read pretty easy.

Chuckc gravatar imageChuckc ( 2023-03-12 17:16:30 +0000 )edit

The three lines say:

  1. Length minimum 20 bytes
  2. a byte with value 19
  3. followed by a string "BitTorrent protocol"
Jaap gravatar imageJaap ( 2023-03-12 20:33:39 +0000 )edit

But there are packages that do not meet these conditions, but are still defined as BitTorrent. I have attached a link to this comment where you can see an example of such a package.

https://ibb.co/YfqVMQ6

unins000exe gravatar imageunins000exe ( 2023-03-13 08:13:25 +0000 )edit
   if (tvb_captured_length(tvb) >= 20 &&
       tvb_get_guint8(tvb, 0) == 19 &&
       tvb_memeql(tvb, 1, (const guint8*)"BitTorrent protocol", 19) == 0) {
      conversation = find_or_create_conversation(pinfo);
      conversation_set_dissector(conversation, dissector_handle);


Is the packet in the screen shot part of a conversation that matches the protocol heuristics?

Chuckc gravatar imageChuckc ( 2023-03-13 11:33:04 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

Stats

Asked: 2023-03-12 13:52:14 +0000

Seen: 288 times

Last updated: Mar 12 '23