
How wireshark defines the bittorrent protocol?

asked 2023-03-12 13:52:14 +0000

unins000exe

I am studying the detection of P2P traffic on the network (I am developing my own program for coursework), and in particular I need to detect BitTorrent traffic. I understand that BitTorrent can be identified by port numbers and by the string "BitTorrent protocol" in the packet payload, but what other methods are there?


1 Answer


answered 2023-03-12 14:14:55 +0000

Jaap

The Wireshark bittorrent dissector uses two methods to identify bittorrent traffic:

  1. It uses a range of TCP ports
  2. It uses a heuristic analysis of the packet consisting of:
     1. a minimum payload length
     2. a length indication
     3. an identification string

If there are others, these are not (yet) implemented in the dissector.


Comments

Could you describe the heuristic method in a little more detail?

unins000exe ( 2023-03-12 14:59:38 +0000 )

Click the "heuristic analysis of the packet" link in @Jaap reply. It's 3 lines of code that read pretty easy.

Chuckc ( 2023-03-12 17:16:30 +0000 )

The three lines say:

  1. minimum length of 20 bytes
  2. a byte with value 19
  3. followed by the string "BitTorrent protocol"

Jaap ( 2023-03-12 20:33:39 +0000 )

But there are packets that do not meet these conditions and are still identified as BitTorrent. I have attached a link to this comment where you can see an example of such a packet.

https://ibb.co/YfqVMQ6

unins000exe ( 2023-03-13 08:13:25 +0000 )

The heuristic in the Wireshark bittorrent dissector (packet-bittorrent.c), with the closing braces added so the snippet is complete:

    /* Heuristic: at least 20 bytes, first byte 19 (pstrlen), then the
     * 19-byte identification string "BitTorrent protocol". */
    if (tvb_captured_length(tvb) >= 20 &&
        tvb_get_guint8(tvb, 0) == 19 &&
        tvb_memeql(tvb, 1, (const guint8*)"BitTorrent protocol", 19) == 0) {
       /* Remember the conversation so later packets go to this dissector. */
       conversation = find_or_create_conversation(pinfo);
       conversation_set_dissector(conversation, dissector_handle);
    }

Is the packet in the screenshot part of a conversation that matches the protocol heuristics?

Chuckc ( 2023-03-13 11:33:04 +0000 )

Check the bittorrent dissector preferences. The stated port range is the set of default port numbers. These are configurable, so it's impossible to tell what they were in the Wireshark session you made a screenshot from.

Jaap ( 2023-03-13 12:40:17 +0000 )

The default ports are set in the bittorrent dissector preferences. https://ibb.co/g4jZYmy

unins000exe ( 2023-03-13 14:18:07 +0000 )

Are you going to share the capture file?

Jaap ( 2023-03-13 15:11:30 +0000 )

It can be seen in the Wiki sample capture (Frame 4).

BITTORRENT.pcap (libpcap) Capture file of two torrent clients communicating without DHT or peer exchange.

(The wiki is having issues currently - get the file from the Gitlab version: https://gitlab.com/wireshark/wireshar...)

If you export frame 4 to a pcap and open it, it will display as TCP and data.

Chuckc ( 2023-03-13 15:25:02 +0000 )

Look, @Chuckc sent a link to an example of traffic. The fourth packet, which is identified as Unchoke, does not use the standard ports, its payload length is less than 20, and there is no "BitTorrent protocol" string. How is such a packet identified as BitTorrent in Wireshark?

unins000exe ( 2023-03-13 16:41:56 +0000 )

This is where the power of 'conversations' comes in. Once it is established that an IP/protocol/port pair exchanges the bittorrent protocol, a conversation is created (see the code sample above) that causes the payloads of the packets exchanged between them to be handed off to the bittorrent dissector.

Jaap ( 2023-03-13 16:55:25 +0000 )

README.dissector:

2.2.1.11 The conversation_set_dissector function

This function sets the protocol dissector to be invoked whenever conversation parameters (addresses, port_types, ports, etc) are matched during the dissection of a packet.

A conversation is defined in frame 1 and the BitTorrent dissector is set for it.
Future frames (such as frame 4) that are part of the conversation then use the BitTorrent dissector.

Chuckc ( 2023-03-13 16:56:54 +0000 )

That is, if it is detected that a pair of addresses started a BitTorrent conversation, then subsequent packets between them are treated as potentially BitTorrent?

unins000exe ( 2023-03-13 17:03:05 +0000 )
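The two mechanisms discussed in this thread (the port range and the three-check handshake heuristic in Jaap's answer, and the conversation hand-off explained in the later comments) can be reproduced in a few dozen lines. The following is an added example written for this page, not Wireshark's code: it classifies constructed TCP payloads by first checking a port list, then a remembered conversation, then the handshake heuristic, and shows that a 5-byte Unchoke message on non-standard ports is still dissected as BitTorrent once the handshake on the same 5-tuple has been seen. The port set `KNOWN_PORTS` and the packet contents are assumptions made for the example; the real default ports live in the dissector preferences and are configurable.

```python
"""Constructed example of BitTorrent traffic classification (not Wireshark code)."""
from dataclasses import dataclass

PSTR = b"BitTorrent protocol"
# handshake = pstrlen(1) + pstr(19) + reserved(8) + info_hash(20) + peer_id(20)
HANDSHAKE_LEN = 1 + len(PSTR) + 8 + 20 + 20

# Assumed example port range; Wireshark's own defaults are a dissector preference.
KNOWN_PORTS = set(range(6881, 6890))

MSG_NAMES = {0: "choke", 1: "unchoke", 2: "interested", 3: "not interested",
             4: "have", 5: "bitfield", 6: "request", 7: "piece", 8: "cancel"}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def conversation_key(pkt):
    """Direction-independent key so both sides of the TCP flow share one entry."""
    a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
    return (a, b) if a <= b else (b, a)


def looks_like_handshake(payload):
    """The three heuristic checks from the thread: length, pstrlen byte, id string."""
    return len(payload) >= 20 and payload[0] == 19 and payload[1:20] == PSTR


def parse_handshake(payload):
    if not looks_like_handshake(payload) or len(payload) < HANDSHAKE_LEN:
        return None
    return {"reserved": payload[20:28],
            "info_hash": payload[28:48],
            "peer_id": payload[48:68]}


def parse_messages(payload):
    """Post-handshake wire format: 4-byte big-endian length, then message id + body."""
    msgs, off = [], 0
    while off + 4 <= len(payload):
        length = int.from_bytes(payload[off:off + 4], "big")
        off += 4
        if length == 0:
            msgs.append("keep-alive")
            continue
        if off + length > len(payload):
            msgs.append("truncated")
            break
        msgs.append(MSG_NAMES.get(payload[off], f"unknown({payload[off]})"))
        off += length
    return msgs


def dissect_bittorrent(payload):
    """What the 'bittorrent dissector' does once it has been handed a payload."""
    if looks_like_handshake(payload):
        return {"handshake": parse_handshake(payload)}
    return {"messages": parse_messages(payload)}


class Classifier:
    def __init__(self):
        self.conversations = set()   # 5-tuple keys bound to the BitTorrent dissector

    def classify(self, pkt):
        key = conversation_key(pkt)
        if pkt.sport in KNOWN_PORTS or pkt.dport in KNOWN_PORTS:
            via = "port"
        elif key in self.conversations:
            via = "conversation"
        elif looks_like_handshake(pkt.payload):
            via = "heuristic"
            self.conversations.add(key)   # the conversation_set_dissector() step
        else:
            return ("data", None, None)
        return ("bittorrent", via, dissect_bittorrent(pkt.payload))


def run_example():
    """Constructed packets: a handshake on non-standard ports, the Unchoke reply,
    an identical Unchoke with no prior handshake, and a keep-alive on a known port."""
    c = Classifier()
    handshake = b"\x13" + PSTR + bytes(8) + b"\xaa" * 20 + b"-EX0001-" + b"0" * 12
    unchoke = b"\x00\x00\x00\x01\x01"
    pkts = [
        Packet("10.0.0.1", 51234, "10.0.0.2", 40000, handshake),
        Packet("10.0.0.2", 40000, "10.0.0.1", 51234, unchoke),   # reverse direction
        Packet("10.0.0.9", 33333, "10.0.0.8", 44444, unchoke),   # no handshake seen
        Packet("10.0.0.9", 33333, "10.0.0.8", 6881, b"\x00\x00\x00\x00"),
    ]
    return [c.classify(p) for p in pkts]


if __name__ == "__main__":
    for result in run_example():
        print(result)
```

The third packet is byte-for-byte the same Unchoke as the second, yet it comes back as plain data: neither the port list, nor a prior handshake on that 5-tuple, nor the payload itself identifies it. That is exactly why frame 4 of the sample capture shows as TCP/data when exported on its own, and why a detector that only inspects single packets in isolation will miss most BitTorrent traffic.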

Question Tools

Stats

Asked: 2023-03-12 13:52:14 +0000

Seen: 339 times

Last updated: Mar 12 '23