Having a bit of trouble finding a string I can use for tshark to get it to capture BitTorrent traffic only, and include a MAC address. Preferably it would be something like: [time] [MAC] [torrent hash]

I got as far as:

tshark -i 3 -f "tcp portrange 6881-6889" -w cap -b filesize:4096 -b filenum:100 -T fields -e eth.src

But there are several problems there, mainly the lack of the torrent hash, and that tcp portrange 6881-6889 doesn't seem to reliably capture torrent traffic at all. (Is there a better way?)

The objective is to be able to forward takedown notices to the correct users in a network. Any ideas or suggestions would be appreciated. I know which users are registered to which MACs, I just need to be able to link a hash to a MAC at a given time.

asked 07 Sep '12, 11:49 Lurkios
edited 07 Sep '12, 12:04
One Answer:
I think you can't track torrents by assuming a range of ports between 6881-6889. Most torrent clients I know have the option of randomizing their port each time they start, and they can basically use the whole range from 1025 to 65535 if they like. So I doubt that capturing by port is helping you.

In my opinion the only way to track down torrent traffic is to find a specific traffic pattern that indicates torrent traffic. I haven't looked into that myself, so I can't provide you with a pattern like that. I know that Intrusion Prevention systems often have the ability to block torrent traffic specifically, so there must be some sort of pattern that works. What makes it even harder is that modern torrent programs can even encrypt their traffic (to avoid being throttled by ISPs detecting torrent patterns), so detecting it might not even be possible at all.

I'm not sure how your network is set up, but if you're NATting connections and the takedown notice comes with an IP and port, you could look at the NAT tables to see who the connection was forwarded to. It will probably require keeping NAT table logs for quite some time, I guess.

answered 08 Sep '12, 04:28 Jasper ♦♦
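One concrete way to get the "[time] [MAC] [torrent hash]" rows the question asks for, as an added example that is not part of the original question or answer: instead of filtering by port, let Wireshark's BitTorrent dissector identify the peer-wire handshake (it is recognised by content, not by port) and pull the info-hash field out of it. This assumes the dissector field name bittorrent.info_hash, a tshark on the PATH, and that the handshake is in cleartext; as the answer notes, clients using protocol encryption produce no dissected handshake and therefore no rows here, so absence of a row is not proof of absence of traffic.

```sh
#!/bin/sh
# Added example, not code from the original post. Assumes the Wireshark
# BitTorrent dissector exposes the handshake info-hash as "bittorrent.info_hash"
# (a real dissector field) and that tshark is installed.

# Turn tshark's tab-separated field output into "[time] [MAC] [hash]" rows.
# Byte fields may be printed colon-separated ("1a:2b:..."), so the colons are
# stripped to give the plain 40-hex-digit info-hash.
format_bt_rows() {
  awk -F'\t' 'NF >= 3 {
    h = $3; gsub(":", "", h);
    printf "[%s] [%s] [%s]\n", $1, $2, h
  }'
}

# Offline report: read a saved capture (e.g. one file of the -b ring buffer
# from the question) and list every cleartext BitTorrent handshake in it.
bt_hash_report() {
  # $1 = pcap/pcapng file
  tshark -r "$1" -Y 'bittorrent.info_hash' \
    -T fields -e frame.time_epoch -e eth.src -e bittorrent.info_hash \
    -E separator=/t | format_bt_rows
}

# Live variant: same fields straight from an interface. -l flushes each line
# so the output can be piped into a logger as it arrives.
bt_hash_live() {
  # $1 = interface name or number (e.g. 3 or eth0)
  tshark -i "$1" -l -Y 'bittorrent.info_hash' \
    -T fields -e frame.time_epoch -e eth.src -e bittorrent.info_hash \
    -E separator=/t | format_bt_rows
}

# Constructed sample of what tshark -T fields emits for two handshakes
# (made-up timestamps, MACs and hashes), so the formatter can be exercised
# without a capture or a tshark binary.
demo_rows() {
  printf '1347009245.000000000\t00:11:22:33:44:55\t01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef:01:23:45:67\n'
  printf '1347009301.500000000\t66:77:88:99:aa:bb\tfedcba9876543210fedcba9876543210fedcba98\n'
}

# Usage (when a capture or interface is available):
#   bt_hash_report cap_00001_20120908112233.pcapng
#   bt_hash_live 3
demo_rows | format_bt_rows
```

The eth.src value is only meaningful on the segment where the capture runs: behind a router the source MAC is the router's, so the capture point has to sit on the same L2 segment as the users being mapped. The same formatter works on the ring-buffer files the question already writes with -b, so the existing capture setup can be kept and the hash extraction done afterwards with bt_hash_report.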