How to know if someone is using torrent in my network??
-
Hey,
Can anyone tell me how to check if someone is downloading anything from torrent or other things via p2p clients..
I have installed squidguard and sarg in my PFSense server machine but I'm unable to know who is downloading via torrent, p2p clients. -
Install Snort and let it block it?
-
why don't you just take a simple sniff for a few minutes and look at the traffic - it will very simple to spot p2p traffic.
-
Not even sniff needed. If you look at the firewall states, it's extremely obvious.
-
This is very true as well ;) I just like to see the actual traffic..
-
A shout-out to Dustin Webber for his Snorby project. I use it as a front-end for my Snort-IDS to display the payload for P2P traffic in the database.
-
Unsure whether it's worse to get DoSed by BT or by Snort… :P
-
This is how I know when I'm torrenting. But really, most torrent clients use random ports for nearly everything, some even randomly change ports over time, and they use a mixture of UDP and TCP traffic, all encrypted. Your only hope would be to block all encrypted traffic. But you can slow down torrent or look for torrent by monitoring the default torrent ports, but that will mostly get you stuff like Blizzard's Battle.Net launcher.
-
why don't you just take a simple sniff for a few minutes and look at the traffic - it will very simple to spot p2p traffic.
Not even sniff needed. If you look at the firewall states, it's extremely obvious.
DHCP: the next day you'll have to sniff another thing.
(Yes, we economists, we're stupid with our thing about efficiency ;D ).
-
why don't you just take a simple sniff for a few minutes and look at the traffic - it will very simple to spot p2p traffic.
but how to check p2p log?
-
The only good way to mostly stop torrents is to block all incoming ports, no port forwarding, and limit outgoing ports. If all you care about is web pages, then this should work, I think.
-
Agreed, p2p hard to work when only port 80 and 443 outbound is allowed ;) With no inbound ports - sure they might be able to be able to get to a few seeds, but they sure wouldn't be uploading anything.
As to how it looks in a sniff, I don't run any p2p locally anyway - its all via a seedbox. But sure if I get a chance will fire up a sniff there to show how it looks.. Simple look and you will see it – its very distinct and easy to spot traffic.
As to why would you have to look at it tmrw.. You shut down a few users with warning letters from management, and the rest of the user base follows suite very quickly in not doing it.
-
I must be having a different Transmission client than you all ;D
-
I have no ports open on WAN;
-
I have no ports forwarded;
-
I easily seed 500% per torrent;
That aside, if you set your client port to port 80 you'll circumvent any measure with allowed ports too.
Imho either snort to block it, or traffic shaper to limit the speed to zero.
(I'd go for Snort; set it, and forget it, instead of wasting time again and again because you have to sniff if somebody might be torrenting).
-
-
Shut down your outbound ports and see how much you upload to peers that listen all kinds of random ports.
