Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    How to know if someone is using torrent in my network??

    General pfSense Questions
    6
    14
    6.8k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • johnpozJ
      johnpoz LAYER 8 Global Moderator
      last edited by

      why don't you just take a simple sniff for a few minutes and look at the traffic - it will very simple to spot p2p traffic.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

      1 Reply Last reply Reply Quote 0
      • D
        doktornotor Banned
        last edited by

        Not even sniff needed. If you look at the firewall states, it's extremely obvious.

        1 Reply Last reply Reply Quote 0
        • johnpozJ
          johnpoz LAYER 8 Global Moderator
          last edited by

          This is very true as well ;)  I just like to see the actual traffic..

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

          1 Reply Last reply Reply Quote 0
          • G
            gjaltemba
            last edited by

            A shout-out to Dustin Webber for his Snorby project. I use it as a front-end for my Snort-IDS to display the payload for P2P traffic in the database.

            1 Reply Last reply Reply Quote 0
            • D
              doktornotor Banned
              last edited by

              Unsure whether it's worse to get DoSed by BT or by Snort… :P

              1 Reply Last reply Reply Quote 0
              • H
                Harvy66
                last edited by

                This is how I know when I'm torrenting. But really, most torrent clients use random ports for nearly everything, some even randomly change ports over time, and they use a mixture of UDP and TCP traffic, all encrypted. Your only hope would be to block all encrypted traffic. But you can slow down torrent or look for torrent by monitoring the default torrent ports, but that will mostly get you stuff like Blizzard's Battle.Net launcher.

                1 Reply Last reply Reply Quote 0
                • M
                  Mr. Jingles
                  last edited by

                  @johnpoz:

                  why don't you just take a simple sniff for a few minutes and look at the traffic - it will very simple to spot p2p traffic.

                  @doktornotor:

                  Not even sniff needed. If you look at the firewall states, it's extremely obvious.

                  DHCP: the next day you'll have to sniff another thing.

                  (Yes, we economists, we're stupid with our thing about efficiency  ;D ).

                  6 and a half billion people know that they are stupid, agressive, lower life forms.

                  1 Reply Last reply Reply Quote 0
                  • P
                    pankajpomal
                    last edited by

                    @johnpoz:

                    why don't you just take a simple sniff for a few minutes and look at the traffic - it will very simple to spot p2p traffic.

                    but how to check p2p log?

                    1 Reply Last reply Reply Quote 0
                    • H
                      Harvy66
                      last edited by

                      The only good way to mostly stop torrents is to block all incoming ports, no port forwarding, and limit outgoing ports. If all you care about is web pages, then this should work, I think.

                      1 Reply Last reply Reply Quote 0
                      • johnpozJ
                        johnpoz LAYER 8 Global Moderator
                        last edited by

                        Agreed, p2p hard to work when only port 80 and 443 outbound is allowed ;)  With no inbound ports - sure they might be able to be able to get to a few seeds, but they sure wouldn't be uploading anything.

                        As to how it looks in a sniff, I don't run any p2p locally anyway - its all via a seedbox.  But sure if I get a chance will fire up a sniff there to show how it looks.. Simple look and you will see it – its very distinct and easy to spot traffic.

                        As to why would you have to look at it tmrw.. You shut down a few users with warning letters from management, and the rest of the user base follows suite very quickly in not doing it.

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                        1 Reply Last reply Reply Quote 0
                        • M
                          Mr. Jingles
                          last edited by

                          I must be having a different Transmission client than you all  ;D

                          • I have no ports open on WAN;

                          • I have no ports forwarded;

                          • I easily seed 500% per torrent;

                          That aside, if you set your client port to port 80 you'll circumvent any measure with allowed ports too.

                          Imho either snort to block it, or traffic shaper to limit the speed to zero.

                          (I'd go for Snort; set it, and forget it, instead of wasting time again and again because you have to sniff if somebody might be torrenting).

                          6 and a half billion people know that they are stupid, agressive, lower life forms.

                          1 Reply Last reply Reply Quote 0
                          • johnpozJ
                            johnpoz LAYER 8 Global Moderator
                            last edited by

                            Shut down your outbound ports and see how much you upload to peers that listen all kinds of random ports.

                            An intelligent man is sometimes forced to be drunk to spend time with his fools
                            If you get confused: Listen to the Music Play
                            Please don't Chat/PM me for help, unless mod related
                            SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                            1 Reply Last reply Reply Quote 0
                            • First post
                              Last post
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.