Netgate Discussion Forum

    How to know if someone is using torrent in my network??

      Mr. Jingles

      Install Snort and let it block it?

      6 and a half billion people know that they are stupid, aggressive, lower life forms.

        johnpoz LAYER 8 Global Moderator

        Why don't you just take a simple sniff for a few minutes and look at the traffic - it will be very simple to spot p2p traffic.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

          doktornotor Banned

          Not even sniff needed. If you look at the firewall states, it's extremely obvious.

            johnpoz LAYER 8 Global Moderator

            This is very true as well ;)  I just like to see the actual traffic..

              gjaltemba

              A shout-out to Dustin Webber for his Snorby project. I use it as a front-end for my Snort-IDS to display the payload for P2P traffic in the database.

                doktornotor Banned

                Unsure whether it's worse to get DoSed by BT or by Snort… :P

                  Harvy66

                  This is how I know when I'm torrenting. But really, most torrent clients use random ports for nearly everything, some even randomly change ports over time, and they use a mixture of UDP and TCP traffic, all encrypted. Your only hope would be to block all encrypted traffic. But you can slow down torrent or look for torrent by monitoring the default torrent ports, but that will mostly get you stuff like Blizzard's Battle.Net launcher.

                    Mr. Jingles

                    @johnpoz:

                    Why don't you just take a simple sniff for a few minutes and look at the traffic - it will be very simple to spot p2p traffic.

                    @doktornotor:

                    Not even sniff needed. If you look at the firewall states, it's extremely obvious.

                    DHCP: the next day you'll have to sniff another thing.

                    (Yes, we economists, we're stupid with our thing about efficiency  ;D ).

                      pankajpomal

                      @johnpoz:

                      Why don't you just take a simple sniff for a few minutes and look at the traffic - it will be very simple to spot p2p traffic.

                      but how to check p2p log?

                        Harvy66

                        The only good way to mostly stop torrents is to block all incoming ports, no port forwarding, and limit outgoing ports. If all you care about is web pages, then this should work, I think.

                          johnpoz LAYER 8 Global Moderator

                          Agreed, p2p is hard to work when only port 80 and 443 outbound is allowed ;)  With no inbound ports - sure they might be able to get to a few seeds, but they sure wouldn't be uploading anything.

                          As to how it looks in a sniff, I don't run any p2p locally anyway - it's all via a seedbox.  But sure if I get a chance will fire up a sniff there to show how it looks.. Simple look and you will see it – it's very distinct and easy to spot traffic.

                          As to why would you have to look at it tmrw.. You shut down a few users with warning letters from management, and the rest of the user base follows suit very quickly in not doing it.

                            Mr. Jingles

                            I must be having a different Transmission client than you all  ;D

                            • I have no ports open on WAN;

                            • I have no ports forwarded;

                            • I easily seed 500% per torrent;

                            That aside, if you set your client port to port 80 you'll circumvent any measure with allowed ports too.

                            Imho either snort to block it, or traffic shaper to limit the speed to zero.

                            (I'd go for Snort; set it, and forget it, instead of wasting time again and again because you have to sniff if somebody might be torrenting).

                              johnpoz LAYER 8 Global Moderator

                              Shut down your outbound ports and see how much you upload to peers that listen on all kinds of random ports.
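As an added example (not posted by anyone in the thread), here is one way to apply the "look at the firewall states" suggestion: count, per LAN host, the distinct remote peers it holds TCP/UDP states to on ports outside a short list of expected services. The line layout is modelled on `pfctl -ss` output and is an assumption, as are the LAN subnet, the port list, the threshold and the constructed sample lines; IPv4 only.

```python
import ipaddress
import re
from collections import defaultdict

LAN = ipaddress.ip_network("192.168.1.0/24")   # assumption: your LAN subnet
COMMON_PORTS = {53, 80, 123, 443, 993}          # assumption: services you expect clients to use
ENDPOINT = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")

# Constructed sample, laid out like `pfctl -ss` lines (documentation address ranges).
SAMPLE = """\
em1 tcp 203.0.113.10:443 <- 192.168.1.20:50112       ESTABLISHED:ESTABLISHED
em0 tcp 198.51.100.2:61001 (192.168.1.20:50112) -> 203.0.113.10:443       ESTABLISHED:ESTABLISHED
em1 udp 192.168.1.1:53 <- 192.168.1.20:40000       SINGLE:MULTIPLE
em1 tcp 203.0.113.21:51413 <- 192.168.1.50:51000       ESTABLISHED:ESTABLISHED
em1 tcp 203.0.113.22:6881 <- 192.168.1.50:51001       ESTABLISHED:ESTABLISHED
em1 udp 203.0.113.23:40312 <- 192.168.1.50:51413       MULTIPLE:MULTIPLE
em1 udp 203.0.113.24:28015 <- 192.168.1.50:51413       MULTIPLE:MULTIPLE
em1 tcp 203.0.113.25:17433 <- 192.168.1.50:51002       SYN_SENT:CLOSED
em1 udp 203.0.113.26:6889 <- 192.168.1.50:51413       SINGLE:NO_TRAFFIC
""".splitlines()

def peers_by_host(state_lines):
    """Map each LAN host to the set of (proto, remote_ip, remote_port) it has states to."""
    peers = defaultdict(set)
    for line in state_lines:
        fields = line.split()
        # Skip non-TCP/UDP states and the NAT-translated WAN-side copy of each flow.
        if len(fields) < 3 or fields[1] not in ("tcp", "udp") or "(" in line:
            continue
        ends = [(ipaddress.ip_address(ip), int(port)) for ip, port in ENDPOINT.findall(line)]
        local = [e for e in ends if e[0] in LAN]
        remote = [e for e in ends if e[0] not in LAN]
        # Keep LAN-to-outside flows whose remote port is not an expected service.
        if len(local) == 1 and len(remote) == 1 and remote[0][1] not in COMMON_PORTS:
            peers[str(local[0][0])].add((fields[1], str(remote[0][0]), remote[0][1]))
    return peers

def suspects(state_lines, min_peers=5):
    """Hosts holding states to at least min_peers distinct peers on unexpected ports."""
    result = {}
    for host, found in peers_by_host(state_lines).items():
        if len(found) >= min_peers:
            result[host] = {"peers": len(found), "protos": sorted({p[0] for p in found})}
    return result

if __name__ == "__main__":
    print(suspects(SAMPLE))
```

This is a heuristic for triage, not a classifier: a host that fans out to many peers on scattered ports over both TCP and UDP is worth a closer look in a packet capture, while some game launchers and update clients produce a similar pattern.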