This wiki has been migrated to https://gitlab.com/wireshark/wireshark/-/wikis/home and is now deprecated. Please use that site instead.
Differences between revisions 13 and 14

Revision 13 as of 2006-05-11 00:59:18 (size 3696, editor GuyHarris, comment: "Prefer portrange to the more complicated expression, warn about 0.8.x.")

Revision 14 as of 2006-06-05 03:19:09 (size 3701, editor localhost, no comment)

Changes in revision 14 (page lines 18, 20, 30, 35 and 40): every reference to Ethereal was renamed to Wireshark: the example traffic note, the "Ethereal" section heading (now "Wireshark"), the example capture file note, the display filter reference link (http://www.ethereal.com/docs/dfref/b/bittorrent.html replaced by http://www.wireshark.org/docs/dfref/b/bittorrent.html), and the note "implemented in Ethereal post 0.10.12" (now Wireshark).

BitTorrent

BitTorrent is a protocol designed for transferring files. It is peer-to-peer in nature, as users connect to each other directly to send and receive portions of the file. However, there is a central server (called a tracker) which coordinates the action of all such peers. The tracker only manages connections, it does not have any knowledge of the contents of the files being distributed, and therefore a large number of users can be supported with relatively limited tracker bandwidth.

A recent extension to BitTorrent is the DHT ("distributed sloppy hash table", also simply called the UDP tracker) protocol, a UDP-based peer-to-peer tracker protocol.

History

XXX - add a brief description of BitTorrent history

Protocol dependencies

  • ["TCP"]: Typically, BitTorrent uses ["TCP"] as its transport protocol. The well-known TCP ports for BitTorrent traffic are 6881-6889 (and 6969 for the tracker port). The DHT extension (peer-to-peer tracker) uses various UDP ports negotiated by the peers.

Example traffic

XXX - Add example traffic here (as plain text or Wireshark screenshot).

Wireshark

The BitTorrent dissector is (fully functional, partially functional, not existing, ... whatever the current state is). The DHT extension is currently not decoded.

Preference Settings

(XXX add links to preference settings affecting how PROTO is dissected).

Example capture file

XXX - Add a simple example capture file to the SampleCaptures page and link from here (see below). Keep this file short; it's also a good idea to gzip it to make it even smaller, as Wireshark can open gzipped files automatically.

  • attachment:SampleCaptures/PROTO.pcap

Display Filter

A complete list of BitTorrent display filter fields can be found in the [http://www.wireshark.org/docs/dfref/b/bittorrent.html display filter reference]

  • Show only the BitTorrent based traffic:

     bittorrent 

Note: implemented in Wireshark post 0.10.12!

Capture Filter

You cannot directly filter BitTorrent protocols while capturing. However, if you know the ["TCP"] port used (see above), you can filter on that one.

  • Capture only the BitTorrent tracker traffic over one of the default ports (e.g. 6881):

     tcp port 6881 

  • Capture the BitTorrent tracker traffic over the range of default ports (e.g. 6881-6889):

     tcp portrange 6881-6889

    when using libpcap 0.9.1 or later or WinPcap 3.1 or later; that expression won't work with older versions of libpcap or WinPcap, so, on Windows, upgrade to WinPcap 3.1 or later and, on UN*X, upgrade to libpcap 0.9.x if possible and, if not possible and you have a version of libpcap prior to 0.8.1, use

     (tcp[0:2] >= 6881 and tcp[0:2] <= 6889) or (tcp[2:2] >= 6881 and tcp[2:2] <= 6889)

    (a bug in the libpcap optimizer in libpcap 0.8.x means this won't work with libpcap 0.8.x, although you might be able to use tcpdump with the "-O" flag).
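The two filter stages described on this page (a port-based capture filter, and a content-based `bittorrent` display filter that only the dissector can apply) can be illustrated with a small packet check. The following is an added example written for this page, not code from the Wireshark project: it constructs IPv4/TCP packets inline (labelled as constructed), reproduces what `tcp portrange 6881-6889` and the explicit `tcp[0:2]`/`tcp[2:2]` expression match, and contrasts that with a dissector-style check of the BitTorrent handshake. The handshake layout (1-byte length 19, the string "BitTorrent protocol", 8 reserved bytes, a 20-byte info hash and a 20-byte peer id) is taken from the BitTorrent protocol specification (BEP 3), not from this page; the packet builder and sample values are assumptions for the example.

```python
import struct

# Default BitTorrent peer port range named on this wiki page.
BT_PORT_LO, BT_PORT_HI = 6881, 6889

# Handshake prefix from BEP 3 (assumption for this example; not on the wiki page).
PSTR = b"BitTorrent protocol"
HANDSHAKE_LEN = 1 + len(PSTR) + 8 + 20 + 20  # 68 bytes


def tcp_header_offset(ip_pkt):
    """Offset of the TCP header inside an IPv4 packet.

    BPF's tcp[0:2] and tcp[2:2] are relative to the start of the TCP header,
    so the IPv4 header length (IHL, in 32-bit words) must be honoured: a
    packet carrying IP options has a 24-byte or longer IP header.
    """
    if len(ip_pkt) < 20 or ip_pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    if ip_pkt[9] != 6:  # IP protocol field 6 = TCP
        raise ValueError("not TCP")
    return (ip_pkt[0] & 0x0F) * 4


def tcp_ports(ip_pkt):
    """Return (source port, destination port): tcp[0:2] and tcp[2:2] in BPF terms."""
    off = tcp_header_offset(ip_pkt)
    return struct.unpack("!HH", ip_pkt[off:off + 4])


def matches_portrange(ip_pkt, lo=BT_PORT_LO, hi=BT_PORT_HI):
    """Same decision as 'tcp portrange lo-hi' and as the explicit fallback
    '(tcp[0:2] >= lo and tcp[0:2] <= hi) or (tcp[2:2] >= lo and tcp[2:2] <= hi)'."""
    try:
        sport, dport = tcp_ports(ip_pkt)
    except ValueError:
        return False
    return lo <= sport <= hi or lo <= dport <= hi


def is_bittorrent_handshake(payload):
    """Content check a dissector performs: a capture filter cannot look at this."""
    return (len(payload) >= HANDSHAKE_LEN
            and payload[0] == len(PSTR)
            and payload[1:1 + len(PSTR)] == PSTR)


def build_ipv4_tcp(sport, dport, payload=b"", ip_options=b""):
    """Constructed test packet: minimal IPv4 + TCP headers, checksums left at zero."""
    assert len(ip_options) % 4 == 0, "IP options must be padded to 32-bit words"
    ihl = 5 + len(ip_options) // 4
    # data offset 5 words (0x50), flags PSH+ACK (0x18), window 65535
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    total = ihl * 4 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0, 0, 64, 6, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + ip_options
    return ip_hdr + tcp_hdr + payload


def classify(ip_pkt):
    """Return (port_filter_match, handshake_seen) for one IPv4/TCP packet."""
    off = tcp_header_offset(ip_pkt)
    data_off = (ip_pkt[off + 12] >> 4) * 4  # TCP data offset field
    payload = ip_pkt[off + data_off:]
    return matches_portrange(ip_pkt), is_bittorrent_handshake(payload)


# Constructed sample handshake: reserved bytes zero, dummy info hash and peer id.
HANDSHAKE = bytes([len(PSTR)]) + PSTR + b"\x00" * 8 + b"\x11" * 20 + b"-XX0001-" + b"\x00" * 12

if __name__ == "__main__":
    samples = {
        "peer on default port": build_ipv4_tcp(50000, 6881, HANDSHAKE),
        "peer on non-default port": build_ipv4_tcp(50000, 6890, HANDSHAKE),
        "unrelated traffic, with IP options": build_ipv4_tcp(
            6885, 443, b"GET / HTTP/1.1\r\n", ip_options=b"\x01\x01\x01\x01"),
    }
    for name, pkt in samples.items():
        by_port, by_content = classify(pkt)
        print(f"{name:36s} port filter={by_port!s:5s} handshake={by_content}")
```

The second sample is the case the page's caveat is about: a peer that negotiated a port outside 6881-6889 is invisible to the capture filter but still recognised by the content check, which is why the `bittorrent` display filter exists separately from any capture filter. The third sample carries IP options so that the byte-offset logic has to read IHL; a naive fixed offset of 20 would read the wrong bytes there.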

BitTorrent (last edited 2019-03-18 22:16:09 by JimDeLaHunt)