This wiki has been migrated to https://gitlab.com/wireshark/wireshark/-/wikis/home and is now deprecated. Please use that site instead.
Differences between revisions 32 and 33
Revision 32 as of 2008-02-27 23:54:15
Size: 4187
Editor: GeraldCombs
Comment: This page gets a lot of spam. Add an ACL.
Revision 33 as of 2008-04-12 17:50:00
Size: 4211
Editor: localhost
Comment: converted to 1.6 markup

BitTorrent

BitTorrent is a protocol designed for transferring files. It is peer-to-peer in nature, as users connect to each other directly to send and receive portions of the file. However, there is a central server (called a tracker) which coordinates the action of all such peers. The tracker only manages connections; it does not have any knowledge of the contents of the files being distributed, and therefore a large number of users can be supported with relatively limited tracker bandwidth.

A recent extension to BitTorrent is the DHT ("distributed sloppy hash table", or simply "UDP tracker") protocol, a UDP-based peer-to-peer tracker protocol.

History

In April 2001 Bram Cohen designed the BitTorrent protocol, which he implemented in summer 2002. The first program to use the protocol was the original BitTorrent client. Today many applications are available, and the protocol is widely used.

Protocol dependencies

  • TCP: Typically, BitTorrent uses TCP as its transport protocol. The well-known TCP ports for BitTorrent traffic are 6881-6889 (and 6969 for the tracker port). The DHT extension (peer-to-peer tracker) uses various UDP ports negotiated by the peers.

Example traffic

XXX - Add example traffic here (as plain text or Wireshark screenshot).

Wireshark

The BitTorrent dissector is (fully functional, partially functional, not existing, ... whatever the current state is). The DHT extension is currently not decoded.

Preference Settings

Example capture files

SampleCaptures/BitTorrent.Transfer1.cap (Microsoft Network Monitor) Here's a capture with a few BitTorrent packets; it contains some small packets I got whilst downloading something on BitTorrent.

SampleCaptures/BITTORRENT.pcap (libpcap) Capture file of two torrent clients communicating without DHT or peer exch.

Display Filter

A complete list of BitTorrent display filter fields can be found in the display filter reference.

  • Show only the BitTorrent based traffic:

     bittorrent 

Note: implemented in Wireshark post 0.10.12!

Capture Filter

You cannot directly filter BitTorrent protocols while capturing. However, if you know the TCP port used (see above), you can filter on that one.

  • Capture only the BitTorrent tracker traffic over one of the default ports (e.g. 6881):

     tcp port 6881 

  • Capture the BitTorrent tracker traffic over the range of default ports (e.g. 6881-6889):

     tcp portrange 6881-6889 

    This expression works when using libpcap 0.9.1 or later or WinPcap 3.1 or later; it won't work with older versions of libpcap or WinPcap. On Windows, upgrade to WinPcap 3.1 or later; on UN*X, upgrade to libpcap 0.9.x if possible. If that is not possible and you have a version of libpcap prior to 0.8.1, use

     (tcp[0:2] >= 6881 and tcp[0:2] <= 6889) or (tcp[2:2] >= 6881 and tcp[2:2] <= 6889) 
    (a bug in the libpcap optimizer in libpcap 0.8.x means this won't work with libpcap 0.8.x, although you might be able to use tcpdump with the "-O" flag).
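
The following is an added example, not part of the original wiki page or of Wireshark. It applies the byte-offset port test above (tcp[0:2] is the source port, tcp[2:2] the destination port) to raw TCP segments and compares it with a check for the peer handshake prefix, showing which traffic a port-only capture filter keeps or misses. The handshake layout (20-byte prefix, 8 reserved bytes, 20-byte info_hash, 20-byte peer_id) is assumed from the BitTorrent protocol specification, and all function names and sample segments are constructed for illustration.

```python
import struct

BT_PORTS = range(6881, 6890)           # default peer ports 6881-6889 from this page
PSTR = b"\x13BitTorrent protocol"      # assumed handshake prefix: length byte 19 + name

def port_filter_matches(tcp: bytes) -> bool:
    """Same test as the capture filter: source (tcp[0:2]) or destination
    (tcp[2:2]) port falls in the default range."""
    if len(tcp) < 4:
        return False
    sport, dport = struct.unpack("!HH", tcp[:4])
    return sport in BT_PORTS or dport in BT_PORTS

def parse_handshake(tcp: bytes):
    """Return (info_hash, peer_id) if this one segment carries a complete
    handshake, else None. No reassembly across segments is attempted."""
    if len(tcp) < 20:
        return None
    data_offset = (tcp[12] >> 4) * 4   # TCP header length in bytes, options included
    if data_offset < 20:
        return None
    payload = tcp[data_offset:]
    if len(payload) < 68 or not payload.startswith(PSTR):
        return None
    return payload[28:48], payload[48:68]

def classify(tcp: bytes) -> dict:
    """Report what the port filter and the payload check each conclude."""
    return {"port_filter": port_filter_matches(tcp),
            "handshake": parse_handshake(tcp) is not None}

def make_segment(sport: int, dport: int, payload: bytes = b"") -> bytes:
    """Constructed sample input: 20-byte TCP header without options, plus payload."""
    header = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return header + payload

# Constructed handshake: prefix, reserved bytes, dummy info_hash, dummy peer_id.
HANDSHAKE = PSTR + bytes(8) + b"H" * 20 + b"-XX0001-" + b"0" * 12

if __name__ == "__main__":
    samples = {
        "peer on default port": make_segment(51000, 6881, HANDSHAKE),
        "peer on other port": make_segment(51000, 45123, HANDSHAKE),
        "non-BitTorrent on 6885": make_segment(6885, 51000, b"GET / HTTP/1.1\r\n"),
    }
    for name, seg in samples.items():
        print(f"{name}: {classify(seg)}")
```

The second sample is dropped by a port-only capture filter even though it is a BitTorrent handshake, and the third is kept even though it is not; capturing more broadly and applying the bittorrent display filter afterwards avoids both outcomes.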

BitTorrent (last edited 2019-03-18 22:16:09 by JimDeLaHunt)