XXX - BitTorrent is a protocol designed for transferring files. It is peer-to-peer in nature, as users connect to each other directly to send and receive portions of the file. However, there is a central server (called a tracker) which coordinates the action of all such peers. The tracker only manages connections, it does not have any knowledge of the contents of the files being distributed, and therefore a large number of users can be supported with relatively limited tracker bandwidth.
XXX - add a brief description of BitTorrent history
["TCP"]: Typically, BitTorrent uses ["TCP"] as its transport protocol. The well known TCP port for BitTorrent traffic is 6881-6889.
XXX - Add example traffic here (as plain text or Ethereal screenshot).
The BitTorrent dissector is (fully functional, partially functional, not existing, ... whatever the current state is).
(XXX add links to preference settings affecting how PROTO is dissected).
Example capture file
XXX - Add a simple example capture file to the SampleCaptures page and link from here (see below). Keep this file short, it's also a good idea to gzip it to make it even smaller, as Ethereal can open gzipped files automatically.
A complete list of BitTorrent display filter fields can be found in the [http://www.ethereal.com/docs/dfref/b/bittorrent.html display filter reference]
Show only the BitTorrent based traffic:
Note: implemented in Ethereal post 0.10.12!
You cannot directly filter BitTorrent protocols while capturing. However, if you know the ["TCP"] port used (see above), you can filter on that one.
Capture only the BitTorrent tracker traffic over one of the default ports (6881):
tcp port 6881
XXX - how to filter the tcp port range 6881-6889?
[http://www.bittorrent.com/] the official BitTorrent page
[http://en.wikipedia.org/wiki/Bittorrent Wikipedia Bittorrent page]
[http://userpages.umbc.edu/%7Ehamilton/btclientconfig.html How BitTorrent Works] about P2P in general, BitTorrent and firewall settings
I've seen the usage of the TCP port 6969 while using BitTorrent. Is this the new web based tracker or simply a virus? - UlfLamping
Apparently this is a typical "tracker" port, whereas 6881+ are typical client ports.