Clients connect to each other directly to send and receive portions
of a single file. The central server (called a tracker) only coordinates
the action of the clients, and manages connections. Unlike the
protocols discussed above, the BitTorrent server is not responsible
for locating the searching files for the clients, instead the BitTorrent
network client locates a torrent file through the Web, and initiates
the downloading by clicking on the hyperlink. Hence there is no
signaling communication for searching in the BitTorrent network.
To identify BitTorrent traffic, we focus on the downloading data
packets between clients only since the communication between the
client and server is negligible.
The communication between the clients starts with a handshake
followed by a never-ending stream of length-prefixed messages.
We discovered that the BitTorrent header of the handshake messages
assumes following format:
The first byte is a fixed character with value '0x13', and the string
value is `BitTorrent protocol'. Based on this common header, we
use following signatures for identifying BitTorrent traffic:
- The first byte in the TCP payload is the character 19 (0x13).
- The next 19 bytes match the string `BitTorrent protocol'.
therefore they are very accurate and cost-effective.
Accurate, Scalable InNetwork Identication of P2P Trafc
Using Application Signatures