
Decoding torrent traffic for security analyst use.


aliz


Hey Guys,

I'm new to this forum. I'm here for some understanding and help in decoding torrent traffic. I don't want to sound too off-topic for this forum, but perhaps by asking this question here I can help others facing the same problem.

I work as an infosec analyst, and I'm stuck in decoding torrent traffic coming onto the network. The way I'm viewing the traffic is by use of network flows (layer 7 inspection). I did some research and found that the DHT protocol is used to carry all session and user-data related information (e.g. filenames, peer addresses and nodes).

I was able to extract all file names using "names" through the regex names\d{1,3}. Now I want to know if someone knows a technique to find out something such as the IP address of a node in a ping request, or somehow get the list of peers. I cannot decode bencoded packets on the fly as they arrive in real time, but on some suspicious packets I can do the analysis by following some of the manual decoding methods, or perhaps some script references would be useful.

Like for example in flows it says destination IP address 89.241.186.50 and payload is given as below

d1:ad2:id20:.."......./....=<.yO9:info_hash20:.........    (..$7...Y.e1:q9:get_peers1:t4:.Y-.1:v4:UTtt1:y1:qed1:ad2:id20:.."......./....=<.yO9:info_hash20:.........    (..$7...Y.4:name52:The Teenie Weenie Bikini squad 2012 HDRip Xvid-Facez4:porti33565e5:token20:Jo....    ...W.%.J....0e1:q13:announce_peer1:t4:...,1:v4:UTtt

Is the IP address encoded in this payload somewhere? What interesting info can I get by looking at this packet info? I have pastebin flow information for torrent traffic. The link is:

http://pastebin.com/1X6BYCiP

Also, in my environment all the torrent traffic is allowed through a proxy, which is Windows (TMG). Can TMG in some way decode the fields in the DHT protocol, or does any proxy for that matter just pass them to the end destination?

Thanks.
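Added example for the kind of analysis asked about above (not code from the original post): a small bencode decoder for BitTorrent DHT (KRPC, BEP 5) messages, with helpers that pull out the fields an analyst cares about. In a query such as get_peers or announce_peer the sender's own IP is not inside the payload; it comes from the flow's source address, while the 2-byte "port" in announce_peer is the port the announcing peer listens on. Peer addresses do appear in get_peers responses, as 6-byte compact entries in "values" (4-byte IPv4 + 2-byte big-endian port), and other nodes appear in "nodes" as 26-byte entries (20-byte node id + compact address). The "name" key in announce_peer is not part of BEP 5 but appears in the captured payload above, so it is handled here too. The two messages below are constructed for the example.

```python
# Added example: decode bencoded KRPC (BitTorrent DHT) messages and extract
# analyst-relevant fields. Sample messages are constructed, not real traffic.
import socket
import struct
from typing import Any, Dict, List, Tuple


def bdecode(data: bytes, pos: int = 0) -> Tuple[Any, int]:
    """Decode one bencoded value starting at pos; return (value, next_pos)."""
    c = data[pos:pos + 1]
    if c == b"i":                                  # integer: i<digits>e
        end = data.index(b"e", pos)
        return int(data[pos + 1:end]), end + 1
    if c == b"l":                                  # list: l<items>e
        pos += 1
        items = []
        while data[pos:pos + 1] != b"e":
            item, pos = bdecode(data, pos)
            items.append(item)
        return items, pos + 1
    if c == b"d":                                  # dict: d<key><value>...e
        pos += 1
        result: Dict[bytes, Any] = {}
        while data[pos:pos + 1] != b"e":
            key, pos = bdecode(data, pos)
            val, pos = bdecode(data, pos)
            result[key] = val
        return result, pos + 1
    if c.isdigit():                                # byte string: <len>:<bytes>
        colon = data.index(b":", pos)
        length = int(data[pos:colon])
        start = colon + 1
        if start + length > len(data):
            raise ValueError("truncated byte string")
        return data[start:start + length], start + length
    raise ValueError(f"bad bencode at offset {pos}")


def parse_compact_peers(blob: bytes) -> List[Tuple[str, int]]:
    """'values' entries in a get_peers reply: 6 bytes each, IPv4 + big-endian port."""
    return [(socket.inet_ntoa(blob[i:i + 4]), struct.unpack("!H", blob[i + 4:i + 6])[0])
            for i in range(0, len(blob) - len(blob) % 6, 6)]


def parse_compact_nodes(blob: bytes) -> List[Tuple[str, str, int]]:
    """'nodes' entries: 26 bytes each = 20-byte node id + compact IPv4 address."""
    out = []
    for i in range(0, len(blob) - len(blob) % 26, 26):
        node_id = blob[i:i + 20].hex()
        ip, port = parse_compact_peers(blob[i + 20:i + 26])[0]
        out.append((node_id, ip, port))
    return out


def summarize_krpc(msg: bytes) -> Dict[str, Any]:
    """Extract the fields an analyst wants from one KRPC message."""
    d, _ = bdecode(msg)
    summary: Dict[str, Any] = {"type": d.get(b"y", b"?").decode(), "tid": d.get(b"t", b"").hex()}
    if summary["type"] == "q":                     # query from a remote node
        args = d.get(b"a", {})
        summary["query"] = d.get(b"q", b"").decode()
        summary["node_id"] = args.get(b"id", b"").hex()
        if b"info_hash" in args:
            summary["info_hash"] = args[b"info_hash"].hex()
        if b"name" in args:                        # non-standard key seen in the captured payload
            summary["name"] = args[b"name"].decode("utf-8", "replace")
        if b"port" in args:                        # announce_peer: the announcer's listening port
            summary["port"] = args[b"port"]
    elif summary["type"] == "r":                   # response; this is where peer/node IPs live
        resp = d.get(b"r", {})
        summary["node_id"] = resp.get(b"id", b"").hex()
        if b"values" in resp:
            summary["peers"] = [p for v in resp[b"values"] for p in parse_compact_peers(v)]
        if b"nodes" in resp:
            summary["nodes"] = parse_compact_nodes(resp[b"nodes"])
    return summary


# Constructed announce_peer query (ids are filler bytes, not real hashes).
ANNOUNCE = (b"d1:ad2:id20:" + b"A" * 20 + b"9:info_hash20:" + b"B" * 20
            + b"4:name11:example.iso4:porti33565e5:token3:toke"
            + b"1:q13:announce_peer1:t2:aa1:y1:qe")

# Constructed get_peers response carrying two compact peers and one compact node.
_PEER1 = socket.inet_aton("10.0.0.1") + struct.pack("!H", 6881)
_PEER2 = socket.inet_aton("192.0.2.5") + struct.pack("!H", 51413)
_NODE = b"C" * 20 + socket.inet_aton("198.51.100.7") + struct.pack("!H", 6881)
RESPONSE = (b"d1:rd2:id20:" + b"D" * 20 + b"5:nodes26:" + _NODE + b"5:token3:tok"
            + b"6:valuesl6:" + _PEER1 + b"6:" + _PEER2 + b"ee1:t2:aa1:y1:re")

if __name__ == "__main__":
    print(summarize_krpc(ANNOUNCE))
    print(summarize_krpc(RESPONSE))
```

For a flow tool that only exposes the raw payload, the practical check is: a message with y=q gives you the query type, info_hash and (for announce_peer) the advertised port, but the node's address is the flow's source IP; only y=r messages carry other peers' and nodes' addresses, and those are the compact entries this decoder unpacks.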

