How does Palo Alto Networks Identify BitTorrent?


28170
Created On 09/25/18 19:26 PM - Last Modified 06/06/23 19:20 PM


Resolution


Overview

How does Palo Alto Networks Identify BitTorrent?


Detail

A BitTorrent DHT query begins with the bytes "d1:ad2:id20:". That string is the bencoded opening of a KRPC query (BEP 5): a dictionary ("d") whose first key is "a" (the arguments), whose value is another dictionary ("d") whose first key is "id", followed by a 20-byte string (the querying node's ID). Because bencode requires dictionary keys to be written in sorted order, "a" always comes before "q", "t" and "y", and "id" comes before the other argument keys ("info_hash", "target", and so on), so every query defined in BEP 5 carries this fixed 12-byte prefix at the very start of the UDP payload. The pattern is specific to the BitTorrent mainline DHT and is not produced by other protocols, which makes it usable as an application signature. Note that it matches only DHT queries: DHT responses start with "d1:rd2:id20:" instead, and the peer-wire (TCP) protocol begins with a different handshake.


The following URL is the DHT protocol specification (BEP 5). Its sample packets all begin with: d1:ad2:id20


http://bittorrent.org/beps/bep_0005.html


The relevant section of that document, 'DHT Queries', is reproduced below:


----------------------------------------------------------------------------------------------

DHT Queries


All queries have an "id" key and value containing the node ID of the querying node. All responses have an "id" key and value containing the node ID of the responding node.


ping


The most basic query is a ping. "q" = "ping". A ping query has a single argument, "id", whose value is a 20-byte string containing the sender's node ID in network byte order. The appropriate response to a ping has a single key, "id", containing the node ID of the responding node.


arguments: {"id" : "<querying nodes id>"}


response: {"id" : "<queried nodes id>"}

Example Packets


ping Query = {"t":"aa", "y":"q", "q":"ping", "a":{"id":"abcdefghij0123456789"}}

bencoded = d1:ad2:id20:abcdefghij0123456789e1:q4:ping1:t2:aa1:y1:qe

----------------------------------------------------------------------------------------------
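The following Python is an added worked example, not code from this article, from Palo Alto Networks, or from BEP 5. It contains a small bencode encoder/decoder so the reader can see where the "d1:ad2:id20:" prefix comes from (sorted dictionary keys), the prefix check itself as a firewall-style signature applied at offset 0 of a UDP payload, and a full decode used to confirm a hit. The sample payloads are constructed inline from the BEP 5 ping example and similar values; they are not captured traffic. It also shows the two cases the prefix deliberately does not match: a DHT response (first key "r") and a peer-wire TCP handshake.

```python
"""Added example: why BEP 5 DHT queries start with b"d1:ad2:id20:" and how to
check for it. Not from the Palo Alto Networks article or from BEP 5."""

# 'd' (dict), key "a", 'd' (dict), key "id", then a 20-byte string follows.
DHT_QUERY_PREFIX = b"d1:ad2:id20:"


def bencode(obj) -> bytes:
    """Encode an int, bytes/str, list or dict as bencode (BEP 3).
    Dictionary keys are written in sorted byte order, as BEP 3 requires;
    that ordering is what fixes "a" and "id" at the front of every query."""
    if isinstance(obj, int):
        return b"i%de" % obj
    if isinstance(obj, str):
        obj = obj.encode()
    if isinstance(obj, (bytes, bytearray)):
        return b"%d:%s" % (len(obj), bytes(obj))
    if isinstance(obj, list):
        return b"l" + b"".join(bencode(x) for x in obj) + b"e"
    if isinstance(obj, dict):
        items = [(k.encode() if isinstance(k, str) else bytes(k), v) for k, v in obj.items()]
        items.sort(key=lambda kv: kv[0])
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in items) + b"e"
    raise TypeError("cannot bencode %s" % type(obj).__name__)


def bdecode(data: bytes):
    """Decode one bencoded value; raises ValueError on malformed or trailing input."""
    def parse(i):
        c = data[i:i + 1]
        if c == b"i":
            end = data.index(b"e", i)
            return int(data[i + 1:end]), end + 1
        if c == b"l":
            out, i = [], i + 1
            while data[i:i + 1] != b"e":
                v, i = parse(i)
                out.append(v)
            return out, i + 1
        if c == b"d":
            out, i = {}, i + 1
            while data[i:i + 1] != b"e":
                k, i = parse(i)
                v, i = parse(i)
                out[k] = v
            return out, i + 1
        if c.isdigit():
            colon = data.index(b":", i)
            n, start = int(data[i:colon]), colon + 1
            if start + n > len(data):
                raise ValueError("string length runs past end of buffer")
            return data[start:start + n], start + n
        raise ValueError("bad bencode at offset %d" % i)
    value, end = parse(0)
    if end != len(data):
        raise ValueError("trailing bytes after bencoded value")
    return value


def looks_like_dht_query(payload: bytes) -> bool:
    """The signature from the article: fixed prefix at offset 0 of the UDP payload."""
    return payload.startswith(DHT_QUERY_PREFIX)


def classify_krpc(payload: bytes) -> str:
    """Confirm a prefix hit by decoding: 'query:<name>', 'response', 'error' or 'not-krpc'."""
    try:
        msg = bdecode(payload)
    except ValueError:
        return "not-krpc"
    if not isinstance(msg, dict):
        return "not-krpc"
    kind = msg.get(b"y")
    if kind == b"q":
        args, name, node_id = msg.get(b"a"), msg.get(b"q"), None
        if isinstance(args, dict):
            node_id = args.get(b"id")
        if not isinstance(name, bytes) or not isinstance(node_id, bytes) or len(node_id) != 20:
            return "not-krpc"
        return "query:" + name.decode("ascii", "replace")
    if kind == b"r" and isinstance(msg.get(b"r"), dict):
        return "response"
    if kind == b"e":
        return "error"
    return "not-krpc"


NODE_ID = b"abcdefghij0123456789"   # 20-byte node ID from the BEP 5 ping example
TARGET = b"mnopqrstuvwxyz123456"    # 20-byte target/info_hash in the style of the BEP 5 examples

# Constructed sample payloads (hypothetical, not captured traffic).
SAMPLES = {
    "ping": bencode({"t": b"aa", "y": b"q", "q": b"ping", "a": {"id": NODE_ID}}),
    "find_node": bencode({"t": b"aa", "y": b"q", "q": b"find_node",
                          "a": {"id": NODE_ID, "target": TARGET}}),
    "get_peers": bencode({"t": b"aa", "y": b"q", "q": b"get_peers",
                          "a": {"id": NODE_ID, "info_hash": TARGET}}),
    # A ping *response*: its first sorted key is "r", so the query prefix does not match.
    "ping_response": bencode({"t": b"aa", "y": b"r", "r": {"id": NODE_ID}}),
    # Peer-wire handshake (TCP, BEP 3): 0x13 "BitTorrent protocol", reserved, info_hash, peer_id.
    "peer_handshake": b"\x13BitTorrent protocol" + bytes(8) + TARGET + b"-XX0001-123456789012",
    # Some unrelated UDP datagram that does not begin with 'd'.
    "other_udp": bytes.fromhex("123401000001000000000000"),
}


def scan(samples=SAMPLES):
    """Run both checks over every sample: {name: (prefix_hit, classification)}."""
    return {name: (looks_like_dht_query(p), classify_krpc(p)) for name, p in samples.items()}


if __name__ == "__main__":
    for name, (hit, kind) in scan().items():
        print("%-15s prefix_hit=%-5s parsed=%s" % (name, hit, kind))
```

The prefix test is cheap enough to apply to every UDP datagram, but on its own it only says "this looks like a DHT query"; the decode step is what confirms the message is well-formed KRPC with a 20-byte node ID, and it also shows that responses and peer-wire traffic need their own signatures.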


Owner:  bryan



    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClYlCAK&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail
