Lord_Foul
01-23-2005, 12:31 AM
Hi,
Question:
Is there an accurate way to identify a user/IP address within a LAN who is using P2P software such as eMule, WinMX or BitTorrent, etc., using free software tools?
I can use Ethereal in promiscuous mode to monitor internal traffic and then look for default UDP/TCP ports, i.e. 4662, 4672, etc. The problem here is that the ports can easily be changed via the P2P client. I have found some software that claims it will work, but it is prohibitively expensive and so is not an option.
The LAN has a firewall and proxy server, but I'm sure the user is an admin and has enabled a rule allowing P2P in/out and is also probably bypassing the proxy server. I don't want to raise his suspicions as he is a good friend; I'd just like to startle him with proof, heh.
I'm pretty sure that P2P traffic from the different networks has unique signatures, but I have no idea how to identify these sigs from a network capture. Maybe I have to drill down into the packets and have a deeper look, but it is a busy network and will take forever.
Any advice or help much appreciated.
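The post's instinct is right: the default-port check is weak because the port is a client setting, while the protocol framing is not. Below is an added example (not from the original thread or any of the clients it names) showing a payload-signature classifier for BitTorrent and eDonkey/eMule traffic, plus the port-only check for comparison. WinMX is not covered here. The sample records are constructed for the example, and the IP addresses, ports and client ID bytes are made up; only the protocol markers (the 19-byte "BitTorrent protocol" handshake string, the bencoded KRPC "y" key, and the 0xE3/0xC5/0xD4 eDonkey frame markers with their little-endian length field) come from the protocols themselves.

```python
"""Payload-signature classifier for BitTorrent and eDonkey/eMule traffic.

Added example: identifies P2P traffic by protocol fingerprints in the payload
rather than by TCP/UDP port, so a client moved off its default ports is still
caught. All sample records below are constructed for the example.
"""
import struct
from collections import defaultdict
from typing import Iterable, Optional, Tuple

# Default ports named in the post; used only to show why port matching fails.
P2P_DEFAULT_PORTS = {4662, 4672, 6881}

# eDonkey/eMule TCP framing: 1-byte protocol marker, 4-byte little-endian
# length of (opcode + data), then a 1-byte opcode. These three markers are
# the TCP ones; UDP (Kad) framing differs and is deliberately not handled.
EDONKEY_TCP_MARKERS = {
    0xE3: "edonkey",          # classic eDonkey protocol
    0xC5: "emule-extended",   # eMule extension protocol
    0xD4: "emule-packed",     # eMule zlib-compressed payload
}

Record = Tuple[str, int, bytes]  # (src_ip, dst_port, payload)


def classify_payload(payload: bytes) -> Optional[str]:
    """Return a protocol label if the payload carries a known P2P signature."""
    if len(payload) < 5:
        return None
    # BitTorrent peer-wire handshake: <pstrlen=19><"BitTorrent protocol">...
    if payload.startswith(b"\x13BitTorrent protocol"):
        return "bittorrent-handshake"
    # HTTP tracker announce: an ordinary GET that carries the torrent's info_hash.
    if payload.startswith(b"GET ") and b"info_hash=" in payload:
        return "bittorrent-tracker"
    # BitTorrent DHT (KRPC): a bencoded dict that always has a "y" (message type) key.
    if payload.startswith(b"d") and b"1:y1:" in payload and payload.endswith(b"e"):
        return "bittorrent-dht"
    # eDonkey/eMule: marker byte plus a length field consistent with the frame.
    # (Assumes one complete message per segment; real captures need reassembly.)
    marker = payload[0]
    if marker in EDONKEY_TCP_MARKERS:
        (declared_len,) = struct.unpack_from("<I", payload, 1)
        if declared_len == len(payload) - 5:
            return EDONKEY_TCP_MARKERS[marker]
    return None


def report_p2p_hosts(records: Iterable[Record]) -> dict:
    """Tally P2P protocol labels per internal source IP; hosts with no hit are omitted."""
    hits = defaultdict(set)
    for src_ip, _dst_port, payload in records:
        label = classify_payload(payload)
        if label:
            hits[src_ip].add(label)
    return dict(hits)


def port_based_hosts(records: Iterable[Record]) -> set:
    """The naive check from the post: flag any source talking to a default P2P port."""
    return {src for src, dport, _ in records if dport in P2P_DEFAULT_PORTS}


def edonkey_frame(marker: int, opcode: int, body: bytes) -> bytes:
    """Build a complete eDonkey/eMule TCP frame (used to construct sample data)."""
    return bytes([marker]) + struct.pack("<I", len(body) + 1) + bytes([opcode]) + body


# Constructed sample traffic: addresses, ports and client IDs are invented.
SAMPLE_RECORDS = [
    # BitTorrent peer handshake sent to port 8080 to look like proxy traffic.
    ("192.168.1.20", 8080,
     b"\x13BitTorrent protocol" + b"\x00" * 8 + b"\x11" * 20 + b"-AZ2504-" + b"x" * 12),
    # eMule hello (eDonkey opcode 0x01) on a non-default port.
    ("192.168.1.20", 12345, edonkey_frame(0xE3, 0x01, b"\x10" + b"\x22" * 16)),
    # DHT ping query over UDP, built to the KRPC bencoding.
    ("192.168.1.33", 51413, b"d1:ad2:id20:" + b"\x33" * 20 + b"e1:q4:ping1:t2:aa1:y1:qe"),
    # Ordinary web browsing.
    ("192.168.1.40", 80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    # Plain HTTP that happens to use 4662: a false positive for port matching.
    ("192.168.1.50", 4662, b"GET /status HTTP/1.1\r\nHost: intranet\r\n\r\n"),
]

if __name__ == "__main__":
    print("signature hits:", report_p2p_hosts(SAMPLE_RECORDS))
    print("port-only hits:", port_based_hosts(SAMPLE_RECORDS))
```

On this sample the signature check attributes BitTorrent and eDonkey to 192.168.1.20 and DHT to 192.168.1.33, while the port-only check flags only 192.168.1.50, which is running plain HTTP. In a real capture the payloads come from reassembled TCP streams and UDP datagrams rather than from a list, and obfuscated or encrypted transports (later added to both BitTorrent and eMule clients) will not match plain-text signatures, so treat a miss as "not proven" rather than "clean".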