[Bro] Patch for BitTorrent analyzer

Bernhard Ager ager at net.in.tum.de
Tue Jun 23 03:53:49 PDT 2009

Hi Martin,

On Mon, Jun 22, 2009 at 06:26:09PM -0700, Martin Szydlowski wrote:

> This is a patch that extends the functionality of the BitTorrent
> analyzer added by Nadi Sarrar and Bernd Ager. In particular, it will
> parse many popular extensions to the official protocol and also the
> azureus messaging protocol which uses a different message format. The
> patch has been thoroughly tested on off-line traces without causing
> problems. I am attaching the patch for both the 1.4 release and the
> latest svn revision (r6773) available and also a short description of
> the changes.

Oh, interesting to see that. Especially as I have also written a few
extensions for the BitTorrent analyzer, among them the above mentioned
Azureus Messaging Protocol (AZMP) and the LibTorrent Extension
Protocol. My flavour of the enhanced parser analyzes the extension
negotiation protocol (I remember that being a bit hairy) before
deciding if AZMP or plain BitTorrent is used.

Main differences between the analyzers as far as I can tell from a
short peek into your code (forgive me if I mistook a thing or two):

- AZMP is parsed generically, e.g., I don't handle AZ_PEER_EXCHANGE in
  a special way. When handling those messages explicitly, then this
  should be unified with LTEP anyway.

- Well, LTEP and arbitrary message parsing integrated.

- We use different methods for determining the transparent switch to
  the AZMP protocol. I can happily claim mine works correctly for all
  examined connections---that includes a few TB of traffic :-)

- I deliberately decided against changing the event signatures by
  adding an explicit PDU len field, though this is definitely the
  cleaner solution, and in case of padding it is the only way to
  communicate the correct PDU length. I have never seen a
  non-encrypted BT connection using padding in the wild, though.

- Your analyzer handles a few non-standard message types that mine
  only covers by the bittorrent_peer_unknown event (with no loss
  of information though).

I've been testing my analyzer now on several TB of (live) BitTorrent
traffic and it appears to run stably. For SSH subversion users all of
this is available from
svn+ssh://svn.icir.org/bro/branches/bager/bittorrent-enhancements but
there appears to be no public access to this branch currently. Martin:
If you are interested in the patch but don't have access, drop me a
mail, then I'll send it to you.

Technische Universität Berlin
An-Institut Deutsche Telekom Laboratories
FG INET, Research Group Anja Feldmann
Sekr. TEL 4
Ernst-Reuter-Platz 7
D-10587 Berlin
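The framing behaviour the two posters compare above (length-prefixed peer-wire PDUs, an explicit PDU length carried in every event, the LTEP extended handshake, and an "unknown" event that keeps the raw payload so nothing is lost) as an added Python example. This is not Bro's analyzer nor either poster's patch: the message IDs and the reserved-byte bit follow BEP 3 and BEP 10, the sample stream is constructed, and `MAX_BODY_LEN` is an assumed sanity cap rather than a protocol value.

```python
"""Streaming parser for the BitTorrent peer-wire protocol: handshake, then
4-byte length-prefixed messages, with the BEP 10 (LTEP) extended handshake
decoded. Added example, not Bro analyzer code; sample bytes are constructed."""
import struct

# Peer-wire message IDs from BEP 3 plus the BEP 10 "extended" ID (20).
MSG_NAMES = {0: "choke", 1: "unchoke", 2: "interested", 3: "not_interested",
             4: "have", 5: "bitfield", 6: "request", 7: "piece", 8: "cancel",
             9: "port", 20: "extended"}
LTEP_RESERVED_BIT = 0x10      # reserved[5] & 0x10: peer supports BEP 10
HANDSHAKE_LEN = 68            # 1 + 19 + 8 + 20 + 20
MAX_BODY_LEN = (1 << 20) + 16  # assumed cap: refuse to buffer absurd prefixes


def bdecode(data, pos=0):
    """Minimal bencode decoder returning (value, next_pos): ints, byte
    strings, lists and dicts, which is all an extended handshake needs."""
    c = data[pos:pos + 1]
    if c == b"i":
        end = data.index(b"e", pos)
        return int(data[pos + 1:end]), end + 1
    if c in (b"l", b"d"):
        items, pos = [], pos + 1
        while data[pos:pos + 1] != b"e":
            v, pos = bdecode(data, pos)
            items.append(v)
        if c == b"l":
            return items, pos + 1
        return dict(zip(items[0::2], items[1::2])), pos + 1
    colon = data.index(b":", pos)
    n = int(data[pos:colon])
    return data[colon + 1:colon + 1 + n], colon + 1 + n


class PeerWireParser:
    """Feed raw TCP payload in arbitrary chunks; parsed events accumulate in
    self.events. Every message event carries pdu_len (prefix + body), so a
    consumer never has to reconstruct the wire length from the payload."""

    def __init__(self):
        self.buf = b""
        self.handshaked = False
        self.events = []

    def feed(self, chunk):
        self.buf += chunk
        while True:
            if not self.handshaked:
                if len(self.buf) < HANDSHAKE_LEN:
                    return
                if self.buf[0] != 19 or self.buf[1:20] != b"BitTorrent protocol":
                    self.events.append(("protocol_violation", "bad handshake"))
                    self.buf = b""
                    return
                reserved = self.buf[20:28]
                self.events.append(("handshake", {
                    "reserved": reserved, "info_hash": self.buf[28:48],
                    "peer_id": self.buf[48:68],
                    "ltep": bool(reserved[5] & LTEP_RESERVED_BIT)}))
                self.buf, self.handshaked = self.buf[HANDSHAKE_LEN:], True
                continue
            if len(self.buf) < 4:
                return
            body_len = struct.unpack(">I", self.buf[:4])[0]
            if body_len > MAX_BODY_LEN:
                self.events.append(("protocol_violation", "oversized length prefix"))
                self.buf = b""
                return
            pdu_len = 4 + body_len
            if len(self.buf) < pdu_len:
                return  # wait for the rest of this PDU
            body, self.buf = self.buf[4:pdu_len], self.buf[pdu_len:]
            self.events.append(self._message(body, pdu_len))

    def _message(self, body, pdu_len):
        if not body:
            return ("keep_alive", {"pdu_len": pdu_len})
        mid, payload = body[0], body[1:]
        name = MSG_NAMES.get(mid)
        if name is None:  # unknown ID: keep the raw payload, lose nothing
            return ("unknown", {"id": mid, "payload": payload, "pdu_len": pdu_len})
        if name == "extended":
            return self._extended(payload, pdu_len)
        return (name, {"payload": payload, "pdu_len": pdu_len})

    def _extended(self, payload, pdu_len):
        if not payload:
            return ("protocol_violation", "extended message without ID")
        ext_id, data = payload[0], payload[1:]
        if ext_id != 0:
            return ("ltep_message", {"ext_id": ext_id, "payload": data, "pdu_len": pdu_len})
        try:  # extended handshake: bencoded dict whose "m" maps names to IDs
            d, _ = bdecode(data)
            ext_map = {k.decode("ascii", "replace"): v for k, v in d[b"m"].items()}
        except (ValueError, IndexError, KeyError, TypeError, AttributeError):
            return ("protocol_violation", "bad extended handshake")
        return ("ltep_handshake", {"m": ext_map, "pdu_len": pdu_len})


def sample_stream():
    """Constructed client-side stream: handshake advertising LTEP, keep-alive,
    unchoke, have(7), extended handshake offering ut_pex, unknown ID 0x42."""
    hs = bytes([19]) + b"BitTorrent protocol" + bytes([0, 0, 0, 0, 0, 0x10, 0, 0])
    hs += b"\x11" * 20 + b"-XX0001-" + b"0" * 12
    ext = b"\x14\x00" + b"d1:md6:ut_pexi1eee"
    msgs = [b"", b"\x01", b"\x04" + (7).to_bytes(4, "big"), ext, b"\x42ab"]
    return hs + b"".join(struct.pack(">I", len(m)) + m for m in msgs)


def parse_sample(chunk_size=7):
    """Feed the sample in small chunks to exercise PDU reassembly."""
    p, stream = PeerWireParser(), sample_stream()
    for i in range(0, len(stream), chunk_size):
        p.feed(stream[i:i + chunk_size])
    return p.events
```

Feeding the stream seven bytes at a time shows the reassembly an analyzer on live traffic has to do; the `MAX_BODY_LEN` check is the kind of sanity bound a stream parser needs so a single bogus length prefix cannot make it buffer indefinitely.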
