Is P2P or BitTorrent traffic a concern on your network? More specifically, how can you detect BitTorrent with NetFlow? Well, you have to perform traffic behavior analysis.

Developers of tools like BitTorrent and Skype don't want to see their application blocked by network admins. To avoid this, they employ traffic behavior techniques that make their application difficult to detect. How do they do this? They make the application behave like 'ordinary' applications. They can use ports like 80 and 443, which usually can't be blocked. They engineer throttling techniques to ensure that no one connection out of hundreds absorbs excessive bandwidth (more on this in a minute). They also design the application to be flexible so that its behavior on the network can change.

In order to demonstrate the above, I asked a couple of people I work with to initiate torrent downloads so that we could study the behavior with our NetFlow Analyzer. The NetFlow is coming from our 48 port Enterasys N series switch.

[Figure: P2P BitTorrent Detection with NetFlow]

Above we see the top incoming internet hosts on the uplink interface during the time of the download. The BitTorrent download falls outside the top 10 (i.e. it is part of the traffic shown in gray). BitTorrent doesn't grab the file from any one single host; it grabs pieces of it from many different hosts. This keeps each of the internet hosts sending the file out of the top 10. It's clever.

At the very top of the report, I toggled Source to Destination. I'm still looking at inbound traffic; I just want to see the top hosts it is heading to:

[Figure: P2P BitTorrent Detection with NetFlow 2]

Notice above that shows up as #1. In just 5 minutes it has downloaded 1.53 Gb (> 187MB) of the file. It is downloading the file from hundreds of different hosts. How do I know this? Look at the Flows column (2.48K)!

You can confirm your suspicions by filtering on and changing the NetFlow report type:

[Figure: P2P BitTorrent Detection with NetFlow 3]

Notice above that the application uses different well known ports to over 800 different hosts to download the file. Savvy users of BitTorrent know to throttle the bandwidth consumed by any one connection to a few k/minute.
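The behavior described above (one internal host, hundreds of distinct peers, several well known ports, no single source large enough to reach the top talkers) can be scored directly from flow records. The following is an added example, not code from the post or from Scrutinizer; the flow records are constructed sample values and the thresholds are assumptions.

```python
from collections import defaultdict

def constructed_flows():
    """Constructed inbound NetFlow-style records (src_ip, dst_ip, dst_port, bytes).
    Sample values made up for this example; src is the internet peer, dst the
    internal host, matching the inbound view used in the post."""
    flows = []
    # One internal host pulling small pieces from 900 distinct peers over a mix
    # of well known and high ports: the swarm pattern described above.
    ports = [80, 443, 8080, 1024, 6881, 51413]
    for i in range(900):
        peer = f"203.{i // 250}.{i % 250 + 1}.10"
        flows.append((peer, "10.0.0.42", ports[i % len(ports)], 16_000 + (i % 7) * 1_000))
    # An ordinary large HTTPS download from two CDN nodes: few peers, one port,
    # half the bytes from a single source. This should not be flagged.
    for i in range(40):
        flows.append((f"192.0.2.{i % 2 + 1}", "10.0.0.7", 443, 5_000_000))
    return flows

def profile_destinations(flows):
    """Aggregate per internal destination: flow count, distinct ports,
    total bytes and bytes per source peer."""
    stats = defaultdict(lambda: {"flows": 0, "ports": set(), "bytes": 0,
                                 "per_peer": defaultdict(int)})
    for src, dst, port, nbytes in flows:
        s = stats[dst]
        s["flows"] += 1
        s["ports"].add(port)
        s["bytes"] += nbytes
        s["per_peer"][src] += nbytes
    return stats

def flag_swarm_downloads(flows, min_peers=100, min_ports=3, max_peer_share=0.05):
    """Flag destinations whose inbound bytes are spread thinly over many peers and
    several ports, so that no single source reaches the top talkers. The
    thresholds are assumptions chosen for this example, not tuned values."""
    flagged = {}
    for dst, s in profile_destinations(flows).items():
        peers = len(s["per_peer"])
        top_share = max(s["per_peer"].values()) / s["bytes"]
        if peers >= min_peers and len(s["ports"]) >= min_ports and top_share <= max_peer_share:
            flagged[dst] = {"peers": peers, "ports": len(s["ports"]),
                            "flows": s["flows"], "bytes": s["bytes"],
                            "top_peer_share": round(top_share, 4)}
    return flagged

if __name__ == "__main__":
    for host, summary in flag_swarm_downloads(constructed_flows()).items():
        print(f"possible swarm download to {host}: {summary}")
```

Real deployments would add a time window (the post's view is 5 minutes) and tune the thresholds against what normal clients on the network look like.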

Luckily, Flow Analytics also knows what behavior to look for when it comes to BitTorrent and can monitor and alarm for this type of P2P traffic.

[Figures: P2P BitTorrent Detection with NetFlow 4 and 5]

The above can be performed across hundreds of routers simultaneously and deduplication ensures that you don’t receive multiple alarms for the same torrent.

I hope the above helps you become more aware of BitTorrent. I don't think it is a horrible application; however, it can be abused, and network admins need to be aware if it is causing problems.



Michael is one of the Co-founders and the former product manager for Scrutinizer. He enjoys many outdoor winter sports and often takes videos when he is snowmobiling, ice fishing or sledding with his kids. Cold weather and lots of snow make the best winters as far as he is concerned. Prior to starting Somix and Plixer, Mike worked in technical support at Cabletron Systems, acquired his Novell CNE and then moved to the training department for a few years. While in training he finished his Masters in Computer Information Systems from Southern New Hampshire University and then left technical training to pursue a new skill set in Professional Services. In 1998 he left the 'Tron' to start Somix which later became Plixer.

