Tracking Contraband Files Transmitted Using Bittorrent

  • Karl Schrader
  • Barry Mullins
  • Gilbert Peterson
  • Robert Mills
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 306)


This paper describes a digital forensic tool that uses an FPGA-based embedded software application to identify and track contraband digital files shared using the BitTorrent protocol. The system inspects each packet on a network for a BitTorrent Handshake message, extracts the “info hash” of the file being shared, compares the hash against a list of known contraband files and, in the event of a match, adds the message to a log file for forensic analysis. Experiments demonstrate that the system is able to successfully capture and process BitTorrent Handshake messages with a probability of at least 99.0% under a network traffic load of 89.6 Mbps on a 100 Mbps network.
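The per-packet check described in the abstract, sketched in Python as an added example; it is not the paper's FPGA implementation. The handshake layout follows the BitTorrent protocol specification (BEP 3); the function names, packet tuples, addresses, peer id and hashes are assumptions constructed for illustration.

```python
import hashlib
from typing import Iterable, Optional

PSTR = b"BitTorrent protocol"                 # protocol string fixed by BEP 3
HANDSHAKE_LEN = 1 + len(PSTR) + 8 + 20 + 20   # pstrlen, pstr, reserved, info_hash, peer_id = 68

def parse_handshake(payload: bytes) -> Optional[dict]:
    """Return the handshake fields if a TCP payload begins with a BEP 3 handshake."""
    if len(payload) < HANDSHAKE_LEN:          # truncated or unrelated traffic
        return None
    if payload[0] != len(PSTR) or payload[1:20] != PSTR:
        return None
    return {"info_hash": payload[28:48], "peer_id": payload[48:68]}

def scan(packets: Iterable[tuple], watchlist: set) -> list:
    """Log every packet whose handshake carries a watch-listed info hash.

    Inspection is per packet, so a handshake split across TCP segments is
    missed; catching those would need stream reassembly.
    """
    log = []
    for src, dst, payload in packets:
        fields = parse_handshake(payload)
        if fields and fields["info_hash"] in watchlist:
            log.append({"src": src, "dst": dst,
                        "info_hash": fields["info_hash"].hex(),
                        "peer_id": fields["peer_id"]})
    return log

def make_handshake(info_hash: bytes, peer_id: bytes) -> bytes:
    """Build a constructed handshake for the sample traffic below."""
    return bytes([len(PSTR)]) + PSTR + bytes(8) + info_hash + peer_id

# Constructed sample data: the hashes are SHA-1 digests of placeholder strings.
LISTED = hashlib.sha1(b"constructed-listed-torrent").digest()
OTHER = hashlib.sha1(b"constructed-unlisted-torrent").digest()
WATCHLIST = {LISTED}
PEER = b"-XX0001-000000000001"                # constructed 20-byte peer id
SAMPLE_PACKETS = [
    ("192.0.2.10:51413", "198.51.100.7:6881", make_handshake(LISTED, PEER)),
    ("192.0.2.11:51413", "198.51.100.7:6881", make_handshake(OTHER, PEER)),
    ("192.0.2.12:40000", "198.51.100.9:80", b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("192.0.2.13:51413", "198.51.100.7:6881", make_handshake(LISTED, PEER)[:40]),
]

if __name__ == "__main__":
    for record in scan(SAMPLE_PACKETS, WATCHLIST):
        print(record)
```

Only the first sample packet is logged: the second carries an unlisted hash, the third is not a handshake, and the fourth is a truncated handshake.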


Keywords: Peer-to-peer file sharing, BitTorrent, forensic tool, packet analysis



Copyright information

© IFIP International Federation for Information Processing 2009
