Myra Canyon  v0.0.1-768
network control
Myra::Traffic::BitTorrent Namespace Reference

Detect and examine BitTorrent packets.

Functions

bool examine_udp_bencode (Flow &flow, const Myra::PktInfo &info)
 Examine a UDP packet for BitTorrent bencode, and mark the flow if found.
 
bool examine_udp_num_dht (Flow &flow, const Myra::PktInfo &info)
 Examine a UDP packet for Number DHT (distributed hash table).
 
bool examine_tcp_protocol (Flow &flow, const Myra::PktInfo &info)
 Examine a TCP packet for the "BitTorrent protocol" signature, and mark the flow if found.
 

Detailed Description

Detect and examine BitTorrent packets.

Function Documentation

bool Myra::Traffic::BitTorrent::examine_tcp_protocol (Flow &flow, const Myra::PktInfo &info)

Examine a TCP packet for the "BitTorrent protocol" signature, and mark the flow if found.

Returns
true if this exam needs to be called again for the given flow
false if this exam never needs to be called again

Look for the following pattern:

-> flow #15332929261297764508: payload: number of bytes: 68
  0: 13 42 69 74 54 6f 72 72 65 6e 74 20 70 72 6f 74 6f 63 6f 6c 00 00 00 00 00 10 00 05 b4 15 c9 13 - .BitTorrent protocol............
 20: 64 3e 5f f4 9f e3 7d 30 4b bb 5e 6e 11 ad 51 01 2d 54 52 32 38 32 30 2d 70 65 38 78 7a 30 32 74 - d>_...}0K.^n..Q.-TR2820-pe8xz02t
 40: 74 31 33 31                                                                                     - t131


bool Myra::Traffic::BitTorrent::examine_udp_bencode (Myra::Flow &flow, const Myra::PktInfo &info)

Examine a UDP packet for BitTorrent bencode, and mark the flow if found.

Returns
true if this exam needs to be called again for the given flow
false if this exam never needs to be called again

Bencode has 4 possible value types:

  • i...e for integers
  • #:... for byte strings
  • l...e for lists
  • d...e for dictionaries

-> flow #15764720793030815980: payload: number of bytes: 49
  0: 64 31 3a 72 64 32 3a 69 64 32 30 3a b5 b8 ac 92 97 00 e2 a0 f8 17 2a e4 25 8a 96 7a cc b6 3a d3 - d1:rd2:id20:..........*.%..z..:.
 20: 65 31 3a 74 34 3a 70 6e 00 00 31 3a 79 31 3a 72 65                                              - e1:t4:pn..1:y1:re

See also
http://en.wikipedia.org/wiki/Bencode
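
An added example, not Myra Canyon's own code: one way to confirm that a UDP payload such as the 49-byte dump above is exactly one well-formed bencoded dictionary, with bounds and nesting checks because the input is untrusted. The names `skip_string`, `skip_value`, `is_bencode_dict`, `kMaxDepth` and `kPagePayload` are hypothetical, and the nesting cap of 8 is an assumption; canonical integer form and key ordering are not enforced.

```cpp
#include <cstddef>
#include <cstdint>
// Added illustration; all names are hypothetical, not the Myra Canyon API.
constexpr int kMaxDepth = 8;  // assumed cap on nesting for hostile input

// Byte string "<len>:<bytes>". Returns index past the value, 0 on bad input.
static size_t skip_string(const uint8_t *p, size_t n, size_t pos) {
    size_t len = 0, digits = 0;
    while (pos < n && p[pos] >= '0' && p[pos] <= '9') {
        if (++digits > 5) return 0;  // longer than any UDP payload
        len = len * 10 + static_cast<size_t>(p[pos++] - '0');
    }
    if (digits == 0 || pos >= n || p[pos] != ':') return 0;
    ++pos;
    return (len <= n - pos) ? pos + len : 0;  // length must fit in the packet
}

// Any value: i...e, l...e, d...e or a byte string. Same return convention.
static size_t skip_value(const uint8_t *p, size_t n, size_t pos, int depth) {
    if (pos >= n || depth > kMaxDepth) return 0;
    const uint8_t c = p[pos];
    if (c == 'i') {  // optional '-', at least one digit, then 'e'
        size_t q = pos + 1;
        if (q < n && p[q] == '-') ++q;
        const size_t start = q;
        while (q < n && p[q] >= '0' && p[q] <= '9') ++q;
        return (q > start && q < n && p[q] == 'e') ? q + 1 : 0;
    }
    if (c != 'l' && c != 'd') return skip_string(p, n, pos);
    size_t q = pos + 1;
    while (q < n && p[q] != 'e') {
        if (c == 'd' && (q = skip_string(p, n, q)) == 0) return 0;  // dict key
        if ((q = skip_value(p, n, q, depth + 1)) == 0) return 0;    // element
    }
    return (q < n) ? q + 1 : 0;  // the closing 'e' must be present
}

// True only if the whole payload is exactly one well-formed dictionary.
bool is_bencode_dict(const uint8_t *p, size_t n) {
    return n >= 2 && p[0] == 'd' && skip_value(p, n, 0, 0) == n;
}

// The 49-byte UDP payload from the dump above (d1:rd2:id20:...e1:t4:...1:y1:re).
const uint8_t kPagePayload[] = {
    0x64, 0x31, 0x3a, 0x72, 0x64, 0x32, 0x3a, 0x69, 0x64, 0x32, 0x30, 0x3a, 0xb5,
    0xb8, 0xac, 0x92, 0x97, 0x00, 0xe2, 0xa0, 0xf8, 0x17, 0x2a, 0xe4, 0x25, 0x8a,
    0x96, 0x7a, 0xcc, 0xb6, 0x3a, 0xd3, 0x65, 0x31, 0x3a, 0x74, 0x34, 0x3a, 0x70,
    0x6e, 0x00, 0x00, 0x31, 0x3a, 0x79, 0x31, 0x3a, 0x72, 0x65
};
```

Requiring the parse to consume the whole payload rejects truncated packets and non-bencode UDP traffic that merely begins with `d`.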


bool Myra::Traffic::BitTorrent::examine_udp_num_dht (Flow &flow, const Myra::PktInfo &info)

Examine a UDP packet for Number DHT (distributed hash table).

Returns
true if this exam needs to be called again for the given flow
false if this exam never needs to be called again

See also
https://secure.wand.net.nz/trac/libprotoident/wiki/BitTorrentUDP

-> flow #13167771187865445090: Unknown+IP+IPv4+UDP: 10.0.1.3:51413->94.209.214.235:64866 (data len: 20, number of packets: 7)
-> flow #13167771187865445090: payload: number of bytes: 20
  0: 21 00 00 cc 4c 11 7c 6b f7 02 78 e7 00 00 f0 00 65 95 56 61                                     - !...L.|k..x.....e.Va
