Bandwidth Monitoring: Identify bittorrent traffic

Hello,

I've a Banana Pi BPI-R3 router working as gateway to the internet and essentially controller for everything on a fairly large building. Most devices are isolated from talking to each other and there are a bunch of VLANs going around as well.

I'm currently trying to add some bandwidth monitoring measures and followed the guide here: https://openwrt.org/docs/guide-user/services/network_monitoring/bwmon

Everything works out perfectly; however, I would like to have a way to identify MAC addresses on the network that are torrenting stuff.

I don't really want to block bittorrent traffic because it is useful and there are legit use cases for it but would like to be able to have on the nlbw UI or somewhere else a list of GB of bittorrent traffic by MAC.

Is there any solution for this? Thank you.

Please post output of

ubus call system board

Sure, here's for the BPI-R3:

{
 "kernel": "5.15.137",
 "hostname": "router",
 "system": "ARMv8 Processor rev 4",
 "model": "Bananapi BPI-R3",
 "board_name": "bananapi,bpi-r3",
 "rootfs_type": "squashfs",
 "release": {
  "distribution": "OpenWrt",
  "version": "23.05.2",
  "revision": "r23630-842932a63d",
  "target": "mediatek/filogic",
  "description": "OpenWrt 23.05.2 r23630-842932a63d"
 }
}

I also have a spare R7800 that I could use for this if it was somewhat easier or more reliable:

{
        "kernel": "5.15.137",
        "hostname": "router",
        "system": "ARMv7 Processor rev 0 (v7l)",
        "model": "Netgear Nighthawk X4S R7800",
        "board_name": "netgear,r7800",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.2",
                "revision": "r23630-842932a63d",
                "target": "ipq806x/generic",
                "description": "OpenWrt 23.05.2 r23630-842932a63d"
        }
}

Thank you.

Typically it is

meta l4proto {tcp,udp} th dport . th sport {0-65535 . 6881-6889 , 6881-6889 . 0-65535}

i.e. either end port in 6881-6889

Yeah that might work, I can simply add this to the protocol mapping:

6 6881 BitTorrent
6 6882 BitTorrent
6 6883 BitTorrent
6 6884 BitTorrent
6 6885 BitTorrent
6 6886 BitTorrent
6 6887 BitTorrent
6 6888 BitTorrent
6 6889 BitTorrent
6 6969 BitTorrent
17 6881 BitTorrent
17 6882 BitTorrent
17 6883 BitTorrent
17 6884 BitTorrent
17 6885 BitTorrent
17 6886 BitTorrent
17 6887 BitTorrent
17 6888 BitTorrent
17 6889 BitTorrent
17 6969 BitTorrent

However, torrents also run under DHT and it seems to be able to use any random UDP port.

I was looking for a more reliable way of identifying it. :frowning:

I think to do this well would take a fair amount of time.

There are some academic papers reflecting classification attempts.

https://www.semanticscholar.org/paper/BitTorrent-Traffic-Classification-Dinh/13e569461c4c4cf2ec4c5380dc094c15866266f4

https://scholarworks.sjsu.edu/cgi/viewcontent.cgi?article=1249&context=etd_projects

http://caia.swin.edu.au/reports/091022A/CAIA-TR-091022A.pdf

https://www.researchgate.net/publication/221081885_Rapid_Identification_of_BitTorrent_traffic

One could presumably implement a classifier in nftables - potentially using an existing algorithm like the ones adopted in the research papers above.

1 Like
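As an added example (not code from the thread, OpenWrt or nlbwmon), here is a small Python classifier that combines the port table posted above with two payload signatures: the BEP 3 peer-wire handshake on TCP and the BEP 5 KRPC (DHT) message structure on UDP. It is meant to show concretely why the port mapping alone misses DHT on random UDP ports, and what a per-MAC byte total would look like once a classifier exists. The flow records, MAC addresses, ports and byte counts are constructed; the field names (`mac`, `proto`, `sport`, `dport`, `payload`, `bytes`) are an assumption of this example, as is the idea of having the first payload bytes of each flow available.

```python
"""Added example (not from the thread, OpenWrt or nlbwmon): classify per-MAC
flows as BitTorrent using the thread's port table plus two payload signatures,
so that DHT traffic on random UDP ports is still caught."""
from collections import defaultdict

# Port table as posted in the thread: nlbwmon maps (IP protocol, port) -> name.
PORT_TABLE = {}
for proto in (6, 17):                      # 6 = TCP, 17 = UDP
    for port in list(range(6881, 6890)) + [6969]:
        PORT_TABLE[(proto, port)] = "BitTorrent"

# Peer-wire handshake prefix (BEP 3): pstrlen 19 followed by "BitTorrent protocol".
HANDSHAKE = b"\x13BitTorrent protocol"


def bdecode(data, i=0):
    """Decode one bencoded value starting at offset i -> (value, next_offset).
    Raises ValueError on malformed or truncated input."""
    c = data[i:i + 1]
    if c == b"i":                                    # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c == b"l":                                    # list: l<values>e
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            value, i = bdecode(data, i)
            items.append(value)
        return items, i + 1
    if c == b"d":                                    # dict: d<key><value>...e
        result, i = {}, i + 1
        while data[i:i + 1] != b"e":
            key, i = bdecode(data, i)
            value, i = bdecode(data, i)
            result[key] = value
        return result, i + 1
    if c.isdigit():                                  # byte string: <len>:<bytes>
        colon = data.index(b":", i)
        length = int(data[i:colon])
        start = colon + 1
        if start + length > len(data):
            raise ValueError("truncated string at offset %d" % i)
        return data[start:start + length], start + length
    raise ValueError("malformed bencode at offset %d" % i)


def is_krpc(payload):
    """True if payload is one complete KRPC (DHT) message: a bencoded dict with a
    transaction id 't' and a 'y' of q (query), r (response) or e (error) (BEP 5)."""
    try:
        msg, end = bdecode(payload)
    except (ValueError, IndexError, RecursionError):
        return False
    return (end == len(payload) and isinstance(msg, dict)
            and b"t" in msg and msg.get(b"y") in (b"q", b"r", b"e"))


def classify_port(proto, sport, dport):
    """The thread's approach: either end port in the mapping."""
    return PORT_TABLE.get((proto, sport)) or PORT_TABLE.get((proto, dport))


def classify_payload(proto, payload):
    """Signature match on the first bytes of the flow; independent of ports."""
    if proto == 6 and payload.startswith(HANDSHAKE):
        return "BitTorrent"
    if proto == 17 and is_krpc(payload):
        return "BitTorrent-DHT"
    return None


def classify_flow(flow):
    """Payload evidence wins; fall back to the port table; otherwise 'other'."""
    return (classify_payload(flow["proto"], flow["payload"])
            or classify_port(flow["proto"], flow["sport"], flow["dport"])
            or "other")


def bytes_by_mac(flows):
    """Sum bytes per (source MAC, label): the per-MAC view the thread asks for."""
    totals = defaultdict(lambda: defaultdict(int))
    for flow in flows:
        totals[flow["mac"]][classify_flow(flow)] += flow["bytes"]
    return {mac: dict(labels) for mac, labels in totals.items()}


# Constructed sample flows (MACs, ports and byte counts are made up). The DHT
# payload is the ping query example from BEP 5.
DHT_PING = b"d1:ad2:id20:abcdefghij0123456789e1:q4:ping1:t2:aa1:y1:qe"
SAMPLE_FLOWS = [
    {"mac": "aa:bb:cc:00:00:01", "proto": 6, "sport": 51234, "dport": 6881,
     "payload": HANDSHAKE + bytes(48), "bytes": 5_000_000},      # handshake + port
    {"mac": "aa:bb:cc:00:00:01", "proto": 17, "sport": 42000, "dport": 41111,
     "payload": DHT_PING, "bytes": 300},                          # DHT on random ports
    {"mac": "aa:bb:cc:00:00:02", "proto": 6, "sport": 50001, "dport": 443,
     "payload": b"\x16\x03\x01\x00\x05hello", "bytes": 120_000},  # TLS, not torrent
    {"mac": "aa:bb:cc:00:00:02", "proto": 17, "sport": 40000, "dport": 6881,
     "payload": bytes(range(16)), "bytes": 4096},                 # port-only evidence
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow["mac"], flow["proto"], flow["dport"], "->", classify_flow(flow))
    print(bytes_by_mac(SAMPLE_FLOWS))
```

The second sample flow is the case the thread worries about: both ports are outside the table, so `classify_port` returns nothing, yet the payload is a well-formed KRPC query and is counted under `BitTorrent-DHT`. The last flow shows the opposite limit of the port table: it is labelled purely because of port 6881, with no payload evidence at all. Encrypted peer connections (MSE/PE) would defeat the handshake signature, which is why the academic classifiers linked above look at flow statistics rather than fixed byte patterns.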

With openwrt no idea. I know IPS/IDS do traffic pattern analysis that can try to detect. I've set up Suricata before as well as used a commercial IPS/IDS to go tracking down users.

But IMO monitoring is never going to be precise. I think bandwidth usage is a reasonable indicator that someone is doing something 'media' related.... Sailing the high seas or not....

Have you considered endpoint monitoring, or a terms of service? The question always becomes how much sway you have over your end users and whether this is to limit liability or letters from people?

1 Like

So, why not use cake with per internal IP fairness enabled? That way a torrenter will only "eat" into his/her own capacity share (more if everybody else sleeps, less when everybody is using the network)... at which point tracking who is torrenting might not be all that urgent anymore?

2 Likes

Yes... I was hoping there was a more or less generic implementation of it already done for OpenWrt, like commercial firewalls have. Thanks for the links.

I've been using nlbwmon for that and while it is helpful to keep an eye on things it doesn't really allow me to pinpoint torrent traffic. There are always machines pulling large games or OS images that end up taking the top place - and I'm perfectly okay with that.

There's some talk about installing Suricata 6 but it doesn't seem like it would work, did you install it on OpenWrt?

ToS already in place and I do have some sway but at some point I did identify large amounts of traffic from a machine and iknowwhatyoudownload.com indeed showed a few large 4k movies.

Yes, SQM / cake does work to solve bandwidth issues, this is a 1Gbps connection so not much of a problem usually, but it doesn't solve the liability part.

No. Initially with pfsense, but I found pfsense maddening. It won't let you do link aggregation with inline mode.
I run pairs of inline firewalls on older riverbed gear (cx570, cx770, half width and 12VDC is handy), my bigger setup is dual dell R320's with relay passthrough cards. (one is active at a time, the other is for manual failover purposes)

If you don't have that you can always just run port mirroring....

1 Like

Turris OS has something built on top of suricata IIRC, called pakon, which does part of what you are after. I do not know of a package for OpenWrt proper though...

Well, if you have legal obligations to fulfil, that is a different kettle of fish... but check with a lawyer for your area (assuming you did not do so already) to figure out what exactly you need to do...