BITTORRENT - BitTorrent Traffic
- Last Updated: April 5, 2026
- Flowmon Products
- Flowmon Anomaly Detection System
- Documentation
Method description
This method detects P2P networks of the BitTorrent type. It is based on behavioral analysis of flow data and on heuristics that look for specific manifestations of P2P networks. The incidents detected by the individual heuristics are then compared, and an event is generated if BitTorrent traffic is detected by multiple heuristics. The MinimalProbability option sets the minimal percentage of heuristics that have to detect the incident. This makes it possible to detect almost any BitTorrent client. The LANFilter parameter reduces possible false positives by excluding internal network communication from detection. The other parameters are MinSeeds and MinHighPorts, which set the minimal count of remote peer sources the data is downloaded from and the minimal count of connections on ports higher than 10240.
This method consists of the following submethod:
- General: Reports the usage of the BitTorrent protocol in the network.
Method configuration
It is useful to activate this method network-wide for all traffic on the network, regardless of the IP addresses excluded from communications on the LAN by the LANFilter option. The recommended place for the monitoring of the traffic is the Internet connection line.
Method parameters
- LANFilter: Name of the filter that defines the IP addresses in the monitored network. The communication between these devices is ignored within this detection method for the improvement of the false positive ratio.
- MinSeeds: Minimal count of devices used as a source for a file download.
- MinHighPorts: Minimal count of connections on the ports greater than 10240.
- MinimalProbability: The probability of downloading using the BitTorrent service is evaluated during the detection. The evaluation is based on the results of partial methods. The parameter expresses the minimal probability to report the event.
Assigned filter
The filter is used for restricting the source IP addresses.
Interpretation of results
This method achieves very reliable results in the detection of notorious P2P downloaders. On the other hand, incidental and occasional use of a P2P network may not be detected, especially when the method is configured with strict parameter values. Furthermore, this method may alert on spyware-infected devices, whose behavior is often similar to that of P2P networks.
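The following Python sketch is an added illustration, not Flowmon's code or algorithm: it shows how the four parameters described above could interact when several heuristics vote on constructed flow records. The record layout, the three stand-in heuristics and the sample addresses are assumptions.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Constructed flow record: local host, remote peer, remote port, bytes received.
Flow = namedtuple("Flow", "src dst dport bytes_in")

def evaluate(host, flows, lan_filter, min_seeds, min_high_ports, minimal_probability):
    """Return (probability_percent, event_raised) for one monitored host."""
    lan = [ip_network(n) for n in lan_filter]

    def internal(ip):
        return any(ip_address(ip) in net for net in lan)

    # LANFilter: ignore communication between devices inside the monitored network.
    ext = [f for f in flows if f.src == host and not internal(f.dst)]
    seeds = {f.dst for f in ext if f.bytes_in > 0}        # remote sources of data
    high_ports = sum(1 for f in ext if f.dport > 10240)   # connections on ports > 10240

    # Stand-in heuristics (assumptions, not the product's); each casts one vote.
    votes = [
        len(seeds) >= min_seeds,
        high_ports >= min_high_ports,
        any(6881 <= f.dport <= 6889 for f in ext),  # conventional BitTorrent port range
    ]
    probability = 100 * sum(votes) // len(votes)
    # MinimalProbability: minimal share of heuristics that must agree to report.
    return probability, probability >= minimal_probability

def sample_flows():
    """Constructed data: 10.0.0.5 downloads from 12 external peers on high ports;
    10.0.0.7 shows the same fan-out pattern, but only towards internal hosts."""
    flows = [Flow("10.0.0.5", f"198.51.100.{i}", 20000 + i, 50_000) for i in range(1, 13)]
    flows += [Flow("10.0.0.7", f"10.0.1.{i}", 49152 + i, 80_000) for i in range(1, 13)]
    flows.append(Flow("10.0.0.7", "203.0.113.10", 443, 120_000))
    return flows

if __name__ == "__main__":
    params = dict(lan_filter=["10.0.0.0/8"], min_seeds=10, min_high_ports=10,
                  minimal_probability=60)
    for h in ("10.0.0.5", "10.0.0.7"):
        print(h, evaluate(h, sample_flows(), **params))
```

Running it with an empty `lan_filter` flags the internal-only host as well, and raising `minimal_probability` to 100 suppresses the event for the external downloader, which mirrors the trade-off described under Interpretation of results.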