Can Current Packet Analysis Software Detect BitTORRENT Activity or Extract Files From BTP and uTP Traffic Streams?

Document Type: Conference Proceeding

Dr Andrew Woodward and Professor Craig Valli

Faculty of Computing, Health and Science

School of Computer and Security Science / Security Research Centre (secAU)


Pung, W., & Woodward, A. J. (2011). Can Current Packet Analysis Software Detect BitTORRENT Activity or Extract Files From BTP and uTP Traffic Streams? Paper presented at the 9th Australian Digital Forensics Conference, Citigate Hotel, Perth, Western Australia.


BitTorrent is a peer-to-peer file sharing protocol used to exchange files over the internet, and is used for both legal and illegal activity. Newer BitTorrent client programs use proprietary UDP-based protocols as well as TCP to transmit traffic, and also have the option of encrypting that traffic. This network forensic research examined a number of packet analysis programs to determine whether they could detect such traffic from packet captures of a complete file transmitted using one of four protocol options. The four states examined were: TCP without encryption, TCP with encryption, μTP without encryption and μTP with encryption, and the six programs investigated were: Network Miner, Tcpxtract, Honeysnap, OpenDPI, Netwitness Investigator and SPID. Of the six programs investigated, none was able to fully reconstruct a file, and most were not even able to detect that the traffic related to BitTorrent usage. The Netwitness Investigator program was able to extract the announce and scrape files. The signature-based SPID was able to partly match TCP-based torrent traffic, but could not identify μTP traffic. The conclusion is that until new tools are developed, forensic investigators must continue to rely on artifacts created by the BitTorrent clients themselves in order to locate evidence in the event that a crime has been alleged.


