Re: Feature #3086 app_proto for Torrent Traffic


For this feature of fixing the app_proto for torrent traffic which was showing up as “failed”, I’m wondering about the scope.

This seems to only happen for bittorrent dht protocol traffic over UDP, which is on random ports between 1024-65535.

Since this is a new app layer protocol for Suricata, for this ticket do we just want to simply detect this UDP traffic and label the app_proto as ‘bittorrent’/‘bittorrent_dht’ or should other fields e.g. error codes also be extacted and logged from the bittorrent dht protocol? And is it ok to probe for the bittorrent dht protocol on all ports between 1024-65535 by default?


I think adding “just” protocol detection is fine, although doing a full parser is of course even nicer :slight_smile:

I don’t know much about BT, so not sure what detection should look like. In general the ProbingParser is a bit of a last resort effort as its a bit of code running on a packet each flow, so potentially its expensive, esp if we’d have multiple probing parsers.

We’d be happy to test an implementation and submit it to some trex testing so we know exactly how expensive it is.