BitTorrent

Wireshark supports the BitTorrent protocol. BitTorrent uses a torrent file to download content from the P2P network. Whether the content downloaded through these programs is safe depends on what kind of content is downloaded. Any download can contain Trojans or viruses, so be careful (this recommendation applies to any protocol), especially when downloading an executable file or downloading from unknown torrent URLs. All downloaded files are subjected to a scan. Open the bittorrent.pcapng file in Wireshark and verify in the capture that the content is being downloaded.

The Wireshark BitTorrent dissector is able to decode the entire download process. To see which endpoints appear in this capture, click on Statistics | Endpoints; the Endpoints window will appear:

As shown in the screenshot, Wireshark has obtained the following information:

  1. Filter the protocol, in this case BitTorrent.
  2. Select the IPv4 tab.
  3. In this capture, name resolution is enabled.
  4. The client (192.168.1.101) has downloaded 10744 bytes and the content is coming from different geographical locations. Since the content was downloaded from various sources, it is always advised to scan it before opening it.

Endpoint statistics are a nice Wireshark feature. Endpoints reveal information such as outgoing connections for a given client. In this example, the client is connected to 16 different endpoints spread across different geographical locations. For any suspicious traffic, use the filter option directly in the Endpoints window.
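The same per-endpoint tally can be reproduced outside the GUI. The following is an added example, not code from the book: it counts packets and bytes per IPv4 address for TCP conversations that carry the BitTorrent peer handshake, a simplification of what Wireshark's dissector does. It assumes a classic little-endian pcap with Ethernet framing (not pcapng); the peer addresses, ports and packets in `sample_pcap` are constructed, and only the client address 192.168.1.101 comes from the capture described above.

```python
import socket, struct
from collections import defaultdict

HANDSHAKE = b"\x13BitTorrent protocol"  # pstrlen (19) + pstr opens every peer handshake

def frames(pcap):  # yield raw frames from a classic little-endian pcap in memory
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl = struct.unpack_from("<I", pcap, off + 8)[0]
        yield pcap[off + 16:off + 16 + incl]
        off += 16 + incl

def bt_endpoints(pcap):
    """Per-IPv4 packet/byte counts for TCP conversations that carry a handshake."""
    convs, seen = set(), []
    for f in frames(pcap):
        if len(f) < 54 or f[12:14] != b"\x08\x00" or f[23] != 6:
            continue  # keep Ethernet/IPv4/TCP only
        tcp = 14 + (f[14] & 0x0F) * 4  # honour IPv4 options
        if len(f) < tcp + 20:
            continue  # truncated TCP header
        src, dst = socket.inet_ntoa(f[26:30]), socket.inet_ntoa(f[30:34])
        sport, dport = struct.unpack_from("!HH", f, tcp)
        key = frozenset([(src, sport), (dst, dport)])  # direction-independent
        if f[tcp + (f[tcp + 12] >> 4) * 4:].startswith(HANDSHAKE):
            convs.add(key)
        seen.append((key, src, dst, len(f)))
    stats = defaultdict(lambda: {"packets": 0, "tx": 0, "rx": 0})
    for key, src, dst, n in seen:
        if key in convs:  # count every packet of a flagged conversation
            for ip, field in ((src, "tx"), (dst, "rx")):
                stats[ip]["packets"] += 1
                stats[ip][field] += n
    return dict(stats)

def frame(src, dst, sport, dport, payload):  # constructed frame, checksums zero
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def sample_pcap():  # constructed: client, two peers, one unrelated HTTP flow
    hs = HANDSHAKE + bytes(8) + b"H" * 20 + b"P" * 20  # reserved, info_hash, peer_id
    fs = [frame("192.168.1.101", "203.0.113.10", 51000, 6881, hs),
          frame("203.0.113.10", "192.168.1.101", 6881, 51000, hs),
          frame("203.0.113.10", "192.168.1.101", 6881, 51000, bytes(100)),
          frame("192.168.1.101", "198.51.100.20", 51001, 6881, hs),
          frame("192.168.1.101", "192.0.2.80", 51002, 80, b"GET / HTTP/1.1\r\n\r\n")]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return out + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in fs)
```

Calling `bt_endpoints(sample_pcap())` returns one entry per address seen in a BitTorrent conversation; the HTTP server is left out because its conversation never carries the handshake.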

Note: Wireshark will not notify you of a virus or scan for one; it helps you analyze the virus.
