picoCTF 2022 Write-up: TorrentAnalyze | by Nisarg Suthar

This write-up covers the analysis of a network capture (PCAP) to identify the specific file downloaded via the BitTorrent protocol, a common task in CTF challenges such as the picoCTF 2022 TorrentAnalyze challenge.

1. Analyze the BitTorrent Protocol

BitTorrent is a decentralized peer-to-peer (P2P) protocol in which users join a "swarm" to share a file. When a user starts a download they become a peer that both downloads and uploads pieces of the file, so the capture contains fragments exchanged with many peers rather than one labelled file transfer. To identify what is being downloaded from a network capture you must look for the info_hash: the SHA-1 hash of the torrent's "info" dictionary, a 20-byte value that uniquely identifies the torrent and that peers, trackers and the DHT all key on.

2. Extract the Info Hash

Filenames are generally not transmitted in plain text within the BitTorrent traffic itself, so you must extract the info_hash from the handshake packets:

Open the capture file in a tool like Wireshark.
Filter for BitTorrent traffic (display filter: bittorrent).
Locate a BitTorrent Handshake message; each side of a peer connection sends one as the first thing on the TCP stream.
In the packet details, find the info_hash field (Wireshark labels it "SHA1 Hash of info dictionary"): a 20-byte value displayed as a 40-character hex string.

3. Identify the Filename

Search the hash on torrent indexing sites or DHT (Distributed Hash Table) crawlers. Once you have the info_hash, these external databases map it back to a specific torrent metadata file; the write-up's example is a listing of the form "Download File DODI_READDED_IT.torrent". In the case of this capture, or of similar repack naming conventions, the hash leads you to the metadata containing the original filename (the "name" key of the info dictionary), such as DODI_REPACKS_IT.torrent or the name of the specific software being downloaded.

4. Technical Summary

Protocol: BitTorrent (P2P)
Key identifier: info_hash (SHA-1 of the info dictionary, 20 bytes / 40 hex characters)
Common mistake: looking for the filename directly in the PCAP; it is usually only found by resolving the hash externally.
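The following added example (my code, not from Nisarg Suthar's write-up or the picoCTF challenge) shows both halves of the procedure in Python: parsing the 68-byte BitTorrent handshake to pull out the 20-byte info_hash, and hashing the raw "info" dictionary of a resolved .torrent file to confirm it is the same torrent the peer was exchanging. That second step is the check you want before trusting an indexer's result, since indexers can return a different torrent with a similar name. The sample torrent, handshake bytes, peer_id and tracker URL are all constructed here for the demo.

```python
"""Parse a BitTorrent handshake and verify a .torrent's info_hash against it.

Added example, not code from the original write-up. Handshake layout per BEP 3:
<pstrlen=19><"BitTorrent protocol"><8 reserved bytes><20-byte info_hash><20-byte peer_id>.
All sample bytes below are constructed for the demo, not captured from a real swarm.
"""
import hashlib

PSTR = b"BitTorrent protocol"
HANDSHAKE_LEN = 1 + len(PSTR) + 8 + 20 + 20  # 68 bytes


def parse_handshake(payload: bytes):
    """Return the handshake fields, or None if the payload is not a handshake.

    The handshake is the first 68 bytes sent by either side of a peer TCP
    connection; the info_hash occupies bytes 28..47 and is returned hex-encoded,
    which is the form torrent indexers and DHT crawlers accept.
    """
    if len(payload) < HANDSHAKE_LEN:
        return None
    if payload[0] != len(PSTR) or payload[1:20] != PSTR:
        return None
    return {
        "reserved": payload[20:28],
        "info_hash": payload[28:48].hex(),
        "peer_id": payload[48:68],
    }


def bencode(obj) -> bytes:
    """Minimal bencoder (ints, byte strings, lists, dicts with sorted keys)."""
    if isinstance(obj, bool):
        raise TypeError("bencode has no boolean type")
    if isinstance(obj, int):
        return b"i%de" % obj
    if isinstance(obj, str):
        obj = obj.encode()
    if isinstance(obj, bytes):
        return b"%d:%s" % (len(obj), obj)
    if isinstance(obj, list):
        return b"l" + b"".join(bencode(v) for v in obj) + b"e"
    if isinstance(obj, dict):
        items = sorted((k.encode() if isinstance(k, str) else k, v) for k, v in obj.items())
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in items) + b"e"
    raise TypeError("unsupported type: %r" % type(obj))


def bdecode(data: bytes, i: int = 0):
    """Decode one bencoded value starting at offset i; return (value, next_offset)."""
    c = data[i:i + 1]
    if c == b"i":
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c == b"l":
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            v, i = bdecode(data, i)
            items.append(v)
        return items, i + 1
    if c == b"d":
        d, i = {}, i + 1
        while data[i:i + 1] != b"e":
            k, i = bdecode(data, i)
            v, i = bdecode(data, i)
            d[k] = v
        return d, i + 1
    if c.isdigit():
        colon = data.index(b":", i)
        n = int(data[i:colon])
        return data[colon + 1:colon + 1 + n], colon + 1 + n
    raise ValueError("malformed bencode at offset %d" % i)


def info_hash_of_torrent(torrent: bytes) -> str:
    """SHA-1 over the raw bencoded 'info' dictionary of a .torrent file.

    The hash covers the bytes exactly as stored in the file, so the original
    buffer is sliced rather than re-encoding the decoded dictionary.
    """
    if torrent[:1] != b"d":
        raise ValueError("not a bencoded dictionary")
    i = 1
    while torrent[i:i + 1] != b"e":
        key, i = bdecode(torrent, i)
        start = i
        _, i = bdecode(torrent, i)
        if key == b"info":
            return hashlib.sha1(torrent[start:i]).hexdigest()
    raise ValueError("torrent has no info dictionary")


def torrent_matches_capture(handshake_payload: bytes, torrent: bytes) -> bool:
    """True when the .torrent resolved from an indexer is the one seen on the wire."""
    hs = parse_handshake(handshake_payload)
    return hs is not None and hs["info_hash"] == info_hash_of_torrent(torrent)


# --- constructed sample data (hypothetical file name, tracker and peer_id) ---
SAMPLE_INFO = {
    "name": "example-image.iso",       # the field that answers "what file was downloaded?"
    "piece length": 262144,
    "length": 1048576,
    "pieces": b"\x11" * 20 * 4,        # four fake 20-byte piece hashes
}
SAMPLE_TORRENT = bencode({"announce": "http://tracker.example/announce", "info": SAMPLE_INFO})
SAMPLE_INFO_HASH = hashlib.sha1(bencode(SAMPLE_INFO)).digest()
SAMPLE_HANDSHAKE = bytes([len(PSTR)]) + PSTR + b"\x00" * 8 + SAMPLE_INFO_HASH + b"-PY0001-" + b"\x00" * 12

if __name__ == "__main__":
    hs = parse_handshake(SAMPLE_HANDSHAKE)
    print("captured info_hash:", hs["info_hash"])
    print("torrent info_hash: ", info_hash_of_torrent(SAMPLE_TORRENT))
    print("match:", torrent_matches_capture(SAMPLE_HANDSHAKE, SAMPLE_TORRENT))
```

To apply this to a real capture, follow the TCP stream of a bittorrent-filtered connection in Wireshark, save the first 68 bytes of either direction as raw bytes and feed them to parse_handshake; then pass the .torrent you downloaded from the indexer to torrent_matches_capture. A False result means the indexer gave you a different torrent, however similar its name.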