ntop / ntopng

Web-based Traffic and Security Network Traffic Monitoring
http://www.ntop.org
GNU General Public License v3.0

Not able to block P2P traffic #434

Closed jahanzeb-arshad closed 8 years ago

jahanzeb-arshad commented 8 years ago

I am trying to block P2P/Torrent traffic for our enterprise network. I have blocked the BitTorrent protocol and the flows interface shows that BitTorrent is being blocked. But I am still able to download via torrents. The flows interface shows this traffic as Unknown.

lucaderi commented 8 years ago

Please report the ntopng version (are you using the latest 7.3.x version?) and setup to reproduce the issue. Note that flows are detected at start, so if there is an intermediate flow we cannot detect it.
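The "detected at start" behaviour described above is the key to the whole thread: a dissector that decides on the first packets of a flow cannot label a flow whose beginning it never saw, and a policy that only matches known labels will let that flow through as Unknown. The following is an added, simplified model written for this thread, not ntopng or nDPI code. It assumes a hypothetical `Packet` record and a constructed `MAX_GUESS_PACKETS` budget; the only real protocol fact it uses is the BitTorrent peer-wire handshake prefix (`\x13BitTorrent protocol`).

```python
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical packet record (constructed for this example; not an ntopng/nDPI type).
@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes

@dataclass
class FlowState:
    label: str = "Unknown"   # provisional until the dissector decides
    seen: int = 0            # packets inspected so far
    final: bool = False      # True once the verdict will no longer change

# Real BitTorrent peer-wire handshake: <pstrlen=19><"BitTorrent protocol">...
BT_HANDSHAKE = b"\x13BitTorrent protocol"
# Constructed value: after this many undecided packets the flow is frozen as Unknown.
MAX_GUESS_PACKETS = 8

def flow_key(p: Packet):
    """Direction-independent 5-tuple key so both halves of a TCP conversation share state."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)

def dissect(payload: bytes):
    """Toy dissector: only recognises the handshake that opens a BitTorrent session."""
    if payload.startswith(BT_HANDSHAKE):
        return "BitTorrent"
    return None

class FlowStartClassifier:
    """Models start-of-flow detection: the label is fixed once, from the first packets."""
    def __init__(self):
        self.flows = defaultdict(FlowState)

    def process(self, p: Packet) -> str:
        st = self.flows[flow_key(p)]
        if st.final:
            return st.label
        st.seen += 1
        proto = dissect(p.payload)
        if proto:
            st.label, st.final = proto, True
        elif st.seen >= MAX_GUESS_PACKETS:
            st.final = True      # stays Unknown: the identifying bytes never arrived
        return st.label

def policy(label: str, blacklist) -> str:
    """A label-based blocklist, like the blacklisted-protocols list in the thread."""
    return "blocked" if label in blacklist else "allowed"

def run_demo():
    """Two constructed flows: one seen from its handshake, one already in mid-transfer."""
    blacklist = {"BitTorrent", "eDonkey", "Gnutella"}
    clf = FlowStartClassifier()
    # A piece-transfer message (length-prefixed, id 7) is what a flow looks like mid-stream.
    piece_msg = b"\x00\x00\x00\x0d\x07" + b"\x00" * 8
    new_flow = [Packet("10.0.0.5", 51000, "203.0.113.9", 6881, BT_HANDSHAKE + b"\x00" * 48)]
    new_flow += [Packet("10.0.0.5", 51000, "203.0.113.9", 6881, piece_msg)] * 3
    # Flow that began before monitoring started: the handshake was never captured.
    old_flow = [Packet("10.0.0.7", 52000, "198.51.100.4", 6881, piece_msg)] * 10

    results = {}
    for name, pkts in (("new_flow", new_flow), ("old_flow", old_flow)):
        label = None
        for p in pkts:
            label = clf.process(p)
        results[name] = (label, policy(label, blacklist))
    return results

if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(name, verdict)
```

The first flow is labelled and blocked because its handshake was observed; the second, which was already transferring pieces when capture began, is frozen as Unknown after the guess budget and passes the blocklist. That is exactly the symptom reported here, and it is why a pcap containing the full start of each flow is what the developers ask for.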

jahanzeb-arshad commented 8 years ago

The ntop version being used is "2.2.160229 - Professional Edition". To reproduce, configure the ntop service to use bridge interfaces. Pass the traffic of the end machine via the bridge interfaces. Use the BitTorrent client Transmission to download the CentOS torrent.

jahanzeb-arshad commented 8 years ago

Just to add to the info, following is the screenshot of the torrent peers and their relevant protocols being used.

screenshot from 2016-03-14 10-44-06

lucaderi commented 8 years ago

How did you configure the filtering rules? Are the flows you mention detected as BitTorrent?

jahanzeb-arshad commented 8 years ago

Under the Main menu Interface I select the bridge interface through which my traffic is passing. Under the Traffic Filtering tab I add my LAN network to the filter. Then from the whitelisted protocols I selected AppleJuice, BitTorrent, Filetopia, Gnutella, IRC, TOR, eDonkey and moved them to Blacklisted.

The flows information shows that the traffic passing through is unknown.

screenshot from 2016-03-16 14-08-58

simonemainardi commented 8 years ago

Thanks for the screenshot. It looks like not all the BitTorrent flows are properly recognized as such. Any chance you can post a pcap with BitTorrent traffic so we can try and reproduce? @kYroL01 may want to have a look at the nDPI engine.

lucaderi commented 8 years ago

@jahanzeb-arshad The flows with a strike-through are blocked; the others are not. So we need to enhance our nDPI mechanism as @simonemainardi said. Please create one pcap with full packets per protocol. For example, you start with protocol X and create an x.pcap, then protocol Y and create a y.pcap. Then file a bug under the nDPI component (not ntopng) posting the pcap and the issue. Please, one pcap per issue. Thanks.

kYroL01 commented 8 years ago

@simonemainardi Definitely a P2P check of the protocol dissectors is needed. There are other issues in nDPI that evidence that. Please @jahanzeb-arshad follow the instructions of @lucaderi. Thanks a lot.