Peer-to-peer (P2P) networking has changed the way users search for, send, and receive digital information over the Internet. Instead of relying on interactions with centralized servers to upload and download digital content, users now share content directly with other users. While peer-to-peer networking provides new and powerful applications for the legitimate distribution of digital information, it is also being used for many illicit purposes as well.

The goal of this research is to develop a system for detecting and tracking the illicit dissemination of sensitive government information using file sharing applications within a target network, and tracking terrorist cells or criminal organizations that are covertly communicating using VoIP applications.

The TRAPP System is set up on the gateway between a government-owned network and the Internet.
A digital forensic tool was developed using a field-programmable gate array (FPGA)-based embedded software application. The tool is designed to process file transfers using the BitTorrent peer-to-peer protocol and VoIP phone calls made using the Session Initiation Protocol (SIP). The BitTorrent protocol uses a specific lexicon to describe different aspects of the network’s components and functions. The tool searches a network for selected peer-to-peer control messages using payload analysis and compares the unique identifier of the file being shared or phone number being used against a list of known contraband files or phone numbers. If the identifier is found on the list, the control packet is added to a log file for later forensic analysis.

Results show that the FPGA tool processes peer-to-peer packets of interest 92% faster than a software-only configuration and is 99% accurate at capturing and processing BitTorrent Handshake messages under a network traffic load of at least 89.6 Mbps. When SIP is added to the system, the probability of intercept for BitTorrent Handshake messages remains at 99% and the probability of intercept for SIP control packets is 97.6% under a network traffic load of at least 89.6 Mbps, demonstrating that the tool can be expanded to process additional peer-to-peer protocols with minimal impact on overall performance.

This research provides the Air Force and other government agencies with a unique method of detecting and tracking both illicit file sharing and VoIP phone call patterns. This system differs from other methods of tracking illicit file sharing in that it is completely passive, meaning the system transmits absolutely no information into the network being monitored, making it completely invisible to users of the network.

The TRacking and Analysis for Peer-to-Peer (TRAPP) system allows an investigator or system administrator to monitor network traffic in real time for any digital information that meets the user’s definition of contraband being shared using peer-to-peer protocols. The TRAPP system (see figure) is designed to be set up on the gateway between a government-owned network and the Internet. As packets pass through the gateway, copies are sent to the system for analysis. For each packet received, TRAPP inspects the packet to determine if it is a control packet for a peer-to-peer protocol of interest. If the packet is not a peer-to-peer control packet, it is discarded. If the packet is a control packet, the system extracts from the packet’s payload the unique identifier for the data being shared, and attempts to match the identifier against a list of files of interest in the system’s memory. If a match is not made, the packet is discarded. If a match is made, the control packet is recorded in a log file for future analysis.

By designing the system to be completely self-contained on a Virtex II Pro FPGA, the TRAPP system can be easily and inexpensively implemented on any local-area network (LAN), provided the system has access to a spanning port on the LAN gateway. The simplicity of the system and its FPGA-based implementation enable it to run at very high speeds, ensuring a high probability that a packet of interest is successfully intercepted, even when monitoring a heavily utilized network.

This work was done by Major Karl R. Schrader of the Air Force Institute of Technology. For more information, download the Technical Support Package (free white paper) at  under the Information Sciences category. AFRL-0144

This Brief includes a Technical Support Package (TSP).
FPGA-Based System for Tracking Digital Information Transmitted Via Peer-to-Peer Protocols

(reference AFRL-0144) is currently available for download from the TSP library.

Don't have an account? Sign up here.