Get IP address when P2P

noemie · Fri Apr 13, 2018 3:04 pm

Hi!
This is the first time I work on a Mikrotik router. I'm actually a student, and I work on a little French ISP.
My job is to analysed the traffic to see who make p2p (we receive warning letter from “Hadopi”).
(Also, I want to make statistic, like the IP address who is used the most bandwidth)
And to do so, I just want to get the IP address of the client. I just want to get their IP address to then make a script to automatically send an email to him, thanks to the database of our client.
I work in that case since five days, read a lot of MikroTik documentation, install graylog to look at the syslog-ng server log (which it receives from the MikroTik router).

So, here I am : I'm completely lost.

First :
Use a proxy onto the mikroTik (proxylizer), to see the domain name and, why not, make a blacklist ? IDK. And I think it’s not legal… so, I forget it.

Second :
Use Wireshark with sniffer tool on MK to capture all of the traffic. Then read .cap Wireshark packet with TCPDUMP, filter to see p2p, the length of packet (a good indicator to see if the client is actually download something),… But I don’t understand if sniffer tool save file in the MikroTik, despite of the stream option. My MK have not a lot of memory and I have not the permission to use it.

Third :
Maybe “port mirroring” ? Like duplicate all of the traffic to a specific port of the MikroTik router which it will be capture and read by a Linux server with TCPDUMP ?

Thank you for your answer.
And I'm sorry for my bad English! (I’m french, this is why

)

Noémie.

solar77 · Fri Apr 13, 2018 4:15 pm

use L7 rules in mangle to detect P2P traffic (Google is your best friend here)
then action is add source address to a list
then you have a list of internal address that has had P2P traffic. However, depending on your Terms and Condition with your customer, you may not be able to do anything with just P2P traffic. some of the game use p2p and using P2P itself isn't technically against the law.
you can limit connection per Internal IP which will slow down torrent downloading. you can block access to torrent sites.

that's probably all you can do without spending on a proper Layer7 firewall. even that, may P2P traffic will be encrypted and in VPN, which as an ISP, you have to allow.

noemie · Mon Apr 16, 2018 12:29 pm

Hi!

use L7 rules in mangle to detect P2P traffic (Google is your best friend here)
then action is add source address to a list

THANK YOU A LOT!
I succeded! I used this post to manage my filters/rules/L7 firewall : viewtopic.php?t=59234
And by replacing “action=drop” by “action=add src to address list”, I catched the IP address sources, when customer come to a torrent site. I test it, it works.

I will add another thing, to be “sure”, because as you said :

some of the game use p2p and using P2P itself isn't technically against the law.

This thing is a blacklist, get from “University Toulouse 1” here : https://dsi.ut-capitole.fr/blacklists/
And make that when the IP address/domain name match with one of these (on this blacklist), then get the IP address source and finally send email, etc… as I already explained.
I don’t actually know how I can manage it but I think I will use a proxy (proxylizer on mikrotik ?).

even that, may P2P traffic will be encrypted and in VPN, which as an ISP, you have to allow.

If they used a VPN, it’s ok ! We will not receive any letters from Hadopi. It’s cool!

Finally, I just will make the download speed slower than usual for the customer who download illegal things.
I don’t know how actually… but I will work on that !
(maybe block access on that type of website, should be a good idea. I will ask to my boss!

)

I come back to you if I did it!
Thank you for your answer Solar77! You really help me!

Noémie

solar77 · Mon Apr 16, 2018 1:47 pm

Glad you managed to work things out.

Proxy will work for HTTP only. I have tried to get the IP address for the blacklisted website and then just block those IP. IP-Firewall--Address List allows you to create list based on URL and return its IP. that's how I do it but I come to realist many IPs belongs to cloudflare or cludfront and there are a number of sites hosted on the same IP....so this method is not 100% accurate.

As for slowing customers down, you already have their private IP address in a list. I'ts easit to mark connection, then mark packet based on the address list, once you have the packe mark, create a simple queue using PCQ. Reason for using PCQ is that you can limit per IP instead of limiting overall bandwidth of All target IPs.

noemie · Wed Apr 18, 2018 1:04 pm

Glad you managed to work things out.

Proxy will work for HTTP only. I have tried to get the IP address for the blacklisted website and then just block those IP. IP-Firewall--Address List allows you to create list based on URL and return its IP. that's how I do it but I come to realist many IPs belongs to cloudflare or cludfront and there are a number of sites hosted on the same IP....so this method is not 100% accurate.

As for slowing customers down, you already have their private IP address in a list. I'ts easit to mark connection, then mark packet based on the address list, once you have the packe mark, create a simple queue using PCQ. Reason for using PCQ is that you can limit per IP instead of limiting overall bandwidth of All target IPs.

I have tested the proxy solution. I don't managed it with success :/ I always block all http traffic. Well, I abandoned this solution.
By going in an innocent website named torrent... can't remember, not important... the IP address was added to the address list, without doing nothing illegal. So, I think I will not keep this solution.

Now, I think about port mirroring and wireshark.

solar77 · Wed Apr 18, 2018 1:13 pm

this is what I meant:

add address=pirateproxylist.com list=TorrentSite
add address=thepiratebay-proxylist.org list=TorrentSite
add address=torrents.me list=TorrentSite
add address=proxybay.xyz list=TorrentSite
add address=pirateproxy.party list=TorrentSite
add address=thehiddenbay.info list=TorrentSite

the list goes on...

then I get the IP here:

add action=add-src-to-address-list address-list=Torrent_user address-list-timeout=1w chain=prerouting comment=\
    "Add torrent user by Torrent Address List \"TorrentSite\"" connection-state=new dst-address-list=TorrentSite

noemie · Wed Apr 18, 2018 6:00 pm

this is what I meant:

add address=pirateproxylist.com list=TorrentSite
add address=thepiratebay-proxylist.org list=TorrentSite
add address=torrents.me list=TorrentSite
add address=proxybay.xyz list=TorrentSite
add address=pirateproxy.party list=TorrentSite
add address=thehiddenbay.info list=TorrentSite

the list goes on...

then I get the IP here:

add action=add-src-to-address-list address-list=Torrent_user address-list-timeout=1w chain=prerouting comment=\
    "Add torrent user by Torrent Address List \"TorrentSite\"" connection-state=new dst-address-list=TorrentSite

I WILL TRY !!
Thank you

noemie · Wed Apr 18, 2018 6:05 pm

this is what I meant:
Code: Select all
add address=pirateproxylist.com list=TorrentSite
add address=thepiratebay-proxylist.org list=TorrentSite
add address=torrents.me list=TorrentSite
add address=proxybay.xyz list=TorrentSite
add address=pirateproxy.party list=TorrentSite
add address=thehiddenbay.info list=TorrentSite
Where do you enter all of this address ? Because when I try in /ip firewall address-list... it doesn't work

BTW : THANK YOU TO HELPING ME !

Get IP address when P2P

Get IP address when P2P

Re: Get IP address when P2P

Re: Get IP address when P2P

Re: Get IP address when P2P

Re: Get IP address when P2P

Re: Get IP address when P2P

Re: Get IP address when P2P

Re: Get IP address when P2P

Who is online