How to track down Bit Torrent user on my network

I need some help tracking down a bit torrent client on our network. Can someone tell me how to go about doing this. Can I span a port on my cisco switch and monitor traffic via WireShark to find out where the traffic is going? What port(s) do I need to look for. Are there other methods I can use to figure this out? Thanks.
Who is Participating?
TickSoftConnect With a Mentor Commented:
For starters - depending on the torrent software, the Port number can be specified by the user.  So, one way to find out who is on your network downloading 'successfully' is to check the allowed outbound ports on your firewall.  Who has access to that... This should narrow down the search?

You could mirror traffic and run Wireshark on a specific workstation connected to those mirrored enabled ports.  Then within Wireshark you can filter by port numbers.

Are you on a domain?  Domain admin?  If so you could try running a scan on the network - some asset software and sift through the list of programs installed or processes running on everyone's computer.
FIFBAAuthor Commented:
This is on a domain, but things are pretty loose. This event will hopefully change that a bit. So honestly, any traffic originating from inside the firewall will be allowed back in. Can you recommend a good (free) assest auditing program?
subliferConnect With a Mentor Commented:
If you have access to the firewall you should be able to see the IP from there.  Cisco ASA devices, from the ASDM interface has a live traffic monitor although you may have to set it to debug or another level to view non-error-related messages.  On a PIX or from a command line interface you can turn on the debug mode to have the traffic scroll with the command:

debug packet outside  (as long as the outside interface is the default name: "outside")

You can narrow down your search with the command option: dport port_number  

Bit Torrent's default port range is: 6881-6889

Don't forget to turn off debug mode when you're finished by using the same command as before but with the word: no  in front of it. e.g. no debug packet outside
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.