
sniff: Enhance BitTorrent detection with 11 protocol-aware sniffers#3801

Closed
spaiter wants to merge 1 commit into SagerNet:dev-next from spaiter:sniff/enhanced-bittorrent-detection

Conversation


@spaiter spaiter commented Feb 15, 2026

Summary

  • Replace the 3 basic BitTorrent sniffers (BitTorrent, UTP, UDPTracker) with comprehensive, hardened detection logic ported from a standalone DPI project with 99.5%+ accuracy
  • Add 8 new sniffers: BitTorrentMSE (encrypted streams), BitTorrentMessage (TCP message structure), BitTorrentFAST (BEP 6), BitTorrentExtended (BEP 10), BitTorrentHTTP (WebSeed/UA detection), BitTorrentSignature (pattern matching), BitTorrentDHTPacket (bencode DHT), BitTorrentLSD (Local Service Discovery)
  • Add robust false positive rejection for STUN, DHCP, DTLS, WireGuard, DNS, CAPWAP, AFS RX, SSH, and VoIP protocols in UTP and UDPTracker
  • Add signature database with 40+ byte patterns and 60+ peer ID prefixes in new bittorrent_signatures.go
  • Register all new sniffers in both explicit protocol selection (rule_action.go) and default sniffer lists (route.go)

Details

Enhanced existing sniffers

  • UTP: Validates connection ID, window size, timestamp_diff; rejects DHCP (magic cookie), STUN (RFC 5389 + 3489), DTLS, WireGuard handshakes, VoIP/messaging protocols (Zoom, Telegram, WhatsApp patterns)
  • UDPTracker: Validates connection_id non-zero/non-magic, peer ID prefixes, info_hash validity, trailing zero rejection; rejects DNS queries/responses, CAPWAP, DTLS, AFS RX protocol

New TCP stream sniffers

  • BitTorrentMSE: 4-phase detection of Message Stream Encryption — distinct-byte pre-check → Shannon entropy → Verification Constant scan → crypto field validation
  • BitTorrentMessage: Validates BT message structure (length + ID) with per-type size validation; rejects SSH encrypted packets and MSDO control messages
  • BitTorrentFAST: BEP 6 message IDs 13-17 with exact length matching
  • BitTorrentExtended: BEP 10 message ID 20 with bencode dict detection
  • BitTorrentHTTP: WebSeed, Bitcomet, known User-Agent strings with Shareaza/Gnutella exclusion
  • BitTorrentSignature: Fast pattern matching against 40+ known BT signatures

New UDP packet sniffers

  • BitTorrentDHTPacket: Bencode dictionary validation with DHT method names, transaction IDs, node list structure (26/38 bytes per IPv4/IPv6 node)
  • BitTorrentLSD: Multicast address detection (239.192.152.143:6771) and BT-SEARCH payload matching
  • BitTorrentSignaturePacket: Same signature database applied to UDP packets

Test plan

  • go vet ./common/sniff/ — clean
  • go test ./common/sniff/ — 44 tests pass (22 new tests for false positive rejection + new detectors)
  • go build -tags "with_gvisor,with_quic,with_wireguard,with_utls,with_acme,with_clash_api" ./cmd/sing-box — compiles
  • go test ./route/rule — no regressions

🤖 Generated with Claude Code
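The UTP false-positive rejection the description lists (DHCP magic cookie, STUN magic cookie, window size and timestamp_diff checks), as an added Go example that is not the PR's own code. The receive-window bound and the "SYN carries timestamp_diff 0" rule are assumptions of this example, not taken from the PR; the sample packets are constructed.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// uTP header (BEP 29): type/version byte, extension byte, connection_id,
// timestamp, timestamp_diff, wnd_size, seq_nr, ack_nr = 20 bytes.
const (
	utpTypeSyn   = 4  // highest valid packet type (ST_DATA..ST_SYN)
	utpHeaderLen = 20
	stunCookie   = 0x2112A442 // RFC 5389 magic cookie, at offset 4
	dhcpCookie   = 0x63825363 // RFC 2131 magic cookie, at offset 236
	dhcpCookieAt = 236
	maxWindow    = 1 << 24 // assumed sanity bound on wnd_size (not from the PR)
)

// SniffUTP reports whether packet is plausibly a uTP datagram, rejecting
// STUN and DHCP headers whose first bytes also parse as a valid uTP header.
func SniffUTP(packet []byte) bool {
	if len(packet) < utpHeaderLen {
		return false
	}
	typ, ver := packet[0]>>4, packet[0]&0x0F
	if ver != 1 || typ > utpTypeSyn || packet[1] > 2 {
		return false // unknown version, packet type or extension id
	}
	// A STUN binding response starts 0x01 0x01, i.e. ST_DATA v1 with the
	// selective-ACK extension; its magic cookie sits where uTP keeps timestamp.
	if binary.BigEndian.Uint32(packet[4:8]) == stunCookie {
		return false
	}
	// DHCP op=1/htype=1 parses the same way; its cookie sits at offset 236.
	if len(packet) >= dhcpCookieAt+4 &&
		binary.BigEndian.Uint32(packet[dhcpCookieAt:dhcpCookieAt+4]) == dhcpCookie {
		return false
	}
	if binary.BigEndian.Uint32(packet[12:16]) > maxWindow {
		return false
	}
	// Assumption: a SYN opens the connection, so it has no reply delay to report.
	if typ == utpTypeSyn && binary.BigEndian.Uint32(packet[8:12]) != 0 {
		return false
	}
	return true
}

func main() {
	// Constructed ST_SYN v1: conn_id 0x1234, timestamp 1, wnd 1 MiB, seq_nr 1.
	syn := []byte{0x41, 0, 0x12, 0x34, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0x10, 0, 0, 0, 1, 0, 0}
	fmt.Println(SniffUTP(syn))
}
```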

Replace the 3 basic BitTorrent sniffers with comprehensive detection
covering encrypted streams (MSE/PE), DHT, LSD, FAST/Extended protocol,
HTTP-based BT, and signature matching. Add robust false positive
rejection for STUN, DHCP, DTLS, WireGuard, DNS, CAPWAP, AFS RX,
SSH, and VoIP protocols.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@spaiter spaiter closed this by deleting the head repository Feb 15, 2026
