gregdhayes
newbie
Topic Author
Posts: 47
Joined: Wed Oct 04, 2006 5:35 am
Location: Osgood, IN

Monitoring Downloading

Wed Feb 18, 2009 11:25 pm

We have a backup Verizon DSL line that we sometimes put some of our heavier users on. We occasionally receive notices from Verizon that we have downloaded copyrighted material (TV shows, movies, etc.).

Does anybody know what software they could be using to track this?

Our system is natted (not that it matters) and even when I monitor the connections, none are marked as P2P. Aside from running a network trace 24x7 on every connection, then manually looking at the logs, I don't see how I could find the suspects.

I'm not looking to stop anybody, nor slow anybody down, nor limit people's connections. I simply want a way to monitor usage and so forth. That way when a customer calls requesting a credit for poor service and such, I have data to back me (or them) up.

Sincerely,
 
normis
MikroTik Support
Posts: 26378
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Monitoring Downloading

Thu Feb 19, 2009 3:48 pm

You can't know what your users are downloading. It doesn't have to be P2P traffic. Maybe it's an encrypted RAR archive from a newsgroup? You will never know what was inside it.
 
gregdhayes
newbie
Topic Author
Posts: 47
Joined: Wed Oct 04, 2006 5:35 am
Location: Osgood, IN

Re: Monitoring Downloading

Thu Feb 19, 2009 4:26 pm

If I can't find out what they are downloading, then how is Verizon finding out what they are doing?
 
jonasa
just joined
Posts: 6
Joined: Thu Feb 19, 2009 2:39 pm

Re: Monitoring Downloading

Thu Feb 19, 2009 7:38 pm

They in turn probably get contacted by a company hired by the copyright owner to that movie/song/whatever. I very much doubt that Verizon would be wasting time looking at what people download.

Basically Disney, Sony, etc. hire companies that check on Direct Connect etc. for copyrighted material and then contact the ISP with info about what copyrighted material was downloaded/shared, the timestamp and the IP.
 
gregdhayes
newbie
Topic Author
Posts: 47
Joined: Wed Oct 04, 2006 5:35 am
Location: Osgood, IN

Re: Monitoring Downloading

Thu Feb 19, 2009 8:34 pm

That sucks. I just hope we're never approached to produce information on what somebody has downloaded.

We don't have any software in place that provides that information. Doing a network trace might work, if we happen to be doing one when that particular customer is downloading something.

I'm not a network guru. Just a small WISP providing internet where cable and dsl won't.
 
MyThoughts
Member Candidate
Posts: 218
Joined: Sat Sep 17, 2005 9:07 pm

Re: Monitoring Downloading

Fri Feb 20, 2009 12:18 am

I understand your frustrations, I too am continually expanding and am finding my existing SNMP monitoring very lacking. As a natted system any customers of yours doing illegal or "bad" things on the network will show up as your IP address.

I have been exploring different software packages and setups to facilitate better capacity planning and insight to the who, what, when and where on my network. As a result I have been toying with Netflow (or in RouterOS's case traffic flow), the flow information has the destination/source IPs, port, and amount of traffic being transferred.

With the netflow information being recorded to one of my servers I am able to easily search that database. This would allow you to solve your problem if Verizon came to you and said someone was downloading illegal information: you would ask for the approx. time and the source IP the data was coming from as well as port info if available, do a search on your netflow database and it will give you the internal natted address of who your culprit is. If you use DHCP or some other dynamic method of issuing addresses on your internal network, be aware that you would need logs or a searchable way of matching a name to that internal IP.

Cheers
 
gregdhayes
newbie
Topic Author
Posts: 47
Joined: Wed Oct 04, 2006 5:35 am
Location: Osgood, IN

Re: Monitoring Downloading

Fri Feb 20, 2009 2:32 am

That's an idea I hadn't thought about. I haven't messed with netflow at all. Are you importing the data into a MySQL database?

We are using DHCP. It might cause a few problems, but I could set their IPs to not expire as often. Even still, when they do expire, they usually pick up the same one anyway.

I wish I had the money for all the expensive tools out there like Orion and such. But I don't so I try to make do with free stuff.
 
normis
MikroTik Support
Posts: 26378
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Monitoring Downloading

Fri Feb 20, 2009 9:08 am

Even the "expensive tools" will not help you if it's an encrypted torrent download over the secure TOR network for example.
 
gregdhayes
newbie
Topic Author
Posts: 47
Joined: Wed Oct 04, 2006 5:35 am
Location: Osgood, IN

Re: Monitoring Downloading

Fri Feb 20, 2009 5:33 pm

That is true. However, monitoring the connections now through the connection tab on the firewall page doesn't even show any P2P connection (which is kinda strange). Our main router is using 3.20 on an x86.

Put aside P2P traffic, I'd just like to be able to see who is downloading/uploading the most. That to me is even more important than what they are downloading.
 
gregdhayes
newbie
Topic Author
Posts: 47
Joined: Wed Oct 04, 2006 5:35 am
Location: Osgood, IN

Re: Monitoring Downloading

Fri Feb 20, 2009 7:12 pm

I've got netflow working with Ntop. Which is nice, but how do I get this information to a database so I can search by local IP?
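
Added example, not part of any post in this thread: one way to keep flow records searchable by local IP and to run the lookup MyThoughts describes (remote IP plus approximate time to internal address to customer via the DHCP lease held at that moment). It uses SQLite rather than the MySQL mentioned above; the table and column names, the sample records and the assumption that flows are exported before NAT and already parsed into rows are all constructed for illustration.

```python
import sqlite3

T0 = 1235000000  # constructed epoch base for the sample data
# Constructed flows: (ts_start, ts_end, local_ip, remote_ip, remote_port, bytes_down, bytes_up)
FLOWS = [
    (T0 + 100,  T0 + 700,  "10.0.0.23", "203.0.113.50", 6881, 900_000_000, 40_000_000),
    (T0 + 200,  T0 + 260,  "10.0.0.31", "198.51.100.7",   80,   2_000_000,     50_000),
    (T0 + 5000, T0 + 5600, "10.0.0.23", "203.0.113.50", 6881, 300_000_000, 10_000_000),
]
# Constructed DHCP lease log; 10.0.0.23 changes hands after the first hour.
LEASES = [
    ("10.0.0.23", "aa:bb:cc:00:00:01", "customer-A", T0,        T0 + 3600),
    ("10.0.0.23", "aa:bb:cc:00:00:02", "customer-B", T0 + 3601, T0 + 7200),
    ("10.0.0.31", "aa:bb:cc:00:00:03", "customer-C", T0,        T0 + 7200),
]

def build_db(flows, leases):
    db = sqlite3.connect(":memory:")  # use a file path for a persistent store
    db.executescript("""
        CREATE TABLE flows(ts_start INT, ts_end INT, local_ip TEXT, remote_ip TEXT,
                           remote_port INT, bytes_down INT, bytes_up INT);
        CREATE INDEX flows_remote ON flows(remote_ip, ts_start);
        CREATE INDEX flows_local  ON flows(local_ip, ts_start);
        CREATE TABLE leases(ip TEXT, mac TEXT, customer TEXT, lease_start INT, lease_end INT);
    """)
    db.executemany("INSERT INTO flows VALUES (?,?,?,?,?,?,?)", flows)
    db.executemany("INSERT INTO leases VALUES (?,?,?,?,?)", leases)
    return db

def who_talked_to(db, remote_ip, when, slack=300, remote_port=None):
    """Internal hosts with a flow to remote_ip overlapping when +/- slack seconds,
    resolved to whoever held that lease when the flow started."""
    sql = """SELECT f.local_ip, l.customer, SUM(f.bytes_down + f.bytes_up)
             FROM flows f LEFT JOIN leases l ON l.ip = f.local_ip
                  AND f.ts_start BETWEEN l.lease_start AND l.lease_end
             WHERE f.remote_ip = ? AND f.ts_start <= ? AND f.ts_end >= ?"""
    args = [remote_ip, when + slack, when - slack]
    if remote_port is not None:  # narrow further when the notice includes a port
        sql += " AND f.remote_port = ?"
        args.append(remote_port)
    sql += " GROUP BY f.local_ip, l.customer ORDER BY 3 DESC"
    return db.execute(sql, args).fetchall()

def top_talkers(db, since, until, limit=5):
    """Total bytes per internal IP in a time window, largest first."""
    return db.execute(
        """SELECT local_ip, SUM(bytes_down + bytes_up) FROM flows
           WHERE ts_start >= ? AND ts_start < ?
           GROUP BY local_ip ORDER BY 2 DESC LIMIT ?""", (since, until, limit)).fetchall()
```

The same internal address resolves to a different customer depending on the time asked about, which is why the lease log has to be retained alongside the flows.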
