NetFort Advertising

How to detect Popcorn Time activity on your network

Popcorn Time is a multi platform, open source BitTorrent client which includes an integrated media player. It uses sequential downloading to play media. Torrent pieces are usually downloaded in an optimal order which maximizes speed and benefits to the swarm health. Sequential downloading allows you to download torrent pieces in sequentially order (from the beginning to the end) so it allows you to watch movies instantly.

It has become very popular since been abruptly taken down by its original developers on March 14, 2014 due to pressure from the MPAA. Since then, Popcorn Time has been maintained by other development teams.

Network managers are concerned about its use due to copyright issues and the fact that clients can consume vast amounts of bandwidth. Most people use Popcorn Time on portable devices so it makes it more difficult to track and control on networks.

Deep packet inspection technologies can be used to detect its presence. You need to use a SPAN or TAP and monitor traffic at your networks edge.

In the video below you can see what the application looks like and how it can be detected using network traffic analysis.

In the following example I used LANGuardian to extract certain information (metadata) from network traffic which shows Popcorn Time activity.

Popcorn Time Network Traffic

This screenshot above shows a typical network traffic breakdown for a client running Popcorn Time. This was captured after just a few minutes of video playback and amounts to almost 1GB of data. Most of the data is Bittorrent related with a small amount of web traffic (HTTP).

As well as streaming content via the Bittorrent protocol, the application also downloads other metadata from a number of websites. You can see some of the sites which the application communicates with in the images above. Blocking access to these sites will not stop the Popcorn Time applications. It just means that some images may be missing when users are browsing the app.

When it comes to Popcorn Time use, there are three issues you should consider if you are responsible for the operations and security of a computer network.

  1. Popcorn Time uses the Bittorrent protocol. A lot of the music and movies downloaded using Bittorrent clients are copyrighted. You may receive notifications from your ISP or from another third party if this type of activity is detected.
  2. Bittorrent will consume large amounts of bandwidth. During my tests I had downloaded almost 1GB of data in just a few minutes.If you allow it.
  3. If you allow it, Bittorrent is yet another way for Malware to get into your network.

Download a free trial of LANGuardian if you want to check for Bittorrent use on your network. The Bittorrent decoder is enabled in the trial version.

Darragh Delaney