PeerBlock shows LOTS of uTorrent port activity while no peers

[jpgreen3]

This morning I checked uTorrent activity and found that uTorrent reported that nothing was seeding, an unusual status. (No downloads were active either) I checked my "Seeds" group, and uTorrent reported that it was connected to no peers for any torrent in Seeding status.

I use Peerblock, which was logging lots of activity to and from the uTorrent port, which I have opened in my Symantec hosts firewall, and port forwarded to this computer in my Linksys internet connection router / firewall.

The activity logged by Peerblock ceased when I closed uTorrent.

As a test, I restarted uTorrent and stopped all torrents, verifying that the All Torrents showed statuses of either Finished or Stopped. All RSS feeds were also disabled. I again restarted uTorrent with all torrents and RSS feeds inactive, and Peerblock immediately showed a renewal of activity to and from the uTorrent port - between 5-10 log entries per second.

I'm running v2 Build 18296.

Any idea what could be happening? Clearly, I don't want to run uTorrent if it has been hijacked by some botnet.

[DreadWingKnight]

What type of traffic is it logging?

[jpgreen3]

I've checked FAQs and the Forum, and didn't see anything that looked relevant.

I ran a two-minute timed test of uTorrent, and have the PeerBlock log segment available for review. It resulted in a 42kB file consisting mainly of UDP activity with the source IP:Port indicating my host IP address and what I've configured as the uTorrent incoming connection port (55448). A distinct minority of the records show the same IP:Port as the destination. This activity in the log started and stopped with uTorrent. I have screen shots showing that there were no active torrents or RSS feeds within this interval, and can similarly document the incoming connection port configuration screen.

Is it safe to assume that uTorrent will initiate no network activity on behalf of torrents in Stopped, Finished or Error status?

I'll be happy to provide other documentation that might be useful.

[DreadWingKnight]

Do you have DHT enabled?

And why are you trusting peerblock to protect you from ANYTHING?

[jpgreen3]

I do have DHT enabled. As for PeerBlock . . .

[DreadWingKnight]

DHT being enabled is enough to cause the UDP traffic you're seeing.

[Switeck]

DHT working as designed...

[jpgreen3]

Thanks for the clarification. I ran a test with all of the Basic BitTorrent Features on the BitTorrent tab unchecked, and (after altering the uTorrent port) all the extraneous traffic went away.

To my way of thinking, when uTorrent is hosting no active torrents, there should be no network traffic except for polling for RSS and software updates. I've not been able to find a clear description of how Peer Exchange and DHT work and what information they share which would enable me to understand why there is traffic in the presence of no active torrents.

[DreadWingKnight]

DHT doesn't restrict its "tracking" to torrents you have running on your system

In fact, you may have never run a torrent at all and you'd still end up with DHT traffic for torrents.

It's a function of that protocol.

[Switeck]

Peer Exchange trades lists of peer/seed ips with the peers/seeds you're connected to on a public torrent.

[Firon]

DHT is a separate overlay network that is always active. It's just how it works. Skype's the same, it is always active even when you aren't using it.

http://en.wikipedia.org/wiki/Distributed_hash_table

[jpgreen3]

This information has been helpful. I see how the concept of an "overlay network" and the related peer-to-peer traffic is necessary in support of a "distributed tracker" function that supports the whole BitTorrent community. Thanks for your support.