What does Syncthing network traffic look like

Hi forum,

assume Syncthing is used in a company via the company’s wireless or wired network to sync some 50GB between multiple PCs inside and outside the company’s location.

What would the Syncthing network traffic look like to the IT guys of that company?

Are you in contact with “the IT guys” of your company about your use of Syncthing to sync data on company drives?

I am asking because A you should, and B the easiest way to find out is to ask them something like “Hey, I am going to sync some 10s of GiBs of data using Syncthing, can you check whether that has any effects on the company network and if so what they are please?”.

2 Likes

Thanks Simon,

unfortunately, it would take years (no kidding) to even make them consider letting somebody use Syncthing instead of the official, dreaded MS 0neDr1ve. And then, the answer would be in the negative.

So I’d be thankful for any hints about what the traffic looks like when viewed ‘from the side’.

Thank you

Syncthing generally uses either TLS over TCP or TLS wiggled into UDP (IETF QUIC). TLS is the same encryption protocol used for https - major differences between https and syncthing are:

  • the port number used (443/https, vs 22000/syncthing) [assuming default settings].
  • The certificates used in the crypto handshake look a bit different from what you would expect in https and syncthing’s certs all read “syncthing” in the Common Name. Note that certificates in TLS 1.3 cannot be seen by a passive wire-listener.
  • The crypto handshake is also slightly different, for example because syncthing normally uses ALPN, which would read “http/X” in https and reads “bep/1.0” in syncthing.
  • There are some other minor differences here and there that I haven’t listed here.

But apart from the things mentioned above, syncthing traffic “is just TLS” and thus looks a lot like https.

3 Likes
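
The ALPN difference described in the reply above, seen from the monitoring side (an added example, not part of the original thread and not Syncthing's own code): ALPN travels in the TLS ClientHello, which is sent unencrypted, so a passive sensor can read it from the first record of a TCP connection. The sample ClientHello is constructed for the demo, the function names are hypothetical, and the parser assumes the whole ClientHello sits in a single TLS record; it covers the TLS-over-TCP case only, not QUIC.

```python
import struct

ALPN_EXT = 16                 # TLS extension number for ALPN (RFC 7301)
SYNCTHING_ALPN = b"bep/1.0"   # value quoted in the reply above

def client_hello_alpn(record: bytes) -> list[bytes]:
    """Return the ALPN protocol names offered in a TLS ClientHello record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return []                      # not a handshake record / not a ClientHello
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    try:
        pos = 2 + 32                   # skip client_version and random
        pos += 1 + body[pos]           # session_id
        pos += 2 + int.from_bytes(body[pos:pos + 2], "big")   # cipher_suites
        pos += 1 + body[pos]           # compression_methods
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= min(end, len(body)):
            ext_type, ext_len = struct.unpack_from("!HH", body, pos)
            data = body[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type == ALPN_EXT:
                names, i = [], 2       # skip the 2-byte protocol list length
                while i < len(data):
                    names.append(data[i + 1:i + 1 + data[i]])
                    i += 1 + data[i]
                return names
    except IndexError:                 # truncated or malformed hello
        pass
    return []

def looks_like_syncthing(record: bytes) -> bool:
    return SYNCTHING_ALPN in client_hello_alpn(record)

def build_sample_hello(alpn: list[bytes]) -> bytes:
    """Constructed minimal ClientHello for the demo (not a capture)."""
    protos = b"".join(bytes([len(p)]) + p for p in alpn)
    ext = struct.pack("!HHH", ALPN_EXT, len(protos) + 2, len(protos)) + protos
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01"
            + b"\x01\x00" + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    for offered in ([b"bep/1.0"], [b"h2", b"http/1.1"]):
        print(offered, looks_like_syncthing(build_sample_hello(offered)))
```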

Thanks very much for the information (and for not being judgmental about my question).

So basically IT would see that uncommon port number and the certificates reading “syncthing” when looking at the traffic…?

Sorry, but you have to explain what you are trying to achieve.

Can you explain what one drive traffic looks like? What about your remote desktop traffic?

To be honest, it seems like a pointless question to ask unless you can explain a reason behind it. Also, if you are not the one looking after the networks, why do you even care? If people have questions, they will come to you and ask whatever they deem relevant.

Sorry Audrius, I don’t understand your return question. What remote desktop traffic are you referring to? Also, I have no idea what network traffic looks like, that’s why I was asking my OP question.

What does your question even mean? What’s the purpose of your question? What are you trying to answer?

Can you quantify what the traffic of “one drive” that your IT admins are happy with looks like? If not, why do you need to answer this for syncthing?

The ports used are already documented in the docs.

Thanks – am only trying to understand whether Syncthing traffic is easily identifiable by someone monitoring their network traffic?

All traffic can be identified, it’s just a question of how much resource you pour into it, and how sophisticated your detection stack is.

Syncthing doesn’t do anything to hide itself, but nor is it very predictable in what it does.

But again, I feel your network people should be asking these questions, as they know what their monitoring capabilities are.

If you are trying to hide yourself, it probably will not work.

1 Like

Thank you. Am using Syncthing only in order to duly do my work on my (otherwise official) BYOD.

Could you tell me whether Syncthing traffic ‘screams’ syncthing by containing the word “syncthing” in clear text somewhere?

Sorry, can’t put the question any better because I know nothing about network protocols other than a few protocol names.

It does

Thank you very much for the information
