Identifying packets in Wireshark [Ethereal]

Started by para, August 16, 2008, 09:06 PM


para

Hello all, I decided I'd try and make a bot. Once I realised this was very complicated, I took the "information" post's advice and got a packet logger to investigate the packets that've accumulated during the time of connection.

My question is, how do I relate the information I see in Wireshark to the packet information I see, for example, on bnetdocs? I want to be able to understand what stage the connection is at, but I don't know how to differentiate the accumulation of packets.

Thank you for your time.

Hdx

It's pretty straightforward.
tcp.port == 612 and tcp.len > 0 will give you bncs packets that actually have data in them.
Then it's the data segment you have to pay attention to. Wireshark shows the tcp headers as well, I wish there was a way to turn it off, but I haven't used it in a while so I don't know.
But from that it's pretty straightforward.

Proud host of the JBLS server www.JBLS.org.

Barabajagal

6112*

Also, keep in mind how data is displayed...
A byte is a single value: 10
A word is two bytes (reversed order): 10 00
A dword is four bytes (reversed order): 10 00 00 00
A string is a series of bytes followed by a null terminator: 31 30 00
That's about it. Filetimes are two dwords, non-nt strings are simply arrays of bytes/words/dwords, etc..
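
The display rules above, applied in code (an added example, not part of the original post). It splits a constructed TCP payload into BNCS packets and decodes one of them, using the header layout (0xFF, packet ID, little-endian length) and the server-to-client SID_AUTH_INFO field order from the Lua dissector posted later in this thread. It assumes the length field counts the 4-byte header; the function names and sample bytes are made up for illustration.

```python
import struct

# Fixed-width types as described above: multi-byte values are little-endian
# ("reversed order"). A filetime is two dwords, read here as one 64-bit value.
FIXED = {"byte": "<B", "word": "<H", "dword": "<I", "filetime": "<Q"}

# Server-to-client SID_AUTH_INFO (0x50); field order taken from the Lua
# dissector posted later in this thread.
S_AUTH_INFO = [
    ("Logon Type", "dword"),
    ("Server Token", "dword"),
    ("UDPValue", "dword"),
    ("MPQ Filetime", "filetime"),
    ("IX86 Filename", "stringz"),
    ("Value String", "stringz"),
]


def read_field(data, pos, kind):
    """Decode one field starting at data[pos]; return (value, next_pos)."""
    if kind == "stringz":
        end = data.find(b"\x00", pos)
        if end < 0:
            raise ValueError("string has no null terminator")
        return data[pos:end].decode("latin-1"), end + 1
    fmt = FIXED[kind]
    size = struct.calcsize(fmt)
    if pos + size > len(data):
        raise ValueError(f"{kind} at offset {pos} runs past the end of the data")
    return struct.unpack_from(fmt, data, pos)[0], pos + size


def decode_body(body, layout):
    """Walk a packet body field by field, in the order the layout lists them."""
    fields, pos = {}, 0
    for name, kind in layout:
        fields[name], pos = read_field(body, pos, kind)
    return fields


def split_packets(payload):
    """Split TCP payload bytes into (packet_id, body) pairs.

    One TCP segment can carry several BNCS packets, or end part-way through
    one. Returns (packets, leftover); leftover is the incomplete tail that has
    to be prepended to the next segment's data.
    Assumption: the 16-bit length counts the 4-byte header.
    """
    packets, pos = [], 0
    while len(payload) - pos >= 4:
        marker, pid, length = struct.unpack_from("<BBH", payload, pos)
        if marker != 0xFF:
            raise ValueError(f"offset {pos}: expected 0xFF, got 0x{marker:02X}")
        if length < 4:
            raise ValueError(f"offset {pos}: length {length} is below header size")
        if pos + length > len(payload):
            break  # rest of this packet arrives in a later segment
        packets.append((pid, payload[pos + 4:pos + length]))
        pos += length
    return packets, payload[pos:]


# Constructed sample, laid out as it would appear in Wireshark's data pane.
SAMPLE = (
    bytes.fromhex("ff 50 33 00")                # BNCS, ID 0x50, length 51
    + bytes.fromhex("02 00 00 00")              # dword 2
    + bytes.fromhex("78 56 34 12")              # dword 0x12345678
    + bytes.fromhex("ef be ad de")              # dword 0xDEADBEEF
    + bytes.fromhex("00 80 3e d5 de b1 9d 01")  # filetime (two dwords)
    + b"ver-IX86-1.mpq\x00"                     # null-terminated string
    + b"A=1 B=2 C=3\x00"                        # null-terminated string
    + bytes.fromhex("ff 25 08 00 44 33 22 11")  # second packet, ID 0x25
    + bytes.fromhex("ff 0f 20 00 01 00")        # first 6 bytes of a 32-byte packet
)

if __name__ == "__main__":
    packets, leftover = split_packets(SAMPLE)
    for pid, body in packets:
        print(f"packet 0x{pid:02X}, {len(body)} body bytes")
    print(decode_body(packets[0][1], S_AUTH_INFO))
    print("incomplete tail:", leftover.hex(" "))
```
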

para

Is that 01, 00 01 stuff at the very beginning of the huge block of hex numbers?

iago

On Wireshark, you'll see all the protocol details, not just Battle.net. That's the parts used for session control, routing, etc. You have to get used to looking for what you want.

In the "filter" dialog near the top, after doing the capture, put in the expression "tcp.port == 6112 && tcp.len > 0" (without the quotes). That'll filter out some of the stuff.

Then, for each packet you click on, a summary will display in the middle window, which will include things like "Internet Protocol". At the bottom, there should be one that says "data (xxx bytes)". Click on that. It should highlight the last part of the packet, and that's the actual data being sent to/from Battle.net.

Since you caught me on a really boring morning, I took a quick little screenshot:
http://www.javaop.com/~ron/images/screenshots/wireshark.png

Hope that helps!
This'll make an interesting test for broken AV:
QuoteX5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


Barabajagal

Isn't there a Follow TCP stream like there was in Ethereal?

Yegg

Quote from: Andy on August 17, 2008, 02:29 PM
Isn't there a Follow TCP stream like there was in Ethereal?

Wireshark is Ethereal. They stopped referring to it as Ethereal a couple years ago.

iago

Quote from: Yegg on August 17, 2008, 09:28 PM
Quote from: Andy on August 17, 2008, 02:29 PM
Isn't there a Follow TCP stream like there was in Ethereal?

Wireshark is Ethereal. They stopped referring to it as Ethereal a couple years ago.

Yeah, the name changed. And yes, there's a "Follow TCP Stream", but I personally only use it when examining ASCII data. You can miss things when using it to reverse engineer, especially if the program makes a secondary connection (like to BNFTP).


Barabajagal

Meh... I just use WPE for everything and modify the memory permissions of the things it "can't read".

Yegg

Quote from: Andy on August 18, 2008, 01:28 AM
Meh... I just use WPE for everything and modify the memory permissions of the things it "can't read".

Probably the best idea for beginners considering how much extra info Wireshark displays.

aton

How about writing a Wireshark plugin that parses the bncs and ingame packets? Has anyone ever written a Wireshark plugin?

nitroxs

Is anyone still interested in such a plugin? (btw, I'm not asking for it, just measuring the need :) )

MyndFyre

QuoteEvery generation of humans believed it had all the answers it needed, except for a few mysteries they assumed would be solved at any moment. And they all believed their ancestors were simplistic and deluded. What are the odds that you are the first generation of humans who will understand reality?

After 3 years, it's on the horizon.  The new JinxBot, and BN#, the managed Battle.net Client library.

Quote from: chyea on January 16, 2009, 05:05 PM
You've just located global warming.

MysT_DooM

Plugin sounds useful.
Wish they would add "tabbed views" to the GUI already also (It's on their wishlist http://wiki.wireshark.org/WishList#head-71481751b5dbe70881096b76745d3e4bc12818ad)


vb6, something about that combination of numbers and letters is sexy

nitroxs

Good :)

Now that Wireshark has Lua support this task is much easier. I've been playing with it and came up with a very basic dissector. Currently only one packet is fully displayed, but headers are shown for every packet.

The good thing is that adding more packets doesn't take much work. It just needs to be described like in the following sample


-- Packets from server to client
SPacketDescription = {
    [SID_AUTH_INFO] = {
        WProtoField.uint32("","Logon Type",base.DEC, {
            [0x00] = "Broken SHA-1 (STAR/SEXP/D2DV/D2XP)",
            [0x01] = "NLS version 1 (War3Beta)",
            [0x02] = "NLS Version 2 (WAR3/W3XP)",
        }),
        WProtoField.uint32("","Server Token",base.HEX),
        WProtoField.uint32("","UDPValue",base.HEX),
        WProtoField.uint64("","MPQ Filetime",base.HEX),
        WProtoField.stringz("","IX86 Filename"),
        WProtoField.stringz("","Value String"),
    },
}


I would like a more straightforward way of describing packets though.

For those familiar with Lua dissectors, WProtoField is a wrapper around Wireshark's ProtoField which handles field registration and provides other information like size. The return value of its methods is a table structured in the following way


{
    [pf] = The real ProtoField object
    [size] = Function returning field size
}


and it can be expanded for whatever unexplored purpose (like conditional or encoded fields).

Describing all the packets will be a tough task. Does bnetdocs have some database that could be used to programmatically generate the descriptions? I believe some regexp could be used for that.

There are also some problems with the logic
  1. TCP reassembly needs to be done
  2. Error recovery. Currently errors are mostly ignored. That's not a big problem as Wireshark displays them nicely (but with very technical messages) in the detailed view.
  3. Smarter packet direction detection. Currently it checks whether src or dst port is 6112, which doesn't work when they are the same, like in (some) UDP packets.
  4. UDP support.
  5. Many more... :P

I don't know how to upload it. Oh, thank god code blocks have scrollbars, hehe. Ok, the following code block has the script.

To use it, Lua has to be enabled by editing init.lua, which can be found in the Wireshark directory (one of the first lines has to be commented) and bnetp.lua has to be loaded by a dofile at the end of init.lua.

Test it. Have a look at it. Suggestions, contributions and anything else are very welcome ;D

bnetp.lua:

do
    -- Forward declarations
    local
        packet_names,
        noop_handler,
        handlers_by_type,
        pid_label,
        CPacketDescription,
        SPacketDescription,
        dissect_packet

    local p_bnetp = Proto("bnetp","Battle.net Protocol");

    local f_type = ProtoField.uint8("bnetp.type","Header Type",base.HEX, {
        [0x1] = "Game protocol request",
        [0x2] = "FTP protocol request",
        [0x3] = "Chat protocol request",
        [0xF7] = "W3IGP",
        [0xFF] = "BNCS",
    })
    local f_pid = ProtoField.uint8("bnetp.pid")
    local f_plen = ProtoField.uint16("bnetp.plen","Packet Length",base.DEC)

    p_bnetp.fields = {
        -- Header fields
        --     Type
        f_type,
        --     Packet Info
        f_pid,
        f_plen,
    }

    function p_bnetp.dissector(buf,pkt,root)
        if pkt.columns.protocol then
            pkt.columns.protocol:set("BNETP")
        end

        if pkt.columns.info then
            pkt.columns.info:clear()
        end

        if root then
            local bnet_node = root:add(p_bnetp, buf(0))
            bnet_node:add(f_type, buf(0, 1))
            -- Unknown header types (e.g. a segment that starts in the middle
            -- of a packet) have no handler, so fall back to the no-op one.
            local handler = handlers_by_type[buf(0,1):uint()] or noop_handler
            -- A lone header byte leaves nothing to hand over.
            if buf:len() > 1 then
                handler(buf(1):tvb(), pkt, bnet_node)
            end
        end
    end

    local udp_encap_table = DissectorTable.get("udp.port")
    local tcp_encap_table = DissectorTable.get("tcp.port")
    udp_encap_table:add(6112,p_bnetp)
    tcp_encap_table:add(6112,p_bnetp)

    -- Boilerplate

    noop_handler = function (buf, pkt, root) return end

    pid_label = function (pid, name)
        return string.format("Packet ID: %s (0x%x)", name, pid)
    end

    handlers_by_type = {
        [0x1] = noop_handler,
        [0x2] = noop_handler,
        [0x3] = noop_handler,
        [0xF7] = function (buf, pkt, root)
            root:add(f_pid, buf(0, 1))
            root:add_le(f_plen, buf(1, 2))
        end,
        [0xFF] = function (buf, pkt, root)
            local pidnode = root:add(f_pid, buf(0, 1))
            local pid = buf(0,1):uint()
            local type_pid = ((0xFF * 256) + pid)
            -- packet_names has gaps, so use a placeholder for unlisted IDs
            local name = packet_names[type_pid] or "Unknown"
            pidnode:set_text(pid_label(pid, name))
            root:add_le(f_plen, buf(1, 2))

            local pdesc
            if pkt.src_port == 6112 then
                -- process server packet
                pdesc = SPacketDescription[type_pid]
            else
                -- process client packet
                pdesc = CPacketDescription[type_pid]
            end

            if pdesc then
                -- Packets such as SID_NULL carry no body after the header
                if buf:len() > 3 then
                    dissect_packet(buf(3):tvb(), root, pdesc)
                end
            else
                error("Unsupported packet: " .. name)
            end
        end,
    }

    -- Packet dissector
    function dissect_packet(buf, root, pdesc)
        local cursor = 0
        -- ipairs walks the description in declaration order; pairs does not
        -- guarantee any order, and the field order is the wire order.
        for _,v in ipairs(pdesc) do
            local size = v.size(buf(cursor):tvb())
            root:add_le(v.pf, buf(cursor, size))
            cursor = cursor + size
        end
    end

packet_names = {
-- Battle.net Messages Names
[0xFF00] = "SID_NULL",
[0xFF02] = "SID_STOPADV",
[0xFF04] = "SID_SERVERLIST",
[0xFF05] = "SID_CLIENTID",
[0xFF06] = "SID_STARTVERSIONING",
[0xFF07] = "SID_REPORTVERSION",
[0xFF08] = "SID_STARTADVEX",
[0xFF09] = "SID_GETADVLISTEX",
[0xFF0A] = "SID_ENTERCHAT",
[0xFF0B] = "SID_GETCHANNELLIST",
[0xFF0C] = "SID_JOINCHANNEL",
[0xFF0E] = "SID_CHATCOMMAND",
[0xFF0F] = "SID_CHATEVENT",
[0xFF10] = "SID_LEAVECHAT",
[0xFF12] = "SID_LOCALEINFO",
[0xFF13] = "SID_FLOODDETECTED",
[0xFF14] = "SID_UDPPINGRESPONSE",
[0xFF15] = "SID_CHECKAD",
[0xFF16] = "SID_CLICKAD",
[0xFF18] = "SID_REGISTRY",
[0xFF19] = "SID_MESSAGEBOX",
[0xFF1A] = "SID_STARTADVEX2",
[0xFF1B] = "SID_GAMEDATAADDRESS",
[0xFF1C] = "SID_STARTADVEX3",
[0xFF1D] = "SID_LOGONCHALLENGEEX",
[0xFF1E] = "SID_CLIENTID2",
[0xFF1F] = "SID_LEAVEGAME",
[0xFF21] = "SID_DISPLAYAD",
[0xFF22] = "SID_NOTIFYJOIN",
[0xFF25] = "SID_PING",
[0xFF26] = "SID_READUSERDATA",
[0xFF27] = "SID_WRITEUSERDATA",
[0xFF28] = "SID_LOGONCHALLENGE",
[0xFF29] = "SID_LOGONRESPONSE",
[0xFF2A] = "SID_CREATEACCOUNT",
[0xFF2B] = "SID_SYSTEMINFO",
[0xFF2C] = "SID_GAMERESULT",
[0xFF2D] = "SID_GETICONDATA",
[0xFF2E] = "SID_GETLADDERDATA",
[0xFF2F] = "SID_FINDLADDERUSER",
[0xFF30] = "SID_CDKEY",
[0xFF31] = "SID_CHANGEPASSWORD",
[0xFF32] = "SID_CHECKDATAFILE",
[0xFF33] = "SID_GETFILETIME",
[0xFF34] = "SID_QUERYREALMS",
[0xFF35] = "SID_PROFILE",
[0xFF36] = "SID_CDKEY2",
[0xFF3A] = "SID_LOGONRESPONSE2",
[0xFF3C] = "SID_CHECKDATAFILE2",
[0xFF3D] = "SID_CREATEACCOUNT2",
[0xFF3E] = "SID_LOGONREALMEX",
[0xFF3F] = "SID_STARTVERSIONING2",
[0xFF40] = "SID_QUERYREALMS2",
[0xFF41] = "SID_QUERYADURL",
[0xFF44] = "SID_WARCRAFTGENERAL",
[0xFF45] = "SID_NETGAMEPORT",
[0xFF46] = "SID_NEWS_INFO",
[0xFF4A] = "SID_OPTIONALWORK",
[0xFF4B] = "SID_EXTRAWORK",
[0xFF4C] = "SID_REQUIREDWORK",
[0xFF4E] = "SID_TOURNAMENT",
[0xFF50] = "SID_AUTH_INFO",
[0xFF51] = "SID_AUTH_CHECK",
[0xFF52] = "SID_AUTH_ACCOUNTCREATE",
[0xFF53] = "SID_AUTH_ACCOUNTLOGON",
[0xFF54] = "SID_AUTH_ACCOUNTLOGONPROOF",
[0xFF55] = "SID_AUTH_ACCOUNTCHANGE",
[0xFF56] = "SID_AUTH_ACCOUNTCHANGEPROOF",
[0xFF57] = "SID_AUTH_ACCOUNTUPGRADE",
[0xFF58] = "SID_AUTH_ACCOUNTUPGRADEPROOF",
[0xFF59] = "SID_SETEMAIL",
[0xFF5A] = "SID_RESETPASSWORD",
[0xFF5B] = "SID_CHANGEEMAIL",
[0xFF5C] = "SID_SWITCHPRODUCT",
[0xFF5D] = "SID_REPORTCRASH",
[0xFF5E] = "SID_WARDEN",
[0xFF60] = "SID_GAMEPLAYERSEARCH",
[0xFF65] = "SID_FRIENDSLIST",
[0xFF66] = "SID_FRIENDSUPDATE",
[0xFF67] = "SID_FRIENDSADD",
[0xFF68] = "SID_FRIENDSREMOVE",
[0xFF69] = "SID_FRIENDSPOSITION",
[0xFF70] = "SID_CLANFINDCANDIDATES",
[0xFF71] = "SID_CLANINVITEMULTIPLE",
[0xFF72] = "SID_CLANCREATIONINVITATION",
[0xFF73] = "SID_CLANDISBAND",
[0xFF74] = "SID_CLANMAKECHIEFTAIN",
[0xFF75] = "SID_CLANINFO",
[0xFF76] = "SID_CLANQUITNOTIFY",
[0xFF77] = "SID_CLANINVITATION",
[0xFF78] = "SID_CLANREMOVEMEMBER",
[0xFF79] = "SID_CLANINVITATIONRESPONSE",
[0xFF7A] = "SID_CLANRANKCHANGE",
[0xFF7B] = "SID_CLANSETMOTD",
[0xFF7C] = "SID_CLANMOTD",
[0xFF7D] = "SID_CLANMEMBERLIST",
[0xFF7E] = "SID_CLANMEMBERREMOVED",
[0xFF7F] = "SID_CLANMEMBERSTATUSCHANGE",
[0xFF81] = "SID_CLANMEMBERRANKCHANGE",
[0xFF82] = "SID_CLANMEMBERINFORMATION",
}

local SID_NULL = 0xFF00
local SID_STOPADV = 0xFF02
local SID_SERVERLIST = 0xFF04
local SID_CLIENTID = 0xFF05
local SID_STARTVERSIONING = 0xFF06
local SID_REPORTVERSION = 0xFF07
local SID_STARTADVEX = 0xFF08
local SID_GETADVLISTEX = 0xFF09
local SID_ENTERCHAT = 0xFF0A
local SID_GETCHANNELLIST = 0xFF0B
local SID_JOINCHANNEL = 0xFF0C
local SID_CHATCOMMAND = 0xFF0E
local SID_CHATEVENT = 0xFF0F
local SID_LEAVECHAT = 0xFF10
local SID_LOCALEINFO = 0xFF12
local SID_FLOODDETECTED = 0xFF13
local SID_UDPPINGRESPONSE = 0xFF14
local SID_CHECKAD = 0xFF15
local SID_CLICKAD = 0xFF16
local SID_REGISTRY = 0xFF18
local SID_MESSAGEBOX = 0xFF19
local SID_STARTADVEX2 = 0xFF1A
local SID_GAMEDATAADDRESS = 0xFF1B
local SID_STARTADVEX3 = 0xFF1C
local SID_LOGONCHALLENGEEX = 0xFF1D
local SID_CLIENTID2 = 0xFF1E
local SID_LEAVEGAME = 0xFF1F
local SID_DISPLAYAD = 0xFF21
local SID_NOTIFYJOIN = 0xFF22
local SID_PING = 0xFF25
local SID_READUSERDATA = 0xFF26
local SID_WRITEUSERDATA = 0xFF27
local SID_LOGONCHALLENGE = 0xFF28
local SID_LOGONRESPONSE = 0xFF29
local SID_CREATEACCOUNT = 0xFF2A
local SID_SYSTEMINFO = 0xFF2B
local SID_GAMERESULT = 0xFF2C
local SID_GETICONDATA = 0xFF2D
local SID_GETLADDERDATA = 0xFF2E
local SID_FINDLADDERUSER = 0xFF2F
local SID_CDKEY = 0xFF30
local SID_CHANGEPASSWORD = 0xFF31
local SID_CHECKDATAFILE = 0xFF32
local SID_GETFILETIME = 0xFF33
local SID_QUERYREALMS = 0xFF34
local SID_PROFILE = 0xFF35
local SID_CDKEY2 = 0xFF36
local SID_LOGONRESPONSE2 = 0xFF3A
local SID_CHECKDATAFILE2 = 0xFF3C
local SID_CREATEACCOUNT2 = 0xFF3D
local SID_LOGONREALMEX = 0xFF3E
local SID_STARTVERSIONING2 = 0xFF3F
local SID_QUERYREALMS2 = 0xFF40
local SID_QUERYADURL = 0xFF41
local SID_WARCRAFTGENERAL = 0xFF44
local SID_NETGAMEPORT = 0xFF45
local SID_NEWS_INFO = 0xFF46
local SID_OPTIONALWORK = 0xFF4A
local SID_EXTRAWORK = 0xFF4B
local SID_REQUIREDWORK = 0xFF4C
local SID_TOURNAMENT = 0xFF4E
local SID_AUTH_INFO = 0xFF50
local SID_AUTH_CHECK = 0xFF51
local SID_AUTH_ACCOUNTCREATE = 0xFF52
local SID_AUTH_ACCOUNTLOGON = 0xFF53
local SID_AUTH_ACCOUNTLOGONPROOF = 0xFF54
local SID_AUTH_ACCOUNTCHANGE = 0xFF55
local SID_AUTH_ACCOUNTCHANGEPROOF = 0xFF56
local SID_AUTH_ACCOUNTUPGRADE = 0xFF57
local SID_AUTH_ACCOUNTUPGRADEPROOF = 0xFF58
local SID_SETEMAIL = 0xFF59
local SID_RESETPASSWORD = 0xFF5A
local SID_CHANGEEMAIL = 0xFF5B
local SID_SWITCHPRODUCT = 0xFF5C
local SID_REPORTCRASH = 0xFF5D
local SID_WARDEN = 0xFF5E
local SID_GAMEPLAYERSEARCH = 0xFF60
local SID_FRIENDSLIST = 0xFF65
local SID_FRIENDSUPDATE = 0xFF66
local SID_FRIENDSADD = 0xFF67
local SID_FRIENDSREMOVE = 0xFF68
local SID_FRIENDSPOSITION = 0xFF69
local SID_CLANFINDCANDIDATES = 0xFF70
local SID_CLANINVITEMULTIPLE = 0xFF71
local SID_CLANCREATIONINVITATION = 0xFF72
local SID_CLANDISBAND = 0xFF73
local SID_CLANMAKECHIEFTAIN = 0xFF74
local SID_CLANINFO = 0xFF75
local SID_CLANQUITNOTIFY = 0xFF76
local SID_CLANINVITATION = 0xFF77
local SID_CLANREMOVEMEMBER = 0xFF78
local SID_CLANINVITATIONRESPONSE = 0xFF79
local SID_CLANRANKCHANGE = 0xFF7A
local SID_CLANSETMOTD = 0xFF7B
local SID_CLANMOTD = 0xFF7C
local SID_CLANMEMBERLIST = 0xFF7D
local SID_CLANMEMBERREMOVED = 0xFF7E
local SID_CLANMEMBERSTATUSCHANGE = 0xFF7F
local SID_CLANMEMBERRANKCHANGE = 0xFF81
local SID_CLANMEMBERINFORMATION = 0xFF82

    -- ProtoField wrapper
    local function readOnly (t)
        local proxy = {}
        local mt = {       -- create metatable
            __index = t,
            __newindex = function (t,k,v)
                error("attempt to update a read-only table", 2)
            end
        }
        setmetatable(proxy, mt)
        return proxy
    end

    local WProtoField = readOnly(
        (function ()
            -- Per-type size functions; "alias" names the ProtoField
            -- constructor to use when it differs from the type name.
            local typemap = {
                ["uint64"] = {
                    ["size"] = function(...) return 8 end,
                },
                ["uint32"] = {
                    ["size"] = function(...) return 4 end,
                },
                ["uint16"] = {
                    ["size"] = function(...) return 2 end,
                },
                ["uint8"]  = {
                    ["size"] = function(...) return 1 end,
                },
                ["int64"]  = {
                    ["size"] = function(...) return 8 end,
                },
                ["int32"]  = {
                    ["size"] = function(...) return 4 end,
                },
                ["int16"]  = {
                    ["size"] = function(...) return 2 end,
                },
                ["int8"]   = {
                    ["size"] = function(...) return 1 end,
                },
                ["ipv4"]   = {
                    ["size"] = function(...) return 4 end,
                },
                ["stringz"] = {
                    -- Takes the buffer as a named parameter instead of the
                    -- implicit arg table, which newer Lua versions lack.
                    ["size"] = function(buf)
                        -- string length plus the null terminator
                        return string.format("%s", buf(0):string()):len() + 1
                    end,
                },
                ["sockaddr"] = {
                    ["size"] = function(...) return 16 end,
                    ["alias"] = "bytes",
                },
            }
            -- __index handler: WProtoField.<type>(...) builds the field
            return function(t,k)
                return function (...)
                    local typeinfo = typemap[k]
                    local field = (typeinfo and (
                        (typeinfo.alias and ProtoField[typeinfo.alias]) or
                        (ProtoField[k])))

                    if typeinfo and field then
                        local tmp = {
                            ["pf"] = field(...),
                            ["size"]=typeinfo.size,
                        }
                        -- Add the field to the protocol field list
                        local n = #p_bnetp.fields + 1
                        p_bnetp.fields[n] = tmp.pf
                        return tmp
                    end
                    error("unsupported field type: " .. k)
                end
            end
        end)())

-- Packets from server to client
SPacketDescription = {
[SID_AUTH_INFO] = {
WProtoField.uint32("","Logon Type",base.DEC, {
[0x00] = "Broken SHA-1 (STAR/SEXP/D2DV/D2XP)",
[0x01] = "NLS version 1 (War3Beta)",
[0x02] = "NLS Version 2 (WAR3/W3XP)",
}),
WProtoField.uint32("","Server Token",base.HEX),
WProtoField.uint32("","UDPValue",base.HEX),
WProtoField.uint64("","MPQ Filetime",base.HEX),
WProtoField.stringz("","IX86 Filename"),
WProtoField.stringz("","Value String"),
},
[SID_NULL] = {},
[SID_SERVERLIST] = {
WProtoField.uint32("","Server version"),
WProtoField.stringz("","[] Server list"),
},
[SID_CLIENTID] = {
WProtoField.uint32("","Registration Version"),
WProtoField.uint32("","Registration Authority"),
WProtoField.uint32("","Account Number"),
WProtoField.uint32("","Registration Token"),
},
[SID_STARTVERSIONING] = {
WProtoField.uint64("","MPQ Filetime"),
WProtoField.stringz("","MPQ Filename"),
WProtoField.stringz("","ValueString"),
},
[SID_REPORTVERSION] = {
WProtoField.uint32("","Result"),
WProtoField.stringz("","Patch path"),
},
[SID_STARTADVEX] = {
WProtoField.uint32("","Status"),
},
[SID_GETADVLISTEX] = {
WProtoField.uint32("","Number of games"),
},
[SID_ENTERCHAT] = {
WProtoField.stringz("","Unique name"),
WProtoField.stringz("","Statstring"),
WProtoField.stringz("","Account name"),
},
[SID_GETCHANNELLIST] = {
WProtoField.stringz("","[TODO: array] Channel names"),
},
[SID_CHATEVENT] = {
WProtoField.uint32("","Event ID"),
WProtoField.uint32("","User's Flags"),
WProtoField.uint32("","Ping"),
WProtoField.uint32("","IP Address (Defunct)"),
WProtoField.uint32("","Account number (Defunct)"),
WProtoField.uint32("","Registration Authority (Defunct)"),
WProtoField.stringz("","Username"),
WProtoField.stringz("","Text"),
},
[SID_FLOODDETECTED] = {},
[SID_CHECKAD] = {
WProtoField.uint32("","Ad ID"),
WProtoField.uint32("","File extension"),
WProtoField.uint64("","Local file time"),
WProtoField.stringz("","Filename"),
WProtoField.stringz("","Link URL"),
},
[SID_REGISTRY] = {
WProtoField.uint32("","Cookie"),
WProtoField.uint32("","HKEY"),
WProtoField.stringz("","Registry path"),
WProtoField.stringz("","Registry key"),
},
[SID_MESSAGEBOX] = {
WProtoField.uint32("","Style"),
WProtoField.stringz("","Text"),
WProtoField.stringz("","Caption"),
},
[SID_STARTADVEX3] = {
WProtoField.uint32("","Status"),
},
[SID_LOGONCHALLENGEEX] = {
WProtoField.uint32("","UDP Token"),
WProtoField.uint32("","Server Token"),
},
[SID_PING] = {
WProtoField.uint32("","Ping Value"),
},
[SID_READUSERDATA] = {
WProtoField.uint32("","Number of accounts"),
WProtoField.uint32("","Number of keys"),
WProtoField.uint32("","Request ID"),
WProtoField.stringz("","[TODO: array] Requested Key Values"),
},
[SID_LOGONCHALLENGE] = {
WProtoField.uint32("","Server Token"),
},
[SID_LOGONRESPONSE] = {
WProtoField.uint32("","Result"),
},
[SID_CREATEACCOUNT] = {
WProtoField.uint32("","Result"),
},
[SID_GETICONDATA] = {
WProtoField.uint64("","Filetime"),
WProtoField.stringz("","Filename"),
},
[SID_GETFILETIME] = {
WProtoField.uint32("","Request ID"),
WProtoField.uint32("","Unknown"),
WProtoField.uint64("","Last update time"),
WProtoField.stringz("","Filename"),
},
[SID_QUERYREALMS] = {
WProtoField.uint32("","Unknown"),
WProtoField.uint32("","Count"),
},
[SID_PROFILE] = {
WProtoField.uint32("","Cookie"),
WProtoField.uint8("","Success"),
WProtoField.stringz("","ProfileDescription value"),
WProtoField.stringz("","ProfileLocation value"),
WProtoField.uint32("","Clan Tag"),
},
[SID_CDKEY2] = {
WProtoField.uint32("","Result"),
WProtoField.stringz("","Key owner"),
},
[SID_LOGONRESPONSE2] = {
WProtoField.uint32("","Result"),
WProtoField.stringz("","Reason"),
},
[SID_CHECKDATAFILE2] = {
WProtoField.uint32("","Result"),
},
[SID_NEWS_INFO] = {
WProtoField.uint8("","Number of entries"),
WProtoField.uint32("","Last logon timestamp"),
WProtoField.uint32("","Oldest news timestamp"),
WProtoField.uint32("","Newest news timestamp"),
},
[SID_OPTIONALWORK] = {
WProtoField.stringz("","MPQ Filename"),
},
[SID_REQUIREDWORK] = {
WProtoField.stringz("","ExtraWork MPQ FileName"),
},
[SID_TOURNAMENT] = {
WProtoField.uint8("","Unknown"),
WProtoField.uint8("","Unknown, maybe number of non-null strings sent?"),
WProtoField.stringz("","Description"),
WProtoField.stringz("","Unknown"),
WProtoField.stringz("","Website"),
WProtoField.uint32("","Unknown"),
WProtoField.stringz("","Name"),
WProtoField.stringz("","Unknown"),
WProtoField.stringz("","Unknown"),
WProtoField.stringz("","Unknown"),
WProtoField.uint32("","(TODO [5]) Unknown"),
},
[SID_AUTH_CHECK] = {
WProtoField.uint32("","Result"),
WProtoField.stringz("","Additional Information"),
},
[SID_AUTH_ACCOUNTCREATE] = {
WProtoField.uint32("","Status"),
},
[SID_AUTH_ACCOUNTLOGON] = {
WProtoField.uint32("","Status"),
WProtoField.uint8("","(TODO [32]) Salt (s)"),
WProtoField.uint8("","(TODO [32]) Server Key (B)"),
},
[SID_AUTH_ACCOUNTLOGONPROOF] = {
WProtoField.uint32("","Status"),
WProtoField.uint8("","(TODO [20]) Server Password Proof (M2)"),
WProtoField.stringz("","Additional information"),
},
[SID_AUTH_ACCOUNTCHANGE] = {
WProtoField.uint32("","Status"),
WProtoField.uint8("","[32] Salt (s)"),
WProtoField.uint8("","[32] Server key (B)"),
},
[SID_AUTH_ACCOUNTCHANGEPROOF] = {
WProtoField.uint32("","Status code"),
WProtoField.uint8("","[20] Server password proof for old password (M2)"),
},
[SID_AUTH_ACCOUNTUPGRADE] = {
WProtoField.uint32("","Status"),
WProtoField.uint32("","Server Token"),
},
[SID_AUTH_ACCOUNTUPGRADEPROOF] = {
WProtoField.uint32("","Status"),
WProtoField.uint32("","[5] Password proof"),
},
[SID_WARDEN] = {},
[SID_GAMEPLAYERSEARCH] = {
WProtoField.uint8("","Number of players"),
WProtoField.stringz("","[] Player names"),
},
[SID_FRIENDSLIST] = {
WProtoField.uint8("","Number of Entries"),
},
[SID_FRIENDSUPDATE] = {
WProtoField.uint8("","Entry number"),
WProtoField.uint8("","Friend Location"),
WProtoField.uint8("","Friend Status"),
WProtoField.uint32("","ProductID"),
WProtoField.stringz("","Location"),
},
[SID_FRIENDSADD] = {
WProtoField.stringz("","Account"),
WProtoField.uint8("","Friend Type"),
WProtoField.uint8("","Friend Status"),
WProtoField.uint32("","ProductID"),
WProtoField.stringz("","Location"),
},
[SID_FRIENDSREMOVE] = {
WProtoField.uint8("","Entry Number"),
},
[SID_FRIENDSPOSITION] = {
WProtoField.uint8("","Old Position"),
WProtoField.uint8("","New Position"),
},
[SID_CLANFINDCANDIDATES] = {
WProtoField.uint32("","Cookie"),
WProtoField.uint8("","Status"),
WProtoField.uint8("","Number of potential candidates"),
WProtoField.stringz("","[] Usernames"),
},
[SID_CLANINVITEMULTIPLE] = {
WProtoField.uint32("","Cookie"),
WProtoField.uint8("","Result"),
WProtoField.stringz("","[] Failed account names"),
},
[SID_CLANCREATIONINVITATION] = {
WProtoField.uint32("","Cookie"),
WProtoField.uint32("","Clan Tag"),
WProtoField.stringz("","Clan Name"),
WProtoField.stringz("","Inviter's username"),
WProtoField.uint8("","Number of users being invited"),
WProtoField.stringz("","[] List of users being invited"),
},
[SID_CLANDISBAND] = {
WProtoField.uint32("","Cookie"),
WProtoField.uint8("","Result"),
},
[SID_CLANMAKECHIEFTAIN] = {
WProtoField.uint32("","Cookie"),
WProtoField.uint8("","Status"),
},
[SID_CLANINFO] = {
WProtoField.uint8("","Unknown (0)"),
WProtoField.uint32("","Clan tag"),
WProtoField.uint8("","Rank"),
},
[SID_CLANQUITNOTIFY] = {
WProtoField.uint8("","Status"),
},
[SID_CLANINVITATION] = {
WProtoField.uint32("","Cookie"),
WProtoField.uint8("","Result"),
},
[SID_CLANREMOVEMEMBER] = {
WProtoField.uint32("","Cookie"),
WProtoField.uint8("","Status"),
},
[SID_CLANINVITATIONRESPONSE] = {
WProtoField.uint32("","Cookie"),
WProtoField.uint32("","Clan tag"),
WProtoField.stringz("","Clan name"),
WProtoField.stringz("","Inviter"),
},
[SID_CLANRANKCHANGE] = {
WProtoField.uint32("","Cookie"),
WProtoField.uint8("","Status"),
},
[SID_CLANMOTD] = {
WProtoField.uint32("","Cookie"),
WProtoField.uint32("","Unknown (0)"),
WProtoField.stringz("","MOTD"),
},
[SID_CLANMEMBERLIST] = {
WProtoField.uint32("","Cookie"),
WProtoField.uint8("","Number of Members"),
WProtoField.stringz("","Username"),
WProtoField.uint8("","Rank"),
WProtoField.uint8("","Online Status"),
WProtoField.stringz("","Location"),
},
[SID_CLANMEMBERREMOVED] = {
WProtoField.stringz("","Clan member name"),
},
[SID_CLANMEMBERSTATUSCHANGE] = {
WProtoField.stringz("","Username"),
WProtoField.uint8("","Rank"),
WProtoField.uint8("","Status"),
WProtoField.stringz("","Location"),
},
[SID_CLANMEMBERRANKCHANGE] = {
WProtoField.uint8("","Old rank"),
WProtoField.uint8("","New rank"),
WProtoField.stringz("","Clan member who changed your rank"),
},
[SID_CLANMEMBERINFORMATION] = {
WProtoField.uint32("","Cookie"),
WProtoField.uint8("","Status code"),
WProtoField.stringz("","Clan name"),
WProtoField.uint8("","User's rank"),
WProtoField.uint64("","Date joined"),
},
}

-- Packets from client to server
CPacketDescription = {
[SID_AUTH_INFO] = {
WProtoField.uint32("","Protocol ID",base.DEC),
WProtoField.uint32("","Platform ID",base.HEX),
WProtoField.uint32("","Product ID",base.HEX),
WProtoField.uint32("","Version Byte",base.DEC),
WProtoField.uint32("","Product Language",base.HEX),
WProtoField.ipv4("","Local IP"),
WProtoField.uint32("","Timezone Bias", base.HEX),
WProtoField.uint32("","Locale ID", base.HEX),
WProtoField.uint32("","Language ID", base.HEX),
WProtoField.stringz("","Country Abbreviation"),
WProtoField.stringz("","Country"),
},
[SID_NULL] = {},
[SID_STOPADV] = {},
[SID_CLIENTID] = {
WProtoField.uint32("","Registration Version"),
WProtoField.uint32("","Registration Authority"),
WProtoField.uint32("","Account Number"),
WProtoField.uint32("","Registration Token"),
WProtoField.stringz("","LAN Computer Name"),
WProtoField.stringz("","LAN Username"),
},
[SID_STARTVERSIONING] = {
WProtoField.uint32("","Platform ID"),
WProtoField.uint32("","Product ID"),
WProtoField.uint32("","Version Byte"),
WProtoField.uint32("","Unknown (0)"),
},
[SID_REPORTVERSION] = {
WProtoField.uint32("","Platform ID"),
WProtoField.uint32("","Product ID"),
WProtoField.uint32("","Version Byte"),
WProtoField.uint32("","EXE Version"),
WProtoField.uint32("","EXE Hash"),
WProtoField.stringz("","EXE Information"),
},
[SID_STARTADVEX] = {
WProtoField.uint32("","Password protected (32-bit)"),
WProtoField.uint32("","Unknown"),
WProtoField.uint32("","Unknown"),
WProtoField.uint32("","Unknown"),
WProtoField.uint32("","Unknown"),
WProtoField.uint32("","Port"),
WProtoField.stringz("","Game name"),
WProtoField.stringz("","Game password"),
WProtoField.stringz("","Game stats - flags, creator, statstring"),
WProtoField.stringz("","Map name - 0x0d terminated"),
},
[SID_GETADVLISTEX] = {
WProtoField.uint16("","Product-specific condition 1"),
WProtoField.uint16("","Product-specific condition 2"),
WProtoField.uint32("","Product-specific condition 3"),
WProtoField.uint32("","Product-specific condition 4"),
WProtoField.uint32("","List count"),
WProtoField.stringz("","Game name"),
WProtoField.stringz("","Game password"),
WProtoField.stringz("","Game stats"),
},
[SID_ENTERCHAT] = {
WProtoField.stringz("","Username *"),
WProtoField.stringz("","Statstring **"),
},
[SID_GETCHANNELLIST] = {
WProtoField.uint32("","Product ID"),
},
[SID_JOINCHANNEL] = {
WProtoField.uint32("","Flags"),
WProtoField.stringz("","Channel"),
},
[SID_CHATCOMMAND] = {
WProtoField.stringz("","Text"),
},
[SID_LEAVECHAT] = {},
[SID_LOCALEINFO] = {
WProtoField.uint64("","System time"),
WProtoField.uint64("","Local time"),
WProtoField.uint32("","Timezone bias"),
WProtoField.uint32("","SystemDefaultLCID"),
WProtoField.uint32("","UserDefaultLCID"),
WProtoField.uint32("","UserDefaultLangID"),
WProtoField.stringz("","Abbreviated language name"),
WProtoField.stringz("","Country name"),
WProtoField.stringz("","Abbreviated country name"),
WProtoField.stringz("","Country (English)"),
},
[SID_UDPPINGRESPONSE] = {
WProtoField.uint32("","UDPCode"),
},
[SID_CHECKAD] = {
WProtoField.uint32("","Platform ID"),
WProtoField.uint32("","Product ID"),
WProtoField.uint32("","ID of last displayed banner"),
WProtoField.uint32("","Current time"),
},
[SID_CLICKAD] = {
WProtoField.uint32("","Ad ID"),
WProtoField.uint32("","Request type"),
},
[SID_REGISTRY] = {
WProtoField.uint32("","Cookie"),
WProtoField.stringz("","Key Value"),
},
[SID_STARTADVEX2] = {
WProtoField.uint32("","Password Protected"),
WProtoField.uint32("","Unknown"),
WProtoField.uint32("","Unknown"),
WProtoField.uint32("","Unknown"),
WProtoField.uint32("","Unknown"),
WProtoField.uint32("","Port"),
WProtoField.stringz("","Game name"),
WProtoField.stringz("","Game password"),
WProtoField.stringz("","Unknown"),
WProtoField.stringz("","Game stats - Flags, Creator, Statstring"),
},
[SID_GAMEDATAADDRESS] = {
WProtoField.sockaddr("","Address"),
},
[SID_STARTADVEX3] = {
WProtoField.uint32("","State"),
WProtoField.uint32("","Time since creation"),
WProtoField.uint16("","Game Type"),
WProtoField.uint16("","Parameter"),
WProtoField.uint32("","Unknown (1F)"),
WProtoField.uint32("","Ladder"),
WProtoField.stringz("","Game name"),
WProtoField.stringz("","Game password"),
WProtoField.stringz("","Game Statstring"),
},
[SID_CLIENTID2] = {
WProtoField.uint32("","[TODO: Broken] Server Version"),
},
[SID_LEAVEGAME] = {},
[SID_DISPLAYAD] = {
WProtoField.uint32("","Platform ID"),
WProtoField.uint32("","Product ID"),
WProtoField.uint32("","Ad ID"),
WProtoField.stringz("","Filename"),
WProtoField.stringz("","URL"),
},
[SID_NOTIFYJOIN] = {
WProtoField.uint32("","Product ID *"),
WProtoField.uint32("","Product version"),
WProtoField.stringz("","Game Name"),
WProtoField.stringz("","Game Password"),
},
[SID_PING] = {
WProtoField.uint32("","Ping Value"),
},
[SID_READUSERDATA] = {
WProtoField.uint32("","Number of Accounts"),
WProtoField.uint32("","Number of Keys"),
WProtoField.uint32("","Request ID"),
WProtoField.stringz("","[] Requested Accounts"),
WProtoField.stringz("","[] Requested Keys"),
},
[SID_WRITEUSERDATA] = {
WProtoField.uint32("","Number of accounts"),
WProtoField.uint32("","Number of keys"),
WProtoField.stringz("","[] Accounts to update"),
WProtoField.stringz("","[] Keys to update"),
WProtoField.stringz("","[] New values"),
},
[SID_LOGONRESPONSE] = {
WProtoField.uint32("","Client Token"),
WProtoField.uint32("","Server Token"),
WProtoField.uint32("","[5] Password Hash"),
WProtoField.stringz("","Username"),
},
[SID_CREATEACCOUNT] = {
WProtoField.uint32("","[5] Hashed password"),
WProtoField.stringz("","Username"),
},
[SID_SYSTEMINFO] = {
WProtoField.uint32("","Number of processors"),
WProtoField.uint32("","Processor architecture"),
WProtoField.uint32("","Processor level"),
WProtoField.uint32("","Processor timing"),
WProtoField.uint32("","Total physical memory"),
WProtoField.uint32("","Total page file"),
WProtoField.uint32("","Free disk space"),
},
[SID_GAMERESULT] = {
WProtoField.uint32("","Game type"),
WProtoField.uint32("","Number of results - always 8"),
WProtoField.uint32("","[8] Results"),
WProtoField.stringz("","[8] Game players - always 8"),
WProtoField.stringz("","Map name"),
WProtoField.stringz("","Player score"),
},
[SID_GETICONDATA] = {},
[SID_CHECKDATAFILE] = {
WProtoField.uint32("","[5] File checksum"),
WProtoField.stringz("","File name"),
},
[SID_GETFILETIME] = {
WProtoField.uint32("","Request ID"),
WProtoField.uint32("","Unknown"),
WProtoField.stringz("","Filename"),
},
[SID_QUERYREALMS] = {
WProtoField.uint32("","Unused (0)"),
WProtoField.uint32("","Unused (0)"),
WProtoField.stringz("","Unknown (empty)"),
},
[SID_PROFILE] = {
WProtoField.uint32("","Cookie"),
WProtoField.stringz("","Username"),
},
[SID_CDKEY2] = {
WProtoField.uint32("","Spawn (0/1)"),
WProtoField.uint32("","Key Length"),
WProtoField.uint32("","CDKey Product"),
WProtoField.uint32("","CDKey Value1"),
WProtoField.uint32("","Server Token"),
WProtoField.uint32("","Client Token"),
WProtoField.uint32("","[5] Hashed Data"),
WProtoField.stringz("","Key owner"),
},
[SID_LOGONRESPONSE2] = {
WProtoField.uint32("","Client Token"),
WProtoField.uint32("","Server Token"),
WProtoField.uint32("","[5] Password Hash"),
WProtoField.stringz("","Username"),
},
[SID_CHECKDATAFILE2] = {
WProtoField.uint32("","File size in bytes"),
WProtoField.uint32("","File hash [5]"),
WProtoField.stringz("","Filename"),
},
[SID_WARCRAFTGENERAL] = {
WProtoField.uint8("","Subcommand ID"),
},
[SID_NETGAMEPORT] = {
WProtoField.uint16("","Port"),
},
[SID_NEWS_INFO] = {
WProtoField.uint32("","News timestamp"),
},
[SID_EXTRAWORK] = {
WProtoField.uint16("","Game type"),
WProtoField.uint16("","Length"),
WProtoField.stringz("","Work returned data"),
},
[SID_AUTH_CHECK] = {
WProtoField.uint32("","Client Token"),
WProtoField.uint32("","EXE Version"),
WProtoField.uint32("","EXE Hash"),
WProtoField.uint32("","Number of CD-keys in this packet"),
WProtoField.uint32("","Spawn CD-key"),
},
[SID_AUTH_ACCOUNTCREATE] = {
WProtoField.uint8("","[32] Salt (s)"),
WProtoField.uint8("","[32] Verifier (v)"),
WProtoField.stringz("","Username"),
},
[SID_AUTH_ACCOUNTLOGON] = {
WProtoField.uint8("","[32] Client Key ('A')"),
WProtoField.stringz("","Username"),
},
[SID_AUTH_ACCOUNTCHANGE] = {
WProtoField.uint8("","[32] Client key (A)"),
WProtoField.stringz("","Username"),
},
[SID_AUTH_ACCOUNTCHANGEPROOF] = {
WProtoField.uint8("","[20] Old password proof"),
WProtoField.uint8("","[32] New password's salt (s)"),
WProtoField.uint8("","[32] New password's verifier (v)"),
},
[SID_AUTH_ACCOUNTUPGRADE] = {},
[SID_AUTH_ACCOUNTUPGRADEPROOF] = {
WProtoField.uint32("","Client Token"),
WProtoField.uint32("","[5] Old Password Hash"),
WProtoField.uint8("","[32] New Password Salt"),
WProtoField.uint8("","[32] New Password Verifier"),
},
[SID_REPORTCRASH] = {
WProtoField.uint32("","0x10A0027"),
WProtoField.uint32("","Exception code"),
WProtoField.uint32("","Unknown"),
WProtoField.uint32("","Unknown"),
},
[SID_WARDEN] = {},
[SID_GAMEPLAYERSEARCH] = {},
[SID_FRIENDSLIST] = {},
[SID_FRIENDSUPDATE] = {
WProtoField.uint8("","Friends list index"),
},
[SID_CLANFINDCANDIDATES] = {
WProtoField.uint32("","Cookie"),
WProtoField.uint32("","Clan Tag"),
},
[SID_CLANINVITEMULTIPLE] = {
WProtoField.uint32("","Cookie"),
WProtoField.stringz("","Clan name"),
WProtoField.uint32("","Clan tag"),
WProtoField.uint8("","Number of users to invite"),
WProtoField.stringz("","[] Usernames to invite"),
},
[SID_CLANCREATIONINVITATION] = {
WProtoField.uint32("","Cookie"),
WProtoField.uint32("","Clan tag"),
WProtoField.stringz("","Inviter name"),
WProtoField.uint8("","Status"),
},
[SID_CLANDISBAND] = {
WProtoField.uint32("","Cookie"),
},
[SID_CLANMAKECHIEFTAIN] = {
WProtoField.uint32("","Cookie"),
WProtoField.stringz("","New Chieftain"),
},
[SID_CLANINVITATION] = {
WProtoField.uint32("","Cookie"),
WProtoField.stringz("","Target User"),
},
[SID_CLANREMOVEMEMBER] = {
WProtoField.uint32("","Cookie"),
WProtoField.stringz("","Username"),
},
[SID_CLANINVITATIONRESPONSE] = {
WProtoField.uint32("","Cookie"),
WProtoField.uint32("","Clan tag"),
WProtoField.stringz("","Inviter"),
WProtoField.uint8("","Response"),
},
[SID_CLANRANKCHANGE] = {
WProtoField.uint32("","Cookie"),
WProtoField.stringz("","Username"),
WProtoField.uint8("","New rank"),
},
[SID_CLANSETMOTD] = {
WProtoField.uint32("","Cookie"),
WProtoField.stringz("","MOTD"),
},
[SID_CLANMOTD] = {
WProtoField.uint32("","Cookie"),
},
[SID_CLANMEMBERLIST] = {
WProtoField.uint32("","Cookie"),
},
[SID_CLANMEMBERINFORMATION] = {
WProtoField.uint32("","Cookie"),
WProtoField.uint32("","User's clan tag"),
WProtoField.stringz("","Username"),
},
}
end




PS: I highlighted the question just in case it gets lost. With so much text around, that would certainly happen ;D

EDIT 1: I made the forum too wide :(
EDIT 2: Hope it's fixed now.
EDIT 3: New packets extracted from bnetdocs with some perl magic.
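
An added example, not part of the post above or of the poster's dissector: a standalone Python walk of a packet body using the same kind of field list, with the SID_LOGONRESPONSE2 rows copied from the table and the "[5]" in the label read as a count of five dwords. The names `decode_body` and `TruncatedPacket`, the tuple layout and the sample bytes are assumptions made for illustration, and the body is taken to start after the packet header.

```python
import struct

# Field kinds used in the post's table: little-endian integers and
# null-terminated strings. All names in this block are hypothetical.
INT_FORMATS = {"uint8": "<B", "uint16": "<H", "uint32": "<I"}

# (kind, label, count) rows mirroring the SID_LOGONRESPONSE2 entry;
# the "[5]" in the post's label becomes count=5 (an assumption).
SID_LOGONRESPONSE2 = [
    ("uint32", "Client Token", 1),
    ("uint32", "Server Token", 1),
    ("uint32", "Password Hash", 5),
    ("stringz", "Username", 1),
]

class TruncatedPacket(ValueError):
    """A field would read past the end of the captured body."""

def decode_body(fields, body):
    """Decode `body` (packet data after the header) with a field list.

    Returns (decoded dict, leftover bytes). Leftover bytes usually mean
    the field list does not match the packet that was captured.
    """
    offset, out = 0, {}
    for kind, label, count in fields:
        values = []
        for _ in range(count):
            if kind == "stringz":
                end = body.find(b"\x00", offset)
                if end < 0:  # never scan past the capture for a terminator
                    raise TruncatedPacket(f"{label}: no null terminator")
                values.append(body[offset:end].decode("latin-1"))
                offset = end + 1
            else:
                fmt = INT_FORMATS[kind]
                size = struct.calcsize(fmt)
                if offset + size > len(body):
                    raise TruncatedPacket(f"{label}: short read at {offset}")
                values.append(struct.unpack_from(fmt, body, offset)[0])
                offset += size
        out[label] = values[0] if count == 1 else values
    return out, body[offset:]

# Constructed sample body, not taken from a real capture.
SAMPLE = struct.pack("<II5I", 0x11223344, 0xAABBCCDD, 1, 2, 3, 4, 5) + b"testuser\x00"
```

Checking the leftover bytes and raising on short reads is what keeps a wrong field list from silently mislabelling data when you compare a capture against the documentation.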