• Welcome to Valhalla Legends Archive.
 

Reading Ethereal?

Started by WiLD, June 28, 2005, 03:50 AM

Previous topic - Next topic
Print
|
Go Down Pages1 2 3
User actions

WiLD

June 28, 2005, 03:50 AM
Hi all.
Honustly... iv have no idea on how ethereal works etc.
Im wanting to be able to read the information captured by ethereal, so i know what packets to send/reply to from the server.

I really have no idea where to look for the packet ID (eg; 0x90).

Heres a picture of what ethereal captured in 5seconds.
Im hoping someone will be able to point out where to look for the packet ID and how to tell what it is etc.

http://netblues.org/raven/ethereal.JPG

Thanks in advance.
=_=  &&  g0dFraY  &&  -=Templar=-  @USWest

shout

#1
June 28, 2005, 09:01 AM Last Edit: June 28, 2005, 07:06 PM by Shout
I can tell you that the packet you selected is NOT a battle.net packet.

You click on the packet you want to examine and you click on a portion that says "data" or something of the like. Then you examine the packet all you want.

You will not get WPE-type logs with Ethereal (AFAIK).

The data portion (on a bnet packet) will have:
Code Select

FF [PID] [LOW LENGTH BYTE] [HIGH LENGTH BYTE]


So look for a FF at the very beginning of the data segment, not the TCP headers. The packet id will be right after it.

Battle.net packets are also always to port 6112.

warz

#2
June 28, 2005, 10:53 AM
Captured packets 1, 2 and 3 are battle.net packets.

MyndFyre

#3
June 28, 2005, 03:40 PM
You might want to be reading the packets with information denoted "Data" as opposed to control packets.
QuoteEvery generation of humans believed it had all the answers it needed, except for a few mysteries they assumed would be solved at any moment. And they all believed their ancestors were simplistic and deluded. What are the odds that you are the first generation of humans who will understand reality?

After 3 years, it's on the horizon.  The new JinxBot, and BN#, the managed Battle.net Client library.

Quote from: chyea on January 16, 2009, 05:05 PM
You've just located global warming.

WiLD

#4
June 28, 2005, 05:19 PM
I do know that the packets i selected at not Bnet packets.
Im actually wanting packets from something else.
Iv tried to follow what you said but i cant find anything understandable?

Iv included another screenshot of what i clicked etc.
http://www.netblues.org/raven/ethereal2.JPG
=_=  &&  g0dFraY  &&  -=Templar=-  @USWest

MyndFyre

#5
June 28, 2005, 06:30 PM
Quote from: Shout on June 28, 2005, 09:01 AM
The data portion (on a bnet packet) will have:
Code Select

FF [PID] [HIGH LENGTH BYTE] [LOW LENGTH BYTE]

Before answering the question at hand, I wanted to point out that this is wrong (for anyone else who might read this later).  Battle.net encodes integral values larger than a byte in little-endian order, which means the low byte for length is first, and the high byte is second.

Quote from: WiLD on June 28, 2005, 05:19 PM
I do know that the packets i selected at not Bnet packets.
Im actually wanting packets from something else.
Iv tried to follow what you said but i cant find anything understandable?

Iv included another screenshot of what i clicked etc.
http://www.netblues.org/raven/ethereal2.JPG
What exactly do you want to know?  That part that you have selected is the packet data that the application will process.  You'll need to be more specific if you want to know more.
QuoteEvery generation of humans believed it had all the answers it needed, except for a few mysteries they assumed would be solved at any moment. And they all believed their ancestors were simplistic and deluded. What are the odds that you are the first generation of humans who will understand reality?

After 3 years, it's on the horizon.  The new JinxBot, and BN#, the managed Battle.net Client library.

Quote from: chyea on January 16, 2009, 05:05 PM
You've just located global warming.

shout

#6
June 28, 2005, 07:07 PM
Ooops and thanks MyndFyre!

dxoigmn

#7
June 29, 2005, 12:26 AM
Quote from: MyndFyre on June 28, 2005, 06:30 PM
Quote from: Shout on June 28, 2005, 09:01 AM
The data portion (on a bnet packet) will have:
Code Select

FF [PID] [HIGH LENGTH BYTE] [LOW LENGTH BYTE]

Before answering the question at hand, I wanted to point out that this is wrong (for anyone else who might read this later).  Battle.net encodes integral values larger than a byte in little-endian order, which means the low byte for length is first, and the high byte is second.

Just nitpicking but would probably be better to say "high byte is last" instead of "high byte is second." Within context is sounds fine though ;)

MyndFyre

#8
June 29, 2005, 12:55 AM
Quote from: dxoigmn on June 29, 2005, 12:26 AM
Quote from: MyndFyre on June 28, 2005, 06:30 PM
Quote from: Shout on June 28, 2005, 09:01 AM
The data portion (on a bnet packet) will have:
Code Select

FF [PID] [HIGH LENGTH BYTE] [LOW LENGTH BYTE]

Before answering the question at hand, I wanted to point out that this is wrong (for anyone else who might read this later).  Battle.net encodes integral values larger than a byte in little-endian order, which means the low byte for length is first, and the high byte is second.

Just nitpicking but would probably be better to say "high byte is last" instead of "high byte is second." Within context is sounds fine though ;)
High byte is last in any little-endian context though, no?
QuoteEvery generation of humans believed it had all the answers it needed, except for a few mysteries they assumed would be solved at any moment. And they all believed their ancestors were simplistic and deluded. What are the odds that you are the first generation of humans who will understand reality?

After 3 years, it's on the horizon.  The new JinxBot, and BN#, the managed Battle.net Client library.

Quote from: chyea on January 16, 2009, 05:05 PM
You've just located global warming.

dxoigmn

#9
June 29, 2005, 12:57 AM
Quote from: MyndFyre on June 29, 2005, 12:55 AM
High byte is last in any little-endian context though, no?

True, it just sounded weird to me.

WiLD

#10
June 29, 2005, 02:37 AM
Quote from: MyndFyre on June 28, 2005, 06:30 PM
Quote from: WiLD on June 28, 2005, 05:19 PM
I do know that the packets i selected at not Bnet packets.
Im actually wanting packets from something else.
Iv tried to follow what you said but i cant find anything understandable?

Iv included another screenshot of what i clicked etc.
http://www.netblues.org/raven/ethereal2.JPG
What exactly do you want to know?  That part that you have selected is the packet data that the application will process.  You'll need to be more specific if you want to know more.

I want to know what the packet ID(data, type, number or whatever it is :S) is that iv recieved or sent. For example... where do you get the packet ID "0x25" out of ethereal? Where do you look and what do you do to know that you sent/recieved "0x25"?

Sorry for all this misunderstanding, a said before.... iv never used ethereal nor any other packet logger. I would normally just goto bnet docs if it were to do with bnet, but its to do with another application/game.
=_=  &&  g0dFraY  &&  -=Templar=-  @USWest

R.a.B.B.i.T

#11
June 29, 2005, 03:36 PM
Do you want to read BNCS packets or not, because you said you didn't.  Not every protocol uses packet ID's.

Blue = 0xff (BNCS packets all begin with this)
Red = 0x?? (This is the ID of the packet)
Green = 0x???? (This is the size of the packet, including the header)

shout

#12
June 29, 2005, 05:39 PM
A 3174182350ms ping!?

Banana fanna fo fanna

#13
June 29, 2005, 11:15 PM
You may be interested in "follow TCP stream". It's under one of the menus.

Adron

#14
June 30, 2005, 06:38 AM
Quote from: Shout on June 29, 2005, 05:39 PM
A 3174182350ms ping!?

They use to send GetTickCount() there...
Print
|
Go Up Pages1 2 3
User actions