Reading Packets, Please Read

Started by Tazo, May 12, 2003, 03:56 PM


Tazo

Okay. I need to know how to read packets (sry, excuse my newness). I need to know...
a) where to find and identify the packet [ i.e. 0x05 ]
b) how to find what is a dword, ntstring, etc.

This is a sample log I have taken, and I would appreciate it if you could analyze it and break it down, and show me how to read it.

0000   FF 1C 5F 00 00 00 00 00 00 00 00 00 02 00 01 00    .._.............
0010   1F 00 00 00 00 00 00 00 70 62 6F 74 74 65 73 74    ........pbottest
0020   69 6E 67 32 30 30 33 00 00 2C 34 34 2C 31 34 2C    ing2003..,44,14,
0030   36 2C 32 2C 32 2C 31 2C 36 32 30 65 33 63 31 33    6,2,2,1,620e3c13
0050   65 20 4C 6F 73 74 20 54 65 6D 70 6C 65 0D 00         e Lost Temple..

Tuberload

http://www.valhallalegends.com/arta/bnetdocs/

You can easily find the answers to all your questions with just a little bit of effort on your part.
"Pray not for lighter burdens, but for stronger backs." -- Teddy Roosevelt
"Your forefathers have given you freedom, so good luck, see you around, hope you make it" -- Unknown

Tazo

I don't see anything on reading packets...

I don't want to know about BNET packets, I want to know how to read packets in general.

tA-Kane

Quote from: laurion on May 12, 2003, 04:05 PM
I don't want to know about BNET packets, I want to know how to read packets in general.
That's really beyond the scope of Battle.net Bot Development and should be asked in the General Programming forum.
Macintosh programmer and enthusiast.
Battle.net Bot Programming: http://www.bash.org/?240059
I can write programs. Can you right them?

http://www.clan-mac.com
http://www.eve-online.com

iago

A DWORD is any 4 bytes beside each other.
A WORD is any 2 bytes.
A BYTE is .. a byte.
An ntstring is any length of characters with a null (00) at the end.

That's the most basic. How to convert a dword to a decimal number is a little different, but I'll let somebody else answer that.
This'll make an interesting test for broken AV:
QuoteX5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


Tazo

OK, how would I identify the packet ID? i.e. 0x26

Would this be 0x1C? I saw the FF 1C, just a guess.

ALSO, Is there a program that will find the DWORDS, WORDS, NTSTRINGS, and all the other er uh 'things' :-p for me? I.e. it will analyze the data and say, "This is a DWORD", etc.

Noodlez

A program has no way of knowing what data type a packet is, unless of course it recognizes the packet.

What is so hard about this?

0000  FF 1C 5F 00 00 00 00 00 00 00 00 00 02 00 01 00    .._.............
0010  1F 00 00 00 00 00 00 00 70 62 6F 74 74 65 73 74    ........pbottest
0020  69 6E 67 32 30 30 33 00 00 2C 34 34 2C 31 34 2C    ing2003..,44,14,
0030  36 2C 32 2C 32 2C 31 2C 36 32 30 65 33 63 31 33    6,2,2,1,620e3c13
0050  65 20 4C 6F 73 74 20 54 65 6D 70 6C 65 0D 00        e Lost Temple..

The BNet packet header is 0xFF PacketID(BYTE) Length(WORD)...
which makes 0x1C the packet id, 0x5F00 the length, and everything after that the data.

A DWORD is 4 bytes, following FF 1C 5F 00 there is a possible dword (4 bytes) 00 00 00 00 which is displayed as .... in plain text format.

Camel

the first 4 bytes (FF 1C 5F 00) are the packet header
0xFF is always going to be the first byte in a BNCS packet
0x1C is the packet id
0x005F (in network order) is the packet length (including the packet header)

you want to look at the packet length (in this case, 0x5F is 95 in decimal), and count up that number of bytes
then, go to bnetdocs and look up s->c 0x1C
split up the packet based on the types


(Byte) FF
(Byte) 1C
(Word) 5F 00

(QWord) 00 00 00 00 00 00 00 00
(Word) 02 00
(Word) 01 00
(DWord) 1F 00 00 00
(DWord) 00 00 00 00
(NTString) 70 62 6F 74 74 65 73 74 69 6E 67 32 30 30 33 00 00 2C 34 34 2C 31 34 2C 36 2C 32 2C 32 2C 31 2C 36 32 30 65 33 63 31 33 65 20 4C 6F 73 74 20 54 65 6D 70 6C 65 0D 00

Tazo

Thanks a lot for all your help!

Skywing

Quote from: Camel on May 12, 2003, 08:23 PM
0x005F (in network order) is the packet length (including the packet header)
Every numerical value transmitted on the wire and not as a string representation of a number is little endian with the Battle.net protocol.
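
The header layout and little-endian decoding discussed in this thread, as an added Python example that is not part of any post: it splits a receive buffer on the `0xFF, ID (BYTE), length (WORD)` header and reads DWORD and NTString fields with bounds checks. The names `PacketError`, `parse_header`, `split_packets`, `Reader` and `demo` are hypothetical, and `SAMPLE` is a constructed packet whose payload layout (one DWORD, one NTString) is illustrative, not the documented layout of 0x1C.

```python
import struct

class PacketError(ValueError):
    """Raised when bytes do not form a valid packet or field."""

def parse_header(buf, pos=0):
    # 0xFF marker, packet ID (BYTE), total length (WORD, little endian)
    marker, pkt_id, length = struct.unpack_from("<BBH", buf, pos)
    if marker != 0xFF:
        raise PacketError(f"bad marker 0x{marker:02X} at offset {pos}")
    if length < 4:  # length counts the 4 header bytes, so < 4 is impossible
        raise PacketError(f"length {length} is shorter than the header")
    return marker, pkt_id, length

def split_packets(buf):
    """Split a receive buffer into [(id, payload)] plus unconsumed bytes."""
    packets, pos = [], 0
    while len(buf) - pos >= 4:
        _, pkt_id, length = parse_header(buf, pos)
        if pos + length > len(buf):
            break  # packet not fully received yet; keep bytes for later
        packets.append((pkt_id, buf[pos + 4:pos + length]))
        pos += length
    return packets, buf[pos:]

class Reader:
    """Cursor over a payload; every read is bounds-checked."""
    def __init__(self, data):
        self.data, self.pos = data, 0
    def _take(self, fmt):
        if self.pos + struct.calcsize(fmt) > len(self.data):
            raise PacketError("field runs past the end of the payload")
        (value,) = struct.unpack_from(fmt, self.data, self.pos)
        self.pos += struct.calcsize(fmt)
        return value
    def dword(self):
        return self._take("<I")
    def ntstring(self):
        end = self.data.find(b"\x00", self.pos)
        if end < 0:
            raise PacketError("string has no null terminator")
        text, self.pos = self.data[self.pos:end], end + 1
        return text.decode("latin-1")

# Constructed sample (not the capture above): header, DWORD 0x1F, NTString.
SAMPLE = bytes.fromhex("FF1C18001F000000") + b"pbottesting2003\x00"
def demo():
    packets, leftover = split_packets(SAMPLE + SAMPLE[:10])  # 2nd is partial
    reader = Reader(packets[0][1])
    return packets[0][0], reader.dword(), reader.ntstring(), len(leftover)
```

Decoding the thread's own header bytes `FF 1C 5F 00` with `parse_header` gives a length of 95; reading the same WORD big endian would give 0x5F00 (24320), far longer than the capture.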

Camel

Quote from: Skywing on May 13, 2003, 07:28 AM
Quote from: Camel on May 12, 2003, 08:23 PM
0x005F (in network order) is the packet length (including the packet header)
Every numerical value transmitted on the wire and not as a string representation of a number is little endian with the Battle.net protocol.
more specifically, in network order ;)

iago

Isn't network order Big Endian?

Yes, this confirms it:
Quote:
network order is the only one in this collection which contains the additional initials "pp"
network order is "big
network order is backed by the petals network guarantee of satisfaction
network order is big
network order is 0 1
network order is %u\n
network order is big endian page 17
network order is a list of attributes or value pairs set on the processes
network order is submitted to the ddmgateway process to execute a network order policy
network order is any order coming from a yahoo
network order is big endian
network order is little
network order is host order
network order is different on
network order is the same as host order
network order is > big endian without a formal proof
network order is submitted
network order is 13 episodes
network order is in hand
network order is assured
network order is equivalent to big
network order is different from intel's host byte order
network order is sparc order
network order is the same as sparc/motorola order
network order is bigendian
network order is used
network order is based on an expansion of the familiar class of series
network order is msb of each octet
network order is important mostly when transmitting data over a network
network order is be
network order is always
network order is always 296
network order is returned
network order is relevant
network order is big endian and intels aren't
network order is seen in experiments with mus musculus
network order is a pasted as "metricus can easy
network order is discussed
network order is msb of each octet first
network order is for 260 units of equipment
network order is always 00323
network order is msb of each byte first
network order is used for
network order is always * msb
network order is big endian so we can use htonl to make sure big really is * big endian */ big = htonl
network order is msb of each first


Skywing

Quote from: Camel on May 13, 2003, 07:57 AM
more specifically, in network order ;)
No, network byte order is just the opposite (big endian).  Using network byte order for the Battle.net protocol is exactly wrong.

Camel

Quote from: Skywing on May 13, 2003, 03:21 PM
Quote from: Camel on May 13, 2003, 07:57 AM
more specifically, in network order ;)
No, network byte order is just the opposite (big endian).  Using network byte order for the Battle.net protocol is exactly wrong.

hrm
STFU N00B!

-.-