• Welcome to Valhalla Legends Archive.
 

Trouble dealing with raw packets...

Started by djuhn, December 07, 2006, 06:41 AM

Previous topic - Next topic

djuhn

I've had no problems dealing with packets arriving via the winsock control in VB6,
but now i'm using a packet monitor for my current project...
Here is an example of an incoming SID_PING
00 08 02 64 F5 CD 00 0D  88 ED 01 7E 08 00 45 00
00 30 54 DB 00 00 70 06  A1 E5 3F F1 53 07 C0 A8
00 67 17 E0 E7 44 BD 87  83 73 5C 76 E0 2C 50 18
FF C8 7D DF 00 00 FF 25  08 00 A7 30 B2 FA 10 81

My problem is this, there is 54 bytes of TCP header (correct?), making the actual data I want:
FF 25  08 00 A7 30 B2 FA 10 81
but that's 2 bytes too long!
Sometimes theres extra data after packets, sometimes there isn't.
Problem comes when I'm parsing multiple packets coming in under 1 TCP header and i try to skip ahead bytes according to the packet length as specified in the packet...

Is there something big I'm missing out on in the TCP protocol that says there is gonna be some bytes at the end of the packet?

FrostWraith

Well, if you are finding the beginning of each packet successfully, then you should be in the clear. Just be sure that you are parsing each packet length correctly. I don't see why two extra bytes added onto the end of the packet would cause any trouble because you have the packet length handed to you.

warz

Are you only seeing this extra data in Ethereal, or are you seeing it from your emu client as well?

l2k-Shadow

Sometimes you get trailing data after the actual packet, this shouldn't make any difference for your program receiving of the data, though. Especially if you are using VB winsock control, the .GetData function will only retrieve the actual packet data, so you have nothing to worry about.
Quote from: replaced on November 04, 2006, 11:54 AM
I dunno wat it means, someone tell me whats ix86 and pmac?
Can someone send me a working bot source (with bnls support) to my email?  Then help me copy and paste it to my bot? ;D
Já jsem byl určenej abych tady žil,
Dával si ovar, křen a k tomu pivo pil.
Tam by ses povídaj jak prase v žitě měl,
Já nechci před nikym sednout si na prdel.

Já nejsem z USA, já nejsem z USA, já vážně nejsem z USA... a snad se proto na mě nezloběj.

djuhn

I have no problems dealing with the packet that comes in right after the TCP header, but,
I've noticed sometimes, 2 (or more) packets come under the one TCP header. I can't find an example with two smallish packets so I'll make one up (2x SID_PING)

(54 bytes of TCP header) FF 25 08 00 A7 30 B2 FA 10 81 FF 25 08 00 A7 30 B2 FA

I made my program find the actual data for the first packet by skipping 54 bytes, then I tried to make it find the next packet by skipping a further x bytes according to the packet length specified, but in the current example, that pointer is garbage. I can't seem to find any way of predicting it, sometimes there's no extra bytes and it works fine, but sometimes there is???

The winsock control does indeed give only the actual data, but I need to make use of WinPCap for what I'm working on, and the DLL I'm using to interface with WinPCap is handing me these extra bytes sometimes.

Any ideas?

Ersan

Split clumped packets by 0xFF, or use an efficient debuffer.

djuhn

Quote from: Ersan on December 08, 2006, 03:39 AM
Split clumped packets by 0xFF, or use an efficient debuffer.

whats a debuffer?
yeh thats the method im using now... get to end of packet then look for 0xff for battle.net messages and 0xf7 for warcraft in-game messages...
theres gotta be a better way?

Ersan

#7
A debuffer is essentially a pointer that keeps track of where you're at in the data buffer, discarding used data as needed.

djuhn

but is there a predictable way of discarding the bytes between packets other than searching for a 0xFF or 0xF7?

The additional bytes appear to be 0, 1, 2 or 4 bytes only...

warz

Quote from: djuhn on December 08, 2006, 07:36 AM
but is there a predictable way of discarding the bytes between packets other than searching for a 0xFF or 0xF7?

The additional bytes appear to be 0, 1, 2 or 4 bytes only...

Well, I've never experienced 'extra data', as you're describing. Although there is a way to discard that data, it might not be reliable. You know each packet begins with 0xFF, and contains the length in it. Given those two items you should be able to read only the intended data, discard whatevers left, and begin at the next 0xFF byte.

l2k-Shadow


The header for Battle.net packets is this:
(BYTE) 0xFF
(BYTE) Packet ID
(WORD) Length (including the header length)
(VOID) Packet Data

then follow what warz said.
Quote from: replaced on November 04, 2006, 11:54 AM
I dunno wat it means, someone tell me whats ix86 and pmac?
Can someone send me a working bot source (with bnls support) to my email?  Then help me copy and paste it to my bot? ;D
Já jsem byl určenej abych tady žil,
Dával si ovar, křen a k tomu pivo pil.
Tam by ses povídaj jak prase v žitě měl,
Já nechci před nikym sednout si na prdel.

Já nejsem z USA, já nejsem z USA, já vážně nejsem z USA... a snad se proto na mě nezloběj.

topaz

Quote from: Ersan on December 08, 2006, 05:46 AM
A debuffer is essentially a pointer that keeps track of where you're at in the data buffer, discarding used data as needed.

It's not a terribly good idea to dump used data.
RLY...?

warz

Quote from: topaz on December 08, 2006, 04:34 PMIt's not a terribly good idea to dump used data.

You like to store data that you've already processed?

l)ragon

Quote from: Ersan on December 08, 2006, 03:39 AM
Split clumped packets by 0xFF, or use an efficient debuffer.
Splitting by 0xFF is not a good idea, you should be processing via the packet length.
*^~·.,¸¸,.·´¯`·.,¸¸,.-·~^*ˆ¨¯¯¨ˆ*^~·.,l)ragon,.-·~^*ˆ¨¯¯¨ˆ*^~·.,¸¸,.·´¯`·.,¸¸,.-·~^*

topaz

Quote from: warz on December 08, 2006, 06:21 PM
Quote from: topaz on December 08, 2006, 04:34 PMIt's not a terribly good idea to dump used data.

You like to store data that you've already processed?

Thing is, sometimes you (I) want to go back to look at the data, and often the data isn't immediately useful. There's also the fact that dumping the data you've processed is the lazy way of not tracking the position you're at in the buffer and instead starting back at the top (imo). There's really no reason to dump it.
RLY...?