Packet Logging Help

Started by Dale, February 18, 2007, 08:10 PM


Dale

I don't really know how to understand how to use the data...

I'm trying to figure out what is sent to the server to connect. But there's all this 'junk' in the data... So how do I know what is actually sent and what is not?


0000  00 18 f8 3f 4a b4 00 17  31 46 8b 27 08 00 45 00   ...?J... 1F.'..E.
0010  00 58 e2 cd 00 00 80 11  8f 7c 4c b3 f6 65 44 8e   .X...... .|L..eD.
0020  40 a4 08 da 69 86 00 44  23 94 56 53 30 31 18 00   @...i..D #.VS01..
0030  06 00 00 02 00 00 00 b6  bc d9 70 00 00 00 27 00   ........ ..p...'.
0040  00 00 01 00 00 00 70 00  00 00 18 00 00 00 cc 02   ......p. ........
0050  00 00 56 15 14 01 01 00  10 01 8f ec 18 00 01 44   ..V..... .......D
0060  4d 53 79 70 68 00                                  MSyph.           


DMSyph is my username.
How do I know what is sent to the server to connect?

Fyi, This is for Steam's Friends Network...
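One way to answer "what is actually sent" is to peel the frame apart layer by layer. This is an added example, not code from the thread: the hex dump is copied from the post above with its ASCII gutter stripped, and `hexdump_to_bytes`, `mac`, `ip` and `dissect` are names chosen here. The first 14 bytes are the Ethernet header, the next 20 the IPv4 header, the next 8 the UDP header; only what is left is the application data the client sent.

```python
import struct

# Frame from the post as an Ethereal-style hex dump, ASCII gutter stripped (constructed from the page).
DUMP = """\
0000  00 18 f8 3f 4a b4 00 17  31 46 8b 27 08 00 45 00
0010  00 58 e2 cd 00 00 80 11  8f 7c 4c b3 f6 65 44 8e
0020  40 a4 08 da 69 86 00 44  23 94 56 53 30 31 18 00
0030  06 00 00 02 00 00 00 b6  bc d9 70 00 00 00 27 00
0040  00 00 01 00 00 00 70 00  00 00 18 00 00 00 cc 02
0050  00 00 56 15 14 01 01 00  10 01 8f ec 18 00 01 44
0060  4d 53 79 70 68 00
"""

def hexdump_to_bytes(dump):
    """Read up to 16 hex byte columns per line, skipping the offset column."""
    out = bytearray()
    for line in dump.splitlines():
        for tok in line.split()[1:17]:
            if len(tok) != 2 or not all(c in "0123456789abcdefABCDEF" for c in tok):
                break  # reached an ASCII gutter or junk
            out.append(int(tok, 16))
    return bytes(out)

def mac(b):
    return ":".join("%02x" % x for x in b)

def ip(b):
    return ".".join(str(x) for x in b)

def dissect(frame):
    """Peel Ethernet II, IPv4 and UDP headers; return the fields and the UDP payload."""
    dst_mac, src_mac, ethertype = frame[0:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("not IPv4")
    (ver_ihl, _tos, total_len, _ident, _flags, ttl, proto, _csum,
     src_ip, dst_ip) = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    ihl = (ver_ihl & 0x0F) * 4               # IHL is in 32-bit words
    if proto != 17:
        raise ValueError("not UDP")
    off = 14 + ihl
    sport, dport, ulen, _ucsum = struct.unpack("!HHHH", frame[off:off + 8])
    payload = frame[off + 8:off + ulen]
    # Sanity check a logger would make: lengths must agree across layers.
    consistent = total_len == ihl + ulen and ulen == 8 + len(payload)
    return {"src_mac": mac(src_mac), "dst_mac": mac(dst_mac), "src_ip": ip(src_ip),
            "dst_ip": ip(dst_ip), "ttl": ttl, "src_port": sport, "dst_port": dport,
            "payload": payload, "consistent": consistent}

FRAME = hexdump_to_bytes(DUMP)
```

For this frame the headers account for 42 of the 102 bytes; the remaining 60 bytes, starting with the ASCII "VS01" and ending with the username, are the only part the Steam client itself composed.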

brew

Huh? What do you mean? Like, other packets sent/handled by other programs that aren't Steam? Or within the packet you're looking at itself. Well, all that data is part of that packet, therefore it is meant to be something, so it's all important and not junk. I'm not really sure what you're asking sooooo.... sorry :/
It would also help to know what packetlogger you're using. Some of the higher end packetloggers have an option where you can, say, filter all out but one port.
<3 Zorm
Quote[01:08:05 AM] <@Zorm> haha, me get pussy? don't kid yourself quik
Scio te esse, sed quid sumne? :P

Barabajagal

You're gonna have a hell of a time if you rely on packet logging to understand a binary connection system. Your best bet is decompiling the system, or finding documentation someone else has done on it already.

MyndFyre

Quote from: [RealityRipple] on February 19, 2007, 12:18 AM
You're gonna have a hell of a time if you rely on packet logging to understand a binary connection system. Your best bet is decompiling the system, or finding documentation someone else has done on it already.

You'd be surprised.  About 30% of my work in WoW protocol emulation has come from packet logging.
QuoteEvery generation of humans believed it had all the answers it needed, except for a few mysteries they assumed would be solved at any moment. And they all believed their ancestors were simplistic and deluded. What are the odds that you are the first generation of humans who will understand reality?

After 3 years, it's on the horizon.  The new JinxBot, and BN#, the managed Battle.net Client library.

Quote from: chyea on January 16, 2009, 05:05 PM
You've just located global warming.

Dale

I can't rely on documentation, I've checked, no one's done it. That's also why it makes it interesting... I believe this would be an easy project for Mynd, or anyone with good programming skills; it just should be challenging for me.

@Brew: Ethereal, and it's UDP, and I logged out all the unwanted packets; it's just how I use the data I got that I was confused with...

brew

Uh... No offence, dlStevens, but that would be a hard project for anyone. I wouldn't even know where to start. What are you exactly trying to do? Emulate Steam? lol. I don't blame you. Oh and by the way, Ethereal is out of date. I prefer using PacketMon or something not as complex. www.analogx.com
And also UDP is pretty nasty.... hence {U}nreliable [D]atagram [P]rotocol lol. This is part of the reason why nobody got too far with the in-game Starcraft protocol, like Kyro wants to do with his bot. So if you are really serious about this, your best bet is to get a nice decompiler, like the one I use, called "rec200d". You can probably find it by googling. And also get OllyDbg. You're going to also need to learn a bit of assembly language perhaps to get an idea of what's going on inside Steam.
And in your first post, did you mean connect? or log in? There is a huge difference between those two terms. To connect to a remote host is simple. But logging on is a different story. Also, nothing in that packet is "useless data" as you call it. All the data in a packet serves some purpose. Just because the data isn't in string literal form doesn't mean it's useless. It all has a purpose, and you could make much better sense of it if there was any good documentation on Steam login. But since that's not the case, just keep in mind all that data, although you can't necessarily make sense of it yet, still means something. Possibly it could be a hash of your password, among other things (i.e. language id, install date, number of games, games you downloaded, so on). I myself don't use "Steam" so sorry if I'm a bit off on any of this.
Good luck, stevens!

EDIT*** to fix underline :/

Dale

Alright, thanks, you helped a little bit :P ... I know UDP is unreliable etc., etc., and what I want to do is: inside Steam's core is a plugin, which is 'friendsUI.dll'. I want to make my own messenger, instead of using Steam's messenger... It sucks, and most everyone hates it. I'm doing it because I think it'd be a neat project to do, but we'll see...

brew

You could always just hook the socket onto the currently open one that sends the actual packets, kind of like how the Starcraft window hook works. You can use the plugin for login, and your own messenger for everything else. The most advanced type of chat packet I would imagine is having the message UTF-8 encoded for multiple language support.

Joe[x86]

First, Ethereal is not out of date. A packet logger cannot get "out of date" -- it logs packets. It always has and always will. Nothing changes about doing it.

Second, UDP stands for User Datagram Protocol. Whoever taught you that its name includes Unreliable should be dropkicked.

Third, you can't hook a UDP socket because UDP sockets don't exist. TCP and UDP are both types of communication, but so are phone calls and shouting. One can be wiretapped and one can't, although they can both be picked up by a nearby microphone or third party. This is analogous to TCP being able to be hooked and UDP not being able to, although packet loggers are still effective.
Quote from: brew on April 25, 2007, 07:33 PM
that made me feel like a total idiot. this entire thing was useless.

Grok

Quote from: Joe[x86]
First, Ethereal is not out of date. A packet logger cannot get "out of date" -- it logs packets. It always has and always will. Nothing changes about doing it.

Second, UDP stands for User Datagram Protocol. Whoever taught you that its name includes Unreliable should be dropkicked.

Third, you can't hook a UDP socket because UDP sockets don't exist. TCP and UDP are both types of communication, but so are phone calls and shouting. One can be wiretapped and one can't, although they can both be picked up by a nearby microphone or third party. This is analogous to TCP being able to be hooked and UDP not being able to, although packet loggers are still effective.

I'm thinking brew is a troll.  I had started to respond and point out all his wrong points, but realized it was unlikely someone could be so wrong, all at once.  He's probably another member of the forum practicing his trolling out on others here.

brew

*sigh*
Didn't I make it apparent I was being sarcastic about what the U in UDP means? "hence {U}nreliable [D]atagram [P]rotocol lol." I wonder why I included a slight "lol".
And by a packet logger being out of date, I mean "a bit behind the others in features, and hasn't been updated in quite a while". There are such things as better packetloggers.

And third, I was assuming Steam uses some TCP connection in their logon sequence. Just because dlStevens pasted ONE packet that happened to be UDP doesn't mean all the rest that steam uses to really log in is, too.

@Grok: I am not a ...troll! I had the second post in this topic, for God's sake. My understanding of the definition of "trolling" is when one posts nonsense, meaningless posts when the person is already being helped.

oh and by the way, sorry for trolling :(

Grok

Well if you're not, then I apologize.  I do, however, know what a troll is, as I was practicing and perfecting trolling many years ago on usenet.  It doesn't have to be an original post, replies are fine.  The best trolls are entirely subtle and believable as they hook their prey.  The more the merrier.  I've seen troll threads go on for years.  Anyway, glance at a dozen or so of your last posts from the view of someone else, it looks like you're posting misinformation to get arguments going.  If you genuinely are just wrong, I apologize for using the word troll.

Best Regards,
Grok

Joe[x86]

Quote from: Grok on February 22, 2007, 04:36 PM
Well if you're not, then I apologize.  I do, however, know what a troll is, as I was practicing and perfecting trolling many years ago on usenet.  It doesn't have to be an original post, replies are fine.  The best trolls are entirely subtle and believable as they hook their prey.  The more the merrier.  I've seen troll threads go on for years.  Anyway, glance at a dozen or so of your last posts from the view of someone else, it looks like you're posting misinformation to get arguments going.  If you genuinely are just wrong, I apologize for using the word troll.

Best Regards,
Grok

Nice job being entirely subtle and believable as you hook your prey. :)

Kp

Quote from: Joe[x86]
First, Ethereal is not out of date. A packet logger cannot get "out of date" -- it logs packets. It always has and always will. Nothing changes about doing it.

Actually, Ethereal is out of date.  The project was renamed to Wireshark, and several releases have been issued under the new name.  Each new release adds functionality, and many also fix security holes.  Wireshark is still free, and all users should upgrade to version 0.99.4.  Some anti-malware products are flagging part of 0.99.5 as a suspicious toolbar, which is probably a mistake but could still cause problems for users of the affected products.
[19:20:23] (BotNet) <[vL]Kp> Any idiot can make a bot with CSB, and many do!