Trouble reading ethereal correctly

Started by DrFugly, July 24, 2007, 09:55 AM


DrFugly

Hey all, hope you can help me out with this.
I'm using ethereal to capture me connecting to battle.net but then exiting before logging on (taking baby steps here),
but I can't understand the packets that ethereal captures! I'm looking for 0x50 but I can't find it anywhere; all I'm getting is 0x0e from the server and the client is sending 0x40.
But then I noticed that I can't be reading the packets correctly because stuff just doesn't make sense. So please give me a little bit of guidance ???

Here is my first message sent to battle.net


0000   00 0e 08 e3 3c b4 00 40 f4 2d b2 9a 08 00 45 00  ....<..@.-....E.
0010   00 3c 9c 9f 40 00 40 06 d2 fe c0 a8 00 02 3f f0  .<..@.@.......?.
0020   ca 83 96 5b 17 e0 93 69 58 1f 00 00 00 00 a0 02  ...[...iX.......
0030   16 d0 07 c6 00 00 02 04 05 b4 04 02 08 0a 00 09  ................
0040   c4 80 00 00 00 00 01 03 03 05                    ..........


Wouldn't the packet type be 0x0e? But isn't that a chat command? I'm so confuggled =( help please!

brew

Quote from: DrFugly on July 24, 2007, 09:55 AM
Hey all, hope you can help me out with this.
I'm using ethereal to capture me connecting to battle.net but then exiting before logging on (taking baby steps here),
but I can't understand the packets that ethereal captures! I'm looking for 0x50 but I can't find it anywhere; all I'm getting is 0x0e from the server and the client is sending 0x40.
But then I noticed that I can't be reading the packets correctly because stuff just doesn't make sense. So please give me a little bit of guidance ???

Here is my first message sent to battle.net


0000   00 0e 08 e3 3c b4 00 40 f4 2d b2 9a 08 00 45 00  ....<..@.-....E.
0010   00 3c 9c 9f 40 00 40 06 d2 fe c0 a8 00 02 3f f0  .<..@.@.......?.
0020   ca 83 96 5b 17 e0 93 69 58 1f 00 00 00 00 a0 02  ...[...iX.......
0030   16 d0 07 c6 00 00 02 04 05 b4 04 02 08 0a 00 09  ................
0040   c4 80 00 00 00 00 01 03 03 05                    ..........


Wouldn't the packet type be 0x0e? But isn't that a chat command? I'm so confuggled =( help please!

Don't forget, ethereal by default includes the raw TCP header in the packet. However, it appears that this specific packet is not the C > S 0x50. Be sure you filtered out all packets except the ones with the destination port and source port 6112. Ethereal may be a bit more complex than you need it to be at this point-- I recommend you use AnalogX's PacketMon, which you can get here.
<3 Zorm
Quote: [01:08:05 AM] <@Zorm> haha, me get pussy? don't kid yourself quik
Scio te esse, sed quid sumne? :P

DrFugly

Gracias for taking a look brew, much appreciated.

Well, the filter I am using right now is tcp.port == 6112. I'm positive that is a battle.net packet. I figured that it must have been the TCP packet header, but I can't seem to find a way to hide the header. Is there an option for that somewhere?

Any idea which packet this is?

Barabajagal

Since it has no FF in it, it's not a battle.net packet used in BNCS.

DrFugly

So any idea how I can find the proper packets? What am I doing wrong?

edit: Ok so I took brew's advice and installed PacketMon. And I seem to be ok with the packets now... Except the first couple of packets for the connect seem kinda weird. Some don't have data and some just don't look right (their type isn't documented), but then I catch the 0x50 packet so all is good I hope =). So what was I doing wrong in ethereal? And what are these extra packets?

Here is what is captured


FF 50 3A 00 00 00 00 00 36 38 58 49 50 58 45 53  .P:.....68XIPXES
D1 00 00 00 53 55 6E 65 C0 A8 00 02 F0 00 00 00  ....SUne........
09 04 00 00 09 04 00 00 55 53 41 00 55 6E 69 74  ........USA.Unit
65 64 20 53 74 61 74 65 73 00


All good. Except after 0x50 I would expect 0xCF to follow (the product ID of SC:BW), but instead, as you can see, 0x3A is there... Is the product ID different now? Or am I missing something? Once again... THANK YOU!!!

edit2: hahah ooops Platform ID comes next.... but how is that stored??

brew

Quote from: DrFugly on July 24, 2007, 02:39 PM
So any idea how I can find the proper packets? What am I doing wrong?

edit: Ok so I took brew's advice and installed PacketMon. And I seem to be ok with the packets now... Except the first couple of packets for the connect seem kinda weird. Some don't have data and some just don't look right (their type isn't documented), but then I catch the 0x50 packet so all is good I hope =). So what was I doing wrong in ethereal? And what are these extra packets?

Thanks everyone!

Those "weird packets" you're getting are just SYN and ACK packets. You should read up on the TCP protocol. Also, the 0x50 is NOT the "first" packet, per se. You need to send a raw 0x01 byte to the server (the protocol byte) to let it know you want to connect to a Battle.net chat server. Other possibilities include: 0x02, BNFTP, and 0x03, CHAT client (now defunct on the official battle.net servers).

EDIT*** just noticed your post edit.
If you look closely, you'll notice that you're talking about all the information sent within the 0x50... the 0xCF is not the product id, but the version byte (confusing terminology here-- the version byte is actually a DWORD). Before patch 1.15 the version byte was 0xCF but now it's 0xD1, so add together the offsets and you *should* see a D1 00 00 00 in there.
If you're unsure of a packet it's always a good idea to analyze the information, like this:

FF 50 3A 00 header
00 00 00 00 protocol id (always 0)
36 38 58 49 platform id
50 58 45 53  client id
D1 00 00 00 verbyte
53 55 6E 65 Product language (can be set to 0)
C0 A8 00 02 local/router IP (can be set to 0)
F0 00 00 00 Time zone bias (can be set to 0)
09 04 00 00 Locale ID (can be set to 0)
09 04 00 00 Language ID (can be set to 0)
55 53 41 00 country abbreviation "USA"
55 6E 69 74 65 64 20 53 74 61 74 65 73 00 country name "United States"


Just out of curiosity, what language are you coding this in?
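To make brew's breakdown concrete, here is an added example (not code from the thread) that walks the FF / id / length framing of a BNCS stream and decodes the fields of the 0x50 DrFugly captured. Function names are mine; the one thing it adds to the breakdown is that the platform, product and language tags are 4-character strings stored as little-endian DWORDs, which is why IX86 and SEXP show up as "68XI" and "PXES" in the dump.

```python
import struct

# Constructed input: the 58-byte C>S 0x50 DrFugly captured with PacketMon, hex bytes only (ASCII column dropped).
SID_AUTH_INFO_HEX = """
FF 50 3A 00 00 00 00 00 36 38 58 49 50 58 45 53
D1 00 00 00 53 55 6E 65 C0 A8 00 02 F0 00 00 00
09 04 00 00 09 04 00 00 55 53 41 00 55 6E 69 74
65 64 20 53 74 61 74 65 73 00
"""


def split_bncs_messages(stream: bytes) -> list:
    """Split a BNCS byte stream into (id, body) pairs: FF, id byte, little-endian WORD length (header included)."""
    messages, pos = [], 0
    while pos < len(stream):
        if pos + 4 > len(stream) or stream[pos] != 0xFF:
            raise ValueError("bad BNCS header at offset %d" % pos)
        msg_id, length = struct.unpack_from("<xBH", stream, pos)
        if length < 4 or pos + length > len(stream):
            raise ValueError("bad BNCS length %d at offset %d" % (length, pos))
        messages.append((msg_id, stream[pos + 4:pos + length]))
        pos += length
    return messages


def tag(dword: int) -> str:
    """4-char tags ('IX86', 'SEXP', 'enUS') are little-endian DWORDs, so reverse the bytes to read them."""
    return dword.to_bytes(4, "little")[::-1].decode("ascii")


def cstring(buf: bytes, pos: int):
    """Read a NUL-terminated string at pos; return it and the offset just past the NUL."""
    end = buf.index(b"\x00", pos)
    return buf[pos:end].decode("latin-1"), end + 1


def parse_sid_auth_info(body: bytes) -> dict:
    """Decode the 0x50 body field by field, in the order brew laid out above."""
    proto, platform, product, verbyte, lang, _ip, tz_bias, locale, lang_id = struct.unpack_from("<9I", body, 0)
    if proto != 0:
        raise ValueError("protocol id should be 0, got %d" % proto)
    country_abbr, pos = cstring(body, 36)   # strings start right after the nine DWORDs
    country, pos = cstring(body, pos)
    if pos != len(body):
        raise ValueError("%d unexpected trailing bytes" % (len(body) - pos))
    return {"platform": tag(platform), "product": tag(product), "verbyte": verbyte,
            "language": tag(lang), "local_ip": ".".join(str(b) for b in body[20:24]),
            "tz_bias": tz_bias, "locale": locale, "language_id": lang_id,
            "country_abbr": country_abbr, "country": country}


def parse_capture(hex_text: str) -> list:
    """Decode every 0x50 found in a pasted hex dump (other message ids are skipped)."""
    return [parse_sid_auth_info(body) for msg_id, body in split_bncs_messages(bytes.fromhex(hex_text)) if msg_id == 0x50]
```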

iago

Add the filter:

tcp.port == 6112 && tcp.len > 0

That should show you only packets containing data.

Good luck!
This'll make an interesting test for broken AV:
Quote: X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
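As an added illustration of brew's "raw TCP header" remark and iago's tcp.len > 0 filter (example code, not from the thread): decoding DrFugly's first dump shows 14 bytes of Ethernet, 20 of IP and 40 of TCP header carrying a SYN and no payload at all, so there is no BNCS message in it to find. Function names are mine.

```python
import struct

# Constructed input: the 74-byte frame DrFugly pasted from Ethereal, hex bytes only (offsets and ASCII column dropped).
FRAME_HEX = """
00 0e 08 e3 3c b4 00 40 f4 2d b2 9a 08 00 45 00
00 3c 9c 9f 40 00 40 06 d2 fe c0 a8 00 02 3f f0
ca 83 96 5b 17 e0 93 69 58 1f 00 00 00 00 a0 02
16 d0 07 c6 00 00 02 04 05 b4 04 02 08 0a 00 09
c4 80 00 00 00 00 01 03 03 05
"""

TCP_FLAGS = (("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04), ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20))


def decode_frame(frame: bytes) -> dict:
    """Peel Ethernet II, IPv4 and TCP headers off a captured frame; return addressing, flags and the payload left over."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        raise ValueError("expected an Ethernet II frame carrying IPv4")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                        # IPv4 header length in bytes
    total_len = struct.unpack_from("!H", ip, 2)[0]  # IP total length, header included
    if ip[9] != 6:
        raise ValueError("not a TCP segment")
    tcp = ip[ihl:total_len]                         # any Ethernet trailer padding is dropped here
    src_port, dst_port, seq, ack, off_flags = struct.unpack_from("!HHIIH", tcp, 0)
    data_off = (off_flags >> 12) * 4                # TCP header length, options included
    flags = [name for name, bit in TCP_FLAGS if off_flags & bit]
    payload = tcp[data_off:]                        # this is what Wireshark's tcp.len counts
    return {
        "src": "%d.%d.%d.%d:%d" % (*ip[12:16], src_port),
        "dst": "%d.%d.%d.%d:%d" % (*ip[16:20], dst_port),
        "seq": seq,
        "ack": ack,
        "flags": flags,
        "tcp_header_len": data_off,
        "tcp_len": len(payload),
        "payload": payload,
    }


def decode_hex_dump(hex_text: str) -> dict:
    """Convenience wrapper for hex pasted straight out of a packet monitor."""
    return decode_frame(bytes.fromhex(hex_text))


if __name__ == "__main__":
    print(decode_hex_dump(FRAME_HEX))
```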


DrFugly

Oooh replies! Everyone is so patient with me =) Thanks guys!
Yeah I'm being a real noob right now, I thought that I knew a lot more than I knew =(

Right now it looks like I might make my first library with Java since it's my best language and it's the one I have the most networking know-how in. But I'm hoping that once I understand enough I can eventually make a plug-in for Pidgin (better known as GAIM) that will allow battle.net chatting with Pidgin.

Awesome!!!! This breakdown is what I REALLY needed, you guys are the best! I'll be sure to keep on posting my questions  ;D

iago

There was a plugin for Gaim that connected to Battle.net over chat, and the guys who wrote it were working on a binary plugin. I advised them a bit, but I don't think anything ever came of it. You might want to search for it, though, it might be helpful.

If you're interested in Java, there's full source code to Java bots available with loose licenses, so you might be able to re-use some of the more tedious-to-write code.


Kp

Ethereal is deprecated.  It has been renamed to Wireshark and there have been several security releases since then.  If you want to use a network monitor, I strongly recommend that you remove Ethereal and upgrade to Wireshark.  If you are happy with PacketMon, you are welcome to keep using it.  Just do not use an old Ethereal release. :)

With regard to "what you did wrong": nothing.  Wireshark always shows the full data.  You can cause it to highlight particular sections of the packet (TCP layer, application layer, etc.) by selecting the appropriate item in the middle pane.
[19:20:23] (BotNet) <[vL]Kp> Any idiot can make a bot with CSB, and many do!

DrFugly

Alright, at least I feel like I'm getting somewhere now! Thanks guys!