Pcap extraction of data from packet.

Started by ronh, September 09, 2009, 03:27 AM



Coding in c++, winpcap.

How would I go about extracting the data part Diablo2 sends in the packets?
What I managed so far is filtering for packets that pass the "tcp port 6112 && len > 0" filter.

Now, as I get it, pcap passes you the full packet in u_char *packet, an array including any tcp/ip headers etc. The data part of the packet should be somewhere after the headers. This seems quite true, seeing that I get chat and ads text when I print the packet's chars. So I understand I will have to find out the length of each preceding header and add those as an offset from the beginning of the packet.

Going through some forum search results I got the impression Diablo2 packet data should begin with 0xff, followed by a varying id, then the rest of the data. Thing is - I can't find any relevant 0xff + id in the packets I receive. Has this thing changed? Plus the position of the chat logs, ad links etc, seems rather random in relation to the start of the packet.

I must be doing things very wrong. Would appreciate help pointing me in the right direction.


Don't know if you checked this site out: http://www.bnetdocs.org/ but it should help you out.

Here are some pgs within that site you should look at:
Then everything labeled "Packets" on the Left side

If you still have trouble, post some packet logs, and probably someone will help you identify certain parts of them

vb6, something about that combination of numbers and letters is sexy



I found out the problem really was with extracting the data part. When I printed the data I would actually start and end at random positions in the packet.
What I did eventually was downloading Wireshark. Helped me find out the bit position of every header length specifier.
Will post the code once I'm back home and able to clean it up.


Ok, I uploaded the source to Google Code:

Hope anyone will find this useful.
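
The offset calculation discussed in this thread, as an added example that is not part of any post and is not ronh's uploaded code: it reads the IPv4 header length and TCP data offset fields to locate the payload, and checks every wire-supplied length against the captured length before using it. It assumes Ethernet II framing without VLAN tags and IPv4; `tcp_payload`, `Payload` and the sample frame are constructed for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Location of the TCP payload inside a captured frame.
struct Payload { const uint8_t* data; size_t len; };

// Hypothetical helper. Assumes Ethernet II (no VLAN tag) carrying IPv4.
// Pass pcap_pkthdr::caplen, not len: only caplen bytes are actually in the buffer.
// All length fields come from the wire, so each is bounds-checked before use.
bool tcp_payload(const uint8_t* pkt, size_t caplen, Payload& out) {
    const size_t ETH = 14;                                 // dst MAC, src MAC, EtherType
    if (caplen < ETH + 20) return false;                   // room for a minimal IPv4 header
    if (pkt[12] != 0x08 || pkt[13] != 0x00) return false;  // EtherType 0x0800 = IPv4
    const uint8_t* ip = pkt + ETH;
    if ((ip[0] >> 4) != 4) return false;                   // IP version nibble
    size_t ihl = (ip[0] & 0x0F) * 4u;                      // low nibble, in 32-bit words
    if (ihl < 20 || ip[9] != 6) return false;              // protocol 6 = TCP
    size_t total = (size_t(ip[2]) << 8) | ip[3];           // IP total length, big-endian
    if (total < ihl + 20 || ETH + total > caplen) return false;
    const uint8_t* tcp = ip + ihl;
    size_t doff = (tcp[12] >> 4) * 4u;                     // high nibble, in 32-bit words
    if (doff < 20 || ihl + doff > total) return false;
    out.data = tcp + doff;
    out.len = total - ihl - doff;                          // ignores Ethernet padding
    return true;
}

// Constructed sample frame: 14-byte Ethernet, 20-byte IPv4, 32-byte TCP header
// (12 bytes of options), 4-byte payload "DATA". Source port is 6112 (0x17e0).
static const uint8_t SAMPLE[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x00,0x38, 0x00,0x01,0x40,0x00, 0x40,0x06,0x00,0x00,
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,
    0x17,0xe0,0xc0,0x00, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x01,
    0x80,0x18,0x01,0x00, 0x00,0x00,0x00,0x00,
    0x01,0x01,0x08,0x0a, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x02,
    'D','A','T','A'
};

int main() {
    Payload p{};
    if (!tcp_payload(SAMPLE, sizeof SAMPLE, p)) return 1;
    std::printf("payload at offset %zu, %zu bytes\n", size_t(p.data - SAMPLE), p.len);
    return 0;
}
```

A fixed offset would have landed inside the TCP options of this frame, which matches the "random position" symptom described above.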