• Welcome to Valhalla Legends Archive.
 

Reading packets

Started by MoNksBaNe_Agahnim, February 01, 2004, 06:37 PM


MoNksBaNe_Agahnim

I have used several packet sniffers, and I just can't seem to understand how to read them and get information from them. Can anyone explain how to read packets, or know a site? Google hasn't been friendly with this topic recently for me. Any and all help is appreciated, thanks ^^

hismajesty

Here's something Feanor wrote a while ago, I dunno if it'll be of any help though.

Quote: Information on reading packetlog information (hex) and using DarkMinion's PacketBuffer class.
-Written by Feanor[xL] aka DaRk-FeAnOr

Most of the battle.net connection runs over TCP packets. A good packet
logger to use is WPE packet logger or Usoft's packet logger
(found at www.usoft.com). When you packet log a program, you will get
a whole lot of hex, which is difficult for new programmers to
understand. This is organized as follows:

1. Why packet log?
2. Analyze packet 0x1C
3. Explain the different byte types



1: Why Packet Log?
Your first question is probably: why is packet logging important?

The answer is that in order to write anything that has to do with battle.net,
you must packet log it and emulate the packets that your computer sends to battle.net and
receives from the server. For example, we will analyze packet 0x1C. You must send this packet to
battle.net in order to create a game.


2: Analyze Packet 0x1C

Here is an example of packet 0x1C (which is used to create games).
- Packet log taken from Barumonk[xL]'s Melee winbot.

0000 FF 1C 5B 00 00 00 00 00 00 00 00 00 02 00 01 00     ..[.............
0010 1F 00 00 00 00 00 00 00 53 6F 6D 65 47 61 6D 65     ........SomeGame
0020 4E 61 6D 65 00 00 2C 34 34 2C 31 34 2C 36 2C 32     Name..,44,14,6,2
0030 2C 32 2C 31 2C 36 38 36 34 34 37 30 33 2C 34 2C     ,2,1,68644703,4,
0040 2C 6E 65 74 77 6F 72 6B 7A 0D 54 68 65 20 4C 6F     ,networkz.The Lo
0050 73 74 20 54 65 6D 70 6C 65 0D 00 FF 10 04 00      st Temple......

The first column of information (0000, 0010, 0020 etc.) should be ignored; it is used for indexing.
The hex begins with FF. Most battle.net packets (BNCS packets) begin with FF, and the PBuffer class
written by DarkMinion takes this into account when sending packets. The byte after FF is
the name of the packet that you are sending. The Visual Basic for this packet would look like:

With PacketBuf
    .InsertDWORD &H0            ' 00 00 00 00
    .InsertDWORD &H0            ' 00 00 00 00
    .InsertWORD &H2             ' 02 00
    .InsertWORD &H1             ' 01 00
    .InsertDWORD &H1F           ' 1F 00 00 00
    .InsertDWORD &H0            ' 00 00 00 00
    .InsertNTString gamename    ' "SomeGameName" followed by 00
    .InsertNTString ""          ' the log carries an empty second string here: a lone 00
    .InsertNTString gameinfo    ' ",44,14,...The Lost Temple" 0D, and the log ends it with 00
    .sendPacket &H1C            ' prepends FF 1C and the length WORD (5B 00)
End With

Now compare this to the hex you see above. Let's break the hex down:

FF 1C        (header of hex)
5B 00        (ignore) - taken as the size of the packet received
00 00 00 00  (first DWORD)      .InsertDWORD &H0
00 00 00 00  (second DWORD)     .InsertDWORD &H0
02 00        (first WORD)       .InsertWORD &H2
01 00        (second WORD)      .InsertWORD &H1
1F 00 00 00  (third DWORD)      .InsertDWORD &H1F
00 00 00 00  (fourth DWORD)     .InsertDWORD &H0

The rest of the information is the gamename and gameinfo written into the hex.
FF 10 04 00  (start of next packet) -
sometimes you get two packets being sent in the same packet log.


3: Explain different byte types
You might be asking yourself what a DWORD and a WORD are. Here is how it works:

A DWORD is the inserted byte, followed by three 0s.
Example:
.InsertDWORD &H1

in the hex translates to
01 00 00 00

A WORD inserts the byte, followed by one 0.
Example:
.InsertWORD &H1
01 00

Some other functions are:
.InsertBYTE &H1
which inserts the selected byte followed by no 0s, and
.InsertBytes "01 00 00 00"
which inserts a bitch load of bytes at the same time.
InsertBytes is good to use if you are too lazy to put everything into DWORDs and WORDs.

Also, for inserting strings into hex you can use
.InsertNTString "hey"
and
.InsertNonNTString "hey"
The difference between an NTString and a NonNTString is that an NTString is followed by a 0x00 (null byte) and a NonNTString
is not.
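Feanor's write-up above builds the 0x1C packet with Insert* calls and then reads the log back by hand. As an added example (not code from the original post, and not DarkMinion's PacketBuffer), here is a Python stand-in that reproduces the quoted log byte for byte, prints it in the same dump layout, and splits a capture into packets using the length WORD that follows FF and the packet id. That length WORD is what tells you `FF 10 04 00` at the end is a second, separate packet rather than the tail of 0x1C. The method names mirror the post's Insert* calls; the field order of 0x1C comes from the VB listing; the second NT string, which the listing inserts as gamename again but which is empty in the dump, is taken here as a separate `password` parameter (an assumption). The log bytes and the gameinfo string are re-typed from the post.

```python
import struct

# Sample input: the 0x1C packet log quoted in the post above, re-typed as a byte string.
# It holds one 0x1C packet of 0x5B = 91 bytes followed by a complete 4-byte 0x10 packet.
PACKET_LOG = bytes.fromhex(
    "FF 1C 5B 00 00 00 00 00 00 00 00 00 02 00 01 00"
    " 1F 00 00 00 00 00 00 00 53 6F 6D 65 47 61 6D 65"
    " 4E 61 6D 65 00 00 2C 34 34 2C 31 34 2C 36 2C 32"
    " 2C 32 2C 31 2C 36 38 36 34 34 37 30 33 2C 34 2C"
    " 2C 6E 65 74 77 6F 72 6B 7A 0D 54 68 65 20 4C 6F"
    " 73 74 20 54 65 6D 70 6C 65 0D 00 FF 10 04 00"
)
GAMEINFO = ",44,14,6,2,2,1,68644703,4,,networkz\rThe Lost Temple\r"


class PacketBuffer:
    """Hypothetical Python counterpart of the VB PacketBuffer: every insert appends
    little-endian bytes; build() prepends the FF / id / length header."""

    def __init__(self):
        self.buf = bytearray()

    def insert_dword(self, value):           # 4 bytes, least significant byte first
        self.buf += struct.pack("<I", value & 0xFFFFFFFF)
        return self

    def insert_word(self, value):            # 2 bytes, least significant byte first
        self.buf += struct.pack("<H", value & 0xFFFF)
        return self

    def insert_byte(self, value):
        self.buf.append(value & 0xFF)
        return self

    def insert_bytes(self, hexstr):          # "01 00 00 00" style, like .InsertBytes
        self.buf += bytes.fromhex(hexstr)
        return self

    def insert_nt_string(self, text):        # text followed by a single 0x00
        self.buf += text.encode("latin-1") + b"\x00"
        return self

    def insert_non_nt_string(self, text):    # text with no terminator
        self.buf += text.encode("latin-1")
        return self

    def build(self, packet_id):
        # BNCS header: FF, packet id, then a WORD holding the total length, header included.
        body = bytes(self.buf)
        return struct.pack("<BBH", 0xFF, packet_id, 4 + len(body)) + body


def build_create_game(gamename, password, gameinfo):
    """Field order exactly as in the post's VB listing, values as in the dump."""
    return (PacketBuffer()
            .insert_dword(0).insert_dword(0)
            .insert_word(2).insert_word(1)
            .insert_dword(0x1F).insert_dword(0)
            .insert_nt_string(gamename)
            .insert_nt_string(password)       # empty in the log: the lone 00 after "SomeGameName" 00
            .insert_nt_string(gameinfo)       # the dump terminates it with 00 as well
            .build(0x1C))


def split_bncs_packets(data):
    """Walk a capture using the length WORD; returns ([(id, payload), ...], leftover).
    Stops, rather than guessing, at a non-FF byte or a length that runs past the capture."""
    packets, offset = [], 0
    while offset + 4 <= len(data):
        marker, packet_id, length = struct.unpack_from("<BBH", data, offset)
        if marker != 0xFF or length < 4 or offset + length > len(data):
            break
        packets.append((packet_id, data[offset + 4:offset + length]))
        offset += length
    return packets, data[offset:]


def hexdump(data):
    """Same layout as the quoted log: offset, 16 hex bytes, ASCII with '.' for non-printables."""
    lines = []
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        hexpart = " ".join(f"{b:02X}" for b in chunk)
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{i:04X} {hexpart:<47}     {ascii_part}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(hexdump(build_create_game("SomeGameName", "", GAMEINFO)))
    for packet_id, payload in split_bncs_packets(PACKET_LOG)[0]:
        print(f"packet 0x{packet_id:02X}, {len(payload)} payload bytes")
```

The splitter deliberately refuses to continue when the length WORD points past the end of the capture; that is the situation you get when a sniffer cuts a TCP segment in the middle of a packet, and the unread tail is returned so it can be prepended to the next capture chunk instead of being mis-parsed as a new FF header.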

UserLoser.


Grok

Arta, I think, made something useful for this?

Newby

Quote from: Grok on February 01, 2004, 09:40 PM
Arta, I think, made something useful for this?

Why, whatever could this utopia of a packet information site be?! :P
- Newby

Quote: [17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

Quote: <TehUser> Man, I can't get Xorg to work properly.  This sucks.
<torque> you should probably kill yourself
<TehUser> I think I will.  Thanks, torque.

Spht

Note that my two documents were written three years ago when I was just learning the protocol; they were merely notes of mine that I put together.

Feanor generalizes too much, so that may throw you off.

http://forum.valhallalegends.com/phpbbs/index.php?board=17;action=display;threadid=4594 for BNCSMon.

MoNksBaNe_Agahnim

wow thanks guys this has been helping me a ton, very much appreciate it ^^

MoNksBaNe_Agahnim

what is the .insert -- equivalent in C++?

UserLoser.

Quote from: MoNksBaNe_Agahnim on February 02, 2004, 05:00 PM
what is the .insert -- equivalent in C++?


The PacketBuffer is a class someone made. You have to either make your own like it or go find someone else's PacketBuffer class.

MyndFyre

Something else that I wrote using C# is a class called IncomingPacketStream.  It is basically the reverse of the PacketBuffer class (or in my API, the abstract Packet class).  The interface is:


   // C# interface members take no virtual/override modifiers (they are implicitly abstract),
   // and Equals(object) is already inherited from System.Object, so only the typed overload is declared.
   public interface IIncomingPacketStream
   {
      bool CanRead { get; }
      bool CanSeek { get; }
      bool CanWrite { get; }
      long Length { get; }
      long Position { get; }

      void Close();
      bool Equals(IIncomingPacketStream iips);
      void Flush();
      void Seek(long newPosition);

      byte PeekByte();
      short PeekWord();
      int PeekDword();
      string PeekNonNTString();
      string PeekNTString();

      byte ReadByte();
      short ReadWord();
      int ReadDword();
      string ReadNonNTString();
      string ReadNTString();
   }

It's ALMOST like a standard .NET Stream -- I was thinking about making it derive from Stream - but in the end I decided not to.  In my implementation, CanRead and CanSeek always return true, CanWrite always returns false.  ReadNonNTString() returns up to a four-character string (shorter if the provided DWORD is shorter -- for example, the clan tag AoA is represented by 00 41 6F 41 -- rather than return a four-character string with the null-terminator, it just returns a three-character string).  All of the Peek...() methods read the next group of the specified characters; the Read...() methods advance the current position.

The constructor receives a reference to the incoming byte array to be parsed.  That makes this stream not particularly thread-safe, but that's not a particularly big deal thus far.
Quote: Every generation of humans believed it had all the answers it needed, except for a few mysteries they assumed would be solved at any moment. And they all believed their ancestors were simplistic and deluded. What are the odds that you are the first generation of humans who will understand reality?

After 3 years, it's on the horizon.  The new JinxBot, and BN#, the managed Battle.net Client library.

Quote from: chyea on January 16, 2009, 05:05 PM
You've just located global warming.
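MyndFyre's post describes the reading side: Peek* returns the next value without moving, Read* advances, and ReadNonNTString() turns a NUL-padded DWORD such as 00 41 6F 41 into "AoA". As an added example (not MyndFyre's C# code, and not part of the thread), here is a Python reader with that interface, used to pull the fields back out of the 0x1C payload from Feanor's log earlier in the thread. Assumptions: the stream receives the payload with the FF / id / length header already stripped; the padding NUL in a short tag is dropped on either side (the post only says the three real characters come back); and the 0x1C field names below are positional, since nothing on this page names them.

```python
import struct

# Sample input: the 0x1C payload from Feanor's log, re-typed with the header (FF 1C 5B 00) removed.
CREATE_GAME_PAYLOAD = bytes.fromhex(
    "00 00 00 00 00 00 00 00 02 00 01 00"
    " 1F 00 00 00 00 00 00 00 53 6F 6D 65 47 61 6D 65"
    " 4E 61 6D 65 00 00 2C 34 34 2C 31 34 2C 36 2C 32"
    " 2C 32 2C 31 2C 36 38 36 34 34 37 30 33 2C 34 2C"
    " 2C 6E 65 74 77 6F 72 6B 7A 0D 54 68 65 20 4C 6F"
    " 73 74 20 54 65 6D 70 6C 65 0D 00"
)


class IncomingPacketStream:
    """Reader over one packet's payload. peek_* returns the next value without moving;
    read_* returns it and advances position. Every short read raises EOFError."""

    def __init__(self, payload):
        self.data = bytes(payload)
        self.position = 0

    @property
    def length(self):
        return len(self.data)

    def seek(self, new_position):
        if not 0 <= new_position <= len(self.data):
            raise ValueError(f"seek to {new_position} outside 0..{len(self.data)}")
        self.position = new_position

    # Internal helpers return (value, bytes consumed) so peek and read share one decoder.
    def _fixed(self, fmt):                         # BYTE / WORD / DWORD, little-endian
        size = struct.calcsize(fmt)
        if self.position + size > len(self.data):
            raise EOFError(f"need {size} bytes at {self.position}, "
                           f"only {len(self.data) - self.position} left")
        return struct.unpack_from(fmt, self.data, self.position)[0], size

    def _nt(self):                                 # text up to the next 0x00; terminator consumed
        end = self.data.find(b"\x00", self.position)
        if end < 0:
            raise EOFError(f"no NUL terminator after offset {self.position}")
        return self.data[self.position:end].decode("latin-1"), end + 1 - self.position

    def _tag(self):                                # one DWORD as text, e.g. 00 41 6F 41 -> "AoA"
        raw = self.data[self.position:self.position + 4]
        if len(raw) < 4:
            raise EOFError(f"need 4 bytes at {self.position}, only {len(raw)} left")
        return raw.strip(b"\x00").decode("latin-1"), 4   # assumption: NUL padding is dropped

    def _advance(self, result):
        value, size = result
        self.position += size
        return value

    def peek_byte(self):          return self._fixed("<B")[0]
    def peek_word(self):          return self._fixed("<H")[0]
    def peek_dword(self):         return self._fixed("<I")[0]
    def peek_nt_string(self):     return self._nt()[0]
    def peek_non_nt_string(self): return self._tag()[0]

    def read_byte(self):          return self._advance(self._fixed("<B"))
    def read_word(self):          return self._advance(self._fixed("<H"))
    def read_dword(self):         return self._advance(self._fixed("<I"))
    def read_nt_string(self):     return self._advance(self._nt())
    def read_non_nt_string(self): return self._advance(self._tag())


def parse_create_game(payload):
    """Read the 0x1C fields in the order Feanor's listing inserts them.
    Names are positional (this page does not name the fields); the second NT string is empty in the log."""
    s = IncomingPacketStream(payload)
    fields = {
        "dword1": s.read_dword(),
        "dword2": s.read_dword(),
        "word1": s.read_word(),
        "word2": s.read_word(),
        "dword3": s.read_dword(),
        "dword4": s.read_dword(),
        "gamename": s.read_nt_string(),
        "nt_string2": s.read_nt_string(),
        "gameinfo": s.read_nt_string(),
    }
    if s.position != s.length:
        raise ValueError(f"{s.length - s.position} trailing bytes not consumed")
    return fields


if __name__ == "__main__":
    for name, value in parse_create_game(CREATE_GAME_PAYLOAD).items():
        print(f"{name:<10} {value!r}")
```

The trailing-bytes check in `parse_create_game` is the cheap sanity test a bot author wants when a field list is guessed from a log: if the server ever sends more or fewer bytes than the listing expects, the parser fails loudly at that packet instead of reading the next packet's header as string data.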

MoNksBaNe_Agahnim

what is he using the insert function for? I saw DM use something similar; is the insert inputting the values for the variables used in the statements? Just confused about what the insert is supposed to do, not necessarily how to code it

TheMinistered

The "insert" method usually takes a parameter of x data type and dumps it into a buffer, which can be sent by some method later on once a packet is fully constructed in the buffer.

Visual Basic doesn't support polymorphism, so you have to create separate functions for each x data type (i.e.)

Public Sub InsertDWORD(ByVal lngData as Long)
   'copy data into a buffer
End Sub

Public Sub InsertWORD(ByVal intData as Integer)
   'copy data into a buffer
End Sub

Public Sub InsertString(ByVal strData as String)
   'copy data into buffer
End Sub


whereas, in c++ you have polymorphism (which is very nice)

#include <cstring>
#include <vector>

class PacketBuffer {
    std::vector<char> buf;
public:
    // same name, three parameter types: the compiler picks the overload from the argument
    void insert(const char* data) {        // NT string: copy the text and its terminator
        buf.insert(buf.end(), data, data + std::strlen(data) + 1);
    }
    void insert(short data) {              // WORD
        const char* p = reinterpret_cast<const char*>(&data);
        buf.insert(buf.end(), p, p + sizeof data);
    }
    void insert(long data) {               // DWORD (4 bytes on 32-bit Windows; 8 on LP64 systems)
        const char* p = reinterpret_cast<const char*>(&data);
        buf.insert(buf.end(), p, p + sizeof data);
    }
};

MoNksBaNe_Agahnim

ahhh ok, thanks for everyone who helped I have learned and still am learning a lot, appreciate it a ton :)

Kp

Quote from: TheMinistered on February 02, 2004, 10:36 PM
whereas, in c++ you have polymorphism (which is very nice)

I agree, but even in C++, not everyone uses that for packetbuffers.  I find the extra casting more annoying than just modifying the names slightly -- insertdw, insertw, insertb, etc.  It can go either way, but it's usually made clear by context.
[19:20:23] (BotNet) <[vL]Kp> Any idiot can make a bot with CSB, and many do!

K

Quote from: Kp on February 03, 2004, 08:54 AM
Quote from: TheMinistered on February 02, 2004, 10:36 PM
whereas, in c++ you have polymorphism (which is very nice)

I agree, but even in C++, not everyone uses that for packetbuffers.  I find the extra casting more annoying than just modifying the names slightly -- insertdw, insertw, insertb, etc.  It can go either way, but it's usually made clear by context.

I agree with you.  Overloading the insertion operator is supposed to make it easier, not harder.  However:



Packet<BNCSHeader> p;

// using individually named functions:
p.dInsert(0x04);

// using overloaded functions:
p.Insert((DWORD)0x04); // p.Insert(static_cast<DWORD>(0x04));


not to mention that using visual studio's completion you can simply type

p.d[control+space] so there's no extra typing involved with individually naming functions (as long as you put the type before Insert and not after).