
How to get started

x333

Although I'm still a newbie to these forums, I haven't seen a good guide on how to get started with packet sniffing. I have a modest grasp of programming but don't have much knowledge of network technology. Would anyone care to give a newbie who is willing to learn a push in the right direction? I'm not asking for source or hand holding but just where to begin would be nice.

Thanks,
 
I know zero about packet sniffing, but a word of caution. It appears there has been a good bit of banning recently. I would start by spending some time reading the boards. Folks are saying in different places to be cautious w/playing with packets. Just a heads up.
 
Thanks for the warning. This is why I ask, because I'm not sure what I might get myself into. Packet sniffing is unobtrusive though, so there aren't any problems with it, but to generate the type of traffic I want to sniff could get me in a fair bit of trouble.
 
There is nothing wrong with packet sniffing. All packet sniffing is, is looking at the data coming into your PC via your network card (you select which interface inside of the packet analyzer software). SOE has no way of seeing you doing this, unless you modify outbound packets, which is a completely and totally different thing in itself.

If you are interested in getting started, check out Wireshark; it's the packet sniffer (Protocol Analyzer is the more professional term) that I prefer.

http://www.wireshark.org/

Be advised, it will look very weird, because the contents of packets aren't usually human readable. Try logging outbound packets while talking on some kind of instant messenger to test things out.
 
Ok, I've taken a few days getting acquainted with the GUI for Wireshark (which is the same as Ethereal, as it turns out; "Sniff free or die!"). I've gotten a grasp of what it does and how to filter the packets to show what I really want to see. I've also found the packet exchange going between my EQ client and the EQ server.

How should I continue from here? The packets do not make much sense, as kukmuk stated above. I did notice that Wireshark had a longish list of decoders, but I'm not sure if one would be able to make any sense out of the EQ packets or if I'm even approaching this in the right way.

One thing I noticed was, when standing idle in a location with no other NPC/PCs and no environmental changes (some corner in PoTranq), there was a pattern of packets being sent. I determined this solely based on the size of the data in the payload. Remembering back to a college networking class, these could just be fragmented packages sent through the pipe and I'm probably way off in the assumption that they form a pattern at all.

Would really appreciate another push in the right direction!
 
Those packets are the movepacket and movepackettracker. They are sent every half second (iirc, might be every 5th of a second?), alternating. While we *can* still alter them, both the server and the client are now counting the packets sent / received number, and if they don't match up, bad stuff can happen.
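
The size-and-timing observation from the two posts above, as an added example that is not part of the thread: it reads a two-column export of relative time and UDP length (for instance from `tshark -r capture.pcap -T fields -e frame.time_relative -e udp.length`, where the file name is a placeholder) and reports which packet sizes recur at a steady interval. The sample rows and the sizes 46, 30 and 120 are constructed, not taken from a real capture.

```python
import statistics
from collections import defaultdict

def make_sample(n=20):
    """Constructed sample, not a real capture: two sizes taking turns every
    0.5 s with 0-4 ms of jitter, plus irregular packets of other sizes."""
    lines = []
    for i in range(n):
        jitter = ((i * 7) % 5) / 1000.0            # deterministic jitter
        size = 46 if i % 2 == 0 else 30            # constructed sizes
        lines.append(f"{i * 0.5 + jitter:.6f}\t{size}")
    lines += ["0.731000\t120", "3.112000\t120", "3.300000\t120",
              "7.460000\t120", "9.900000\t120", "2.904000\t87", "7.450000\t214"]
    return "\n".join(lines)

def parse(text):
    """Return time-sorted [(seconds, size)]; rows with an empty field are skipped."""
    out = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) == 2 and parts[0] and parts[1]:
            out.append((float(parts[0]), int(parts[1])))
    return sorted(out)

def periodic_sizes(records, min_count=5, max_cv=0.1):
    """Map size -> mean gap (s) for sizes whose inter-arrival gaps are steady.
    Steady means stdev/mean of the gaps is at most max_cv."""
    by_size = defaultdict(list)
    for t, size in records:
        by_size[size].append(t)
    result = {}
    for size, times in by_size.items():
        if len(times) < min_count:
            continue                                # too few samples to judge
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            result[size] = round(mean, 3)
    return result

def alternates(records, a, b):
    """True if packets of sizes a and b strictly take turns in time order."""
    seq = [s for _, s in records if s in (a, b)]
    return len(seq) > 1 and all(x != y for x, y in zip(seq, seq[1:]))

if __name__ == "__main__":
    recs = parse(make_sample())
    print(periodic_sizes(recs), alternates(recs, 46, 30))
```

Two sizes that each repeat every second and take turns give one packet every half second on the wire, while the size that shows up at irregular times is filtered out even though it occurs often enough to be considered.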
 
How do you go about determining the purpose of the packet?

I have seen people posting structures of packets with what each byte represents. How is this determined? Is it just brute force try until you figure it out type of thing?

Thanks again for all the help.
 