[REQUEST] Packet Sniffing tutorial (ANALYZING)

11/23/2010 20:34 Haxor#1
Hi
I want to ask if anyone can write or teach me a sniffing tutorial for SRO.

I found a topic about it on epvp that talks about packet sniffing, but for "Beginners":
[link]
I also searched for it on epvp with the search button and didn't find any tutorial.

So I read that tutorial a lot (the one I linked above),
but I still can't decode it well.

Thanks.
I hope someone writes a tutorial soon,
or gives me a link,
because I have also tried googling it a lot.
11/23/2010 20:45 ZeraPain#2
11/23/2010 20:52 Haxor#3
Quote:
Originally Posted by ZeraPain
[link]
This didn't help me at all.

Because first, how do I send a notice in C#?
I just want packet sniffing (ANALYZING).

I just want to know how to analyze packets.
11/23/2010 21:38 ZeraPain#4
Well, if you are using AutoIt then just go and use:

$recv = TCPRecv($Socket, 2048)

and you can receive packets from the server and analyze them yourself.
11/23/2010 21:41 Haxor#5
Quote:
Originally Posted by ZeraPain
Well, if you are using AutoIt then just go and use:

$recv = TCPRecv($Socket, 2048)

and you can receive packets from the server and analyze them yourself.
I get the packets from the server with Wireshark.
My problem is analyzing them.
I need help with that.
11/23/2010 21:48 ZeraPain#6
Using Wireshark is not really the best way...

Packets are built like this:

1. packet size (2 bytes)
2. opcode (2 bytes)
3. security (2 bytes)
4. packet data (packet size bytes)

The packet data contains everything from byte to qword
(1 byte, 2 bytes, 4 bytes, 8 bytes).
11/23/2010 21:52 ZeraPain#7
Example packets:

PM packet:

0D00 data length
2570 opcode
0100 security
0202 PM code
0600 name length
53617A756B65 name
0100 message length
61 message

Notice packet:

0700 data length
2630 opcode
0100 security
07 notice code
0400 notice length
61616161 notice message
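The two dumps above are enough to write a small parser for the framing ZeraPain describes: three little-endian words (size, opcode, security) followed by `size` bytes of data, read with byte/word/dword/qword cursors. The code below is an added example for this thread, not code from any of the posters or from the tools they name. It also handles the detail that a raw socket read such as `TCPRecv($Socket, 2048)` returns a byte stream, not one packet, so the size word has to drive the split. The per-opcode field layouts, the treatment of the "PM code" bytes 02 02 as a single word, and ASCII strings are assumptions taken from the annotations above; the security word is carried through unchanged because the thread does not say what it contains.

```python
import struct
from typing import Dict, List, Tuple

# Packet header as described in the post: three little-endian words,
# then `size` bytes of data.
HEADER = struct.Struct("<HHH")


class PacketReader:
    """Little-endian cursor over the data part of one packet."""

    def __init__(self, data: bytes) -> None:
        self.data = data
        self.pos = 0

    def _take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ValueError("field runs past the end of the packet data")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def byte(self) -> int:
        return self._take(1)[0]

    def word(self) -> int:
        return struct.unpack("<H", self._take(2))[0]

    def dword(self) -> int:
        return struct.unpack("<I", self._take(4))[0]

    def qword(self) -> int:
        return struct.unpack("<Q", self._take(8))[0]

    def string(self) -> str:
        # word length prefix, then that many bytes (ASCII assumed here)
        return self._take(self.word()).decode("ascii")

    def done(self) -> bool:
        return self.pos == len(self.data)


def split_stream(buf: bytes) -> Tuple[List[bytes], bytes]:
    """Cut a TCP byte stream into whole packets; return (packets, leftover).

    One socket read can return several packets at once, or only part of
    one, so the size word decides where each packet ends.
    """
    packets, pos = [], 0
    while len(buf) - pos >= HEADER.size:
        size = HEADER.unpack_from(buf, pos)[0]
        end = pos + HEADER.size + size
        if end > len(buf):
            break                      # incomplete packet: wait for more data
        packets.append(buf[pos:end])
        pos = end
    return packets, buf[pos:]


def parse_packet(raw: bytes) -> Tuple[int, int, bytes]:
    """Return (opcode, security, data) for one complete packet."""
    if len(raw) < HEADER.size:
        raise ValueError("shorter than the 6-byte header")
    size, opcode, security = HEADER.unpack_from(raw, 0)
    data = raw[HEADER.size:HEADER.size + size]
    if len(data) != size:
        raise ValueError("size word claims more data than was captured")
    return opcode, security, data


# Field layouts taken from the annotated dumps above. Treating the
# "PM code" 02 02 as one word and strings as ASCII are assumptions.
def decode_pm(r: PacketReader) -> Dict[str, object]:
    return {"pm_code": r.word(), "name": r.string(), "message": r.string()}


def decode_notice(r: PacketReader) -> Dict[str, object]:
    return {"notice_code": r.byte(), "message": r.string()}


DECODERS = {0x7025: decode_pm, 0x3026: decode_notice}


def analyze(raw: bytes) -> Dict[str, object]:
    opcode, security, data = parse_packet(raw)
    result: Dict[str, object] = {"opcode": opcode, "security": security, "size": len(data)}
    decoder = DECODERS.get(opcode)
    if decoder is None:
        result["hex"] = data.hex(" ")      # unknown opcode: left for manual work
        return result
    r = PacketReader(data)
    result.update(decoder(r))
    if not r.done():
        result["trailing"] = r.data[r.pos:].hex(" ")   # layout guess was incomplete
    return result


# The two packets from the post, as byte strings.
PM_PACKET = bytes.fromhex("0D00 2570 0100 0202 0600 53617A756B65 0100 61")
NOTICE_PACKET = bytes.fromhex("0700 2630 0100 07 0400 61616161")

if __name__ == "__main__":
    packets, rest = split_stream(PM_PACKET + NOTICE_PACKET)
    for p in packets:
        print(analyze(p))
    print("leftover bytes:", rest.hex())
```

Note that the opcode bytes `25 70` on the wire read as 0x7025 once the little-endian word is assembled, which is the form used elsewhere in the thread (0x7021, 0xB021). The `trailing` field is the useful diagnostic when a guessed layout is wrong: any bytes the decoder did not consume are shown instead of silently dropped.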
11/24/2010 06:48 bootdisk#8
I'm not the best at packet sniffing; in fact, I think it's boring as hell, but this is what I do.

These are just 2 methods that work for me:

Method 1
I run a proxy (nuconnector + an analyzer, or my Frankenstein app slip), then move to a place where you're alone (Constantinople's shipyard area is a good place).
Trigger events (start doing stuff like casting skills), look for all the C-S (client to server) packets and see what S-C packets are sent back. Usually, for every C-S packet's opcode, its server counterpart shares the last byte (please note the 'usually' there; for example, movement 0x7021 is replied to by the server with 0xB021 on RSRO).

I think that might be the pretty 'rustic' way of doing it, but it works, and it is logarithmically proportional to the complexity of what you're looking for.


Method 2
Use [link].
That's a kick-ass system in which you first record a complete play session and can play it back later packet by packet.
Seriously, it's the best way in my opinion.

And, not a way that I've tried, but edxSilkroadLoader version 5 has an 'autoparser' feature which uses Silkroad's client to get the packets parsed (you will see what is an 8-byte, 4-byte, 2-byte or 1-byte value).

I'd recommend you capture several packets of what you're interested in, then analyse them, to get an accurate packet structure.

Oh, and my last piece of advice: start developing your sniffing skills on RSRO. It's a good place to research as it doesn't have any anti-cheat system.

Edit:
I forgot to add something that helped me too.
If you get a value that you don't know the meaning of, for example:

9E 3A 00 00 (00 00 3A 9E)

a quick way of guessing what it is is to convert it back to decimal, since it's hexadecimal. You'll get 15006. Search all the characterdata_*, skilldata_*, itemdata_* files (they're under server_dep inside Media.pk2); with luck you will end up with this line:

Quote:
1 15006 MOB_EU_THIEF_NPC_0139 0139 ?? ????(????) MOB_EU_THIEF_NPC_0001 SN_MOB_THIEF_NPC xxx 0 1 1 2 1 2 5000 3 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 -1 0 -1 0 -1 0 -1 0 12 0 0 0 0 0 20 54 100 0 4 0 xxx xxx xxx xxx xxx 14 0 470 0 0 0 0 0 0 0 0 0 0 0 32 70 14 14 53 0 53 2 329 336860180 3 3000 10898 12298 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
See the 15006? That's the ID column, so '00 00 3A 9E' refers to a thief NPC (lol, I took the worst case). Now the question is: were you doing something with a thief NPC? If so, then you've found that 00 00 3A 9E points to an ID.

If all that has failed, then start playing with bits. That means start searching for a meaning of that value; bitwise operations give a lot of answers most of the time.

Well, that's all I can think of; hope you've got the idea.
11/24/2010 07:39 lesderid#9
In my opinion the best application to use is edxSilkroadLoader5.
By hooking the read functions in sro_client it knows when the client reads a byte, a word, a dword or a qword.

So the only thing left is to check what each value means. For that, read what bootdisk posted.

And well, after that, it's pretty easy. (Ok, not always...)
11/24/2010 14:09 Haxor#10
Thanks all for the replies.

@All
I don't want a program for sniffing or anything like that;
I have edxloader + Wireshark.

I just want a tutorial or something that helps me analyze the packets,
like what bootdisk posted.


I captured the packets from zszc and found that they contain the IP and port,
but I don't know what the other values are.
These are the packets:
Quote:
0000 00 0e 2e 4b c1 13 00 1d 7d d4 3a 01 08 00 45 00
0010 00 2e 2d 85 40 00 80 06 7a 41 c0 a8 02 64 43 cd
0020 4c 2a 05 11 3d a3 82 ef 58 4d 92 fe cd 38 50 18
0030 ff 04 53 24 00 00 00 00 02 20 45 24
0xdf40
sd-proxy > 15779
This is the port, which is 15779.
This is the IP of zszc.

What about the other dword values?
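Most of the "other values" in the dump above are not game data at all: a Wireshark hex view shows the whole frame, so the first 14 bytes are the Ethernet header, the next 20 the IPv4 header (`45 00 ...`, with the source 192.168.2.100 and destination 67.205.76.42 that the poster recognised), then 20 bytes of TCP header (ports 1297 and 15779, sequence and acknowledgement numbers, flags, window, checksum), and only the last 6 bytes belong to the game. This is why the other posters steer towards a proxy: it hands you the payload with those layers already removed. The example below is an added illustration written for this page, not code from any poster or tool; it peels the three headers off the posted frame using the IHL and TCP data-offset fields rather than fixed offsets, then applies the 6-byte size/opcode/security layout from ZeraPain's post to what is left. The frame bytes are copied from the dump above; nothing is claimed about what the resulting opcode means.

```python
import struct
from typing import Dict

# Copied from the 60-byte frame in the post above (Wireshark hex view, offsets dropped).
FRAME = bytes.fromhex("""
00 0e 2e 4b c1 13 00 1d 7d d4 3a 01 08 00 45 00
00 2e 2d 85 40 00 80 06 7a 41 c0 a8 02 64 43 cd
4c 2a 05 11 3d a3 82 ef 58 4d 92 fe cd 38 50 18
ff 04 53 24 00 00 00 00 02 20 45 24
""")

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def carve_tcp_payload(frame: bytes) -> Dict[str, object]:
    """Strip Ethernet II, IPv4 and TCP headers and return the application bytes."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack_from("!H", frame, 12)[0]     # network byte order
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"not IPv4 (ethertype 0x{ethertype:04x})")

    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                 # IP header length, options included
    total_len = struct.unpack_from("!H", ip, 2)[0]
    if ip[9] != IPPROTO_TCP:
        raise ValueError(f"not TCP (protocol {ip[9]})")
    ip = ip[:total_len]                      # drop Ethernet padding, if any

    tcp = ip[ihl:]
    src_port, dst_port, seq, ack = struct.unpack_from("!HHII", tcp, 0)
    data_off = (tcp[12] >> 4) * 4            # TCP header length, options included
    flags = tcp[13]

    return {
        "src": f"{'.'.join(map(str, ip[12:16]))}:{src_port}",
        "dst": f"{'.'.join(map(str, ip[16:20]))}:{dst_port}",
        "seq": seq,
        "ack": ack,
        "flags": flags,
        "payload": tcp[data_off:],
    }


def game_header(payload: bytes) -> Dict[str, object]:
    """Apply the 6-byte size/opcode/security layout from the earlier post."""
    if len(payload) < 6:
        raise ValueError("payload shorter than the game packet header")
    size, opcode, security = struct.unpack_from("<HHH", payload, 0)   # game side is little-endian
    return {"size": size, "opcode": opcode, "security": security, "data": payload[6:6 + size]}


if __name__ == "__main__":
    seg = carve_tcp_payload(FRAME)
    print(f"{seg['src']} -> {seg['dst']} flags=0x{seg['flags']:02x}")
    print("payload:", seg["payload"].hex(" "))
    hdr = game_header(seg["payload"])
    print(f"size={hdr['size']} opcode=0x{hdr['opcode']:04x} security=0x{hdr['security']:04x}")
```

Run against the posted frame, the carve leaves `00 00 02 20 45 24`: a size word of 0, so this particular packet carries no data beyond its header. The source port 1297 is what Wireshark displayed as "sd-proxy" in the conversation line, since it substitutes a service name for known port numbers. Note the two byte orders in play: the IP and TCP headers are big-endian, while the game header is little-endian, so the same four bytes `82 ef 58 4d` in the TCP sequence field would read very differently if mistaken for a game dword.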
11/24/2010 14:51 lesderid#11
Quote:
Originally Posted by saif1999
Thanks all for the replies.

@All
I don't want a program for sniffing or anything like that;
I have edxloader + Wireshark.

I just want a tutorial or something that helps me analyze the packets,
like what bootdisk posted.


I captured the packets from zszc and found that they contain the IP and port,
but I don't know what the other values are.
These are the packets:

0xdf40
sd-proxy > 15779
This is the port, which is 15779.
This is the IP of zszc.

What about the other dword values?
Don't use Wireshark; use edxloader's built-in autoparser. Then you don't have to figure everything out by yourself.
11/24/2010 14:54 Haxor#12
Quote:
Originally Posted by lesderid
Don't use Wireshark; use edxloader's built-in autoparser. Then you don't have to figure everything out by yourself.
First, what is the edxloader autoparser?

Second,
I don't have RSRO (:facepalm:)
11/24/2010 16:09 lesderid#13
Quote:
Originally Posted by saif1999
First, what is the edxloader autoparser?

Second,
I don't have RSRO (:facepalm:)
edxSilkroadLoader5 has an internal autoparser that splits the packet for you into byte, word, etc.,
so you don't have to guess how long a value is (how many bytes).

Also, it works for all SRO versions. Private SRO versions need some changes though.
11/24/2010 16:15 Haxor#14
Quote:
Originally Posted by lesderid
edxSilkroadLoader5 has an internal autoparser that splits the packet for you into byte, word, etc.,
so you don't have to guess how long a value is (how many bytes).

Also, it works for all SRO versions. Private SRO versions need some changes though.
Hmm,
ok, I have edxloader5.

What do I tick to start capturing packets?
Hook input?
11/24/2010 17:23 lesderid#15
Quote:
Originally Posted by saif1999
Hmm,
ok, I have edxloader5.

What do I tick to start capturing packets?
Hook input?
"Packet Auto-Parser (new SRO only)"