Valhalla Legends Forums Archive | Battle.net Bot Development | identifying packets in wireshark [ ethereal ]

Author | Message | Time
para
Hello all, I decided I'd try and make a bot. Once I realised this was very complicated I took the "information" post's advice and got a packet logger to investigate the packets that've accumulated during the time of connection.

My question is, how do I relate the information I see in Wireshark to the packet information I see, for example, on bnetdocs? I want to be able to understand what stage the connection is at, but I don't know how to differentiate the accumulation of packets.

Thank you for your time.
August 17, 2008, 2:06 AM
HdxBmx27
It's pretty straightforward.
tcp.port == 612 and tcp.len > 0 will give you BNCS packets that actually have data in them.
Then it's the data segment you have to pay attention to. Wireshark shows the TCP headers as well. I wish there was a way to turn it off, but I haven't used it in a while so I don't know.
But from that it's pretty straightforward.
August 17, 2008, 3:39 AM
Barabajagal
6112*

Also, keep in mind how data is displayed...
A byte is a single value: 10
A word is two bytes (reversed order): 10 00
A dword is four bytes (reversed order): 10 00 00 00
A string is a series of bytes followed by a null terminator: 31 30 00
That's about it. Filetimes are two dwords, non-nt strings are simply arrays of bytes/words/dwords, etc..
August 17, 2008, 4:18 AM
para
Is that 01, 00 01 stuff at the very beginning of the huge block of hex numbers?
August 17, 2008, 2:43 PM
iago
On Wireshark, you'll see all the protocol details, not just Battle.net. That's the parts used for session control, routing, etc. You have to get used to looking for what you want.

In the "filter" dialog near the top, after doing the capture, put in the expression "tcp.port == 6112 && tcp.len > 0" (without the quotes). That'll filter out some of the stuff.

Then, for each packet you click on, a summary will display in the middle window, which will include things like "Internet Protocol". At the bottom, there should be one that says "data (xxx bytes)". Click on that. It should highlight the last part of the packet, and that's the actual data being sent to/from Battle.net.

Since you caught me on a really boring morning, I took a quick little screenshot:
http://www.javaop.com/~ron/images/screenshots/wireshark.png

Hope that helps!
August 17, 2008, 2:58 PM
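Added example, not written by any poster in this thread: decoding the bytes of Wireshark's "data" segment by hand, using the little-endian types described above and the header that the dissector later in this thread reads (0xFF, packet ID, little-endian word length). It assumes the length word counts the four header bytes; the field layouts are copied from that dissector's server-to-client table, and the sample bytes are constructed, not captured.

```python
import struct

# Server -> client layouts, copied from the SPacketDescription table posted
# later in this thread. Only two packets are included here.
SERVER_LAYOUTS = {
    0x25: ("SID_PING", [("Ping Value", "dword")]),
    0x50: ("SID_AUTH_INFO", [
        ("Logon Type", "dword"),
        ("Server Token", "dword"),
        ("UDPValue", "dword"),
        ("MPQ Filetime", "filetime"),   # two dwords, read as one 64-bit value
        ("IX86 Filename", "stringz"),
        ("Value String", "stringz"),
    ]),
}

# All multi-byte values are little-endian ("reversed order" in the hex pane).
FIXED = {"byte": "<B", "word": "<H", "dword": "<I", "filetime": "<Q"}


def split_messages(stream):
    """Split TCP payload bytes into (packet_id, body) tuples.

    Returns (messages, leftover). leftover holds a partial message whose
    remaining bytes arrive in a later TCP segment.
    Assumption: the length word includes the 4 header bytes.
    """
    messages, pos = [], 0
    while len(stream) - pos >= 4:
        marker, pid, length = struct.unpack_from("<BBH", stream, pos)
        if marker != 0xFF:
            raise ValueError(f"offset {pos}: expected 0xFF, got 0x{marker:02X}")
        if length < 4:
            raise ValueError(f"offset {pos}: length {length} is shorter than the header")
        if pos + length > len(stream):
            break  # message continues in the next segment
        messages.append((pid, stream[pos + 4:pos + length]))
        pos += length
    return messages, stream[pos:]


def decode_body(body, layout):
    """Decode one message body field by field; returns (fields, undecoded_tail)."""
    fields, cursor = {}, 0
    for name, kind in layout:
        if kind == "stringz":
            end = body.find(b"\x00", cursor)
            if end < 0:
                raise ValueError(f"{name}: missing null terminator")
            fields[name] = body[cursor:end].decode("latin-1")
            cursor = end + 1
        else:
            fmt = FIXED[kind]
            size = struct.calcsize(fmt)
            if cursor + size > len(body):
                raise ValueError(f"{name}: body too short")
            (fields[name],) = struct.unpack_from(fmt, body, cursor)
            cursor += size
    return fields, body[cursor:]


def decode_server_stream(stream):
    """Decode every complete server -> client message in the stream."""
    messages, leftover = split_messages(stream)
    decoded = []
    for pid, body in messages:
        name, layout = SERVER_LAYOUTS.get(pid, (f"unknown 0x{pid:02X}", []))
        fields, _tail = decode_body(body, layout)
        decoded.append((name, fields))
    return decoded, leftover


# Constructed sample: two messages back to back, as they can appear in one
# "data" segment. The token, filetime and strings are made-up values.
SAMPLE = (
    bytes.fromhex("ff 25 08 00 10 00 00 00")        # SID_PING, dword 0x10
    + bytes.fromhex("ff 50 25 00")                  # SID_AUTH_INFO, length 37
    + bytes.fromhex("00 00 00 00 78 56 34 12 dd cc bb aa")
    + bytes.fromhex("00 80 3e d5 de b1 9d 01")      # filetime
    + b"test.mpq\x00" + b"A=1\x00"                  # two null-terminated strings
)

if __name__ == "__main__":
    for name, fields in decode_server_stream(SAMPLE)[0]:
        print(name, fields)
    # A segment that ends mid-message leaves the tail for the next segment.
    print(decode_server_stream(SAMPLE[:20]))
```
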
Barabajagal
Isn't there a Follow TCP stream like there was in Ethereal?
August 17, 2008, 7:29 PM
Yegg
[quote author=Andy link=topic=17607.msg179351#msg179351 date=1219001372]
Isn't there a Follow TCP stream like there was in Ethereal?
[/quote]

Wireshark is Ethereal. They stopped referring to it as Ethereal a couple years ago.
August 18, 2008, 2:28 AM
iago
[quote author=Yegg link=topic=17607.msg179355#msg179355 date=1219026484]
[quote author=Andy link=topic=17607.msg179351#msg179351 date=1219001372]
Isn't there a Follow TCP stream like there was in Ethereal?
[/quote]

Wireshark is Ethereal. They stopped referring to it as Ethereal a couple years ago.
[/quote]

Yeah, the name changed. And yes, there's a "Follow TCP Stream", but I personally only use it when examining ASCII data. You can miss things when using it to reverse engineer, especially if the program makes a secondary connection (like to BNFTP).
August 18, 2008, 4:04 AM
Barabajagal
Meh... I just use WPE for everything and modify the memory permissions of the things it "can't read".
August 18, 2008, 6:28 AM
Yegg
[quote author=Andy link=topic=17607.msg179359#msg179359 date=1219040911]
Meh... I just use WPE for everything and modify the memory permissions of the things it "can't read".
[/quote]

Probably the best idea for beginners considering how much extra info Wireshark displays.
August 18, 2008, 7:17 AM
aton
How about writing a Wireshark plugin that parses the BNCS and ingame packets? Has anyone ever written a Wireshark plugin?
October 6, 2008, 1:48 PM
nitroxs
Is anyone still interested in such a plugin? (btw, I'm not asking for it, just measuring the need :) )
August 26, 2009, 2:31 PM
Myndfyr
Sure.
August 26, 2009, 3:11 PM
MysT_DooM
Plugin sounds useful.
Wish they would add "tabbed views" to the GUI already also (it's on their wishlist: http://wiki.wireshark.org/WishList#head-71481751b5dbe70881096b76745d3e4bc12818ad)
August 26, 2009, 5:14 PM
nitroxs
Good :)

Now that Wireshark has Lua support this task is much easier. I've been playing with it and came up with a very basic dissector. Currently only one packet is fully displayed, but headers are shown for every packet.

The good thing is that adding more packets doesn't take much work. It just needs to be described like in the following sample:

[code]
-- Packets from server to client
SPacketDescription = {
[SID_AUTH_INFO] = {
WProtoField.uint32("","Logon Type",base.DEC, {
[0x00] = "Broken SHA-1 (STAR/SEXP/D2DV/D2XP)",
[0x01] = "NLS version 1 (War3Beta)",
[0x02] = "NLS Version 2 (WAR3/W3XP)",
}),
WProtoField.uint32("","Server Token",base.HEX),
WProtoField.uint32("","UDPValue",base.HEX),
WProtoField.uint64("","MPQ Filetime",base.HEX),
WProtoField.stringz("","IX86 Filename"),
WProtoField.stringz("","Value String"),
},
}
[/code]

I would like a more straightforward way of describing packets though.

For those familiar with Lua dissectors, WProtoField is a wrapper around Wireshark's ProtoField which handles field registration and provides other information like size. The return value of its methods is a table structured in the following way

[code]
{
    [pf] = The real ProtoField object
    [size] = Function returning field size
}
[/code]

and it can be expanded for whatever unexplored purpose (like conditional or encoded fields).

Describing all the packets will be a tough task. Does bnetdocs have some database that could be used to programmatically generate the descriptions? I believe some regexp could be used for that.

There are also some problems with the logic:
  1. TCP reassembly needs to be done.
  2. Error recovery. Currently errors are mostly ignored. That's not a big problem as Wireshark displays them nicely (but with very technical messages) in the detailed view.
  3. Smarter packet direction detection. Currently it checks whether the src or dst port is 6112, which doesn't work when they are the same, like in (some) UDP packets.
  4. UDP support.
  5. Many more... :P

I don't know how to upload it. Oh, thank god code blocks have scrollbars, hehe. Ok, the following code block has the script.

To use it, Lua has to be enabled by editing init.lua, which can be found in the Wireshark directory (one of the first lines has to be commented out), and bnetp.lua has to be loaded by a dofile at the end of init.lua.

Test it. Have a look at it. Suggestions, contributions and anything else are very welcome ;D

bnetp.lua:
[code]
do
-- Forward declarations
local
packet_names,
noop_handler,
handlers_by_type,
pid_label,
CPacketDescription,
SPacketDescription,
dissect_packet

local p_bnetp = Proto("bnetp","Battle.net Protocol");

local f_type = ProtoField.uint8("bnetp.type","Header Type",base.HEX, {
[0x1] = "Game protocol request",
[0x2] = "FTP protocol request",
[0x3] = "Chat protocol request",
[0xF7] = "W3IGP",
[0xFF] = "BNCS",
})
local f_pid = ProtoField.uint8("bnetp.pid")
local f_plen = ProtoField.uint16("bnetp.plen","Packet Length",base.DEC)

p_bnetp.fields = {
-- Header fields
--    Type
f_type,
--    Packet Info
f_pid,
f_plen,
}

function p_bnetp.dissector(buf,pkt,root)
if pkt.columns.protocol then
pkt.columns.protocol:set("BNETP")
end

if pkt.columns.info then
pkt.columns.info:clear()
end

if root then
local bnet_node = root:add(p_bnetp, buf(0))
bnet_node:add(f_type, buf(0, 1))
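local handler = handlers_by_type[buf(0,1):uint()]
-- Skip unknown header types and segments that carry only the type byte
if handler and buf:len() > 1 then
handler(buf(1):tvb(), pkt, bnet_node)
end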
end
end

local udp_encap_table = DissectorTable.get("udp.port")
local tcp_encap_table = DissectorTable.get("tcp.port")
udp_encap_table:add(6112,p_bnetp)
tcp_encap_table:add(6112,p_bnetp)

-- Boilerplate

noop_handler = function (buf, pkt, root) return end

pid_label = function (pid, name)
return string.format("Packet ID: %s (0x%x)", name, pid)
end

handlers_by_type = {
[0x1] = noop_handler,
[0x2] = noop_handler,
[0x3] = noop_handler,
[0xF7] = function (buf, pkt, root)
root:add(f_pid, buf(0, 1))
root:add_le(f_plen, buf(1, 2))
end,
[0xFF] = function (buf, pkt, root)
local pidnode = root:add(f_pid, buf(0, 1))
local pid = buf(0,1):uint()
local type_pid = ((0xFF * 256) + pid)
-- IDs missing from packet_names would otherwise reach format/concat as nil
local name = packet_names[type_pid] or "unknown"
pidnode:set_text(pid_label(pid, name))
root:add_le(f_plen, buf(1, 2))

local pdesc
if pkt.src_port == 6112 then
-- process server packet
pdesc = SPacketDescription[type_pid]
else
-- process client packet
pdesc = CPacketDescription[type_pid]
end

if pdesc then
-- Header-only packets such as SID_NULL have no body to dissect
if buf:len() > 3 then
dissect_packet(buf(3):tvb(), root, pdesc)
end
else
error("Unsupported packet: " .. name)
end
end,
}

-- Packet dissector
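function dissect_packet(buf, root, pdesc)
local cursor = 0
-- ipairs walks the fields in declaration order; pairs gives no order guarantee
for _, v in ipairs(pdesc) do
-- Stop when the captured data ends before the description does
if cursor >= buf:len() then break end
local size = v.size(buf(cursor):tvb())
root:add_le(v.pf, buf(cursor, size))
cursor = cursor + size
end
end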

packet_names = {
-- Battle.net Messages Names
[0xFF00] = "SID_NULL",
[0xFF02] = "SID_STOPADV",
[0xFF04] = "SID_SERVERLIST",
[0xFF05] = "SID_CLIENTID",
[0xFF06] = "SID_STARTVERSIONING",
[0xFF07] = "SID_REPORTVERSION",
[0xFF08] = "SID_STARTADVEX",
[0xFF09] = "SID_GETADVLISTEX",
[0xFF0A] = "SID_ENTERCHAT",
[0xFF0B] = "SID_GETCHANNELLIST",
[0xFF0C] = "SID_JOINCHANNEL",
[0xFF0E] = "SID_CHATCOMMAND",
[0xFF0F] = "SID_CHATEVENT",
[0xFF10] = "SID_LEAVECHAT",
[0xFF12] = "SID_LOCALEINFO",
[0xFF13] = "SID_FLOODDETECTED",
[0xFF14] = "SID_UDPPINGRESPONSE",
[0xFF15] = "SID_CHECKAD",
[0xFF16] = "SID_CLICKAD",
[0xFF18] = "SID_REGISTRY",
[0xFF19] = "SID_MESSAGEBOX",
[0xFF1A] = "SID_STARTADVEX2",
[0xFF1B] = "SID_GAMEDATAADDRESS",
[0xFF1C] = "SID_STARTADVEX3",
[0xFF1D] = "SID_LOGONCHALLENGEEX",
[0xFF1E] = "SID_CLIENTID2",
[0xFF1F] = "SID_LEAVEGAME",
[0xFF21] = "SID_DISPLAYAD",
[0xFF22] = "SID_NOTIFYJOIN",
[0xFF25] = "SID_PING",
[0xFF26] = "SID_READUSERDATA",
[0xFF27] = "SID_WRITEUSERDATA",
[0xFF28] = "SID_LOGONCHALLENGE",
[0xFF29] = "SID_LOGONRESPONSE",
[0xFF2A] = "SID_CREATEACCOUNT",
[0xFF2B] = "SID_SYSTEMINFO",
[0xFF2C] = "SID_GAMERESULT",
[0xFF2D] = "SID_GETICONDATA",
[0xFF2E] = "SID_GETLADDERDATA",
[0xFF2F] = "SID_FINDLADDERUSER",
[0xFF30] = "SID_CDKEY",
[0xFF31] = "SID_CHANGEPASSWORD",
[0xFF32] = "SID_CHECKDATAFILE",
[0xFF33] = "SID_GETFILETIME",
[0xFF34] = "SID_QUERYREALMS",
[0xFF35] = "SID_PROFILE",
[0xFF36] = "SID_CDKEY2",
[0xFF3A] = "SID_LOGONRESPONSE2",
[0xFF3C] = "SID_CHECKDATAFILE2",
[0xFF3D] = "SID_CREATEACCOUNT2",
[0xFF3E] = "SID_LOGONREALMEX",
[0xFF3F] = "SID_STARTVERSIONING2",
[0xFF40] = "SID_QUERYREALMS2",
[0xFF41] = "SID_QUERYADURL",
[0xFF44] = "SID_WARCRAFTGENERAL",
[0xFF45] = "SID_NETGAMEPORT",
[0xFF46] = "SID_NEWS_INFO",
[0xFF4A] = "SID_OPTIONALWORK",
[0xFF4B] = "SID_EXTRAWORK",
[0xFF4C] = "SID_REQUIREDWORK",
[0xFF4E] = "SID_TOURNAMENT",
[0xFF50] = "SID_AUTH_INFO",
[0xFF51] = "SID_AUTH_CHECK",
[0xFF52] = "SID_AUTH_ACCOUNTCREATE",
[0xFF53] = "SID_AUTH_ACCOUNTLOGON",
[0xFF54] = "SID_AUTH_ACCOUNTLOGONPROOF",
[0xFF55] = "SID_AUTH_ACCOUNTCHANGE",
[0xFF56] = "SID_AUTH_ACCOUNTCHANGEPROOF",
[0xFF57] = "SID_AUTH_ACCOUNTUPGRADE",
[0xFF58] = "SID_AUTH_ACCOUNTUPGRADEPROOF",
[0xFF59] = "SID_SETEMAIL",
[0xFF5A] = "SID_RESETPASSWORD",
[0xFF5B] = "SID_CHANGEEMAIL",
[0xFF5C] = "SID_SWITCHPRODUCT",
[0xFF5D] = "SID_REPORTCRASH",
[0xFF5E] = "SID_WARDEN",
[0xFF60] = "SID_GAMEPLAYERSEARCH",
[0xFF65] = "SID_FRIENDSLIST",
[0xFF66] = "SID_FRIENDSUPDATE",
[0xFF67] = "SID_FRIENDSADD",
[0xFF68] = "SID_FRIENDSREMOVE",
[0xFF69] = "SID_FRIENDSPOSITION",
[0xFF70] = "SID_CLANFINDCANDIDATES",
[0xFF71] = "SID_CLANINVITEMULTIPLE",
[0xFF72] = "SID_CLANCREATIONINVITATION",
[0xFF73] = "SID_CLANDISBAND",
[0xFF74] = "SID_CLANMAKECHIEFTAIN",
[0xFF75] = "SID_CLANINFO",
[0xFF76] = "SID_CLANQUITNOTIFY",
[0xFF77] = "SID_CLANINVITATION",
[0xFF78] = "SID_CLANREMOVEMEMBER",
[0xFF79] = "SID_CLANINVITATIONRESPONSE",
[0xFF7A] = "SID_CLANRANKCHANGE",
[0xFF7B] = "SID_CLANSETMOTD",
[0xFF7C] = "SID_CLANMOTD",
[0xFF7D] = "SID_CLANMEMBERLIST",
[0xFF7E] = "SID_CLANMEMBERREMOVED",
[0xFF7F] = "SID_CLANMEMBERSTATUSCHANGE",
[0xFF81] = "SID_CLANMEMBERRANKCHANGE",
[0xFF82] = "SID_CLANMEMBERINFORMATION",
}

local SID_NULL = 0xFF00
local SID_STOPADV = 0xFF02
local SID_SERVERLIST = 0xFF04
local SID_CLIENTID = 0xFF05
local SID_STARTVERSIONING = 0xFF06
local SID_REPORTVERSION = 0xFF07
local SID_STARTADVEX = 0xFF08
local SID_GETADVLISTEX = 0xFF09
local SID_ENTERCHAT = 0xFF0A
local SID_GETCHANNELLIST = 0xFF0B
local SID_JOINCHANNEL = 0xFF0C
local SID_CHATCOMMAND = 0xFF0E
local SID_CHATEVENT = 0xFF0F
local SID_LEAVECHAT = 0xFF10
local SID_LOCALEINFO = 0xFF12
local SID_FLOODDETECTED = 0xFF13
local SID_UDPPINGRESPONSE = 0xFF14
local SID_CHECKAD = 0xFF15
local SID_CLICKAD = 0xFF16
local SID_REGISTRY = 0xFF18
local SID_MESSAGEBOX = 0xFF19
local SID_STARTADVEX2 = 0xFF1A
local SID_GAMEDATAADDRESS = 0xFF1B
local SID_STARTADVEX3 = 0xFF1C
local SID_LOGONCHALLENGEEX = 0xFF1D
local SID_CLIENTID2 = 0xFF1E
local SID_LEAVEGAME = 0xFF1F
local SID_DISPLAYAD = 0xFF21
local SID_NOTIFYJOIN = 0xFF22
local SID_PING = 0xFF25
local SID_READUSERDATA = 0xFF26
local SID_WRITEUSERDATA = 0xFF27
local SID_LOGONCHALLENGE = 0xFF28
local SID_LOGONRESPONSE = 0xFF29
local SID_CREATEACCOUNT = 0xFF2A
local SID_SYSTEMINFO = 0xFF2B
local SID_GAMERESULT = 0xFF2C
local SID_GETICONDATA = 0xFF2D
local SID_GETLADDERDATA = 0xFF2E
local SID_FINDLADDERUSER = 0xFF2F
local SID_CDKEY = 0xFF30
local SID_CHANGEPASSWORD = 0xFF31
local SID_CHECKDATAFILE = 0xFF32
local SID_GETFILETIME = 0xFF33
local SID_QUERYREALMS = 0xFF34
local SID_PROFILE = 0xFF35
local SID_CDKEY2 = 0xFF36
local SID_LOGONRESPONSE2 = 0xFF3A
local SID_CHECKDATAFILE2 = 0xFF3C
local SID_CREATEACCOUNT2 = 0xFF3D
local SID_LOGONREALMEX = 0xFF3E
local SID_STARTVERSIONING2 = 0xFF3F
local SID_QUERYREALMS2 = 0xFF40
local SID_QUERYADURL = 0xFF41
local SID_WARCRAFTGENERAL = 0xFF44
local SID_NETGAMEPORT = 0xFF45
local SID_NEWS_INFO = 0xFF46
local SID_OPTIONALWORK = 0xFF4A
local SID_EXTRAWORK = 0xFF4B
local SID_REQUIREDWORK = 0xFF4C
local SID_TOURNAMENT = 0xFF4E
local SID_AUTH_INFO = 0xFF50
local SID_AUTH_CHECK = 0xFF51
local SID_AUTH_ACCOUNTCREATE = 0xFF52
local SID_AUTH_ACCOUNTLOGON = 0xFF53
local SID_AUTH_ACCOUNTLOGONPROOF = 0xFF54
local SID_AUTH_ACCOUNTCHANGE = 0xFF55
local SID_AUTH_ACCOUNTCHANGEPROOF = 0xFF56
local SID_AUTH_ACCOUNTUPGRADE = 0xFF57
local SID_AUTH_ACCOUNTUPGRADEPROOF = 0xFF58
local SID_SETEMAIL = 0xFF59
local SID_RESETPASSWORD = 0xFF5A
local SID_CHANGEEMAIL = 0xFF5B
local SID_SWITCHPRODUCT = 0xFF5C
local SID_REPORTCRASH = 0xFF5D
local SID_WARDEN = 0xFF5E
local SID_GAMEPLAYERSEARCH = 0xFF60
local SID_FRIENDSLIST = 0xFF65
local SID_FRIENDSUPDATE = 0xFF66
local SID_FRIENDSADD = 0xFF67
local SID_FRIENDSREMOVE = 0xFF68
local SID_FRIENDSPOSITION = 0xFF69
local SID_CLANFINDCANDIDATES = 0xFF70
local SID_CLANINVITEMULTIPLE = 0xFF71
local SID_CLANCREATIONINVITATION = 0xFF72
local SID_CLANDISBAND = 0xFF73
local SID_CLANMAKECHIEFTAIN = 0xFF74
local SID_CLANINFO = 0xFF75
local SID_CLANQUITNOTIFY = 0xFF76
local SID_CLANINVITATION = 0xFF77
local SID_CLANREMOVEMEMBER = 0xFF78
local SID_CLANINVITATIONRESPONSE = 0xFF79
local SID_CLANRANKCHANGE = 0xFF7A
local SID_CLANSETMOTD = 0xFF7B
local SID_CLANMOTD = 0xFF7C
local SID_CLANMEMBERLIST = 0xFF7D
local SID_CLANMEMBERREMOVED = 0xFF7E
local SID_CLANMEMBERSTATUSCHANGE = 0xFF7F
local SID_CLANMEMBERRANKCHANGE = 0xFF81
local SID_CLANMEMBERINFORMATION = 0xFF82

-- ProtoField wrapper
function readOnly (t)
      local proxy = {}
      local mt = {      -- create metatable
        __index = t,
        __newindex = function (t,k,v)
          error("attempt to update a read-only table", 2)
        end
      }
      setmetatable(proxy, mt)
      return proxy
    end

local WProtoField = readOnly(
(function ()
local typemap = {
["uint64"] = {
["size"] = function(...) return 8 end,
},
["uint32"] = {
["size"] = function(...) return 4 end,
},
["uint16"] = {
["size"] = function(...) return 2 end,
},
["uint8"]  = {
["size"] = function(...) return 1 end,
},
["int64"]  = {
["size"] = function(...) return 8 end,
},
["int32"]  = {
["size"] = function(...) return 4 end,
},
["int16"]  = {
["size"] = function(...) return 2 end,
},
["int8"]  = {
["size"] = function(...) return 1 end,
},
["ipv4"]  = {
["size"] = function(...) return 4 end,
},
["stringz"] = {
["size"] = function(buf)
-- Size of a null-terminated string: its length plus the terminator byte
return string.format("%s", buf(0):string()):len() + 1
end,
},
["sockaddr"] = {
["size"] = function(...) return 16 end,
["alias"] = "bytes",
},
}
return function(t,k)
return function (...)
local typeinfo = typemap[k]
local field = (typeinfo and (
(typeinfo.alias and ProtoField[typeinfo.alias]) or
(ProtoField[k])))

if typeinfo and field then
local tmp = {
-- Pass the caller's arguments straight through to the real ProtoField
["pf"] = field(...),
["size"]=typeinfo.size,
}
-- Add the field to the protocol field list
local n = #p_bnetp.fields + 1
p_bnetp.fields[n] = tmp.pf
return tmp
end
error("unsupported field type: " .. k)
end
end
end)())

-- Packets from server to client
SPacketDescription = {
[SID_AUTH_INFO] = {
WProtoField.uint32("","Logon Type",base.DEC, {
[0x00] = "Broken SHA-1 (STAR/SEXP/D2DV/D2XP)",
[0x01] = "NLS version 1 (War3Beta)",
[0x02] = "NLS Version 2 (WAR3/W3XP)",
}),
WProtoField.uint32("","Server Token",base.HEX),
WProtoField.uint32("","UDPValue",base.HEX),
WProtoField.uint64("","MPQ Filetime",base.HEX),
WProtoField.stringz("","IX86 Filename"),
WProtoField.stringz("","Value String"),
},
[SID_NULL] = {},
[SID_SERVERLIST] = {
WProtoField.uint32("","Server version"),
WProtoField.stringz("","[] Server list"),
},
[SID_CLIENTID] = {
WProtoField.uint32("","Registration Version"),
WProtoField.uint32("","Registration Authority"),
WProtoField.uint32("","Account Number"),
WProtoField.uint32("","Registration Token"),
},
[SID_STARTVERSIONING] = {
WProtoField.uint64("","MPQ Filetime"),
WProtoField.stringz("","MPQ Filename"),
WProtoField.stringz("","ValueString"),
},
[SID_REPORTVERSION] = {
WProtoField.uint32("","Result"),
WProtoField.stringz("","Patch path"),
},
[SID_STARTADVEX] = {
WProtoField.uint32("","Status"),
},
[SID_GETADVLISTEX] = {
WProtoField.uint32("","Number of games"),
},
[SID_ENTERCHAT] = {
WProtoField.stringz("","Unique name"),
WProtoField.stringz("","Statstring"),
WProtoField.stringz("","Account name"),
},
[SID_GETCHANNELLIST] = {
WProtoField.stringz("","[TODO: array] Channel names"),
},
[SID_CHATEVENT] = {
WProtoField.uint32("","Event ID"),
WProtoField.uint32("","User's Flags"),
WProtoField.uint32("","Ping"),
WProtoField.uint32("","IP Address (Defunct)"),
WProtoField.uint32("","Account number (Defunct)"),
WProtoField.uint32("","Registration Authority (Defunct)"),
WProtoField.stringz("","Username"),
WProtoField.stringz("","Text"),
},
[SID_FLOODDETECTED] = {},
[SID_CHECKAD] = {
WProtoField.uint32("","Ad ID"),
WProtoField.uint32("","File extension"),
WProtoField.uint64("","Local file time"),
WProtoField.stringz("","Filename"),
WProtoField.stringz("","Link URL"),
},
[SID_REGISTRY] = {
WProtoField.uint32("","Cookie"),
WProtoField.uint32("","HKEY"),
WProtoField.stringz("","Registry path"),
WProtoField.stringz("","Registry key"),
},
[SID_MESSAGEBOX] = {
WProtoField.uint32("","Style"),
WProtoField.stringz("","Text"),
WProtoField.stringz("","Caption"),
},
[SID_STARTADVEX3] = {
WProtoField.uint32("","Status"),
},
[SID_LOGONCHALLENGEEX] = {
WProtoField.uint32("","UDP Token"),
WProtoField.uint32("","Server Token"),
},
[SID_PING] = {
WProtoField.uint32("","Ping Value"),
},
[SID_READUSERDATA] = {
WProtoField.uint32("","Number of accounts"),
WProtoField.uint32("","Number of keys"),
WProtoField.uint32("","Request ID"),
WProtoField.stringz("","[TODO: array] Requested Key Values"),
},
[SID_LOGONCHALLENGE] = {
WProtoField.uint32("","Server Token"),
},
[SID_LOGONRESPONSE] = {
WProtoField.uint32("","Result"),
},
[SID_CREATEACCOUNT] = {
WProtoField.uint32("","Result"),
},
[SID_GETICONDATA] = {
WProtoField.uint64("","Filetime"),
WProtoField.stringz("","Filename"),
},
[SID_GETFILETIME] = {
WProtoField.uint32("","Request ID"),
WProtoField.uint32("","Unknown"),
WProtoField.uint64("","Last update time"),
WProtoField.stringz("","Filename"),
},
[SID_QUERYREALMS] = {
WProtoField.uint32("","Unknown"),
WProtoField.uint32("","Count"),
},
[SID_PROFILE] = {
WProtoField.uint32("","Cookie"),
WProtoField.uint8("","Success"),
WProtoField.stringz("","ProfileDescription value"),
WProtoField.stringz("","ProfileLocation value"),
WProtoField.uint32("","Clan Tag"),
},
[SID_CDKEY2] = {
WProtoField.uint32("","Result"),
WProtoField.stringz("","Key owner"),
},
[SID_LOGONRESPONSE2] = {
WProtoField.uint32("","Result"),
WProtoField.stringz("","Reason"),
},
[SID_CHECKDATAFILE2] = {
WProtoField.uint32("","Result"),
},
[SID_NEWS_INFO] = {
WProtoField.uint8("","Number of entries"),
WProtoField.uint32("","Last logon timestamp"),
WProtoField.uint32("","Oldest news timestamp"),
WProtoField.uint32("","Newest news timestamp"),
},
[SID_OPTIONALWORK] = {
WProtoField.stringz("","MPQ Filename"),
},
[SID_REQUIREDWORK] = {
WProtoField.stringz("","ExtraWork MPQ FileName"),
},
[SID_TOURNAMENT] = {
WProtoField.uint8("","Unknown"),
WProtoField.uint8("","Unknown, maybe number of non-null strings sent?"),
WProtoField.stringz("","Description"),
WProtoField.stringz("","Unknown"),
WProtoField.stringz("","Website"),
WProtoField.uint32("","Unknown"),
WProtoField.stringz("","Name"),
WProtoField.stringz("","Unknown"),
WProtoField.stringz("","Unknown"),
WProtoField.stringz("","Unknown"),
WProtoField.uint32("","(TODO [5]) Unknown"),
},
[SID_AUTH_CHECK] = {
WProtoField.uint32("","Result"),
WProtoField.stringz("","Additional Information"),
},
[SID_AUTH_ACCOUNTCREATE] = {
WProtoField.uint32("","Status"),
},
[SID_AUTH_ACCOUNTLOGON] = {
WProtoField.uint32("","Status"),
WProtoField.uint8("","(TODO [32]) Salt (s)"),
WProtoField.uint8("","(TODO [32]) Server Key (B)"),
},
[SID_AUTH_ACCOUNTLOGONPROOF] = {
WProtoField.uint32("","Status"),
WProtoField.uint8("","(TODO [20]) Server Password Proof (M2)"),
WProtoField.stringz("","Additional information"),
},
[SID_AUTH_ACCOUNTCHANGE] = {
WProtoField.uint32("","Status"),
WProtoField.uint8("","[32] Salt (s)"),
WProtoField.uint8("","[32] Server key (B)"),
},
[SID_AUTH_ACCOUNTCHANGEPROOF] = {
WProtoField.uint32("","Status code"),
WProtoField.uint8("","[20] Server password proof for old password (M2)"),
},
[SID_AUTH_ACCOUNTUPGRADE] = {
WProtoField.uint32("","Status"),
WProtoField.uint32("","Server Token"),
},
[SID_AUTH_ACCOUNTUPGRADEPROOF] = {
WProtoField.uint32("","Status"),
WProtoField.uint32("","[5] Password proof"),
},
[SID_WARDEN] = {},
[SID_GAMEPLAYERSEARCH] = {
WProtoField.uint8("","Number of players"),
WProtoField.stringz("","[] Player names"),
},
[SID_FRIENDSLIST] = {
WProtoField.uint8("","Number of Entries"),
},
[SID_FRIENDSUPDATE] = {
WProtoField.uint8("","Entry number"),
WProtoField.uint8("","Friend Location"),
WProtoField.uint8("","Friend Status"),
WProtoField.uint32("","ProductID"),
WProtoField.stringz("","Location"),
},
[SID_FRIENDSADD] = {
WProtoField.stringz("","Account"),
WProtoField.uint8("","Friend Type"),
WProtoField.uint8("","Friend Status"),
WProtoField.uint32("","ProductID"),
WProtoField.stringz("","Location"),
},
[SID_FRIENDSREMOVE] = {
WProtoField.uint8("","Entry Number"),
},
[SID_FRIENDSPOSITION] = {
WProtoField.uint8("","Old Position"),
WProtoField.uint8("","New Position"),
},
[SID_CLANFINDCANDIDATES] = {
WProtoField.uint32("","Cookie"),
WProtoField.uint8("","Status"),
WProtoField.uint8("","Number of potential candidates"),
WProtoField.stringz("","[] Usernames"),
},
[SID_CLANINVITEMULTIPLE] = {
WProtoField.uint32("","Cookie"),
WProtoField.uint8("","Result"),
WProtoField.stringz("","[] Failed account names"),
},
[SID_CLANCREATIONINVITATION] = {
WProtoField.uint32("","Cookie"),
WProtoField.uint32("","Clan Tag"),
WProtoField.stringz("","Clan Name"),
WProtoField.stringz("","Inviter's username"),
WProtoField.uint8("","Number of users being invited"),
WProtoField.stringz("","[] List of users being invited"),
},
[SID_CLANDISBAND] = {
WProtoField.uint32("","Cookie"),
WProtoField.uint8("","Result"),
},
[SID_CLANMAKECHIEFTAIN] = {
WProtoField.uint32("","Cookie"),
WProtoField.uint8("","Status"),
},
[SID_CLANINFO] = {
WProtoField.uint8("","Unknown (0)"),
WProtoField.uint32("","Clan tag"),
WProtoField.uint8("","Rank"),
},
[SID_CLANQUITNOTIFY] = {
WProtoField.uint8("","Status"),
},
[SID_CLANINVITATION] = {
WProtoField.uint32("","Cookie"),
WProtoField.uint8("","Result"),
},
[SID_CLANREMOVEMEMBER] = {
WProtoField.uint32("","Cookie"),
WProtoField.uint8("","Status"),
},
[SID_CLANINVITATIONRESPONSE] = {
WProtoField.uint32("","Cookie"),
WProtoField.uint32("","Clan tag"),
WProtoField.stringz("","Clan name"),
WProtoField.stringz("","Inviter"),
},
[SID_CLANRANKCHANGE] = {
WProtoField.uint32("","Cookie"),
WProtoField.uint8("","Status"),
},
[SID_CLANMOTD] = {
WProtoField.uint32("","Cookie"),
WProtoField.uint32("","Unknown (0)"),
WProtoField.stringz("","MOTD"),
},
[SID_CLANMEMBERLIST] = {
WProtoField.uint32("","Cookie"),
WProtoField.uint8("","Number of Members"),
WProtoField.stringz("","Username"),
WProtoField.uint8("","Rank"),
WProtoField.uint8("","Online Status"),
WProtoField.stringz("","Location"),
},
[SID_CLANMEMBERREMOVED] = {
WProtoField.stringz("","Clan member name"),
},
[SID_CLANMEMBERSTATUSCHANGE] = {
WProtoField.stringz("","Username"),
WProtoField.uint8("","Rank"),
WProtoField.uint8("","Status"),
WProtoField.stringz("","Location"),
},
[SID_CLANMEMBERRANKCHANGE] = {
WProtoField.uint8("","Old rank"),
WProtoField.uint8("","New rank"),
WProtoField.stringz("","Clan member who changed your rank"),
},
[SID_CLANMEMBERINFORMATION] = {
WProtoField.uint32("","Cookie"),
WProtoField.uint8("","Status code"),
WProtoField.stringz("","Clan name"),
WProtoField.uint8("","User's rank"),
WProtoField.uint64("","Date joined"),
},
}

-- Packets from client to server
CPacketDescription = {
[SID_AUTH_INFO] = {
WProtoField.uint32("","Protocol ID",base.DEC),
WProtoField.uint32("","Platform ID",base.HEX),
WProtoField.uint32("","Product ID",base.HEX),
WProtoField.uint32("","Version Byte",base.DEC),
WProtoField.uint32("","Product Language",base.HEX),
WProtoField.ipv4("","Local IP"),
WProtoField.uint32("","Timezone Bias", base.HEX),
WProtoField.uint32("","Locale ID", base.HEX),
WProtoField.uint32("","Language ID", base.HEX),
WProtoField.stringz("","Country Abbreviation"),
WProtoField.stringz("","Country"),
},
[SID_NULL] = {},
[SID_STOPADV] = {},
[SID_CLIENTID] = {
WProtoField.uint32("","Registration Version"),
WProtoField.uint32("","Registration Authority"),
WProtoField.uint32("","Account Number"),
WProtoField.uint32("","Registration Token"),
WProtoField.stringz("","LAN Computer Name"),
WProtoField.stringz("","LAN Username"),
},
[SID_STARTVERSIONING] = {
WProtoField.uint32("","Platform ID"),
WProtoField.uint32("","Product ID"),
WProtoField.uint32("","Version Byte"),
WProtoField.uint32("","Unknown (0)"),
},
[SID_REPORTVERSION] = {
WProtoField.uint32("","Platform ID"),
WProtoField.uint32("","Product ID"),
WProtoField.uint32("","Version Byte"),
WProtoField.uint32("","EXE Version"),
WProtoField.uint32("","EXE Hash"),
WProtoField.stringz("","EXE Information"),
},
[SID_STARTADVEX] = {
WProtoField.uint32("","Password protected (32-bit)"),
WProtoField.uint32("","Unknown"),
WProtoField.uint32("","Unknown"),
WProtoField.uint32("","Unknown"),
WProtoField.uint32("","Unknown"),
WProtoField.uint32("","Port"),
WProtoField.stringz("","Game name"),
WProtoField.stringz("","Game password"),
WProtoField.stringz("","Game stats - flags, creator, statstring"),
WProtoField.stringz("","Map name - 0x0d terminated"),
},
[SID_GETADVLISTEX] = {
WProtoField.uint16("","Product-specific condition 1"),
WProtoField.uint16("","Product-specific condition 2"),
WProtoField.uint32("","Product-specific condition 3"),
WProtoField.uint32("","Product-specific condition 4"),
WProtoField.uint32("","List count"),
WProtoField.stringz("","Game name"),
WProtoField.stringz("","Game password"),
WProtoField.stringz("","Game stats"),
},
[SID_ENTERCHAT] = {
WProtoField.stringz("","Username *"),
WProtoField.stringz("","Statstring **"),
},
[SID_GETCHANNELLIST] = {
WProtoField.uint32("","Product ID"),
},
[SID_JOINCHANNEL] = {
WProtoField.uint32("","Flags"),
WProtoField.stringz("","Channel"),
},
[SID_CHATCOMMAND] = {
WProtoField.stringz("","Text"),
},
[SID_LEAVECHAT] = {},
[SID_LOCALEINFO] = {
WProtoField.uint64("","System time"),
WProtoField.uint64("","Local time"),
WProtoField.uint32("","Timezone bias"),
WProtoField.uint32("","SystemDefaultLCID"),
WProtoField.uint32("","UserDefaultLCID"),
WProtoField.uint32("","UserDefaultLangID"),
WProtoField.stringz("","Abbreviated language name"),
WProtoField.stringz("","Country name"),
WProtoField.stringz("","Abbreviated country name"),
WProtoField.stringz("","Country (English)"),
},
[SID_UDPPINGRESPONSE] = {
WProtoField.uint32("","UDPCode"),
},
[SID_CHECKAD] = {
WProtoField.uint32("","Platform ID"),
WProtoField.uint32("","Product ID"),
WProtoField.uint32("","ID of last displayed banner"),
WProtoField.uint32("","Current time"),
},
[SID_CLICKAD] = {
WProtoField.uint32("","Ad ID"),
WProtoField.uint32("","Request type"),
},
[SID_REGISTRY] = {
WProtoField.uint32("","Cookie"),
WProtoField.stringz("","Key Value"),
},
[SID_STARTADVEX2] = {
WProtoField.uint32("","Password Protected"),
WProtoField.uint32("","Unknown"),
WProtoField.uint32("","Unknown"),
WProtoField.uint32("","Unknown"),
WProtoField.uint32("","Unknown"),
WProtoField.uint32("","Port"),
WProtoField.stringz("","Game name"),
WProtoField.stringz("","Game password"),
WProtoField.stringz("","Unknown"),
WProtoField.stringz("","Game stats - Flags, Creator, Statstring"),
},
[SID_GAMEDATAADDRESS] = {
WProtoField.sockaddr("","Address"),
},
[SID_STARTADVEX3] = {
WProtoField.uint32("","State"),
WProtoField.uint32("","Time since creation"),
WProtoField.uint16("","Game Type"),
WProtoField.uint16("","Parameter"),
WProtoField.uint32("","Unknown (1F)"),
WProtoField.uint32("","Ladder"),
WProtoField.stringz("","Game name"),
WProtoField.stringz("","Game password"),
WProtoField.stringz("","Game Statstring"),
},
[SID_CLIENTID2] = {
WProtoField.uint32("","[TODO: Broken] Server Version"),
},
[SID_LEAVEGAME] = {},
[SID_DISPLAYAD] = {
WProtoField.uint32("","Platform ID"),
WProtoField.uint32("","Product ID"),
WProtoField.uint32("","Ad ID"),
WProtoField.stringz("","Filename"),
WProtoField.stringz("","URL"),
},
[SID_NOTIFYJOIN] = {
WProtoField.uint32("","Product ID *"),
WProtoField.uint32("","Product version"),
WProtoField.stringz("","Game Name"),
WProtoField.stringz("","Game Password"),
},
[SID_PING] = {
WProtoField.uint32("","Ping Value"),
},
[SID_READUSERDATA] = {
WProtoField.uint32("","Number of Accounts"),
WProtoField.uint32("","Number of Keys"),
WProtoField.uint32("","Request ID"),
WProtoField.stringz("","[] Requested Accounts"),
WProtoField.stringz("","[] Requested Keys"),
},
[SID_WRITEUSERDATA] = {
WProtoField.uint32("","Number of accounts"),
WProtoField.uint32("","Number of keys"),
WProtoField.stringz("","[] Accounts to update"),
WProtoField.stringz("","[] Keys to update"),
WProtoField.stringz("","[] New values"),
},
[SID_LOGONRESPONSE] = {
WProtoField.uint32("","Client Token"),
WProtoField.uint32("","Server Token"),
WProtoField.uint32("","[5] Password Hash"),
WProtoField.stringz("","Username"),
},
[SID_CREATEACCOUNT] = {
WProtoField.uint32("","[5] Hashed password"),
WProtoField.stringz("","Username"),
},
[SID_SYSTEMINFO] = {
WProtoField.uint32("","Number of processors"),
WProtoField.uint32("","Processor architecture"),
WProtoField.uint32("","Processor level"),
WProtoField.uint32("","Processor timing"),
WProtoField.uint32("","Total physical memory"),
WProtoField.uint32("","Total page file"),
WProtoField.uint32("","Free disk space"),
},
[SID_GAMERESULT] = {
WProtoField.uint32("","Game type"),
WProtoField.uint32("","Number of results - always 8"),
WProtoField.uint32("","[8] Results"),
WProtoField.stringz("","[8] Game players - always 8"),
WProtoField.stringz("","Map name"),
WProtoField.stringz("","Player score"),
},
[SID_GETICONDATA] = {},
[SID_CHECKDATAFILE] = {
WProtoField.uint32("","[5] File checksum"),
WProtoField.stringz("","File name"),
},
[SID_GETFILETIME] = {
WProtoField.uint32("","Request ID"),
WProtoField.uint32("","Unknown"),
WProtoField.stringz("","Filename"),
},
[SID_QUERYREALMS] = {
WProtoField.uint32("","Unused (0)"),
WProtoField.uint32("","Unused (0)"),
WProtoField.stringz("","Unknown (empty)"),
},
[SID_PROFILE] = {
WProtoField.uint32("","Cookie"),
WProtoField.stringz("","Username"),
},
[SID_CDKEY2] = {
WProtoField.uint32("","Spawn (0/1)"),
WProtoField.uint32("","Key Length"),
WProtoField.uint32("","CDKey Product"),
WProtoField.uint32("","CDKey Value1"),
WProtoField.uint32("","Server Token"),
WProtoField.uint32("","Client Token"),
WProtoField.uint32("","[5] Hashed Data"),
WProtoField.stringz("","Key owner"),
},
[SID_LOGONRESPONSE2] = {
WProtoField.uint32("","Client Token"),
WProtoField.uint32("","Server Token"),
WProtoField.uint32("","[5] Password Hash"),
WProtoField.stringz("","Username"),
},
[SID_CHECKDATAFILE2] = {
WProtoField.uint32("","File size in bytes"),
WProtoField.uint32("","File hash [5]"),
WProtoField.stringz("","Filename"),
},
[SID_WARCRAFTGENERAL] = {
WProtoField.uint8("","Subcommand ID"),
},
[SID_NETGAMEPORT] = {
WProtoField.uint16("","Port"),
},
[SID_NEWS_INFO] = {
WProtoField.uint32("","News timestamp"),
},
[SID_EXTRAWORK] = {
WProtoField.uint16("","Game type"),
WProtoField.uint16("","Length"),
WProtoField.stringz("","Work returned data"),
},
[SID_AUTH_CHECK] = {
WProtoField.uint32("","Client Token"),
WProtoField.uint32("","EXE Version"),
WProtoField.uint32("","EXE Hash"),
WProtoField.uint32("","Number of CD-keys in this packet"),
WProtoField.uint32("","Spawn CD-key"),
},
[SID_AUTH_ACCOUNTCREATE] = {
WProtoField.uint8("","[32] Salt (s)"),
WProtoField.uint8("","[32] Verifier (v)"),
WProtoField.stringz("","Username"),
},
[SID_AUTH_ACCOUNTLOGON] = {
WProtoField.uint8("","[32] Client Key ('A')"),
WProtoField.stringz("","Username"),
},
[SID_AUTH_ACCOUNTCHANGE] = {
WProtoField.uint8("","[32] Client key (A)"),
WProtoField.stringz("","Username"),
},
[SID_AUTH_ACCOUNTCHANGEPROOF] = {
WProtoField.uint8("","[20] Old password proof"),
WProtoField.uint8("","[32] New password's salt (s)"),
WProtoField.uint8("","[32] New password's verifier (v)"),
},
[SID_AUTH_ACCOUNTUPGRADE] = {},
[SID_AUTH_ACCOUNTUPGRADEPROOF] = {
WProtoField.uint32("","Client Token"),
WProtoField.uint32("","[5] Old Password Hash"),
WProtoField.uint8("","[32] New Password Salt"),
WProtoField.uint8("","[32] New Password Verifier"),
},
[SID_REPORTCRASH] = {
WProtoField.uint32("","0x10A0027"),
WProtoField.uint32("","Exception code"),
WProtoField.uint32("","Unknown"),
WProtoField.uint32("","Unknown"),
},
[SID_WARDEN] = {},
[SID_GAMEPLAYERSEARCH] = {},
[SID_FRIENDSLIST] = {},
[SID_FRIENDSUPDATE] = {
WProtoField.uint8("","Friends list index"),
},
[SID_CLANFINDCANDIDATES] = {
WProtoField.uint32("","Cookie"),
WProtoField.uint32("","Clan Tag"),
},
[SID_CLANINVITEMULTIPLE] = {
WProtoField.uint32("","Cookie"),
WProtoField.stringz("","Clan name"),
WProtoField.uint32("","Clan tag"),
WProtoField.uint8("","Number of users to invite"),
WProtoField.stringz("","[] Usernames to invite"),
},
[SID_CLANCREATIONINVITATION] = {
WProtoField.uint32("","Cookie"),
WProtoField.uint32("","Clan tag"),
WProtoField.stringz("","Inviter name"),
WProtoField.uint8("","Status"),
},
[SID_CLANDISBAND] = {
WProtoField.uint32("","Cookie"),
},
[SID_CLANMAKECHIEFTAIN] = {
WProtoField.uint32("","Cookie"),
WProtoField.stringz("","New Cheiftain"),
},
[SID_CLANINVITATION] = {
WProtoField.uint32("","Cookie"),
WProtoField.stringz("","Target User"),
},
[SID_CLANREMOVEMEMBER] = {
WProtoField.uint32("","Cookie"),
WProtoField.stringz("","Username"),
},
[SID_CLANINVITATIONRESPONSE] = {
WProtoField.uint32("","Cookie"),
WProtoField.uint32("","Clan tag"),
WProtoField.stringz("","Inviter"),
WProtoField.uint8("","Response"),
},
[SID_CLANRANKCHANGE] = {
WProtoField.uint32("","Cookie"),
WProtoField.stringz("","Username"),
WProtoField.uint8("","New rank"),
},
[SID_CLANSETMOTD] = {
WProtoField.uint32("","Cookie"),
WProtoField.stringz("","MOTD"),
},
[SID_CLANMOTD] = {
WProtoField.uint32("","Cookie"),
},
[SID_CLANMEMBERLIST] = {
WProtoField.uint32("","Cookie"),
},
[SID_CLANMEMBERINFORMATION] = {
WProtoField.uint32("","Cookie"),
WProtoField.uint32("","User's clan tag"),
WProtoField.stringz("","Username"),
},
}
end
[/code]



PS: I highlighted the question just in case it gets lost. With so much text around that would certainly happen ;D

EDIT 1: I made the forum too wide :(
EDIT 2: Hope it's fixed now.
EDIT 3: New packets extracted from bnetdocs with some perl magic.
August 26, 2009, 5:25 PM
xpeh
How to install this?

nitroxs, if this plugin is incomplete, there is an option to make it opensource and post it eg on google code or sf.net.

As for decoding TCP stream, i think it is impossible, and it is one of main drawbacks of sniffers. Decoding only 1 frame at once brings a problem if bnet packet is fragmented between frames.

Imho you should not use magic in packet codes - better use it as separate field and alert if it is not FF.

[quote]To use it, Lua has to be enabled by editting init.lua which can be found at wireshark directory (one of the first lines has to be commented) and bnetp.lua has to be loaded by a dofile at the end of init.lua.[/quote]
What does it mean? Can you give strings that should be edited?

I managed to load it on the other way, but it always gives me an error
[code]Lua Error: [string "bnetp.lua"]:34: attempt to index field 'columns' (a nil value)[/code]

Better upload it somewhere as file, i lost 1st line by selecting it with opera :)
August 28, 2009, 4:51 PM
nitroxs
[quote author=xpeh link=topic=17607.msg183291#msg183291 date=1251478283]
How to install this?
[/quote]

It's like:

1. Install Wireshark at some directory. Let's say InstallPath.
2. Open InstallPath/init.lua and replace (~ lines 28 and 29)

[code]
-- Lua is disabled by default, comment out the following line to enable Lua support.
disable_lua = true; do return end;
[/code]

with

[code]
-- Lua is disabled by default, comment out the following line to enable Lua support.
-- disable_lua = true; do return end;
[/code]

And insert

[code]
dofile("bnetp.lua")
[/code]

at the end of the file.

3. Create InstallPath/bnetp.lua and put the code.

[quote]
nitroxs, if this plugin is incomplete, there is an option to make it opensource and post it eg on google code or sf.net.
[/quote]

It's already open source (even though it looks unlicensed  :P).

[quote]
As for decoding TCP stream, i think it is impossible, and it is one of main drawbacks of sniffers. Decoding only 1 frame at once brings a problem if bnet packet is fragmented between frames.
[/quote]

It is possible actually. You have to ask wireshark for the next segment by returning the amount of bytes needed from the dissection function. Then Wireshark calls you again with the rest of the packet.

However, the current code... basically cannot record from where to start dissecting when Wireshark calls again.

[quote]
Imho you should not use magic in packet codes - better use it as separate field and alert if it is not FF.
[/quote]

It should do that already (or I didn't understand your sentence :p).

[quote]
I managed to load it on the other way,
[/quote]

Could you explain "the other way"?

[quote]
but it always gives me an error
[code]Lua Error: [string "bnetp.lua"]:34: attempt to index field 'columns' (a nil value)[/code]

Better upload it somewhere as file, i lost 1st line by selecting it with opera :)
[/quote]

That sounds bad ;D Ok, I will upload it to [1] until some project is created. (Google code is ok?)

[1] http://nitroxs.netii.net/noncool/packet-bnetp/bnetp.lua
August 29, 2009, 3:20 AM
xpeh
[quote author=nitroxs link=topic=17607.msg183294#msg183294 date=1251516004]
[quote]
Imho you should not use magic in packet codes - better use it as separate field and alert if it is not FF.
[/quote]

It should do that already (or I didn't understand your sentence :p).
[/quote]
As far i understood your code, you print message "unknown packet" even if magic is not FF. I propose you to print separate message for wrong magic because it always points to protocol error.


[quote author=nitroxs link=topic=17607.msg183294#msg183294 date=1251516004]
[quote]
I managed to load it on the other way,
[/quote]
Could you explain "the other way"?
[/quote]
wireshark.exe -X lua_script:bnetp.lua

Btw, http://wiki.wireshark.org/Lua - as far i understand, official site for Lua in Wireshark
[quote]However, some things remain unclear:
How to install/use lua?[/quote]
Is it typical for opensource?


[quote author=nitroxs link=topic=17607.msg183294#msg183294 date=1251516004]
(Google code is ok?)
[/quote]
Why not? It doesn't really matter.

I meant it would be nice to put it in a place where people who don't look here can find this plugin along with installation notes.

[quote]
but it always gives me an error
[code]Lua Error: [string "bnetp.lua"]:34: attempt to index field 'columns' (a nil value)[/code]
[/quote]
Still have this error, can you fix this?


[code]-- Lua is disabled by default, comment out the following line to enable Lua support.
disable_lua = true; do return end;
[/code]

My wireshark (Version 0.99.3 (SVN Rev 19011), 24.08.06) has this line already commented out.

Another error: if i open capture file with right click -> open with -> wireshark, i get this error
[code]Lua: Error during loading:
cannot open bnetp.lua: No such file or directory[/code]
seems like current directory issue.
August 29, 2009, 5:16 AM
Jailout2000
To answer your question in your opening post: Don Cullen (author of BnetDocs: Redux) was going to make an XML-generator for people who wish to use the BnetDocs as a database in their programs, like you're describing. The problem is, he hasn't found a standardized version of the XML format he wishes to use, and I haven't spent time on it (he's given me Administrative-privileges). So currently there is no way for that to really work. I think he may have an old thread laying around that discusses the XML format he wanted to use, which had pros and cons about it from him and others. I'd most likely do a Google search, or a forum search.

So I gave this little lua script/plugin a try. I downloaded and saved to bnetp.lua, and edited init.lua to add a dofile and enable lua in wireshark. I told Wireshark to filter to "bnetp && bnetp.pid = 0x0F", which gave me only SID_CHATEVENT's just as I wanted (good work!).

I made a small change to the code however. It appeared that the SID_CHATEVENT packet did not have the Event ID names added to it, so I went ahead and added them.[code] WProtoField.uint32("","Event ID",base.HEX, {
[0x01] = "EID_USERSHOW",
[0x02] = "EID_USERJOIN",
[0x03] = "EID_USERLEAVE",
[0x04] = "EID_WHISPERRECEIVED",
[0x06] = "EID_BROADCAST",
[0x05] = "EID_USERTALK",
[0x07] = "EID_CHANNEL",
[0x09] = "EID_USERUPDATE",
[0x0A] = "EID_WHISPERSENT",
[0x0D] = "EID_CHANNELFULL",
[0x0E] = "EID_CHANNELDOESNOTEXIST",
[0x0F] = "EID_CHANNELRESTRICTED",
[0x12] = "EID_INFO",
[0x13] = "EID_ERROR",
[0x17] = "EID_EMOTE",
}),[/code]

You may also want to have the defunct fields be base.HEX, instead of just nothing (or base.DEC as it appears). This would help people see what Battle.net is actually throwing, because for the account number and registration authority, Battle.net throws 0xbaadf00d which would be a large decimal number instead without base.HEX.

Another suggestion, try to make flags like for SID_CHATEVENT and other packets, actually be defined. This would help distinguish between a normal user, an administrator, etc. or in the case of SID_JOINCHANNEL, a forceful join, or a first join. Yes, I admit, most would not need this, especially if they have the knowledge to even use this script, but it would still be useful to those who don't feel like calculating bitwise flags.

Good work, -Jailout2000
August 29, 2009, 5:59 AM
nitroxs
[quote author=xpeh link=topic=17607.msg183296#msg183296 date=1251522972]
As far i understood your code, you print message "unknown packet" even if magic is not FF. I propose you to print separate message for wrong magic because it always points to protocol error.
[/quote]

Yes, that's right. I did that because some packets don't carry a magic of FF.


[quote]
wireshark.exe -X lua_script:bnetp.lua
[/quote]

Ok, I will check if it works for me that way.

[quote]
Btw, http://wiki.wireshark.org/Lua - as far i understand, official site for Lua in Wireshark
[quote]However, some things remain unclear:
How to install/use lua?[/quote]
Is it typical for opensource?
[/quote]

The missing documentation I guess it is :P. As for Lua, I don't know. It's mainly used for scripting tasks inside games for its compact interpreter.

Looking at Ohloh, they say the earliest usage of Lua was in 1998. And there are only 905 projects created since then. So, I guess it's not very popular.

[quote]
[quote author=nitroxs link=topic=17607.msg183294#msg183294 date=1251516004]
(Google code is ok?)
[/quote]
Why not? It doesn't really matter.
[/quote]

When I was creating the project I thought "private protocol, EULA, ...hmm I better ask first" ;D

[quote]
[quote]
but it always gives me an error
[code]Lua Error: [string "bnetp.lua"]:34: attempt to index field 'columns' (a nil value)[/code]
[/quote]
Still have this error, can you fix this?

Another error: if i open capture file with right click -> open with -> wireshark, i get this error
[code]Lua: Error during loading:
cannot open bnetp.lua: No such file or directory[/code]
seems like current directory issue.
[/quote]

I will download your version of wireshark and try to fix them. Btw, I have version 1.2.1 (SVN Rev 29141). May be they fixed those issues.

[quote]
[code]-- Lua is disabled by default, comment out the following line to enable Lua support.
disable_lua = true; do return end;
[/code]

My wireshark (Version 0.99.3 (SVN Rev 19011), 24.08.06) has this line already commented out.
[/quote]

Is that code what you found at init.lua? If it is then you have to add "--" in front of the second line:

[code]
disable_lua = true; do return end; -- <-- this one
[/code]

EDIT: never mind. It's enabled by default on that wireshark version but the lua plugin needs to be selected during setup.
The columns error should be gone now.
The path issue is still there. It may be avoided by giving the full path to the dofile instruction (with backslashes escaped: \\).
August 29, 2009, 2:12 PM
nitroxs
[quote author=Jailout2000 link=topic=17607.msg183297#msg183297 date=1251525590]
I made a small change to the code however. It appeared that the SID_CHATEVENT packet did not have the Event ID names added to it, so I went ahead and added them.[code] WProtoField.uint32("","Event ID",base.HEX, {
[0x01] = "EID_USERSHOW",
[0x02] = "EID_USERJOIN",
[0x03] = "EID_USERLEAVE",
[0x04] = "EID_WHISPERRECEIVED",
[0x06] = "EID_BROADCAST",
[0x05] = "EID_USERTALK",
[0x07] = "EID_CHANNEL",
[0x09] = "EID_USERUPDATE",
[0x0A] = "EID_WHISPERSENT",
[0x0D] = "EID_CHANNELFULL",
[0x0E] = "EID_CHANNELDOESNOTEXIST",
[0x0F] = "EID_CHANNELRESTRICTED",
[0x12] = "EID_INFO",
[0x13] = "EID_ERROR",
[0x17] = "EID_EMOTE",
}),[/code]
[/quote]
Thanks I will add that.

[quote]
You may also want to have the defunct fields be base.HEX, instead of just nothing (or base.DEC as it appears). This would help people see what Battle.net is actually throwing, because for the account number and registration authority, Battle.net throws 0xbaadf00d which would be a large decimal number instead without base.HEX.

Another suggestion, try to make flags like for SID_CHATEVENT and other packets, actually be defined. This would help distinguish between a normal user, an administrator, etc. or in the case of SID_JOINCHANNEL, a forceful join, or a first join. Yes, I admit, most would not need this, especially if they have the knowledge to even use this script, but it would still be useful to those who don't feel like calculating bitwise flags.

[/quote]

yeah, I still have to go through the packets one by one checking for things the perl script couldn't extract from "bnetdocs.txt". That text file is really buggy :'(
August 29, 2009, 2:18 PM
xpeh
http://depositfiles.com/files/81apif0si this is my version.
August 29, 2009, 4:00 PM
nitroxs
Here is the project: http://code.google.com/p/packet-bnetp/  ;D
August 30, 2009, 4:34 AM
xpeh
I edited your version. There are 2 files in archive, use compare by content in TC or something like this to find the changes.

http://depositfiles.com/files/n23jgpksg

Can i upload to SVN? So you can see it and accept changes.

Btw it's not very handy to edit a 50 kb file with a text editor with the only possibility to find errors being when I run wireshark.

I have installed newest version of wireshark, now anything works ok. Another change, it became real fat, 120 mb RAM.

So i go to sleep. I write more later.
August 31, 2009, 8:56 AM
nitroxs
[quote author=xpeh link=topic=17607.msg183307#msg183307 date=1251709015]
Can i upload to SVN? So you can see it and accept changes.
[/quote]

Sure, just send me the google account you use.
August 31, 2009, 3:33 PM
Camel
Platform/Product IDs are shown in hex; can you make it show 'IX86' or whatever?

Various fields of binary data are displayed as strings.

SID_CDKEY2/SID_LOGONRESPONSE2 only recognize the first DWORD for hashed data (there are 5!) - or display as 20 bytes of hex.

If two BNCS packets are sent in one TCP sequence, only the first packet is picked up. Presumably, a packet split over more than one sequence would break too?
August 31, 2009, 5:43 PM
nitroxs
[quote author=Camel link=topic=17607.msg183309#msg183309 date=1251740598]
SID_CDKEY2/SID_LOGONRESPONSE2 only recognize the first DWORD for hashed data (there are 5!) - or display as 20 bytes of hex.
[/quote]

Array fields or fixed length strings are not implemented right now. But they will be soon (I hope) available.

[quote]
If two BNCS packets are sent in one TCP sequence, only the first packet is picked up. Presumably, a packet split over more than one sequence would break too?
[/quote]

Hmm.. that should work since the last update. Check the project page or use the file posted by xpeh on his last post.

If it is still broken, post any error message shown.
August 31, 2009, 6:05 PM
xpeh
[quote author=Camel link=topic=17607.msg183309#msg183309 date=1251740598]
Presumably, a packet split over more than one sequence would break too?
[/quote]
No, funny, but it works.
Btw, this "sequences" are called frames.

nitroxx

You should add following types:

- ip (network byte order, opposite to intel). For some reason lua's built-in ipv4 uses inter order (lol?)
- windows (?) file time, used in sid_getfiletime
- unips file time
- string-dword (swap dword and output as string)
- statstring decoder
- user flag decoder
- array of any basic type
- iterator (cdkey/gamelist)
- exe version decoder
- sid_checkad: extension: string[4]


Stop decoding UDP!
Even war3 uses udptest? lol

Wow, you did tcp frames merging?
If many packets in 1 frame, only 1 is decoded.

Dont try to decode packets with wrong magic (not 0x01-0x03 or 0xff). You  need to find another way to handle fragmented packets, dont search for first 0xff.

output strings in ""?

Is it possible to print short hex values (0x10 instead of 0x00000010)? Rounded to whole bytes.

If you want help, show me how to use lua in dissector. How can i display different data types?

Use info field. Like [C>S] 0x33, 0x33, 0x33. Or use packet names instead, or together.
The same for field in packet decoder window (near "Battle.net protocol")

0x14 sid_udppingresponce
udpcode: dwordstr

0x3a sid_logonresponce
reason: only by 0x06 code?

product id (maybe all ID's): DwordStr

s>0x09 sid_getadvlist
if number of games = 0, show status

I had a weird problem. Syntactically correct dissector hangs wireshark, it freezes and consumes memory until there was nothing left.

Please upload my edit so we dont have version conflicts.

Btw, what time zone do you have?

Is it generally possible to allow anyone to upload to SVN, but changes need to be commited by admin to appear?
August 31, 2009, 8:30 PM
Camel
[quote author=xpeh link=topic=17607.msg183311#msg183311 date=1251750613]
You  need to find another way to handle fragmented packets, dont search for first 0xff.
[/quote]
That's what battle.snp does.

[quote author=xpeh link=topic=17607.msg183311#msg183311 date=1251750613]
Is it possible to print short hex values (0x10 instead of 0x00000010)? Rounded to whole bytes.
[/quote]
I think that would go against convention; I'd say leave it wide.
August 31, 2009, 8:48 PM
xpeh
[quote author=Camel link=topic=17607.msg183312#msg183312 date=1251751739]
[quote author=xpeh link=topic=17607.msg183311#msg183311 date=1251750613]
You  need to find another way to handle fragmented packets, dont search for first 0xff.
[/quote]
That's what battle.snp does.
[/quote]
The only correct behaviour is to search for magic after the end of previous packet.
I think, this behaviour cause processor and RAM consume on non-bnet data (bnftp etc).

[quote author=Camel link=topic=17607.msg183312#msg183312 date=1251751739]
[quote author=xpeh link=topic=17607.msg183311#msg183311 date=1251750613]
Is it possible to print short hex values (0x10 instead of 0x00000010)? Rounded to whole bytes.
[/quote]
I think that would go against convention; I'd say leave it wide.
[/quote]
There are fields like game type or verbyte, which use many bytes but actually never exceed one.
August 31, 2009, 8:51 PM
nitroxs
[quote author=xpeh link=topic=17607.msg183311#msg183311 date=1251750613]
- ip (network byte order, opposite to intel). For some reason lua's built-in ipv4 uses inter order (lol?)
[/quote]

IPs (or any other type) can be shown in both byte orders. From what I could learn, to show a field in the detailed view a dissector must,

1. Declare (?) the field type by adding it to its fields table. i.e.
[code]
-- The protocol object construction.
dis = Proto( ... )
-- The field construction
--            ipv4: an AF_INET address
--  short name: this is how you reference the field on wireshark filters
--        caption: this is the first part of the text showed in the detailed view
--            base: base for numeric types
-- value names: descriptive names for numeric values
--                ...  : other parameters i dont remember :P
field = ProtoField.ipv4(short name, caption, base, value names, ...)

-- Add the field to the fields table
dis.fields = { field }
[/code]

2. Add the field to the tree.
[code]
-- root is the tree object sent by wireshark to the dissector entry point (dis.dissector)
-- buf is the buffer object sent by wireshark to the dissector entry point (dis.dissector)
-- This adds a field in little endian byte order associated with the given range of the buffer
root:add_le(field, buf(offset, len))
-- This adds a field in big endian byte order associated with the given range of the buffer
root:add(field, buf(offset, len))
[/code]

Conclusion: the problem is that dissect_packet function adds every field as little endian because I guessed that would be the most frequent order used in the packets and there is yet no way to tell from the packet descriptions what order to use.

[quote]
- windows (?) file time, used in sid_getfiletime
[/quote]

I tried :P but I didn't understand the FILETIME structure. It has two DWORDs but no idea what they are. I have to read a bit more.

[quote]
Stop decoding UDP!
Even war3 uses udptest? lol
[/quote]

I don't know :P War3 uses UDP for LAN game broadcasting packets.

[quote]
Wow, you did tcp frames merging?
If many packets in 1 frame, only 1 is decoded.
[/quote]

When many packets are present in a tcp segment multiple "Battle.net Protocol" items should appear in the detailed view (btw. i don't know if i am calling it properly.. it's the panel at the middle of the window between the packet list and the hex dump)

[quote]
Dont try to decode packets with wrong magic (not 0x01-0x03 or 0xff).
[/quote]

Its marked as a todo :P

[quote]
You  need to find another way to handle fragmented packets, dont search for first 0xff.
[/quote]

The way of identifying packets is more or less
1. Read first byte value and display it as "Header Type"
2. Using that value, index the headers_by_type table and call the function
3. If no function is found reject the packet so other dissector can handle it. (Ideally :p) But now it is not rejected, so a bunch of "Header Type"'s appear till an FF value is found... oh oh

[quote]
I had a weird problem. Syntactically correct dissector hangs wireshark, it freezes and consumes memory until there was nothing left.
[/quote]

I've just found out why that may happen ;D

[quote]
printf ....
output strings in ""?
[/quote]

string.format should be like C printf but I don't know if it works exactly like it.

[quote]
Is it possible to print short hex values (0x10 instead of 0x00000010)? Rounded to whole bytes.

If you want help, show me how to use lua in dissector. How can i display different data types?
[/quote]

It should be possible. When a field is added like shown above a description is automatically generated. But it can be overridden just like with the packet type

[code]
-- This adds a field in big endian byte order associated with the given range of the buffer.
-- It returns the node added to the tree.
node = root:add(field, buf(offset, len))
-- Lets set the text
-- read the value
value1 = buf(offset, len):uint() -- big endian
value2 = buf(offset, len):le_uint() -- little endian
text = string.format("The field value: %d %d", value1, value2)
node:set_text(text)
[/code]

In this dissector, reads on the buffer are done through a State object so it can handle TCP segment merging. It has two methods for accessing the buffer

read(number of bytes): reads the requested number of bytes starting from the cursor position ( the state.used field) and advances the cursor
peek(number of bytes): as read but without advancing the cursor

Both return the same object as the corresponding buf(cursor, number of bytes) call.

[quote]
Btw, what time zone do you have?
[/quote]

My time zone is GMT-3. (argentina)

[quote]
Please upload my edit so we dont have version conflicts.
Is it generally possible to allow anyone to upload to SVN, but changes need to be commited by admin to appear?
[/quote]

I don't think so... hmm.. I don't know...

But I can add you to the committers list of the project so you can use the svn. I just need your
[quote author="Google Code"]
Instructions:
Specify each project participant by his or her Google Account email address. Each person must have already created a Google Account with that email address.

Separate addresses with commas and/or newlines[/quote]

For now, I will upload the changes you sent.
August 31, 2009, 9:55 PM
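The framing approach argued over in the posts above (check the magic only at a message boundary, decode every message in a segment, and ask Wireshark for more bytes when one is cut short), as an added example that is not the bnetp plugin's own code. It assumes the BNCS header is 0xFF, a one-byte packet ID and a little-endian 16-bit length that counts the header itself; the `bncsframe` protocol and field names are hypothetical.

```lua
-- Added example, not the bnetp plugin: BNCS message framing on a TCP stream.
-- Assumed header: 0xFF magic, 1-byte packet ID, 2-byte little-endian length
-- that counts the 4 header bytes. The "bncsframe" names are hypothetical.
local HEADER_LEN = 4
local BNCS_MAGIC = 0xFF

local demo = Proto("bncsframe", "BNCS framing demo")
local f_magic = ProtoField.uint8("bncsframe.magic", "Magic", base.HEX)
local f_pid   = ProtoField.uint8("bncsframe.pid", "Packet ID", base.HEX)
local f_len   = ProtoField.uint16("bncsframe.len", "Length", base.DEC)
local f_body  = ProtoField.bytes("bncsframe.body", "Payload")
demo.fields = { f_magic, f_pid, f_len, f_body }

-- Show the undecodable remainder with its own reason instead of a generic
-- "unknown packet", so a framing error is visible as such.
local function flag_malformed(tree, range, reason)
    local item = tree:add(demo, range, "BNCS framing demo (malformed)")
    item:add_expert_info(PI_MALFORMED, PI_ERROR, reason)
end

function demo.dissector(buf, pinfo, tree)
    local total = buf:len()
    local offset = 0   -- always points at the start of the next message
    local count = 0
    pinfo.cols.protocol = "BNCS"

    while offset < total do
        local remaining = total - offset

        -- The magic is checked only where a message must start. The buffer
        -- is never scanned for the next 0xFF, because payload bytes can hold
        -- that value. The single protocol-selector byte sent when a
        -- connection opens is not modelled and lands in this branch.
        local magic = buf(offset, 1):uint()
        if magic ~= BNCS_MAGIC then
            flag_malformed(tree, buf(offset, remaining),
                string.format("Expected magic 0xFF, got 0x%02X", magic))
            break
        end

        -- Header itself is cut: the length is unknown, so ask for one more
        -- segment and let Wireshark call again from this offset.
        if remaining < HEADER_LEN then
            pinfo.desegment_offset = offset
            pinfo.desegment_len = DESEGMENT_ONE_MORE_SEGMENT
            return
        end

        local msg_len = buf(offset + 2, 2):le_uint()
        if msg_len < HEADER_LEN then
            -- A length below 4 would never advance the loop; stop here.
            flag_malformed(tree, buf(offset, remaining),
                "Length field is smaller than the header")
            break
        end

        -- Body is cut: request exactly the missing byte count.
        if remaining < msg_len then
            pinfo.desegment_offset = offset
            pinfo.desegment_len = msg_len - remaining
            return
        end

        -- One complete message: one subtree per message in the segment.
        local sub = tree:add(demo, buf(offset, msg_len))
        sub:add(f_magic, buf(offset, 1))
        sub:add(f_pid, buf(offset + 1, 1))
        sub:add_le(f_len, buf(offset + 2, 2))
        if msg_len > HEADER_LEN then
            sub:add(f_body, buf(offset + HEADER_LEN, msg_len - HEADER_LEN))
        end

        offset = offset + msg_len
        count = count + 1
    end

    pinfo.cols.info = string.format("%d BNCS message(s)", count)
end

-- Port 6112 is the Battle.net port given earlier in the thread.
DissectorTable.get("tcp.port"):add(6112, demo)
```

Because the cursor only ever advances by a validated length, a malformed length cannot make the loop spin, and non-BNCS data on the port is flagged once per segment rather than rescanned.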
nitroxs
[quote author=xpeh link=topic=17607.msg183311#msg183311 date=1251750613]
Is it generally possible to allow anyone to upload to SVN, but changes need to be commited by admin to appear?
[/quote]

Maybe that could be possible with Mercurial but I never used it.
September 1, 2009, 9:19 PM
xpeh
Plugin is stable and works fine. All are welcome to test.
September 3, 2009, 10:16 AM
Naki-BoT
Hi,
I have this error:

"Lua: Error during loading:
C:\Program Files\Wireshark\packet-bnetp.lua:14: attempt to index global 'base' (a nil value)"

Windows XP 32bit, Wireshark version 1.2.1 (SVN Rev 29141)
September 3, 2009, 1:27 PM
nitroxs
[quote author=Naki-BoT link=topic=17607.msg183327#msg183327 date=1251984437]
Hi,
I have this error:

"Lua: Error during loading:
C:\Program Files\Wireshark\packet-bnetp.lua:14: attempt to index global 'base' (a nil value)"

Windows XP 32bit, Wireshark version 1.2.1 (SVN Rev 29141)
[/quote]

Did you comment out the line "disable_lua = true; do return end;" at init.lua?
September 3, 2009, 4:47 PM
Naki-BoT
Yes, sure.. and added line: " dofile("packet-bnetp.lua") " - same error with starting wireshark from command line: " -X lua_script:packet-bnetp.lua "
September 4, 2009, 8:16 AM
nitroxs
Hmm, that's strange. init.lua should provide the global base. Is it defined in that file?
September 4, 2009, 5:04 PM
xpeh
Btw,

someone just sucked a delicious dick

https://davnit.net/bnet/vL/index.php?topic=17853.msg181898#msg181898
September 8, 2009, 11:37 AM
Naki-BoT
[quote author=nitroxs link=topic=17607.msg183330#msg183330 date=1252083896]
Hmm thats strange. init.lua should provide the global base. is it defined in that file?
[/quote]

Thanks it works on Windows 7 in home, and start working on XP after computer restart Oo.
September 10, 2009, 8:05 AM
Jailout2000
[quote author=nitroxs link=topic=17607.msg183314#msg183314 date=1251755750]
2. Add the field to the tree.
[code]
-- root is the tree object sent by wireshark to the dissector entry point (dis.dissector)
-- buf is the buffer object sent by wireshark to the dissector entry point (dis.dissector)
-- This adds a field in little endian byte order associated with the given range of the buffer
root:add_le(field, buf(offset, len))
-- This adds a field in big endian byte order associated with the given range of the buffer
root:add(field, buf(offset, len))
[/code]

Conclusion: the problem is that dissect_packet function adds every field as little endian because I guessed that would be the most frequent order used in the packets and there is yet no way to tell from the packet descriptions what order to use.
[/quote]
If bnetdocs is the problem, you can tell me which packets need to be updated. I have full privileges there, including database, so I can change almost anything there. Tell me which packets don't use Little-endian for everything, and I can note it in the description.
October 3, 2009, 11:30 PM
rabbit
All Battle.net packets use little-endian, so it doesn't matter.
October 5, 2009, 10:34 PM
BreW
[quote author=rabbit link=topic=17607.msg183470#msg183470 date=1254782065]
All Battle.net packets use little-endian, so it doesn't matter.
[/quote]
[s]This is true. One 'exception' is any packet containing a sockaddr structure, since the port is in network byte order (big endian). It's simply memcpy'd from the packet and is meant to be read as the whole structure, so it's not really an issue.[/s]
Oops, I posted without reading the whole thread. What I just said was mentioned already.
October 6, 2009, 1:09 AM
nitroxs
[quote author=Jailout2000 link=topic=17607.msg183450#msg183450 date=1254612602]
If bnetdocs is the problem, you can tell me which packets need to be updated. I have full privileges there, including database, so I can change almost anything there. Tell me which packets don't use Little-endian for everything, and I can note it in the description.
[/quote]

I had a hard time trying to understand my own post. :P I would say I was referring to the way packets are described in the plugin.

bnetdocs is fine. (except for the "Download BNETDocs as Text" feature which is missing a lot of packets)
October 6, 2009, 3:07 AM
Jailout2000
[quote="nitroxs"]bnetdocs is fine. (except for the "Download BNETDocs as Text" feature which is missing a lot of packets)[/quote]The download BnetDocs as text feature is a caching system.

There is a file on the server that has a last modified date on it, and the generator uses this for caching.

If the file is less than 12 hours old, it gives you the file, if the file is 12 hours or more old, then it'll give you a generated page along with writing to the file (updating it from 12 hours or more old to new). I don't see how this does not contain all of the packets, because I see all the packets in this text that I see on the main page of BnetDocs.
October 6, 2009, 5:28 PM
nitroxs
[quote author=Jailout2000 link=topic=17607.msg183478#msg183478 date=1254850095]
I don't see how this does not contain all of the packets, because I see all the packets in this text that I see on the main page of BnetDocs.
[/quote]

Look at this section of the file:

[code]
C > S [0x3C] SID_CHECKDATAFILE2
**************************************

Used By: Starcraft Shareware, Starcraft Broodwar, Warcraft II, Starcraft, Starcraft Japanese

Format:
(DWORD) File size in bytes
(DWORD) File hash [5]
(STRING) Filename

Remarks:
Verifies that a file is authentic, by producing a hash of that file and sending it to the server for comparison to the
original.

The hash is produced by hashing 64-byte chunks of the file. Each time after the first, the result of the previous hash
is used to initialize for example, "Orc Peon" is 'opeo') (BYTE) Number of ladder records to read; this will be between 0
and 3.  For each ladder record: (DWORD) Ladder type; valid types are 'SOLO', 'TEAM', or 'FFA ' (where the last
character of 'FFA ' is a space, 0x20). (WORD) Number of wins (WORD) Number of losses (BYTE) Level (BYTE) Hours until XP
decay, if applicable* (WORD) Experience (DWORD) Rank (will be 0 if unranked)  (BYTE) Number of race records to read;
this will be 5 for WAR3 and 6 for W3XP. For each race record: (WORD) Wins (WORD) Losses  (BYTE) Number of team records
to read.  For each team record: (DWORD) Type of team; valid types are '2VS2', '3VS3', and '4VS4'. (WORD) Number of wins
(WORD) Number of losses (BYTE) Level (BYTE) Hours until XP decay, if applicable* (WORD) Experience (DWORD) Rank (will be
0 if unranked) (FILETIME) Time of last game played (BYTE) Number of partners (STRING)[] Names of partners 
For subcommand 0x08 (Clan stats request): (DWORD) Cookie (BYTE) Number of ladder records to read; this will be between
0 and 3.  For each ladder record: (DWORD) Ladder type; valid types are 'SOLO', 'TEAM', or 'FFA ' (where the last
character of 'FFA ' is a space, 0x20). (WORD) Number of wins (WORD) Number of losses (BYTE) Level (BYTE) Hours until XP
decay, if applicable* (WORD) Experience (DWORD) Rank (will be 0 if unranked)  (BYTE) Number of race records to read;
this will be 5 for WAR3 and 6 for W3XP.  For each race record: (WORD) Wins (WORD) Losses 

For subcommand 0x09 (Icon list request): (DWORD) Cookie (DWORD) Unknown (BYTE) Tiers (BYTE) Count  For each Icon:
(DWORD) Icon (DWORD) Name (BYTE) Race (WORD) Wins required (BYTE) Unknown 

Remarks:
This message is still being researched!

This message is used for multiple purposes on Warcraft III. Known and validated purposes are listed here.

* The field "Hours until XP decay" is unconfirmed; however, testing numbers correspond to values expected within the
"Days until XP decay" displayed on the live Battle.net ladder website. It is also included but unused (ignored) in the
Clan Stats Request command (0x08).

~~~~~~~~~~~~~~~~

C > S [0x44] SID_WARCRAFTGENERAL
**************************************
[/code]

Everything between C>S SID_CHECKDATAFILE2 and S>C SID_WARCRAFTGENERAL is not there. You can see part of the S_WG description merged into S_CDF2 remarks section.
October 6, 2009, 6:31 PM
Jailout2000
Hmmmmm. That is weird. The code doesn't show anything that would do that, so I don't really know what's happening. I'll have to ask the person who coded it (Don Cullen) about it later, and perhaps try and find out other information on my own.

Literally the way it prints that out is by making a query into the database and echoing it out onto a buffer, then giving you the buffer. Unless there is somehow a screw up in the way that it is printing, I don't see how that would happen, so I'll have to look closely in the code when I'm trying to find what's happening.

Back on topic... this plugin is working great. I use it a lot in what I'm doing, and it is very useful. It saves me the hassle of having to read the data for myself (well, mostly anyway, there's still some unfinished packets).
October 8, 2009, 3:07 AM
rabbit
You could always just wget the website.
October 8, 2009, 1:05 PM
xpeh
Is someone still interested?
July 14, 2011, 10:10 PM
