NetPro: Packet Analysis and Visualization tool

impos89
Posts: 41
Joined: Sat Apr 26, 2008 6:54 am
Location: Poland

Re: NetPro: Packet Analysis and Visualization tool

Post by impos89 »

Currently I'm trying to go through the EU classic game/server packets. To do so I've just forced the I/O protocol manually so far.
However, the packet definition retrieved from the SendProtocolVersion packet is absolutely wrong (-1195362304). In the classic version it's mapped to the 0x00 opcode. I thought that the packet structure had been changed for the classic server.
To fix this I've just commented out this (IMO) weird check and now everything is displayed properly (for the known and correctly mapped packets).
(I'm trying to learn everything. I started from scratch and I didn't expect to give solution on a plate).

My goal is to write a working Wireshark packet parsing utility for NetPro. When it is done, I will leave you a merge request.
The next goal is to write a utility similar to the ol' l2wh tool, working for L2 EU classic, to produce data based on analysis.

Before I let my dreams come true, I need a few things.

1. Does Wireshark collect the full packet, or can it be delivered in a few parts?
2. I see that the first 2 bytes in every CM contain an invalid length value, e.g. for 0x00 SendProtocolVersion it is 2446. SM packets are correct, e.g. 2A00
- I need a clue as to what may be the cause. Maybe it's associated with my first question?
3. Something goes wrong after the SM 0x0B CharacterSelected packet. The content of any following packet is invalid. It looks like the packet mapping is completely different.
The biggest problem is that I cannot find anywhere a board or something with the current classic packet mapping. Maybe there's no such place...

Anyway, if someone can help me by answering my questions, I would be very happy :)

[UPDATED]
Client packet decryption is incorrect on my side. I need to check it once again...

When I tried to connect with NetPro to the EU classic server, the login server connection worked like a charm, but the gameserver tab appeared and displayed the first packet, SendProtocolVersion, and after that the game was disconnected. I'm not quite sure whether it's a configuration issue or something more. It looks like NetPro isn't sending the game client packet.
SaveGame
Posts: 121
Joined: Thu Oct 30, 2014 9:54 pm

Re: NetPro: Packet Analysis and Visualization tool

Post by SaveGame »

I remember that last time I was asked to investigate EU by a former l2jfree member, in the end it was observed that frost seems to initiate a separate connection to C&C to negotiate encryption applied on top of the lineage 2 protocol. (EDIT: yes, login up to server selection would work fine)

As far as classic is concerned, yes, you are correct, there are no packet mappings done for it. Primary reason is that those would be exclusively for KR client protocol versions, which typically aren't used anywhere else -> so the opcodes will likely differ from EU/NA/TW; possibly structure as well. Also, since KR gets much more intermediate updates… You get the idea: much more work tracking changes and in the end you can only try to adapt it +/- for classic servers intended for other regions.

Another issue with this is that KR uses an incompatible GG version, so ever since NA started forcing GG again, I can't just keep both NA and KR clients open at the same time, and that is annoying due to afk fishing.

Wireshark operates in layers, but if you take app layer packets (past TCP), you will see whatever was actually sent/received by the application. The NC proprietary protocol is essentially a stream of data, so yes, technically an app could receive multiple packets in one data chunk, or only half the packet. The size field in NC packet header (the only field in header) is then used to split received data into chunks or to mark it as 'partial' to await next chunk for merging.



As far as l2wh is concerned, do you have an idea how they dealt with things like a lot of people using the same drop analysis app, and let's say a CC of 50 people on Teon kill a raid boss (world OID = X), all of whom have this app, while at the same time a newbie on Franz kills a Gremlin (world OID = X), and he also has this app? As OID is the same and time would be roughly the same (latency, yeah), you can't use them to differentiate. Does that mean that if you kill a raid with 100 people, the drop chance for items dropped will be inferred to be 4 times as high as for items that were dropped if the same raid was killed by 25 people? Because this way collected data is hardly worth anything aside from knowing which items are dropped by what NPC.
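The stream framing described in the post above, as an added example that is not part of the thread or of NetPro's code: a splitter that buffers TCP payloads and cuts them into packets by the size field, holding back partial packets until the next chunk arrives. It assumes the size field is a 2-byte little-endian value that counts the header itself (so the SM example 2A00 means 42 bytes in total); the class and function names are hypothetical and the sample bytes are constructed.

```python
import struct

HEADER_LEN = 2  # assumption: 2-byte little-endian size that counts itself

class StreamSplitter:
    """Cuts a TCP byte stream into packets using the leading size field."""

    def __init__(self):
        self.buf = bytearray()  # bytes received but not yet a full packet

    @property
    def pending(self):
        return len(self.buf)

    def feed(self, chunk):
        """Add one TCP payload; return the packet bodies completed by it."""
        self.buf += chunk
        bodies = []
        while len(self.buf) >= HEADER_LEN:
            (size,) = struct.unpack_from("<H", self.buf, 0)
            if size < HEADER_LEN:
                # A size smaller than the header cannot be valid: the stream
                # is out of sync or was decoded wrongly, so stop here.
                raise ValueError(f"bad size field {size} at stream head")
            if len(self.buf) < size:
                break  # partial packet: wait for the next chunk
            bodies.append(bytes(self.buf[HEADER_LEN:size]))
            del self.buf[:size]
        return bodies

# Constructed sample: three packets of 42, 5 and 3 bytes (header included).
SAMPLE_STREAM = (
    b"\x2a\x00" + bytes(40)
    + struct.pack("<H", 5) + b"\x0b\x01\x02"
    + struct.pack("<H", 3) + b"\x2e"
)

def split_in_chunks(stream, cuts):
    """Feed `stream` cut at the given offsets; return bodies per chunk."""
    splitter = StreamSplitter()
    edges = [0, *cuts, len(stream)]
    return [splitter.feed(stream[a:b]) for a, b in zip(edges, edges[1:])]

if __name__ == "__main__":
    # Cuts fall mid-packet (10) and in the middle of a size field (48).
    for n, bodies in enumerate(split_in_chunks(SAMPLE_STREAM, [10, 48])):
        print(n, [body.hex() for body in bodies])
```

The same packets come out whether the stream arrives in one piece or cut at arbitrary offsets, which is why a per-segment view in a capture can look wrong while the reassembled stream is fine.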
impos89
Posts: 41
Joined: Sat Apr 26, 2008 6:54 am
Location: Poland

Re: NetPro: Packet Analysis and Visualization tool

Post by impos89 »

Thank you for this answer - to me it's a lot of important information. I noticed that after importing my *.pcap file, NetPro is capable of translating most of the packets from the game lobby (character selection info, character selected etc.) with correct values. After that, the next packets seem to be wrong. It means the frost doesn't affect packet encryption.

The last packet captured in Wireshark during a game session with NetPro gives me this response:

Transmission Control Protocol, Src Port: 7777 (7777), Dst Port: 54415 (54415), Seq: 1, Len: 0
    Source Port: 7777
    Destination Port: 54415
    [Stream index: 114]
    [TCP Segment Len: 0]
    Sequence number: 1    (relative sequence number)
    Acknowledgment number: 296854252
        [Expert Info (Note/Protocol): The acknowledgment number field is nonzero while the ACK flag is not set]
            [The acknowledgment number field is nonzero while the ACK flag is not set]
            [Severity level: Note]
            [Group: Protocol]
    Header Length: 20 bytes
    Flags: 0x004 (RST)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...0 .... = Acknowledgment: Not set
        .... .... 0... = Push: Not set
        .... .... .1.. = Reset: Set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
        [TCP Flags: *********R**]
    Window size value: 0
    [Calculated window size: 0]
    [Window size scaling factor: 256]
    Checksum: 0x888e [validation disabled]
    Urgent pointer: 0

With KR, JP or EU packets, it seems that adding a region selection would be a way to handle it.

Droplist - By collecting the packets we can assume what server it is. So collecting data may be isolated.
With raid bosses and loot spam: each raid boss has a significant respawn time of 6-12 hours. It would be enough to collect data from the first one and lock updates for a period of time.
Actually KR or EU have their own droplist presented on the official wiki website and IMO it's more than enough. There's an existing tool for parsing data from the wiki, and it's available on GitHub.
The more important information that I want to catch is the game economy, like sell/buy prices. Someone with a little knowledge can use that tool to have a lot of fun with it. If I'm not wrong, a long time ago l2wh shared this data as generated charts on the item details view.
SaveGame
Posts: 121
Joined: Thu Oct 30, 2014 9:54 pm

Re: NetPro: Packet Analysis and Visualization tool

Post by SaveGame »

impos89 wrote: Thank you for this answer - to me it's a lot of important information. I noticed that after importing my *.pcap file, NetPro is capable of translating most of the packets from the game lobby (character selection info, character selected etc.) with correct values. After that, the next packets seem to be wrong. It means the frost doesn't affect packet encryption.
After looking at the issue with EU, it seems that the game server immediately terminates any connection, regardless of what data is sent (e.g. completing a login with NP, but disabling connection to the correct GS IP and doing a manual connection to send the same data that the client sent to NP will still get the connection killed).

This brings us back to speculation that something is being handled behind the scenes.

Would probably make sense to test within a VM, as that's the easiest way to monitor what sockets are being created (the game server must get the information about "certified" sessions somehow).
impos89
Posts: 41
Joined: Sat Apr 26, 2008 6:54 am
Location: Poland

Re: NetPro: Packet Analysis and Visualization tool

Post by impos89 »

Thank you very much. If you need anything, then I will gladly help you.
Zealar
L2j Veteran
Posts: 1236
Joined: Sun Jul 15, 2007 10:29 am

Re: NetPro: Packet Analysis and Visualization tool

Post by Zealar »

Just check how much left till javafx :geek:

Btw why not use github for the project? :think:
SaveGame
Posts: 121
Joined: Thu Oct 30, 2014 9:54 pm

Re: NetPro: Packet Analysis and Visualization tool

Post by SaveGame »

Zealar wrote:Just check how much left till javafx :geek:

Btw why not use github for the project? :think:
Quite much actually, had a lot of unrelated stuff going on this February and March. I'm going to compile a list of what still needs porting (or even redesign/reimplementation) before I continue.
However, it seems to be going somewhat faster than I would have imagined.

Well, I guess with git, I could use github in addition to bitbucket at no extra effort (it's just another remote to push to). I just think there are more important things to do right now before deciding on where to host the repo. When I get to the point I can work on the wiki, then perhaps I'll reevaluate these options.
UnAfraid
L2j Veteran
Posts: 4199
Joined: Mon Jul 23, 2007 4:25 pm
Location: Bulgaria

Re: NetPro: Packet Analysis and Visualization tool

Post by UnAfraid »

It looks really nice on JavaFX, btw you can make TreeTableView for packet data rendering
SaveGame
Posts: 121
Joined: Thu Oct 30, 2014 9:54 pm

Re: NetPro: Packet Analysis and Visualization tool

Post by SaveGame »

Zealar wrote:Btw why not use github for the project? :think:
Well, I guess https://github.com/github/dmca/blob/mas ... -NCZ0ft.md shows that it's best to keep a low(er) profile :mrgreen:
Zealar
L2j Veteran
Posts: 1236
Joined: Sun Jul 15, 2007 10:29 am

Re: NetPro: Packet Analysis and Visualization tool

Post by Zealar »

That was unexpected. :wtf:
SaveGame
Posts: 121
Joined: Thu Oct 30, 2014 9:54 pm

Re: NetPro: Packet Analysis and Visualization tool

Post by SaveGame »

Version 1.4 released, 1.5 will be for Helios definitions only, full focus on 2.0 from now on.

1.4 no longer requires a JDK for script compilation; it will use ECJ (JDT Batch Compiler) when executed on a JRE. Bear in mind that ECJ will be much slower, perhaps due to all the warnings it checks for by default (and it does write more to the log files).

In any case, I would recommend against using ECJ if you can, as it has some very strange ideas implemented as far as JavaFileObject and JavaFileManager are concerned, such as charset-less source files as norm (Charset == null)/other methods using platform default charset, using custom class naming schemes despite the fact that every Java developer knows the standard FQCN, inability to interpret the classpath the way a JRE does (using literal classpath instead) and more.
nache
Posts: 34
Joined: Fri Jul 15, 2011 11:11 pm

Re: NetPro: Packet Analysis and Visualization tool

Post by nache »

and script to extract npc stats?
Norin3ko
Posts: 2
Joined: Sun Mar 26, 2017 1:24 am

Re: NetPro: Packet Analysis and Visualization tool

Post by Norin3ko »

Hello!

How can I set up NetPro for use with the NA server? I tried different configurations, none of them worked.

The current config disconnects me on server selection.

<gameWorldSockets> <!-- injected into ServerList -->
    <gameWorldSocket clientAddressPrefix="0.0.0.0/0" ip="127.0.0.1" port="7776" />
</gameWorldSockets>

<authorizationSockets>
    <authorizationSocket>
        <listen ip="0.0.0.0" port="2106" />
        <service host="64.25.35.104" port="2106" />
    </authorizationSocket>
</authorizationSockets>
</sockets>

hosts config:
127.0.0.1 L2authd.Lineage2.com
LasTravel
Posts: 888
Joined: Tue Jan 05, 2010 12:08 am
Location: Spain

Re: NetPro: Packet Analysis and Visualization tool

Post by LasTravel »

QUICKSTART on NA
================
1. Add "127.0.0.1 l2authd.lineage2.com" to hosts file
2. Open config/serviceconfig.xml
3. Remove the first <authorizationSocket>
4. Remove 'disabled="true"' from the remaining <authorizationSocket>
5. Run NetPro
6. Run Lineage II client
7. Login
Norin3ko
Posts: 2
Joined: Sun Mar 26, 2017 1:24 am

Re: NetPro: Packet Analysis and Visualization tool

Post by Norin3ko »

I receive the same configuration file after doing everything described in USAGE.txt, but the game client hangs on sending the [C] RequestServerLogin packet.