Gnutella Forums


dddkkk February 22nd, 2008 09:47 PM

Incoming searches in traffic capture?
 
I'm capturing Gnutella network traffic sent to my laptop using Wireshark Network Analyzer (seemed like a fun thing to do on a Friday night while drinking a beer).

I can see the incoming searches in the "Search Monitor" in plain text, however when I try to locate those packets in the network analyzer, I can't identify them. I think they are UDP?

I know the Gnutella syn packet headers are in plain text. How can I identify the incoming search packets? Is there a way that they are human readable?

Dave

GregorK February 23rd, 2008 01:38 AM

Connection traffic is usually compressed. Add the following to your phexCorePrefs.properties file:

Connection.AcceptDeflateConnection = false

dddkkk February 23rd, 2008 07:55 AM

Well... that did work. Could you elaborate a little on what that did to make incoming data plain text at the NIC?

Also... in the Search Monitor, is the "routed from" IP address the actual host conducting the search, or just the last hop it took? I don't see any additional IP addresses in the data.

GregorK February 23rd, 2008 03:16 PM

Quote:

Originally Posted by dddkkk (Post 309157)
Well... that did work. Could you elaborate a little on what that did to make incoming data plain text at the NIC?

Gnutella network traffic can be deflated using zlib; this is negotiated during the handshake. With this option you turn this feature off.
SourceForge.net Repository - [phex] View of /phex/trunk/docs/Gnutella/proposals/GNET compression.txt

Quote:

Originally Posted by dddkkk (Post 309157)
Also... in the Search Monitor, is the "routed from" IP address the actual host conducting the search, or just the last hop it took? I don't see any additional IP addresses in the data.

It only shows the IP of the last hop. The IP of the host conducting the search is not part of the standard query protocol.
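
The two points above, as an added example that is not part of the original posts or of Phex: a Python sketch that checks a handshake reply for negotiated deflate, inflates a reassembled TCP payload, and walks the Gnutella messages to pull out Query search text. The 23-byte header layout and the 0x80 Query type are taken from the Gnutella 0.6 specification rather than from this thread; the function names are hypothetical and the sample bytes are constructed. Note that the header carries only a GUID, TTL and hop count, with no originator address.

```python
import struct
import zlib

HEADER_LEN = 23   # GUID(16) + type(1) + TTL(1) + hops(1) + payload length(4, little-endian)
QUERY = 0x80      # payload type of a search (Query) message

def negotiated_deflate(handshake_reply: str) -> bool:
    """True if the peer's handshake headers announce 'Content-Encoding: deflate'."""
    for line in handshake_reply.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "content-encoding" and "deflate" in value.lower():
            return True
    return False

def parse_queries(stream: bytes, deflated: bool):
    """Return (guid_hex, ttl, hops, search_text) for each Query in a reassembled TCP payload."""
    if deflated:
        # Assumption: the connection uses a zlib-framed deflate stream.
        stream = zlib.decompressobj().decompress(stream)  # tolerates a truncated capture
    found, pos = [], 0
    while pos + HEADER_LEN <= len(stream):
        guid = stream[pos:pos + 16]
        ptype, ttl, hops, length = struct.unpack_from("<BBBI", stream, pos + 16)
        payload = stream[pos + HEADER_LEN:pos + HEADER_LEN + length]
        if len(payload) < length:
            break                                    # message cut off by end of capture
        if ptype == QUERY and length >= 3:
            text = payload[2:].split(b"\x00", 1)[0]  # skip the 2-byte minimum speed field
            found.append((guid.hex(), ttl, hops, text.decode("utf-8", "replace")))
        pos += HEADER_LEN + length
    return found

def build_message(ptype, ttl, hops, payload, guid=bytes(range(16))):
    """Build one message for the constructed sample below (test data only)."""
    return guid + struct.pack("<BBBI", ptype, ttl, hops, len(payload)) + payload

# Constructed sample: handshake reply, then a Ping followed by a Query for "linux iso".
SAMPLE_REPLY = ("GNUTELLA/0.6 200 OK\r\nAccept-Encoding: deflate\r\n"
                "Content-Encoding: deflate\r\n\r\n")
SAMPLE_PLAIN = (build_message(0x00, 1, 0, b"")
                + build_message(QUERY, 2, 3, b"\x00\x00linux iso\x00"))
SAMPLE_WIRE = zlib.compress(SAMPLE_PLAIN)

if __name__ == "__main__":
    for query in parse_queries(SAMPLE_WIRE, negotiated_deflate(SAMPLE_REPLY)):
        print(query)
```

On a real capture the deflate stream starts right after the handshake and keeps its state for the life of the connection, so the payload has to be reassembled from the first post-handshake byte for inflation to work.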

dddkkk February 24th, 2008 09:15 AM

I was under the impression that each time a search term query took a hop, it would say something like "who has this search...tell 192.168.1.1 (original host)"

If the searching host IP address isn't sent along with the data, how does the host with the matching files three hops away know who is asking?

arne_bab February 25th, 2008 11:22 PM

The results get sent back along the chain.

That's why it suffices to get the connection to your Ultrapeers through your firewalls to be able to search. Sadly it doesn't work as well for downloads (passing them along the chain would kill the network - instead a non-firewalled third party is used to route the downloads (Push Proxy)).

This is different for OOB results (out of band) as far as I know.

