Gnutella Forums (https://www.gnutellaforums.com/) - Open Discussion topics - Can't detect queries when using wireshark (https://www.gnutellaforums.com/open-discussion-topics/91400-cant-detect-queries-when-using-wireshark.html)

mikejim March 20th, 2009 04:30 PM

Can't detect queries when using wireshark
 
Hello,

I am writing a program I want to use to detect queries using the libraries from Wireshark (a network protocol analyzer). The problem is not the program, but the Limewire I want to detect queries from.

I have Limewire 4.18.3, which after a few hours of being up is connected as an Ultrapeer. I make a search through the user interface and get some results. I use at the same time Wireshark (for testing purposes) to capture the packets sent to my computer so that I can trace the query sent by Limewire and the queryhits sent by the other peers/leafs. Most of the packets flow through TCP connections, I assume the same connections established with my peers/leafs. Some queryhits arrive through UDP.

The problem is that I can't recognize any of the messages (query and queryhits), because they look encrypted (in the TCP case). None of the messages I capture follow the Gnutella specification. They just have garbage (to me, but not to Limewire). The only way to recognize something (at least parts of it, in which case the packet follows the Gnutella specification) is when the queryhit arrives through UDP. I don't have a clue why this is happening because Gnutella is open and I should see all the fields of the protocol in the packet trace and easily recognize a queryhit. The same case for a query.

Do any of you have a clue why this is happening? I have done this with Bearshare and the same happens. Is there something I am missing here? I know queryhits might flow through the TCP connections, but encrypted??

thanks all!
Mike

yodoloi04 May 4th, 2009 04:43 AM

Hi Mike,

I have the same problem as you with wireshark and the packets returned by my gnutella client (gtk-gnutella).

The data are not encrypted but compressed with zlib.

Has someone a solution to see easily the gnutella protocol packets in wireshark, or should I write some code to decompress the stream received from the ultrapeers?

Thanks in advance for your answers.

Regards
Yodoloi
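
The decompression step Yodoloi asks about, as an added example that is not part of the thread and not code from gtk-gnutella or LimeWire: a Gnutella 0.6 TCP connection negotiated with the deflate option carries the ordinary 23-byte message headers (16-byte GUID, payload descriptor, TTL, hops, little-endian payload length) followed by the payload, but the whole byte stream is run through zlib, so a capture shows only compressed bytes. The script below builds a constructed sample stream (a Ping and a Query), compresses it the way a deflate-enabled peer would, delivers it in small segments, inflates it with a streaming zlib object and parses the messages back out. The message layout follows the public Gnutella 0.6 header; the use of Z_SYNC_FLUSH to push each message out promptly is an assumption about client behaviour, not something taken from the thread.

```python
import struct
import zlib

HEADER_LEN = 23
# Payload descriptor byte of the Gnutella 0.6 message header.
DESCRIPTORS = {0x00: "Ping", 0x01: "Pong", 0x02: "Bye", 0x40: "Push",
               0x80: "Query", 0x81: "QueryHit"}


def build_message(guid, descriptor, ttl, hops, payload):
    """Serialize one Gnutella message: 23-byte header, then the payload."""
    assert len(guid) == 16
    return guid + struct.pack("<BBBI", descriptor, ttl, hops, len(payload)) + payload


def build_query(guid, search, ttl=3, min_speed=0):
    # Query payload: 2-byte minimum speed + NUL-terminated search string
    # (GGEP/extension blocks after the NUL are omitted in this example).
    payload = struct.pack("<H", min_speed) + search.encode("utf-8") + b"\x00"
    return build_message(guid, 0x80, ttl, 0, payload)


def parse_messages(buf):
    """Split a buffer of plain (already inflated) Gnutella messages.

    Returns (list of parsed messages, leftover bytes of an incomplete message).
    The same function works on a UDP datagram, which is never deflated.
    """
    msgs = []
    while len(buf) >= HEADER_LEN:
        guid = buf[:16]
        desc, ttl, hops, plen = struct.unpack("<BBBI", buf[16:HEADER_LEN])
        if len(buf) < HEADER_LEN + plen:
            break  # payload not fully received yet; wait for more data
        payload = buf[HEADER_LEN:HEADER_LEN + plen]
        info = {"guid": guid.hex(), "type": DESCRIPTORS.get(desc, hex(desc)),
                "ttl": ttl, "hops": hops, "len": plen}
        if desc == 0x80 and plen >= 3:
            info["min_speed"] = struct.unpack("<H", payload[:2])[0]
            info["search"] = payload[2:].split(b"\x00", 1)[0].decode("utf-8", "replace")
        msgs.append(info)
        buf = buf[HEADER_LEN + plen:]
    return msgs, buf


class DeflatedStreamReader:
    """Feeds TCP segments from a deflate-negotiated Gnutella connection through a
    streaming zlib inflater and returns whatever complete messages came out."""

    def __init__(self):
        self.inflater = zlib.decompressobj()
        self.pending = b""  # inflated bytes not yet forming a complete message

    def feed(self, segment):
        self.pending += self.inflater.decompress(segment)
        msgs, self.pending = parse_messages(self.pending)
        return msgs


def demo():
    """Constructed sample: an ultrapeer sends a Ping and a Query over a deflated
    TCP connection; the reader inflates and parses them from 7-byte segments."""
    ping_guid = bytes(range(16))          # constructed GUIDs, not real ones
    query_guid = bytes([0xAB] * 16)
    stream = build_message(ping_guid, 0x00, 7, 0, b"") \
        + build_query(query_guid, "ubuntu iso", ttl=3)
    comp = zlib.compressobj()
    # Assumption: the sender sync-flushes so the peer gets the message at once.
    wire = comp.compress(stream) + comp.flush(zlib.Z_SYNC_FLUSH)
    reader = DeflatedStreamReader()
    parsed = []
    for i in range(0, len(wire), 7):      # deliver as small TCP segments
        parsed.extend(reader.feed(wire[i:i + 7]))
    return parsed


if __name__ == "__main__":
    for m in demo():
        print(m)
```

Feeding the reassembled TCP payload of a capture (for example a stream exported from Wireshark) into `DeflatedStreamReader.feed` in order gives the plain messages; note that each direction of the connection is a separate zlib stream and needs its own reader, and that the inflater must be created only after the handshake lines (`GNUTELLA CONNECT/0.6 ... 200 OK`), since the handshake itself is sent uncompressed.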

mikejim May 4th, 2009 08:54 AM

RE:
 
hello Yodoloi,
I didn't recall the deflate option used at the beginning of the handshake by the time I wrote this post. What I did is that I used the Limewire source and modified the source for it to send everything not compressed.
I was lazy enough to write the code to decompress it. A cool thing would be though if the libraries used by Wireshark (libpcap or winpcap) had the option of decompressing the payload of a packet, like you said. That would save a lot. And it doesn't sound unreasonable. I actually wrote a program to detect gnutella traffic. I will try to find something like that and post it here.
Mike

yodoloi04 May 13th, 2009 02:52 AM

hello Mike,

Could you tell me which file you modified in the limewire code?
I tried to search for some library for wireshark and to recompile wireshark on my linux computer with different options, but without success in decompressing the packets in wireshark.

Actually I'm trying to write a little client (just with the basic functionality: ping, pong, query, query hit, bye) in C# for my Master project, and I think in the beginning I will not use the deflate option. I don't know if it's a good idea, but for the moment it's the fastest way to have a prototype working in a short time.
Juan

mikejim May 13th, 2009 07:56 AM

Re:
 
Hello Juan,
the file is the following:
LimeWire/core/com/limegroup/gnutella/settings/ConnectionSettings.java

Two lines I changed:

157:
FACTORY.createBooleanSetting("ACCEPT_GNUTELLA_DEFLATE", true);
I changed the true for a false
FACTORY.createBooleanSetting("ACCEPT_GNUTELLA_DEFLATE", false);

167:
FACTORY.createBooleanSetting("ENCODE_GNUTELLA_DEFLATE", true);
I changed the true for a false
FACTORY.createBooleanSetting("ENCODE_GNUTELLA_DEFLATE", false);

I don't recall changing anything else.

I know also it is not the best idea, but I am in the same situation, for prototype purposes.

Hope it helps!
mikejim

yodoloi04 June 10th, 2009 02:58 PM

Hello Mikejim,

Thanks for your help,

I modified the limewire files and took some captures with wireshark to "try" to understand how the gnutella protocol works.

Regards
Juan

hustnn March 22nd, 2010 07:05 PM

query
 
Hi, are the query and query hit transmitted using udp or tcp?

Where can I find out which messages use tcp or udp in limewire? I just find few udp messages, such as ping and pong when bootstrapping and handshaking. Why?

If limewire is using tls encryption, then we don't see the content using wireshark, do we?
