Difference between revisions of "Dumping Network Traffic"

From Custom Mario Kart
Line 1: Line 1:
In November 2012 [[Wiimm]] started to dump the complete network traffic of [[Mario Kart Wii]] online meetings. The goal was to have enough information to create a own MKWii server if ever necessary. In March 2014 Nintendo announced the shutdown of the server for May 2014 — much earlier than ever thought.
+
In November 2012 [[Wiimm]] started to dump the network traffic of [[Mario Kart Wii]]'s online races. The goal was to have enough information to create a set of Nintendo WFC servers, if necessary. In March 2014, Nintendo announced the shutdown of the server for May 2014 due to GameSpy — much earlier than ever thought.
  
This article will explain, how to get good dumps and good logs. Logs are necessary to remember, what happened during the dump time.
+
This article explains how to capture packets, and create logs so you know what happened at the time of the dump.
  
  
Line 37: Line 37:
 
=== Port Mirroring ===
 
=== Port Mirroring ===
  
The best and cleanest way to capture the network traffic is a managed switch<ref>Wikipedia: [http://en.wikipedia.org/wiki/Managed_switch#Configuration_options Network Switch Options]</ref>, that support port mirroring<ref>Wikipedia: [http://en.wikipedia.org/wiki/Port_mirroring Port Mirroring]</ref>.
+
The best and cleanest way to capture the network traffic is a managed switch<ref>Wikipedia: [http://en.wikipedia.org/wiki/Managed_switch#Configuration_options Network Switch Options]</ref>, that supports port mirroring<ref>Wikipedia: [http://en.wikipedia.org/wiki/Port_mirroring Port Mirroring]</ref>.
  
You place the managed switch between Wii and router. Then you connect a PC, that should capture the network traffic, to another port of the switch. In the switch setup you mirror the traffic from and to the Wii to the PC port. After doing this setup once, all traffic of the Wii is mirrored to the PC. Normally the PC will drop the unwanted network packets. But a capture tool see the data.
+
You need to place the managed switch between the Wii and the router. Then you connect it to a PC on another port, so you can capture the network data. Set the switch so you mirror the traffic from and to the Wii to the PC port. After doing this setup, all traffic of the Wii is mirrored to the PC. Normally the PC will drop the unwanted network packets. But use a capture tool see the data.
  
 
A typical capturing command:
 
A typical capturing command:
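Review bot: the rewritten last sentence of the Port Mirroring paragraph, "But use a capture tool see the data.", is ungrammatical and drops the point the old text made, namely that the capture tool still sees the mirrored frames the operating system would otherwise discard; suggest "A capture tool, however, still sees the data." The "supports port mirroring" agreement fix in the first sentence is fine.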
Line 49: Line 49:
 
=== Router captures ===
 
=== Router captures ===
  
Many routers (like Fritzbox) allow to capture network traffic and to store it as a file. Using a Linux, Mac or Windows PC as router between Wii and the DSL-Router is also possible. All current operating systems support the capturing of network data, but often you need root/administrator rights.
+
Many routers (like Fritzbox) allow to capture network traffic and to store it as a file. Using a Linux, Mac or Windows PC as a router between Wii and the router is also possible. All current operating systems support the capturing of network data, but you will probably need root/administrator rights.
 +
 
 +
=== Custom router & Linux Machine ===
 +
 
 +
If you have a linux machine with SSH you can packet capture live using any router that has TCPDump, saving to the linux machine. You will need to install sshpass on your Linux machine, and tcpdump on your router. Once installed, type this command in:
 +
sshpass -p "<PASSWORD>" ssh -o StrictHostKeyChecking=no root@<routerIP> tcpdump  i eth0 -U -s0 -w - host <IP of Wii> > <location to store to locally>
 +
Once this says it's begun, leave that terminal (Use a screen so it stays opem).
 +
 
  
 
=== ARP spoofing ===
 
=== ARP spoofing ===
  
ARP spoofing<ref>Wikipedia: [http://en.wikipedia.org/wiki/ARP_spoofing ARP spoofing]</ref> is a method to redirect data from and to the Wii. But it has a big disadvantage: The Wii generate ARP request frequently. And the time between the correct answer and the ''spoofed'' one, the data is sent directly to the correct destination and the packets are lost for capturing.
+
ARP spoofing<ref>Wikipedia: [http://en.wikipedia.org/wiki/ARP_spoofing ARP spoofing]</ref> is a method to redirect data from and to the Wii. But it has a big disadvantage: The Wii generates ARP requests frequently. And the delay between the correct answer and the ''spoofed'' one means that one is sent directly, and the other is lost.
  
 
== Logging ==
 
== Logging ==
  
To have a dump very nice. But for analysis you must know, what happened during the dump time. Therefore you must have a good log with timestamps, that remembers you about the events, even months later. Without that you have nearly no chance to assign network packets to event.  
+
To have a packet dump is very good, but for analysis you must know what happened wile you were packet du,pimg. Therefore you must have a good log with timestamps, so you know the events, even months later. Without that you have no way to assign network packets to event.  
  
 
=== Videos ===
 
=== Videos ===
  
A video creating during the game play is the best kind of a log. If you find a reference point, you can use relative time values to find very exactly the corresponding place of the network dump.
+
A recording of what happened while dumping is the best type of log. If you find a reference point between both the video and the dump, you can use relative time values to find very exactly the corresponding place of the network dump.
  
A disadvantage of videos is the large disk size. But a high quality is not needed for this kind of logging. So you can reduce the pixel size, the frame rate and/or the compression quality of the video. You can also cut off the audio stream. The following ffmeg<ref>Wikipedia: [http://en.wikipedia.org/wiki/Ffmpeg ffmeg], an universal video transcoding tool</ref> command will reduce a video enormous and creates a video in acceptable quality:
+
A disadvantage of videos is the large disk size. But a high quality is not needed for this kind of logging. So you can reduce the pixel size, the frame rate and/or the compression quality of the video. You can also cut off the audio stream. The following ffmeg<ref>Wikipedia: [http://en.wikipedia.org/wiki/Ffmpeg ffmeg], a universal video transcoding tool</ref> command will reduce a video enormous and creates a video in acceptable quality:
 
  ffmpeg -i INPUT -r 10 -b:v 50k -s 360x240 \
 
  ffmpeg -i INPUT -r 10 -b:v 50k -s 360x240 \
 
       -preset slow -crf 30.0 -vcodec libx264 -an -y OUTPUT.avi
 
       -preset slow -crf 30.0 -vcodec libx264 -an -y OUTPUT.avi
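Review bot: the capture command in the new "Custom router & Linux Machine" section is broken: `tcpdump  i eth0` is missing the dash, so tcpdump would read `i` as the start of the filter expression; it must be `tcpdump -i eth0 -U -s0 -w - host <IP of Wii>`. Passing the password with `sshpass -p "<PASSWORD>"` also leaves it visible in the process list and shell history of the Linux machine; `sshpass -e` (password from the SSHPASS environment variable) or an SSH key for the router avoids that, and this deserves a sentence next to the command. Typos in the same hunk: "opem" and "wile you were packet du,pimg". In the ARP spoofing paragraph the new wording "one is sent directly, and the other is lost" loses what the old text said clearly: between the real ARP reply and the spoofed one, the Wii sends to the real destination, so those packets are lost for the capture.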

Revision as of 04:48, 29 August 2015

In November 2012, Wiimm started to dump the network traffic of Mario Kart Wii's online races. The goal was to have enough information to create a set of Nintendo WFC servers, if necessary. In March 2014, Nintendo announced the shutdown of the server for May 2014 due to GameSpy, much earlier than ever thought.

This article explains how to capture the packets and how to create logs, so that you know what happened at the time of the dump.



Get the data

When capturing network data, it is important to capture the complete traffic from and to the Wii. To keep the dumps small, filter out all unrelated traffic of other network devices. The filtering is especially important if you plan to give the dumps away, because the traffic of other devices may contain passwords and other private data.

Linux computer as a router

If you have a Linux computer, you can use it as a router for your Wii, so that the Wii sends all its data through your computer. You must also be able to add static routes to your router. The disadvantage of this solution is that your computer needs to be turned on for the Wii to go online.

You should only do this if you are good at networking with Linux, so that you are able to fix your network connection if something goes wrong. It is also a good idea to export your router's configuration before doing the next steps.

To set this up, first give your computer another IP in a new subnet, for example with the following entry in /etc/network/interfaces (if your LAN interface is eth0):

auto eth0:1
iface eth0:1 inet static
address 10.0.20.1
netmask 255.255.255.0
broadcast 10.0.20.255

This adds a virtual interface "eth0:1" with the IP 10.0.20.1 (this IP must not be in your router's subnet!).

Then enable routing by editing the file /etc/sysctl.conf and adding the line "net.ipv4.ip_forward = 1" (if it is already present, change the 0 to 1), and reboot your computer. Next, go to your router's web interface, search for the option "static route" (on a FRITZ!Box this is under "Network" -> "Network settings" -> "IPv4 routes") and add a route for the network 10.0.20.0 with subnet mask 255.255.255.0 (/24), entering your computer's IP (not 10.0.20.1, but the local IP you normally use) as the gateway.

Last step: edit your Wii's LAN connection and enter IP 10.0.20.2, subnet mask 255.255.255.0 and gateway 10.0.20.1.

If you did everything correctly, you can now see the Wii's traffic on your computer and capture it with tcpdump.
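The following script is an added example, not from the wiki page: it checks the two things that most often go wrong with the Linux-router setup above (the alias subnet overlapping the router's LAN, and IP forwarding left off) and then starts a capture restricted to the Wii. It uses the article's addresses (10.0.20.1/24 on the PC, Wii at 10.0.20.2); the router LAN 192.168.178.0/24 is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the wiki page: sanity-check the Linux-router setup
# before starting the capture. Uses the article's addresses (alias
# 10.0.20.1/24 on the PC, Wii 10.0.20.2); the router LAN 192.168.178.0/24
# is a constructed placeholder, replace it with your own.

# Dotted-quad IPv4 address -> 32-bit integer (pure POSIX sh, no external tools).
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# Succeed (exit 0) when two addresses share the network given by the mask.
same_subnet() {
    m=$(ip2int "$3")
    [ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "$2") & m )) ]
}

# The article's warning: the alias address must NOT lie in the router's own
# subnet, otherwise the router never uses the static route. Exit 0 when safe.
# $1 = router IP, $2 = router subnet mask, $3 = planned alias address.
plan_ok() {
    if same_subnet "$1" "$3" "$2"; then
        echo "alias $3 lies inside the router subnet $1/$2" >&2
        return 1
    fi
    return 0
}

# Capture command restricted to the Wii, so other devices' traffic (and any
# passwords in it) never ends up in a dump you may hand out later.
# $1 = interface, $2 = Wii address, $3 = output file.
capture_cmd() {
    echo "tcpdump -i $1 -U -s0 -w $3 host $2 or arp"
}

# Live check, only meaningful on the router PC itself.
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# Run as "./check.sh run" on the Linux router to verify and start capturing.
if [ "${1:-}" = "run" ]; then
    plan_ok 192.168.178.1 255.255.255.0 10.0.20.1 || exit 1
    forwarding_enabled || { echo "net.ipv4.ip_forward is not 1" >&2; exit 1; }
    exec $(capture_cmd eth0 10.0.20.2 wii.pcap)
fi
```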

Port Mirroring

The best and cleanest way to capture the network traffic is a managed switch[1] that supports port mirroring[2].

You need to place the managed switch between the Wii and the router. Then connect the PC that should capture the traffic to another port of the switch. In the switch setup, mirror the traffic from and to the Wii's port to the PC's port. After this setup, all traffic of the Wii is mirrored to the PC. Normally the PC drops the unwanted network packets, but a capture tool sees the data.

A typical capturing command:

tcpdump -w <DEST_FILE> -U -i eth1 host <MY_WII> or arp

<DEST_FILE>
    The filename where the dump is stored. If - is used as the file name, stdout (standard output) is used.
<MY_WII>
    Replace this with the IP or DNS name of the captured Wii.
or arp
    These keywords enable capturing of ARP packets. ARP packets are only needed if your Wii has network trouble.

Router captures

Many routers (like the Fritzbox) allow you to capture network traffic and store it as a file. Using a Linux, Mac or Windows PC as a router between the Wii and the router is also possible. All current operating systems support capturing network data, but you will probably need root/administrator rights.

Custom router & Linux Machine

If you have a Linux machine with SSH, you can capture packets live using any router that has tcpdump, saving them to the Linux machine. You will need to install sshpass on your Linux machine and tcpdump on your router. Once installed, type in this command:

sshpass -p "<PASSWORD>" ssh -o StrictHostKeyChecking=no root@<routerIP> tcpdump -i eth0 -U -s0 -w - host <IP of Wii> > <location to store to locally>

Once this says it has begun, leave that terminal alone (use a screen session so it stays open). Note that sshpass -p makes the password visible in the process list and shell history of the Linux machine; sshpass -e reads it from the SSHPASS environment variable instead, and an SSH key for the router avoids the password entirely.


ARP spoofing

ARP spoofing[3] is a method to redirect data from and to the Wii. But it has a big disadvantage: the Wii generates ARP requests frequently, and in the time between the correct answer and the spoofed one, the Wii sends its data directly to the real destination, so those packets are lost for the capture.

Logging

Having a packet dump is very good, but for the analysis you must know what happened while you were capturing packets. Therefore you must have a good log with timestamps, so that you still know the events even months later. Without that you have no way to assign network packets to events.

Videos

A recording of what happened while dumping is the best type of log. If you find a reference point that appears in both the video and the dump, you can use relative time values to find the corresponding place in the network dump very precisely.

A disadvantage of videos is the large disk size. But high quality is not needed for this kind of logging, so you can reduce the pixel size, the frame rate and/or the compression quality of the video. You can also cut off the audio stream. The following ffmpeg[4] command shrinks a video enormously and creates a video of acceptable quality:

ffmpeg -i INPUT -r 10 -b:v 50k -s 360x240 \
     -preset slow -crf 30.0 -vcodec libx264 -an -y OUTPUT.avi

However, the result depends very much on the quality and the noise of the input. The best way to tune the command is to change the video bitrate -b:v 50k.

After transcoding, open the video with any video tool, go to the event and note its timestamp. VirtualDub[5], for example, is a good and free video utility for this task.
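The reference-point technique described above, as an added example that is not part of the wiki page: one event that is visible both in the video and in the dump (say the start of a race) fixes the offset between the two clocks, and every further video timestamp is then mapped to the dump by that offset. It assumes video times as mm:ss or hh:mm:ss, pcap times as epoch seconds (what tcpdump -tt prints) and a dump file named dump.pcap; all concrete values are constructed.

```shell
#!/bin/sh
# Added example, not from the wiki page: map an event seen in the log video
# to the matching packets in the dump via one shared reference point.
# Assumes video times as mm:ss (or hh:mm:ss) and pcap times as epoch
# seconds (what "tcpdump -tt" prints); all concrete values are constructed.

# Strip a single leading zero so "08" is not read as an invalid octal number.
dec() { v=${1#0}; echo "${v:-0}"; }

# "mm:ss" or "hh:mm:ss" -> seconds
to_secs() {
    old_ifs=$IFS; IFS=:
    set -- $1
    IFS=$old_ifs
    if [ $# -eq 3 ]; then
        echo $(( $(dec "$1") * 3600 + $(dec "$2") * 60 + $(dec "$3") ))
    else
        echo $(( $(dec "$1") * 60 + $(dec "$2") ))
    fi
}

# $1 = video time of the event, $2 = video time of the reference point,
# $3 = epoch time of that same reference point in the dump.
# Relative offsets carry over: event_pcap = ref_pcap + (event_video - ref_video).
video_to_pcap() {
    echo $(( $3 + $(to_secs "$1") - $(to_secs "$2") ))
}

# tshark command that extracts a window of +/- $4 seconds (default 5) around
# the event, so only the relevant slice of the dump has to be inspected.
slice_cmd() {
    t=$(video_to_pcap "$1" "$2" "$3")
    w=${4:-5}
    echo "tshark -r dump.pcap -Y 'frame.time_epoch >= $(( t - w )) && frame.time_epoch <= $(( t + w ))'"
}

# Constructed example: the race started at 00:10 in the video and at epoch
# 1377748800 in the dump; an item hit seen at 05:07 in the video then maps
# to 1377749097 in the dump.
slice_cmd 05:07 00:10 1377748800
```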

Analysing with mkw-ana

mkw-ana is a network packet hex dumper and more. The advantage of mkw-ana is that it knows about the protocols and packet types and gives you additional information about the packets. There are also many commands for statistical analysis and data collection. mkw-ana also supports the integration of log messages and race analysis.

References

  1. Wikipedia: Network Switch Options
  2. Wikipedia: Port Mirroring
  3. Wikipedia: ARP spoofing
  4. Wikipedia: ffmpeg, a universal video transcoding tool
  5. Wikipedia: VirtualDub, a free video utility.
