Dumping Network Traffic

From Custom Mario Kart
Revision as of 07:28, 10 March 2014 by Wiimm

In November 2012 Wiimm started to dump the complete network traffic of Mario Kart Wii online meetings. The goal was to have enough information to create a custom MKWii server if ever necessary. In March 2014 Nintendo announced the shutdown of the server for May 2014, much earlier than ever thought.

This article explains how to get good dumps and good logs. Logs are necessary to remember what happened during the dump time.



Get the data

When capturing network data, it is important to capture the complete traffic from and to the Wii. To keep the dumps small, filter out all unrelated traffic of other network devices. The filtering is very important if you plan to give the dumps away, because they may contain passwords and other private data.

Port Mirroring

The best and cleanest way to capture the network traffic is a managed switch[1] that supports port mirroring[2].

Place the managed switch between the Wii and the router. Then connect the PC that should capture the network traffic to another port of the switch. In the switch setup, mirror the traffic from and to the Wii to the PC port. After doing this setup once, all traffic of the Wii is mirrored to the PC. Normally the PC drops these unwanted network packets, but a capture tool sees the data.

A typical capturing command:

tcpdump -w <DEST_FILE> -U -i eth1 host <MY_WII> or arp
<DEST_FILE>
The file name where the dump is stored. If - is used as the file name, the dump is written to stdout (standard output).
<MY_WII>
Replace this with the IP address or DNS name of the captured Wii.
or arp
These keywords enable capturing of ARP packets. ARP packets are only needed if your Wii has network troubles.
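
Before a dump is given away, the rule of the capture filter (host <MY_WII> or arp) can be checked again on the stored file. The following Python check is an added example, not part of the original article or of Wiimm's tools; the function names, the sample capture and all addresses in it are constructed, and it assumes a classic pcap file with Ethernet framing as written by tcpdump -w.

```python
import ipaddress
import struct

# Classic pcap magic (usec and nsec variants), read little-endian -> file byte order.
MAGICS = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">", 0xA1B23C4D: "<", 0x4D3CB2A1: ">"}

def foreign_packets(pcap: bytes, wii_ip: str) -> list:
    """Indices of packets that 'host <MY_WII> or arp' would not have kept."""
    wii = ipaddress.IPv4Address(wii_ip).packed
    magic = struct.unpack_from("<I", pcap, 0)[0]
    if magic not in MAGICS:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    order = MAGICS[magic]
    if struct.unpack_from(order + "I", pcap, 20)[0] != 1:
        raise ValueError("only Ethernet captures (link type 1) are handled")
    foreign, pos, index = [], 24, 0
    while pos + 16 <= len(pcap):
        incl_len = struct.unpack_from(order + "I", pcap, pos + 8)[0]
        frame = pcap[pos + 16 : pos + 16 + incl_len]
        ethertype = frame[12:14]
        if ethertype == b"\x08\x00" and len(frame) >= 34:
            # IPv4: source address at bytes 26-29, destination at bytes 30-33
            if wii not in (frame[26:30], frame[30:34]):
                foreign.append(index)
        elif ethertype != b"\x08\x06":
            # Not ARP either (IPv6, VLAN tag, truncated frame): review by hand
            foreign.append(index)
        pos += 16 + incl_len
        index += 1
    return foreign

def sample_pcap() -> bytes:
    """Constructed four-packet capture; all addresses are made up."""
    def ipv4(src, dst):
        addrs = ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
        return b"\x00" * 12 + b"\x08\x00" + b"\x45" + b"\x00" * 11 + addrs
    frames = [
        ipv4("192.168.1.50", "203.0.113.7"),        # Wii -> game server
        ipv4("192.168.1.20", "203.0.113.7"),        # another PC: must not be shared
        b"\x00" * 12 + b"\x08\x06" + b"\x00" * 28,  # ARP
        ipv4("203.0.113.7", "192.168.1.50"),        # game server -> Wii
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1394436480 + i, 0, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    print(foreign_packets(sample_pcap(), "192.168.1.50"))
```

An empty result means every packet in the file matches the filter; any listed index is a packet to inspect or strip before the dump leaves your hands.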

Router captures

Many routers (like Fritzbox) can capture network traffic and store it as a file. Using a Linux, Mac or Windows PC as a router between the Wii and the DSL router is also possible. All current operating systems support the capturing of network data, but often you need root/administrator rights.

ARP spoofing

ARP spoofing[3] is a method to redirect data from and to the Wii. But it has a big disadvantage: the Wii generates ARP requests frequently, and in the time between the correct answer and the spoofed one, the data is sent directly to the correct destination, so those packets are lost for capturing.

Logging

Having a dump is very nice. But for analysis you must know what happened during the dump time. Therefore you must have a good log with timestamps that reminds you of the events. Without that you have nearly no chance to assign network packets to events.

Videos

A video created during the game play is the best kind of log. If you find a reference point, you can use relative time values to find the corresponding place in the network dump very exactly.

A disadvantage of videos is the large disk size. But high quality is not needed for this kind of logging. So you can reduce the pixel size, the frame rate and/or the compression quality of the video. You can also cut off the audio stream. The following ffmpeg[4] command reduces a video enormously and creates a video in acceptable quality:

ffmpeg -i INPUT -r 10 -b:v 50k -s 360x240 \
     -preset slow -crf 30.0 -vcodec libx264 -an -y OUTPUT.avi

However, the result depends very much on the input quality and the noise of the input. The best way to tune the command is to change the video bitrate -b:v 50k.

After reducing the video, open it with any video tool. Go to the event and find out the timestamp. VirtualDub[5], for example, is a good and free video utility for this task.

Analysing with mkw-ana

???

Using log files

???

References

  1. MediaWiki: Network Switch Options
  2. MediaWiki: Port Mirroring
  3. MediaWiki: ARP spoofing
  4. MediaWiki: ffmpeg, a universal video transcoding tool
  5. MediaWiki: VirtualDub, a free video utility
