Dumping Network Traffic

In November 2012, Wiimm started to dump the network traffic of Mario Kart Wii's online races. The goal was to have enough information to create a set of Nintendo WFC servers, if necessary. In March 2014, Nintendo announced the shutdown of the server for May 2014 due to GameSpy — much earlier than ever thought.

This article explains how to capture packets, and create logs so you know what happened at the time of the dump.

Get the data

If capturing network data, it is important to capture the complete traffic from and to the Wii. To keep the dumps small, filter out all unrelated traffic of other network devices. The filtering is very important, if you plan to give the dumps away, because it may contains passwords and other private data.

Linux computer as a router

If you have a Linux computer, you can use that as router for your Wii to make the Wii send all data through your computer. You must also be able to add static routes to your router. The disadvantage of this solution is that your computer needs to be turned on for the Wii to go online.

You should only do this if you are good at networking with Linux so you are able to fix your network connection if something goes wrong. It may also be a good idea to export your router's configuration before doing the next steps.

To set that up, first give your computer another IP in a new subnet, for example with the following entry in /etc/network/interfaces (if your LAN interface is eth0):

auto eth0:1
iface eth0:1 inet static
address 10.0.20.1
netmask 255.255.255.0
broadcast 10.0.20.255

This adds a virtual interface "eth0:1" with the IP 10.0.20.1 (this IP must not be in your router's subnet!).

Then, enable routing by editing the file /etc/sysctl.conf and adding a line "net.ipv4.ip_forward = 1" (if it is already present, change from 0 to 1) and reboot your computer. Then, go to your router's web interface, search for the option "static route" (in a FRITZ!Box this is at "Network" -> "Network settings" -> "IPv4 routes") and add a route for network "10.0.20.0" with Subnet mask 255.255.255.0 (/24) and enter your computer's IP (not the 10.0.20.1, but the local IP you'd normally use) as "gateway".

Last step: Edit your Wii's LAN connection and enter IP 10.0.20.2, subnet mask 255.255.255.0, gateway 10.0.20.1.

If you did everything correctly, you can now see the Wii's traffic on your computer and capture that with tcpdump.

Port Mirroring

The best and cleanest way to capture the network traffic is a managed switch^[1], that supports port mirroring^[2].

You need to place the managed switch between the Wii and the router. Then you connect it to a PC on another port, so you can capture the network data. Set the switch so you mirror the traffic from and to the Wii to the PC port. After doing this setup, all traffic of the Wii is mirrored to the PC. Normally the PC will drop the unwanted network packets. But use a capture tool see the data.

A typical capturing command:

tcpdump -w <DEST_FILE> -U -i eth1 host <MY_WII> or arp

<DEST_FILE>: The filename, where the dump is stored. If using - as file name, stdout (standard output) is used.
<MY_WII>: Replace this by the IP or DNS name of the captured Wii.
or arp: These keywords enable capturing of ARP packets. ARP packets are only needed, if your Wii has network troubles.

Router captures

Many routers (like Fritzbox) allow to capture network traffic and to store it as a file. Using a Linux, Mac or Windows PC as a router between Wii and the router is also possible. All current operating systems support the capturing of network data, but you will probably need root/administrator rights.

Some WLAN routers have built-in Ethernet ports. By activating promiscuous mode on an Ethernet adapter connected to an open port on your router, both WLAN and wired traffic can be captured.

Custom router & Linux Machine

If you have a Linux machine with SSH, you can packet capture live using any router that has TCPDump, saving to the Linux machine. You will need to install sshpass on your Linux machine, and tcpdump on your router. Once installed, type this command in: sshpass -p "<PASSWORD>" ssh -o StrictHostKeyChecking=no root@<routerIP> tcpdump i eth0 -U -s0 -w - host <IP of Wii> > <location to store to locally> Once this says it's begun, leave that terminal (Use a screen so it stays open).

ARP spoofing

ARP spoofing^[3] is a method to redirect data from and to the Wii. But it has a big disadvantage: The Wii generates ARP requests frequently. And the delay between the correct answer and the spoofed one means that one is sent directly, and the other is lost.

Internet Connection Sharing (ICS)

Starting with Windows 7 (and probably other Windows versions too) it is possible to create a "virtual" WLAN network alongside your existing Internet connection, even if said connection is also over Wi-Fi. You can connect to this network via your Wii's Internet settings, and all of your Wii's traffic will be routed to your PC.

Note: You need a WLAN adapter installed on your PC. Most modern laptops and some PCs have them built-in.

To set up ICS, run the following commands:

netsh wlan set hostednetwork mode=allow ssid=<Wifi SSID> key=<Password> keyUsage=persistent
netsh wlan start hostednetwork

Depending on your setup, you may also need a DHCP server. You can get one for free at http://dhcpserver.de.

Logging

To have a packet dump is very good, but for analysis you must know what happened wile you were packet dumping. Therefore you must have a good log with timestamps, so you know the events, even months later. Without that you have no way to assign network packets to event.

Videos

A recording of what happened while dumping is the best type of log. If you find a reference point between both the video and the dump, you can use relative time values to find very exactly the corresponding place of the network dump.

A disadvantage of videos is the large disk size. But a high quality is not needed for this kind of logging. So you can reduce the pixel size, the frame rate and/or the compression quality of the video. You can also cut off the audio stream. The following ffmeg^[4] command will reduce a video enormous and creates a video in acceptable quality:

ffmpeg -i INPUT -r 10 -b:v 50k -s 360x240 \
     -preset slow -crf 30.0 -vcodec libx264 -an -y OUTPUT.avi

However, the result depends very much from the input quality and the noise of the input. The best way to trim the command is to change the video bitrate -b:v 50k.

After trimming open the video with any video tool. Go to the event and find out the timestamp. VirtualDub^[5] is for example a good and free video utility for this task.

Analysing with mkw-ana

mkw-ana is a network packet hex dumper and more. The advantage of mkw-ana is, that it knows about the protocols and packet types and give you additional information about the packets. There are also many commands for statistical analysis and data collecting. mkw-ana supports also the integration of log messages and race analysis.

References

↑ Wikipedia: Network Switch Options
↑ Wikipedia: Port Mirroring
↑ Wikipedia: ARP spoofing
↑ Wikipedia: ffmeg, a universal video transcoding tool
↑ Wikipedia: VirtualDub, a free video utility.

Network Protocol

Information:
Nintendo's Servers – Friend Code – Nick – Dumping Network Traffic

Record Types:
HEADER – ROOM – SELECT – USER
RACEHEADER_1 – RACEHEADER_2 – RACEDATA – ITEM – EVENT
NATNEG – ANNOUNCE – QUIT – STATUS – PARAM-STRING

Wiimmfi Extensions:
Online Status – Connection Status – Wiimmfi packets – Server SV

Software:
Wiimms mkw-ana

[1] Wikipedia: Network Switch Options

[2] Wikipedia: Port Mirroring

[3] Wikipedia: ARP spoofing

[4] Wikipedia: ffmeg, a universal video transcoding tool

[5] Wikipedia: VirtualDub, a free video utility.

[1]

[2]

[3]

[4]

[5]