Difference between revisions of "Wiimms mkw-ana (tool)"

From Custom Mario Kart
Jump to navigation Jump to search
(mkw-ana v0.18)
m
(39 intermediate revisions by 9 users not shown)
Line 1: Line 1:
 
{| class="textbox float-right grid"
 
{| class="textbox float-right grid"
 
|+ Wiimms mkw-ana
 
|+ Wiimms mkw-ana
| colspan=2 style="text-align:center" | [[file:Wiimms-SZS-Tools.png]]
+
| colspan=2 style="text-align:center" | [[File:Wiimms SZS Tools Logo.png]]
 
|-
 
|-
 
! Author:
 
! Author:
Line 16: Line 16:
 
|-
 
|-
 
! Current Version:
 
! Current Version:
| v0.18, 2014-03-24
+
| v1.15, 2017-08-21
 +
|-
 +
! Homepage:
 +
| [http://mkw-ana.wiimm.de/ mkw-ana.wiimm.de]
 +
|-
 +
! Download:
 +
| [http://download.wiimm.de/mkw-ana/ download.wiimm.de]
 
|}
 
|}
  
The tools '''mkw-ana''' is a new project by [[Wiimm]] to analyze the network protocol of [[Mario Kart Wii]].
+
'''mkw-ana''' is a tool by [[Wiimm]] to analyze the network protocol of [[Mario Kart Wii]]. It can also print infos about current races and detect the usage of different cheats and used glitches.
  
  
Line 27: Line 33:
 
== Intention ==
 
== Intention ==
  
In November 2012, [[Wiimm]] decided to analyze the network protocol of [[Mario Kart Wii]]. The main goal was to discover online cheaters. Another goal is to set up his own server when [[Nintendo]] shuts down its servers on 20th May 2014.
+
In November 2012, [[Wiimm]] decided to analyze the network protocol of [[Mario Kart Wii]]. The main goal was to discover online cheaters. Another goal was to set up his own server if [[Nintendo]] ever shut down its servers, which eventually happened on May 20th, 2014.
 +
 
 +
The main feature is to dump the packets of a tcpdump (done by ''tcpdump'' or ''wireshark'') in a user-friendly format. After first experiments, it also became a ''live racing statistic tool''.
  
So the main feature is to dump the packets of a tcpdump (done by ''tcpdump'' or ''wireshark'') in a user-friendly format. After first experiments, it becomes also a ''live racing statistic tool''.
+
== The Tool ==
  
=== Terms and definition ===
+
Based on new knowledge made with [[Wiimmfi]] development, [[Wiimm]] has restructured '''mkw-ana'''. The important changes since v1.02 are:
 +
* New record analysis.
 +
* Improved detection of race type (racing, balloon, coin, team, global, private room) and race stages.
 +
* Improved detection of current active players.
 +
* Improved hex dumps.
 +
* Complete new RACE command:
 +
** It shows battles and normal races.
 +
** It shows the in-game players while in VIEW mode.
 +
** Log messages are printed in an own scroll region.
 +
**  special tables that shows client and racing slot usage.
 +
* Friend code calculation by Wii or by NDS mode.
 +
** Support of an internal database to find the correct friend code calculation. This database can be modified by external files.
 +
* Support of an internal secret database. It is needed to decode MS answers. This database can be modified by external files.
 +
* User defined race and statistics tables. The columns can be enabled and ordered by the new option --table. Alternatively the table definitions can be exported by '''mkw-ana tables'', edited and then read by option --tfile.
 +
* Configurable tables: Columns can be selected and ordered by options or definiton files.
 +
* A backend server:
 +
** The backend server is enabled by option --cmd <ADDRESS>:<PORT> or --cmd unix:<FILE>.
 +
** The number of backend clients is not limited.
 +
** The backend server work either in a simple stream modus (use e.g. '''ncat''' or '''netcat''' for it) or in interactive modus using telnet negotiations.
 +
** The server has an built-in help. Just type "HELP".
  
{{MKWii Network Terms}}
+
With v1.07, mkw-ana can send ban jobs to Wiimmfi if a not allowed cheat is detected and the user have the rights to ban.
 +
* Using of 19 different glitches is checked. Some of them may trigger an autnoatic ban.
 +
* Many item cheats are detected. Because of to less packets false positives are possible. But if really an item cheat is used, the item cheat counter goes >4 in a race.
 +
* Instant drift is detected. A relative rate is used as trigger to avoid false positives.
 +
* Moving around before race start is detected.
 +
* Enabling an item before race start is detected.
 +
* Manipulation of finish time is detected.
  
== The Tool ==
+
With v1.13, the GPCM server send extra message to inform the cleint about room players and their status. mkw-ana extract these infos and creates a room table. But the new room status is not used at the frontend yet and only available at by beackend comamnd »WIIMMFI«. Try »WATCH WIIMMFI«.
  
 
=== Change log ===
 
=== Change log ===
  
 
<pre>
 
<pre>
mkw-ana v0.18 r1836 - 2014-03-24
+
mkw-ana v1.15 r2787 - 2017-08-21
  
  - New command: FRIENDCODES: A friend code calculator. For each scanned
+
  - Backend command »WIIMMFI« improved. Try »WATCH WIIMMFI«.
  parameter a line with a decimal friend code, a hexadecimal friend code,
 
  a decimal player ID and a game ID is printed. As input, various formats
 
  are supported. The new option --gid defines a game ID for creating a FC
 
  from a player id.
 
  
  - New command: ANALYZE: Analyze the dump files for special information and
+
  - \wiimmfi\: New data about inactive clients scanned and used.
  print it a machine readable list, one line per record. The first paraneter
 
  a comma separated list of keywords: PARAM-NAMES, NICKS, ALL.
 
  See built-in help for details.
 
  
  - New letter ID scheme for clients. All IDs are used circulary:
+
  - New frontend command: BACKEND:
    0-9: Known Nintendo servers (detected by a previous DNS query).
+
  The frontend works like an interactive backend connection. (EXPERIMENTAL)
    A-Z: Home client (--ip or --wii or atuo detect).
 
    a-z: Other clients (players).
 
  
  - Internal statistics about UDP (old) and TCP (new) traffic (send+receive
+
  - Different minor updates.
  packtes+bytes). The client dumps print now a summary of TCP+UDP.
 
  
  - Command 'CLIENT' prints the clients in order of appearance. If option
+
  - Windows only: Cygwin update to v2.8.1, 2017-07-03.
  --long is set, a multi line list with more details is printed.
 
  
- The new command SERVERS prints a multi line list like 'CLIENTS --long',
 
  but only Nintendos servers are selected.
 
  
- Command COUNT will now count also ARP, DNS and TCP records.
+
mkw-ana v1.14 r2631 - 2016-12-08
  
  - All commands can be prefixed by a 'C' (e.g. 'CDUMP' instead of 'DUMP') to
+
  - Detection of GPCM \wiimmfi\...\final\ packets.
  force colorized output (= force option --color).
+
    - The statistics table is only available at the backend yet.
 +
    - Update of peer-connection flags.
  
  - Options --ip and --wii accept now an optional port number.
+
  - Bug fix: Command FLOWRATES failed sometimes.
  
  - Bug fix for 'A' detection of DNS replies.
+
  - Bug fix: Better detection of invalid STATUS packages. A warning is printed.
  
 +
- New option: --warn-mode=LIST: Define, which warnings are enabled:
 +
    - LENGTH  :  Racing records with wrong length.
 +
    - XLENGTH :  Like RACE but be more verbose.
 +
    - STATUS  :  Invalid STATUS records.
 +
    - EVENT  :  Unknown event found.
 +
    - DEFAULT := LENGTH | XLENGTH | STATUS
 +
    - ALL and NONE are also possible.
  
mkw-ana v0.17 r1786 - 2014-03-03
+
  - Command SILENT is now silent again. It also disables all warnings.
 
 
  - New modes for option --print:
 
    DELAY :  Print the delay in ms (difference between racing and real time).
 
    LAST  :  Timeout since last packet in ms.
 
    XTIME := TIME,DELAY,LAST
 
 
 
- New record type: QUIT: It is send, if a player quits the game.
 
  If --logmode=TEST is set, a log message is printed if QUIT occurs.
 
 
 
- Some minor optical and layout changes.
 
 
</pre>
 
</pre>
  
;Old change log:
+
&rarr; [http://mkw-ana.wiimm.de/changelog.html old logs]
<spoiler><pre>
 
mkw-ana v0.16 r1765 - 2014-01-18
 
 
 
- The tool accepts now the following dump formats:
 
    - PCAP v2.4: Big or little endian, micro- or nanoseconds format.
 
    - PCAP v2.4 modified: Like PCAP, but with an extended packet header.
 
    - PCAP-NG v1.0: Big or little endian. Only the `Enhanced Packet Block´ is
 
      supported to retrieve packets.
 
    - Optional bzip2 compression of all dump formats.
 
- Complete new handling of ARP, DNS and TCP packets. They will now be handled
 
  as records and are written to the output file, if option --write is set.
 
- New record types: ARP, DNS, TCP, QUERY, TPARAM, UPARAM.
 
- New global option: --wide[=width]: Usually hexdumps cover 16 bytes per
 
  line. If option --wide is set, 32 bytes per line are covered. Optional it
 
  is possible to enter a value.
 
- New keywords for option --log-mode:
 
    'QUERY'  : Dump database quers (DB,table,select,where).
 
    'REGION' : Dump region and world wide queries.
 
    'TCP'    : Shortcut for QUERY,REGION: Log all TCP related stuff.
 
- New options: Option --color forces colorized text (where supported).
 
  It is enabled by default for output to terminals. Option --no-color
 
  disables colorized text at all.
 
- New command: COLORS: Test colorized text by printing it in different modes
 
  (colors, bold, underline). Also test the options --color and --no-color.
 
- New command LIST: List all stage or record names.
 
- More options to filter packets for dumps: --and, --receive-mac (--rmac),
 
  --send-mac (--smac) and --transfer-mac (--tmac).
 
- New options to control MAC printing in dumps: --show-mac and --hide-mac.
 
- The new options --real-time-factor (--rtf) and --real-time-wait (--rtw)
 
  help to analyze old dumps in real time, time-laps or slow-motion.
 
 
 
mkw-ana v0.15 r1703 - 2014-01-04
 
 
 
- Cup index is now read from BMG.
 
- Update of BMG files.
 
- New option --log-mode=list (or short --lmd=list): Define, which elements
 
  are included into the log file or output. Allowed keywords are: STATUS,
 
  SELECT, DRIVER, RACE, EVENT, TOTAL, CHEATS, NONE and ALL (default).
 
  
mkw-ana v0.14 r1688 - 2013-10-19
 
 
- New option: --ct-code[=mode]: Enables or disables CT-CODE support (more
 
  than 32 tracks). Allowed keywords are DISABLED, AUTO (default), ENABLED.
 
  Without parameter, CT-CODE support is enabled.
 
 
mkw-ana v0.13 r1683 - 2013-09-07
 
 
- Improved built-in help system. Type "mkw-ana help help" for details.
 
- New option --ana=file: Opens a output file to store analysis data.
 
- New option: --ana-mode=list (short: --amd=list):
 
  Print only the specified events to the analysis file.
 
- New options --hms and --hms-info to print relative timestamps in HH:MM:SS.
 
</pre></spoiler>
 
 
=== Built-in Help ===
 
 
Let's start with the built-in help as an overview about the tool:
 
 
<spoiler><pre>
 
 
mkw-ana v0.18/x86_64 r1836 -- Dirk Clemens -- 2014-03-24
 
--------------------------------------------------------
 
 
mkw-ana : Analyze network dumps (created by tcpdump) and print summaries.
 
 
Syntax: mkw-ana [option]... command [option|parameter|file]...
 
 
 
Commands:
 
 
  VERSION          : Print program name and version and exit.
 
  HELP        | H  : Print help for commands and options.
 
  ARGTEST          : This debug command accepts all kinds of parameters and
 
                      prints one line for each parameter or option.
 
  TEST              : Test options: All options are allowed, some are printed.
 
  COLORS            : Ignore all parameters and print clored text as test.
 
  ERROR      | ERR : Translate exit codes to message names. If no exit code is
 
                      entered, print a table with all error messages.
 
  LIST              : List the keywords of a class. Allowed classes are:
 
                      STAGES, RECORDS and ALL.
 
  FRIENDCODES | FC  : Calculate friend codes and player ids. For each scanned
 
                      parameter a line with a decimal friend code, a
 
                      hexadecimal friend code, a decimal player ID and a game
 
                      ID is printed. Various formats are accepted for input.
 
 
  DUMP0      | D0  : Print a raw dump of all packets. This dump can be used
 
                      for all network dumps, not only for MKWii.
 
  DUMP1      | D1  : Packet based hex dumper.
 
  DUMP2      | D2  : First record based hex dumper.
 
  DUMP3      | D3  : New and improved variant of DUMP2 (record based).
 
  DUMP        | D  : Use the best/latest dumping mode (depends on options). At
 
                      the moment DUMP is an alias for DUMP3.
 
 
  FLOWRATES  | F  : Print flowrates of the data traffic. This command can be
 
                      used for all network dumps, not only for MKWii.
 
  DNS              : Print DNS and optional ARP packets in human readable
 
                      format. This command can be used for all network dumps,
 
                      not only for MKWii.
 
 
  SILENT      | SIL : Iterate and analyse the source files, but print nothing.
 
  ANALYZE    | ANA : Analyze the dump files for special information and print
 
                      it a machine readable list, one line per record.
 
                      Parameter MODELIST is a comma separated list of keywords.
 
                      Each keyword enables one kind of analysis:
 
                      * PARAM-NAMES: Print names of STRING-PARAM records, one
 
                      line for each LIST.
 
                      * NICKS: Collect data about user and their nicks and
 
                      friend lists.
 
                      * ALL: All of above.
 
  SERVERS    | SER : Print statistics about all servers.
 
  CLIENTS    | CLI : Print statistics about all clients.
 
  USERS      | U  : Print statistics about all users.
 
  RECORDS    | R  : Print all record names.
 
  COUNT      | CNT : Count the record types.
 
  STAGES      | S  : Print all stages.
 
  LOG        | L  : Print all stages including tables.
 
  TRACKS            : Print all track selections.
 
  TOTALS      | T  : Print all totals as text dump.
 
 
  RACE              : Live race table of all players. The screen is updated
 
                      every 0.5 seconds.
 
 
Type 'mkw-ana HELP command' to get command specific help.
 
 
Global options:
 
 
  -V --version      Stop parsing the command line, print a version info and
 
                    exit.
 
  -h --help          Print help and exit. If the first non option is a valid
 
                    command name, then a help for the given command is
 
                    printed.
 
    --xhelp        Stop parsing the command line and print a help message
 
                    with all commands included. Exit after printing.
 
    --width width  Define the width (number of columns) for help and some
 
                    other messages and disable the automatic detection of the
 
                    terminal width.
 
  -q --quiet        Be quiet and print only error messages. All previous
 
                    --verbose are canceled. Multiple usage is possible. The
 
                    impact is command dependent.
 
  -v --verbose      Be verbose and print more progress information. All
 
                    previous --quiet are canceled. Multiple usage is possible.
 
                    The impact is command dependent.
 
  -A --allow-all    Usually commands accept only options with impact to the
 
                    command. All other options fire a syntax error. But if
 
                    --allow-all is set, all commands accept all options.
 
                      This makes changing the command of a long command line
 
                    without removing useless options easier. It also helps to
 
                    override wrong option permissions.
 
    --de            Use german names.
 
    --ct-code [=mode]
 
                    Define the CT-CODE support modus. Allowed keywords are
 
                    DISABLED, AUTO (default) and ENABLED. Without parameter,
 
                    CT-CODE support is enabled.
 
    --color        Force colorized text. This is the default, if an output
 
                    file is a terminal.
 
    --no-color      Deactive colorized text. This is the default, if an output
 
                    file is not a terminal.
 
    --old          Use old implementation if available. All previous --new
 
                    are canceled.
 
    --new          Use new implementation if available. All previous --old
 
                    are canceled.
 
 
    --bmg file      Read a BMG text file to scan online chat messages and
 
                    track, driver and vehicle names. Disable auto load of BMG
 
                    files. Multiple usage is possible.
 
    --team file    Read a text file for team assignments and disable auto
 
                    load of team files. Multiple usage is possible.
 
    --origin x,y,z  Define an alternative origin for positions.
 
    --rel          Print timestamps as seconds relative to the beginning.
 
                    Dependent of option --long the formats are: 'SSSSS',
 
                    'SSSSS.s' or 'SSSSS.sss'
 
    --rel-info      Like --rel, but reset the origin whenever a reference time
 
                    is defined in the info file.
 
    --hms          Enable relative time stamps Like --rel, but print them in
 
                    HH:MM:SS instead in seconds only.
 
    --hms-info      Short cut for '--rel-info --hms'.
 
  -w --wide [=width] Usually hexdumps covers 16 bytes per line. If --wide is
 
                    set, 32 bytes per line are covered. Optional it is
 
                    possible to enter a value. This option is ignored if using
 
                    --one-line or --sep-lines.
 
  -a --ascii        Append an ASCII character dump behind the hexdump. This
 
                    option is ignored if using --one-line or --sep-lines.
 
    --ana file      Open a log file and dump text lines for further analysis.
 
                    The first word of each line classified the output type. If
 
                    first character of 'file' is a '+', append data to an
 
                    already existent file. If the filename is only '-', then
 
                    dump to stdout.
 
    --ana-mode list Print only the specified events to the analysis file.
 
                    --amd is a short cut. A comma separated list of keywords
 
                    is expected: CHEATS=IT-CHEATS, XCHEATS=CHEATS,IT-XCHEATS,
 
                    ITEM, EV-DLEN, EV-ALL-DLEN, EV-NAME. Also available:
 
                    CLEAR, DEFAULT and ALL. If flag SINGLE is set, repeat
 
                    count support is disabled. If flag FLUSH is set, the
 
                    output is flushed for each line.
 
 
Command specific options with common description:
 
 
 
    --adjust float  Adjust time stamps of the network dump by adding 'float'
 
                    seconds. This may help to synchronize different dumps.
 
    --skip float    Skip first 'float' seconds of each read network dump.
 
                    Negative values are relative to the end (or ignored for
 
                    pipes).
 
    --term float    Terminate each dump at 'float' seconds. Negative values
 
                    are relative to the end (or ignored for pipes).
 
    --combine      Logical combine network dumps to one single dump before
 
                    executing options --skip and --term.
 
    --checksum      Normally, UDP packets with wrong checksums are dropped. If
 
                    --checksum is set, the checksums are calculated, but no
 
                    packet is dropped. Some dumps will print a status info. If
 
                    set twice, checksums are never calculated and assumed to
 
                    be correct. --csum is a short cut.
 
  -f --follow        Don't close the last input dump on reaching end of file.
 
                    Instead wait for appended data. This works like the unix
 
                    tool 'tail -f'.
 
    --ip addr[:port]
 
                    Define an address (IP or DNS name) and optional a port for
 
                    filtering. Only packets from or to this host are accepted,
 
                    all others are ignored.
 
    --home addr    Define an address (IP or DNS name) as home client.
 
                      Without this options, the tool tries to determine the
 
                    home client by analysing sender and receiver of the first
 
                    non filtered packet. A local network (10/8, 172.16/12,
 
                    192.168/16, 169.254/16) has priority over a non local
 
                    network. If sender and receiver have the same priority,
 
                    the IP of the sender is used.
 
    --wii addr[:port]
 
                    Define an address (IP or DNS name) and optional a port as
 
                    home client and for filtering. This options is a shortcut
 
                    for '--home addr --ip addr:port'.
 
    --write file    Write filtered network packets as PCAP v2.4 to 'file' with
 
                    local endian and microseconds format.
 
    --real-time-factor factor
 
                    If set (>0.0), the time differences of the packet time is
 
                    compared with the real time difference. If a packet will
 
                    be served to early, the tool sleeps a while.
 
                      Value 1.0 force a real time dump. Values >1.0 force a
 
                    time-laps effect and values <1.0 a slow-motion effect.
 
                    --rtf is a short cut.
 
                      The intention of this option is to simulate a regular
 
                    input stream on already dumped and stored data in real
 
                    time. Use this option never for live incoming data,
 
                    because packets may be lost.
 
    --real-time-wait seconds
 
                    If set (>0.0) and the real time option --real-time-factor
 
                    is enabled, it defines the maximum real time between 2
 
                    packets. The default is 5 seconds. --rtw is a short cut.
 
 
  -p --no-proxy      Don't dump proxy packets (packets, which contains a PROXY
 
                    record).
 
    --and          If one or more filters are enabled by --receive, --send,
 
                    --receive-mac, --send-mac, --receive-ip or --send-ip, then
 
                    a packet or record is only dumped, if it match to at least
 
                    one of the enabled filters.
 
                      But if --and is set, a packet must match *all* enabled
 
                    filters.
 
  -r --receive      Dump only network packets received by the home client
 
                    (option --home). For combinations with other packet
 
                    filters see option --and.
 
  -s --send          Dump only network packets send by the home client (option
 
                    --home). For combinations with other packet filters see
 
                    option --and.
 
    --receive-mac addr
 
                    Dump only network packets received by the entered MAC
 
                    address. --rmac is a short cut for --receive-mac. For
 
                    combinations with other packet filters see option --and.
 
    --send-mac addr Dump only network packets send by the entered MAC address.
 
                    --smac is a short cut for --send-mac. For combinations
 
                    with other packet filters see option --and.
 
    --transfer-mac addr
 
                    Dump only network packets receiced or send by the entered
 
                    MAC address. --tmac is a short cut for --transfer-mac and
 
                    both are short cuts for '--rmac addr --smac addr'.
 
    --receive-ip addr
 
                    Dump only network packets received by the entered address
 
                    (IP or DNS name). --rip is a short cut for --receive-ip.
 
                    For combinations with other packet filters see option
 
                    --and.
 
    --send-ip addr  Dump only network packets send by the entered address (IP
 
                    or DNS name). --sip is a short cut for --send-ip. For
 
                    combinations with other packet filters see option --and.
 
    --transfer-ip addr
 
                    Dump only network packets receiced or send by the entered
 
                    address. --tip is a short cut for --transfer-ip and both
 
                    are short cuts for '--rip addr --sip addr'.
 
  -L --length ranges Dump only UDP packets with specified UDP data length. The
 
                    8 bytes long UDP header does not count.
 
                      The parameter is a comma separated list of INDEX,
 
                    INDEX1:, INDEX1:INDEX2 and INDEX#LENGTH elements.
 
  -S --stage list    Dump UDP packets only, if one of the entered stages is
 
                    active.
 
                      The parameter is a comma separated list of stage names,
 
                    optional preceeded by '+' (enable) or '.' (disable). Type
 
                    'mkw-ana test' for a list of stages or use the dumps to
 
                    identify stage names.
 
    --xevent        Support the XEVENT record type. It is an overlay over the
 
                    ITEM and EVENT records. --xeve is a shortcut. The option
 
                    is automatically set, if --type or --TYPE call the XEVENT
 
                    record.
 
  -t --type list    Dump UDP packets only, if at least one record of the
 
                    packet match the entered record list.
 
                      The parameter is a comma separated list of record names,
 
                    optional preceeded by '+' (enable) or '.' (disable). Type
 
                    'mkw-ana test' for a list of records or use the dumps to
 
                    identify record names.
 
  -T --TYPE list    Same as --type except for command DUMP3.
 
 
  -b --brief        If set once, the header (timestamp and client info) of
 
                    single line dumps becomes smaller. If set twice, timestamp
 
                    and client info are not printed. All previous --long are
 
                    canceled.
 
  -l --long          This option is relevant for single line dumps. Usually the
 
                    time format is printed as 'MM:SS.s' to keep the lines
 
                    small. If set once, 'HH:MM:SS.s' is used. If set twice,
 
                    'HH:MM:SS.sss' is used. All previous --brief are canceled.
 
    --list          Print a list of events instead of a summary.
 
  -1 --one-line      Print the hexdumps as one line for each record. This makes
 
                    the dumps horizontal very large, but it is good for
 
                    comparing objects of the same type. Very helpful is to
 
                    pipe the output to 'less -S', which supports horizontal
 
                    scrolling.
 
                      If set twice, some record types are not split into sub
 
                    records.
 
  -2 --sep-lines    Dump one line per record (like option --one-line) and an
 
                    empty line between packets.
 
    --show-mac      Show the MAC addresses of packets in some dumps. This is
 
                    enabled by default, if at least one MAC packet filter
 
                    (--receive-mac or {--send-mac) is enabled.
 
    --hide-mac      Hide the MAC addresses of packets in all dumps. This is
 
                    the default, if no MAC packet filter is enabled.
 
  -n --native        If set, some known values are printed in native format
 
                    instead as simple hex number. If set twice, some other
 
                    values, that will destroy the column layout of the
 
                    hexdump, will printed in native format too.
 
  -x --hex          Some records are printed as hex and string combination by
 
                    default. If --hex is set, then print the3se records as hex
 
                    dumps.
 
  -d --delta        If set, record data is compared with the data of the
 
                    previous record of same type and client. If a nibble (4
 
                    bits) is unchanged, a '-' is printed intead of a hex
 
                    digit.
 
  -I --index ranges  Dump only bytes with an index selected by the range list.
 
                    This make the hex dump smaller especially for one-line
 
                    dumps.
 
                      The parameter is a comma separated list of INDEX,
 
                    INDEX1:, INDEX1:INDEX2 and INDEX#LENGTH elements.
 
  -P --print list    Print only the specified columns of the output table. A
 
                    comma separated list of keywords is expected: RANK,
 
                    XTIME=TIME+DELAY+LAST, POS=X-POS+Y-POS+Z-POS, DIR,
 
                    SPEED=3D-SPEED,H-SPEED, STATUS, DRIFT=D-COUNT+D-CHEAT,
 
                    XDRIFT=DRIFT+D-MINTIME, ITEM=I-CHEAT+I-COUNT+I-SUMMARY,
 
                    CHEAT=D-CHEAT,I-CHEAT, FC, WHO=MINI-FC+NAME. Also
 
                    available: NONE, MIN, DEFAULT, MAX, ALL.
 
 
    --min-race num  This is a statistic option: If a Grand Prix (single or
 
                    team) is aborted, the results of the Grand Prix are only
 
                    used in the statistics, if NUM races has been completed.
 
                    The default is 2 and possible values are 0..4.
 
    --drift        Print drift statistics during logging.
 
 
    --log file      Log into the file using the same output as command LOG. If
 
                    first character of 'file' is a '+', append data to an
 
                    already existent file. If the filename is only '-', then
 
                    log to stdout.
 
    --log-mode list Define, which elements are included into the log file (see
 
                    --log). --lmd is a short cut. A comma separated list of
 
                    keywords is expected: STATUS, SELECT, DRIVER, RACE, EVENT,
 
                    TOTAL, CHEATS, TCP, QUERY, REGION, DEFAULT, XTCP, NONE and
 
                    ALL.
 
    --md file      Create a MakeDoc script with results after each race.
 
    --mdx file      Create a MakeDoc script with results after each race. Same
 
                    as --md, but replace %E, %R, %N and %T in the filename by
 
                    'event id', 'race id', 'total race' and 'event type' to
 
                    create different files.
 
    --php file      Create a php script with results after each race.
 
    --phpx file    Create a php script with results after each race. Same as
 
                    --php, but replace %E, %R, %N and %T in the filename by
 
                    'event id', 'race id', 'total race' and 'event type' to
 
                    create different files.
 
    --sleep float  Sleep 'float' seconds after a race has finished. This
 
                    option slows down a simulation run direct after logging
 
                    and printing the race statistics. Start with values of the
 
                    range from 3 to 15 seconds.
 
 
    --mii dir      Extract Miis to the already existing directory 'dir'.
 
                    Existing Mii files will be overwritten.
 
    --gid game_id  Define the game ID for friend code calculations. Up to 4
 
                    characters of the parameter replace the default value RMCJ
 
                    (Mario Kart Wii).
 
 
</pre></spoiler>
 
  
 
=== General Description ===
 
=== General Description ===
Line 487: Line 115:
 
The tool started as simple hex dumper reading network dumps in PCAP format. In the first phase of the tool, the textual dumps of ''wireshark'' and ''tcpdump'' were much better. But after only a few days, the tool learned to handle records, clients, users, friend codes and Miis. From this moment the tool was better to analyze the [[Mario Kart Wii]] traffic.
 
The tool started as simple hex dumper reading network dumps in PCAP format. In the first phase of the tool, the textual dumps of ''wireshark'' and ''tcpdump'' were much better. But after only a few days, the tool learned to handle records, clients, users, friend codes and Miis. From this moment the tool was better to analyze the [[Mario Kart Wii]] traffic.
  
Now, mkw-ana split the traffic into records and scans some data to detect stages of the online meeting. Stages are for example ''room'', ''prepare race'', ''count down'', ''racing'' and ''end of race''. It is able to separate races into events (''grand prix'' and ''team rand prix'') and to calculate racing tables. Racing data can also be exported to support live statistics.
+
Now, mkw-ana split the traffic into records and scans some data to detect stages of the online meetings. Stages are for example ''room'', ''prepare race'', ''count down'', ''racing'' and ''end of race''. It is able to separate races into events (''grand prix'' and ''team grand prix'') and to calculate racing tables. Racing data can also be exported to support live statistics.
 
 
At the moment there are three different kinds of hexdumps. All 3 are able to dump in one line mode to have large tables. Tool ''less'' is here a very good tool for vertical and horizontal scrolling. The stages are includes into the dump as comment lines. The dumped records can be filters by sending, receiving, proxy, record types, stage types and packet length. It is also possible to select the dumped bytes by indices and ranges.
 
  
=== Include logs into output ===
+
At the moment there are four different kinds of hexdumps. All 4 are able to dump in one line mode to have large tables. Tool ''less'' is here a very good tool for vertical and horizontal scrolling. The stages are includes into the dump as comment lines. The dumped records can be filters by sending, receiving, proxy, record types, stage types and packet length. It is also possible to select the dumped bytes by indices and ranges.
 
 
Another feature is, that ''mkw-ana'' can read comment files. If making videos of the dumped meetings, you can write such comment file. Each line starts with a timestamp followed by a comment. VirtualDub<ref>Wikipedia: [http://en.wikipedia.org/wiki/VirtualDub VirtualDub], a free video utility.</ref> is a good tool for this job. Then you must synchronize the comment file with the network dump. The start of the first game ("GO" in the video) is a very good point for synchronization. Here is an example of a comment file (in german):
 
<pre>
 
# All lines beginning with an '#' are comments and ignored.
 
  
# Sync:      timestamp of dump - timestamp of video
+
With beginning of version 1.02, [[Wiimm]] used the knowledge of the [[Wiimmfi]] development to re-implement record and stage detection. For example: If you enter a game in visitor modus, then mkw-ana shows racing data before you can see anything of the race on the screen.
> 2014-03-07 18:33:31.583 +0100 - 0:08:09.667
 
  
0:00:00.000  Video Start
+
Since version 1.06, mkw-ana has a built-in backend server. The user can login with any telnet client and can e.g. reconfigure the table layout or request tables of old races or control the autoban system.
0:00:54.600  Enter WFC first time
 
...
 
0:08:09.667  GO!  GP 1.1
 
</pre>
 
'''Notes:'''
 
* The first line is the real time of the start of the race minus the video time stamp. This is the synchronisation. An synchronisation can be done multiple times.
 
* The lines with the video timestamp and comment follow.
 
* The name of the comment file must be the same as the network dump, but it must have the extension ".info" instead of ".eth".
 
* Here you can find example dumps and log files: http://download.wiimm.de/mkw-ana/dumps/
 
  
 
=== Download ===
 
=== Download ===
Line 542: Line 154:
  
 
If using wireshark, save the dump to a file and use the following command for a live analysis:
 
If using wireshark, save the dump to a file and use the following command for a live analysis:
  mkw-ana --follow DUMPFILE ...
+
  mkw-ana COMMAND --follow DUMPFILE ...
 +
DUMPFILE can not only be a standard file, it can also be a socket or a ZCP7IP connection.
  
 
See »[[Dumping Network Traffic]]« more more details.
 
See »[[Dumping Network Traffic]]« more more details.
Line 566: Line 179:
 
** ''mkw-ana'' detects a BZIP2 compression automatically. It is supported for all other dump file formats.
 
** ''mkw-ana'' detects a BZIP2 compression automatically. It is supported for all other dump file formats.
  
''mkw-ana'' accpets any list of dump files. The file format is detected for each single input file, so mixed formats are possible. The special file name »-« (minus sign) means: Don't open the file and and read the standard input (stdin) instead. So one of the input files can be read via pipe.
+
''mkw-ana'' accepts any list of dump files. The file format is detected for each single input file, so mixed formats are possible. The special file name »-« (minus sign) means: Don't open the file and and read the standard input (stdin) instead. So one of the input files can be read via pipe.
  
 
== Live Statistics ==
 
== Live Statistics ==
  
'''mkw-ana''' can scan the network traffic in real time and can produce ''makedoc'' or ''php'' data files. Together with '''ssh''' and an '''cgi script''', a [http://wiimm.de/mkw-race live statistic] is created. Live means that the tables are updates 2-5 seconds after the race have finished.
+
'''mkw-ana''' can scan the network traffic in real time print a complete race statistics and more at the text screen. Moreover it can create ''makedoc'' or ''php'' data files after each race to create.
  
=== How it works ===
 
 
The whole job is done by 3 processes:
 
<ol>
 
<li>
 
 
First, you must capture the network traffic like described above. Then use one of the commands:
 
First, you must capture the network traffic like described above. Then use one of the commands:
 
<pre>
 
<pre>
... | mkw-ana log --md  DATAFILE
+
... | mkw-ana race
... | mkw-ana log --php DATAFILE
+
mkw-ana race --follow DUMPFILE
mkw-ana --follow DUMPFILE log --md  DATAFILE
+
</pre> With this command you'll see information about selected the track, entering the room and a live game statistics. Important infos about cheats and glitches are added if detected.
mkw-ana --follow DUMPFILE log --php DATAFILE
 
</pre>
 
 
 
<li>
 
Each time, a new DATAFILE is written, it must be transferred to the web server. A script using '''ssh''', '''sftp''' '''scp''' or '''ftp''' within an endless loop will do this job automatically.
 
 
 
<li>
 
Last not least, a CGI or PHP script running at the web server must read the data files to serve a html-page to the visitors.
 
</ol>
 
 
 
To see, what live means, visit the [http://wiimm.de/mkw-race live statistics] on Wednesday or Thursday between 19:10 and 20:30 CET (Central European Time).
 
  
 
== Links ==
 
== Links ==
  
 
* [[MKWii Network Protocol]]
 
* [[MKWii Network Protocol]]
* [http://www.mariokartwii.com/f101/mkw-ana-mario-kart-wii-network-protocol-109421.html Discussion at mariokartwii.com]
 
 
* [http://forum.wii-homebrew.com/board42-kreativitaet/development/47289-wiimms-mkw-ana-tool/ Discussion at Wii-Homebrew.com] (german forum)
 
* [http://forum.wii-homebrew.com/board42-kreativitaet/development/47289-wiimms-mkw-ana-tool/ Discussion at Wii-Homebrew.com] (german forum)
  
Line 605: Line 201:
 
<br/>
 
<br/>
 
{{MKWii Network Protocol}}
 
{{MKWii Network Protocol}}
[[Category:Software]]
+
[[Category:Software|M]]
[[category:Network Protocol]]
+
[[category:Network Protocol|M]]

Revision as of 10:38, 30 March 2021

Wiimms mkw-ana
Wiimms SZS Tools Logo.png
Author: Wiimm
Operating Systems: Linux (i386,x86_64),
Windows (Cygwin).
Software Type: Mario Kart Wii network traffic analyzer
File Formats: PCAP 2.4, PCAP 2.4.modified, PCAP-NG, bzip2 compression, BMG (text).
Current Version: v1.15, 2017-08-21
Homepage: mkw-ana.wiimm.de
Download: download.wiimm.de

mkw-ana is a tool by Wiimm to analyze the network protocol of Mario Kart Wii. It can also print infos about current races and detect the usage of different cheats and used glitches.



Intention

In November 2012, Wiimm decided to analyze the network protocol of Mario Kart Wii. The main goal was to discover online cheaters. Another goal was to set up his own server if Nintendo ever shut down its servers, which eventually happened on May 20th, 2014.

The main feature is to dump the packets of a tcpdump (done by tcpdump or wireshark) in a user-friendly format. After first experiments, it also became a live racing statistic tool.

The Tool

Based on new knowledge made with Wiimmfi development, Wiimm has restructured mkw-ana. The important changes since v1.02 are:

  • New record analysis.
  • Improved detection of race type (racing, balloon, coin, team, global, private room) and race stages.
  • Improved detection of current active players.
  • Improved hex dumps.
  • Complete new RACE command:
    • It shows battles and normal races.
    • It shows the in-game players while in VIEW mode.
    • Log messages are printed in an own scroll region.
    • special tables that shows client and racing slot usage.
  • Friend code calculation by Wii or by NDS mode.
    • Support of an internal database to find the correct friend code calculation. This database can be modified by external files.
  • Support of an internal secret database. It is needed to decode MS answers. This database can be modified by external files.
  • User defined race and statistics tables. The columns can be enabled and ordered by the new option --table. Alternatively the table definitions can be exported by 'mkw-ana tables, edited and then read by option --tfile.
  • Configurable tables: Columns can be selected and ordered by options or definiton files.
  • A backend server:
    • The backend server is enabled by option --cmd <ADDRESS>:<PORT> or --cmd unix:<FILE>.
    • The number of backend clients is not limited.
    • The backend server work either in a simple stream modus (use e.g. ncat or netcat for it) or in interactive modus using telnet negotiations.
    • The server has an built-in help. Just type "HELP".

With v1.07, mkw-ana can send ban jobs to Wiimmfi if a not allowed cheat is detected and the user have the rights to ban.

  • Using of 19 different glitches is checked. Some of them may trigger an autnoatic ban.
  • Many item cheats are detected. Because of to less packets false positives are possible. But if really an item cheat is used, the item cheat counter goes >4 in a race.
  • Instant drift is detected. A relative rate is used as trigger to avoid false positives.
  • Moving around before race start is detected.
  • Enabling an item before race start is detected.
  • Manipulation of finish time is detected.

With v1.13, the GPCM server send extra message to inform the cleint about room players and their status. mkw-ana extract these infos and creates a room table. But the new room status is not used at the frontend yet and only available at by beackend comamnd »WIIMMFI«. Try »WATCH WIIMMFI«.

Change log

mkw-ana v1.15 r2787 - 2017-08-21

 - Backend command »WIIMMFI« improved. Try »WATCH WIIMMFI«.

 - \wiimmfi\: New data about inactive clients scanned and used.

 - New frontend command: BACKEND:
   The frontend works like an interactive backend connection. (EXPERIMENTAL)

 - Different minor updates.

 - Windows only: Cygwin update to v2.8.1, 2017-07-03.


mkw-ana v1.14 r2631 - 2016-12-08

 - Detection of GPCM \wiimmfi\...\final\ packets.
    - The statistics table is only available at the backend yet.
    - Update of peer-connection flags.

 - Bug fix: Command FLOWRATES failed sometimes.

 - Bug fix: Better detection of invalid STATUS packages. A warning is printed.

 - New option: --warn-mode=LIST: Define, which warnings are enabled:
    - LENGTH  :  Racing records with wrong length.
    - XLENGTH :  Like RACE but be more verbose.
    - STATUS  :  Invalid STATUS records.
    - EVENT   :  Unknown event found.
    - DEFAULT := LENGTH | XLENGTH | STATUS
    - ALL and NONE are also possible.

 - Command SILENT is now silent again. It also disables all warnings.

old logs


General Description

The tool started as simple hex dumper reading network dumps in PCAP format. In the first phase of the tool, the textual dumps of wireshark and tcpdump were much better. But after only a few days, the tool learned to handle records, clients, users, friend codes and Miis. From this moment the tool was better to analyze the Mario Kart Wii traffic.

Now, mkw-ana split the traffic into records and scans some data to detect stages of the online meetings. Stages are for example room, prepare race, count down, racing and end of race. It is able to separate races into events (grand prix and team grand prix) and to calculate racing tables. Racing data can also be exported to support live statistics.

At the moment there are four different kinds of hexdumps. All 4 are able to dump in one line mode to have large tables. Tool less is here a very good tool for vertical and horizontal scrolling. The stages are includes into the dump as comment lines. The dumped records can be filters by sending, receiving, proxy, record types, stage types and packet length. It is also possible to select the dumped bytes by indices and ranges.

With beginning of version 1.02, Wiimm used the knowledge of the Wiimmfi development to re-implement record and stage detection. For example: If you enter a game in visitor modus, then mkw-ana shows racing data before you can see anything of the race on the screen.

Since version 1.06, mkw-ana has a built-in backend server. The user can login with any telnet client and can e.g. reconfigure the table layout or request tables of old races or control the autoban system.

Download

You can find the latest and some old distributions here
Content
  • Binaries for:
    • Linux i386
    • Linux x86_64
    • Cygwin/Windows (Needed Cygwin[1] DLL files are delivered. Best is to install a Cygwin system).
  • Some scripts as examples.
  • Some BMG text examples.
  • Some doc files.
Sometimes I upload single tool updates (beta versions) for testers

Capture the network data

First you must capture the network traffic of the Wii. Therefore you must redirect it to a PC running a capture software. There are 3 general ways to to this:

  • If you have a manageable switch, enable port mirroring and send all Wii traffic to a PC.
  • Use your PC as router.
  • Use old network hubs (not switches). A hub will mirror all traffic of all ports to all others; it's just a multi port repeater and will slow down your network.

Use a software like tcpdump or wireshark to capture the data. Best is to save the captured data directly to a file or to send it to other commands like mkw-ana for a live analysis.

It's also possible to save the data to a file and to make a live analysis at the same time. Use the following command pipe: 

tcpdump -w- -U -i eth1 host wii | tee save.dump | mkw-ana ...

It is important to filter the data by host ip_or_name, because foreign traffic interfere the wii traffic analysis and will have curious side effects.

If using wireshark, save the dump to a file and use the following command for a live analysis: 

mkw-ana COMMAND --follow DUMPFILE ...

DUMPFILE can not only be a standard file, it can also be a socket or a ZCP7IP connection.

See »Dumping Network Traffic« more more details.

Accepted file formats

mkw-ana accepts the following file formats for the network dumps:

  • PCAP 2.4 : Standard packet capturing file format[2].
    • Big and little endian are supported.
    • Timestamps in micro- and in nanoseconds are supported.
  • PCAP 2.4.modified : Like PCAP, but with an extend packet header. This format is used by several routers, AVM FRITZ!Box[3] is one example.
    • Big and little endian are supported.
    • Only microseconds timestamps are supported.
  • PCAP-NG 2.4.modified : A next generation (NG) PCAP format[4].
    • Big and little endian are supported.
    • Microseconds timestamps are assumed, other are not supported.
    • Only the Enhanced Packet Block[5] is supported to retrieve packets.
  • BZIP2 compression
    • mkw-ana detects a BZIP2 compression automatically. It is supported for all other dump file formats.

mkw-ana accepts any list of dump files. The file format is detected for each single input file, so mixed formats are possible. The special file name »-« (minus sign) means: Don't open the file and and read the standard input (stdin) instead. So one of the input files can be read via pipe.

Live Statistics

mkw-ana can scan the network traffic in real time print a complete race statistics and more at the text screen. Moreover it can create makedoc or php data files after each race to create.

First, you must capture the network traffic like described above. Then use one of the commands: 

... | mkw-ana race
mkw-ana race --follow DUMPFILE

With this command you'll see information about selected the track, entering the room and a live game statistics. Important infos about cheats and glitches are added if detected.

Links

References

  1. Cygwin, a Linux like environment for Windows.
  2. Wireshark: LIBPCAP file format
  3. AVM FRITZ!Box, a widely used router in Germany
  4. Wincap: The next generation PCAP file format
  5. Wincap: PCAP-NG, Enhanced Packet Block


Template:MKWii Network Protocol

Retrieved from "https://wiki.tockdom.com/w/index.php?title=Wiimms_mkw-ana_(tool)&oldid=257293"