I have a couple of UTP packets which I picked up using wireshark and I was wondering if you guys can tell me exactly how these packets correlate to the protocol.
This is what I found for the UTP header on the bittorrent.org web site
0       4       8               16              24              32
+-------+-------+---------------+---------------+---------------+
| ver   | type  | extension     | connection_id                 |
+-------+-------+---------------+---------------+---------------+
| timestamp_microseconds                                        |
+---------------+---------------+---------------+---------------+
| timestamp_difference_microseconds                             |
+---------------+---------------+---------------+---------------+
| wnd_size                                                      |
+---------------+---------------+---------------+---------------+
| seq_nr                        | ack_nr                        |
+---------------+---------------+---------------+---------------+
This is one of the UTP data packets. I thought that since it is an embedded protocol it would start in the data section, where it first says "d1:rd2". This is confusing me because I thought there was only one version of UTP, so the version number should be 1 and not 0xd, which is hex for 13.
I also noticed that the end of the data section is always similar to that of other packets as well, so is there some protocol at the end?
0000 00 19 d1 60 b4 77 00 0c f1 d0 c2 33 08 00 45 00 ...`.w.. ...3..E.
0010 01 42 00 00 40 00 2d 11 9c 0a 50 ca 9f 1e c0 a8 .B..@.-. ..P.....
0020 00 10 c0 0e 5b 26 01 2e a3 89 64 31 3a 72 64 32 ....[&.. ..d1:rd2
0030 3a 69 64 32 30 3a 00 9d 08 10 25 55 26 66 7b d9 :id20:.. ..%U&f{.
0040 74 65 20 71 41 c1 df 04 db 03 35 3a 6e 6f 64 65 te qA... ..5:node
0050 73 32 30 38 3a 3d c2 e5 59 91 a3 f0 6f ec f5 0b s208:=.. Y...o...
0060 26 f3 9d 1e 15 f0 8e d7 81 4f 6d 21 06 3e 0f 39 &....... .Om!.>.9
0070 29 95 c8 39 7e d3 95 7e ea 1d 4a e4 67 d6 d1 7c )..9~..~ ..J.g..|
0080 56 2b ae 7c da cf 94 1d 9b 34 89 3e 37 71 00 90 V+.|.... .4.>7q..
0090 56 15 55 0a ba b1 67 60 59 36 f7 9d 1d 4d e3 24 V.U...g` Y6...M.$
00a0 90 8d 30 2d 60 06 da ea b0 2a ef c1 b3 fc 9f 73 ..0-`... .*.....s
00b0 af bb a9 61 e9 a9 7d c8 96 1c 21 ce 53 2e b6 20 ...a..}. ..!.S..
00c0 0c 39 94 d4 4f 9b 2e 03 0c c8 be 50 69 1c bc a6 .9..O... ...Pi...
00d0 bd 50 b9 80 a6 21 99 29 fd 69 9f fc 96 a4 19 4c .P...!.) .i.....L
00e0 af 7f 50 8e 78 c0 05 4e d7 fb 85 3c 2d 50 e7 c6 ..P.x..N ...<-P..
00f0 bc 27 47 be 07 91 71 49 84 fc cb a7 67 9c 4c 41 .'G...qI ....g.LA
0100 84 cb 76 e2 87 ce 2d a9 09 6c 1e 1d e0 b0 73 ec ..v...-. .l....s.
0110 fd 14 5e 0b 3d 5e 8a 0e b9 fb a3 10 5d cc c7 4f ..^.=^.. ....]..O
0120 a5 b9 2e 64 7e 35 3a 74 6f 6b 65 6e 38 3a 23 ce ...d~5:t oken8:#.
0130 2d 6f 8c b5 6f 73 65 31 3a 74 34 3a 39 01 00 00 -o..ose1 :t4:9...
0140 31 3a 76 34 3a 54 52 24 b3 31 3a 79 31 3a 72 65 1:v4:TR$ .1:y1:re
This is not µTP, it's DHT traffic, which is bencoded and starts at the "d1:rd2" and ends with the last "e". I would assume that you included the UDP headers?
You can find the specification here: http://bittorrent.org/beps/bep_0005.html
Az dev
Yea, this is the whole packet with the UDP header.
45 00
0010 00 86 49 61 00 00 80 11 07 d4 c0 a8 00 10 da 4b
0020 4e 2e
That's the extracted IP protocol.
Anyways, hash tables aren't my specialty, but looking at Wikipedia, are you saying that the UTP packet is in there, just scrambled through the hash table? What should I look for, and how do I get my hands on a UTP packet?
EDIT
Just to clarify,
All I want really is some example packets of UTP, all I have to do really is put the packet side by side with the protocol description and say this does this, XX is the version number which means blah, XX is the ___ and does __________ .
Last edited by DarkD (2009-11-28 22:00:33)
*sigh* Again, this is not a µTP packet. It's a packet which is part of the DHT network. Completely different purpose, completely different protocol. They only share the fact that they're running over UDP. That's all.
If you want some sample µTP packets, I suggest you just run Wireshark alongside µTorrent and run a popular torrent to increase the likelihood of such a connection being created. And maybe disabling DHT or putting it on another port will make things easier to distinguish for you.
Az dev
When I narrowed the transfer down to just between myself and one of the seeds, I found a second type of packet. What is bugging me is there isn't really a data section on this one.
00 0c f1 d0 c2 33 00 19 d1 60 b4 77 08 00 45 00
00 33 4b b3 00 00 80 11 a1 63 c0 a8 00 10 62 dc
2a 0f 5b 26 1a e1 00 1f 25 9c 17 d7 67 18 4b 10
80 9a 00 01 3a ba 01 0b 67 9b ab 00 01 00 06 6c
76
What bugs me about this one is there isn't much of a data section... 3 bytes in this packet... The connection id is the only thing which really makes sense in it to me...
Wait, are you saying that I haven't been getting a µTP packet yet? They are unlikely to appear or something like that?
Last edited by DarkD (2009-11-29 17:26:42)
I am saying that the packet which you provided in the initial post is not a µTP packet. Some other packets you have captured may have been µTP packets, but I obviously can't know that.
µTP is just a transport protocol, like TCP. So if you see regular bittorrent traffic (containing the "\19bittorrent protocol" header and everything) going over UDP then you possibly have a µTP connection there.
I think you can observe the following encapsulation and protocol combinations:
network layer -> IP -> TCP -> bittorrent
network layer -> IP -> TCP -> encryption handshake -> bittorrent (encrypted)
network layer -> IP -> UDP -> µTP -> bittorrent
network layer -> IP -> UDP -> µTP -> encryption handshake -> bittorrent (encrypted)
network layer -> IP -> UDP -> DHT
The packet you posted was of the last kind. It's auxiliary to bittorrent and unrelated to µTP.
Az dev
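As an added example (not code from this thread, nor from Vuze or µTorrent), here is a small Python classifier for the two points made above: that DHT traffic is bencoded, starting with "d" and closing with the final "e" (BEP 5), while µTP starts with the BEP 29 header quoted at the top of the thread, with plain BitTorrent possibly riding inside it ("IP -> UDP -> µTP -> bittorrent"). It strips Ethernet/IPv4/UDP headers from a raw frame and reports what the UDP payload carries. The frames, addresses and the DHT ping/µTP packets are constructed here, not the dumps posted in the thread.

```python
import struct

def bdecode(data, i=0):  # minimal bencode decoder (BEP 5); returns (value, next_index)
    c = data[i:i + 1]
    if c == b"i":                                    # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c in (b"l", b"d"):                            # list / dict, closed by 'e'
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            v, i = bdecode(data, i)
            items.append(v)
        if c == b"l":
            return items, i + 1
        return dict(zip(items[::2], items[1::2])), i + 1
    colon = data.index(b":", i)                      # byte string: <len>:<bytes>
    n = int(data[i:colon])
    return data[colon + 1:colon + 1 + n], colon + 1 + n

def udp_payload(frame):  # strip Ethernet (14), IPv4 (IHL*4) and UDP (8) headers
    ihl = (frame[14] & 0x0F) * 4
    udp_len = struct.unpack("!H", frame[14 + ihl + 4:14 + ihl + 6])[0]
    return frame[14 + ihl + 8:14 + ihl + udp_len]

def classify(payload):
    """Tell a bencoded DHT message (BEP 5) from a BEP 29 uTP header in one UDP payload."""
    if payload[:1] == b"d":                          # 'd' = 0x64: low nibble 4, never uTP v1
        try:
            msg, end = bdecode(payload)
        except (ValueError, IndexError):
            return {"proto": "unknown"}
        if isinstance(msg, dict) and b"y" in msg and end == len(payload):
            return {"proto": "DHT", "y": msg[b"y"].decode(), "q": msg.get(b"q", b"").decode()}
    if len(payload) >= 20 and payload[0] & 0x0F == 1:  # BEP 29: version 1 in the low nibble
        tv, ext, cid, _ts, _tsdiff, wnd, seq, ack = struct.unpack("!BBHIIIHH", payload[:20])
        return {"proto": "uTP", "type": tv >> 4, "extension": ext, "connection_id": cid,
                "wnd_size": wnd, "seq_nr": seq, "ack_nr": ack, "data_len": len(payload) - 20,
                "bt_handshake": payload[20:40] == b"\x13BitTorrent protocol"}
    return {"proto": "unknown"}

def frame_with(payload):  # constructed Ethernet/IPv4/UDP wrapper: fake addresses, zero checksums
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 17, 0,
                     bytes([192, 168, 0, 16]), bytes([10, 0, 0, 1]))
    udp = struct.pack("!HHHH", 6881, 6881, 8 + len(payload), 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + udp + payload

# Constructed samples: a DHT ping query, and a uTP ST_DATA (type 0) packet carrying a plain BitTorrent handshake.
DHT_PING = b"d1:ad2:id20:" + b"\x01" * 20 + b"e1:q4:ping1:t2:aa1:y1:qe"
UTP_DATA = struct.pack("!BBHIIIHH", 0x01, 0, 0x3ABA, 1000, 0, 1 << 20, 2, 1) + b"\x13BitTorrent protocol"
```

Running `classify(udp_payload(frame_with(DHT_PING)))` and the same for `UTP_DATA` shows the two cases side by side; the version-nibble check is the quick way to see why a payload starting with "d" (0x64) can never be a BEP 29 version 1 header.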
I get that, which is why I posted a different packet that had completely different characteristics. If I emailed you my pcap file, could you pull out a uTP packet?