Thread: Packet Sniffer - What is the big deal?

  1. #1
    Registered User
    Join Date
    Nov 2002
    Posts
    40

    Packet Sniffer - What is the big deal?

    I have been reading the threads about Packet Sniffers, Key Sniffers and detecting if SOE is watching those that use them.

    I used a few packet sniffers and port checkers to watch all the traffic coming into and leaving my network. Source Addresses, Destination Addresses as well as the code in the packets.

    I used "Ethereal for Windows". Then I decided I needed a good deal more filtering and firepower and found a HUGE PLETHORA of Linux code already out there that did the same thing.

    Logged Every Tidbit of information (even caught my son's PC going to porn sites). The bugger was smart and cleared his cache and cookies so I couldn't find it.

    What is all this about? Well.. I found that nothing out of the ordinary was leaving my machine when I played EQ. I watched the Sync Packets go across, and even though I am NOT A CODER ( shall probably have to repeat that again later) I am however an accomplished Network Developer.

    I can read SOME code, and understand a good bit of it. There IS a way to filter OUTBOUND traffic containing specific key generators that are transmitted through each packet.

    I did NOT find anything out of the ordinary in the data leaving my PC to my Game Server other than the Sync Packets. (For those not understanding the game engine dynamics, those are the packets that give your position information to the server so that everyone's position is correct; they are quite small.)

    * UNLESS * SOE was smart and put their "Imaginary So Far" key sniffer KEY SNIFFING into that Sync Packet, then I do not see how locating the KEY, closing down the Key sniffer and loading that Key into SEQ is going to get detected.

    My suggestion (as I am NOT A CODER) is to take a look at the data LEAVING your computers/networks and check the packets. Maybe one of you coding gurus can decipher something more.

    I know it's not much help for the current dilemma of Key Sniffer Detection, but it may help in some benign way.

    Thanks for at least listening.

    QuerySEQ
    Last edited by QuerySEQ; 11-06-2002 at 06:16 PM.

  2. #2
    Registered User
    Join Date
    Nov 2002
    Posts
    40
    Breaking down some packets, I found an interesting one that had an unknown protocol (at first).

    Later.. I see it again. I figured.. Hmm.. okay.. destination is SOE.. Maybe it's a rogue...... Nope.. Tore it up, the protocol is called "Gryphon". Not something I have a lot of knowledge on.

    It uses UDP, destination port 7000.... Great, what's that do? It looks like a Patch request.. AHH.. that came from the Patcher, looking to make sure the game had up to date files.... perhaps.

    Then WHAM.. the brick wall.
    From (sone.server.989studios.com) to (insert my IP here)

    Malformed Packet.
    Source PORT:2250
    Destination PORT:2897

    So.. it's a disassembled packet.... this alternates between my machine and eqzone servers..

    Checksum is 0x5bfc

    This is foreign territory, as the packets that were encrypted didn't originally show up at all.

    Am I making any sense? Probably not. But at least I am trying to see if they are "sniffing" ME, looking to see if I am sniffing them.

  3. #3
    Registered User
    Join Date
    Nov 2002
    Posts
    4
    I might be wrong but it sounds like you think the key sniffer is a network sniffer.. I think it's a memory sniffer.

    That is why Sony can see what we are doing.. we are latching onto their process etc.

  4. #4
    Registered User baelang's Avatar
    Join Date
    May 2002
    Posts
    252
    The key itself is encrypted via a PKI encryption system before it is sent across the network. This is why we need "keysniffer" utilities to run on the Windows box to acquire the unencrypted key from memory.

    ShowEQ itself does a very good job of sniffing network traffic and making sense of what it sees. That's pretty much all it does in fact.
    BaeLang
    ---
    "seek and ye shall find." <-- god's way of saying use the damn search button. (or grep)

  5. #5
    Registered User
    Join Date
    Oct 2002
    Posts
    16
    I'm going to dredge this up because I did kind of the same thing. I fired up Ethereal during the patch process and saw a protocol I know nothing about and couldn't find much info on.

    During the patch process, I saw a decent number of packets that Ethereal identified as DG Gryphon. Most of these read as invalid "unreassembled" packets for some reason. They used port 7000 just as stated above.

    A search on this brought up very little information other than hardware logic for reading interfacing with autos or some such.

    I'm going to re-install NAI's Sniffer and run it in expert mode to see if it has anything relating to the gryphon protocol.

    My question is, can anybody identify what this is and give me a source to read more info? I finally found a reference to DG Gryphon in the Ethereal documentation under display filters, but that's not much help. I'd really like to know why so many of those packets were identified as invalid.
    If you
    sit by a river long enough, the dead bodies of your enemies will float by you ...

  6. #6
    Registered User
    Join Date
    Dec 2001
    Posts
    247
    First understand that Ethereal's default mechanism for dissecting protocols is based largely on port numbers. You see port 7000; Ethereal sees this as a standard port for Gryphon. What you are looking at in reality is simple HTTP over a non-standard port. Tell Ethereal to reprocess that data as HTTP and you will get a nice protocol breakdown.

    This HTTP traffic to port 7000 is how the patch program works. Nothing funny going on with it.

    No comment on the rest of what you might be looking for. You weren't very clear, so not going to speculate.

    fee
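    An added example (not code from the thread or from Ethereal) showing why the port-based heuristic fee describes mislabels the patcher's traffic, and what a content-based check sees instead. The port table, host name and sample payloads are all constructed for the example.

```python
import re

# Constructed stand-in for Ethereal's port-to-dissector table; the real table
# is far larger and this mapping is an assumption made for the example.
PORT_DISSECTORS = {80: "http", 443: "tls", 7000: "gryphon"}

# Constructed sample payloads. The host name and path are placeholders, not
# the real patch server; the second payload is arbitrary binary data.
SAMPLE_PATCH_REQUEST = (
    b"GET /patch/filelist.txt HTTP/1.0\r\n"
    b"Host: patch.example.invalid\r\n"
    b"User-Agent: constructed-example\r\n"
    b"\r\n"
)
SAMPLE_BINARY = b"\x5b\xfc\x00\x10" + b"\x00" * 12

HTTP_REQUEST_LINE = re.compile(rb"^([A-Z]{3,7}) (\S+) HTTP/(\d\.\d)\r?\n")


def by_port(dst_port):
    """Port-number heuristic: whatever the table says, else 'unknown'."""
    return PORT_DISSECTORS.get(dst_port, "unknown")


def by_content(payload):
    """Content heuristic: decide from the first bytes, ignoring the port."""
    if payload.startswith(b"HTTP/") or HTTP_REQUEST_LINE.match(payload):
        return "http"
    return "unknown"


def classify(dst_port, payload):
    """Return (port_guess, content_guess, disagree) for one packet."""
    p, c = by_port(dst_port), by_content(payload)
    return p, c, p != c


def http_breakdown(payload):
    """The 'nice protocol breakdown': request line plus headers, or None."""
    m = HTTP_REQUEST_LINE.match(payload)
    if not m:
        return None
    head, _, _ = payload.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode()] = value.strip().decode()
    return {"method": m.group(1).decode(), "target": m.group(2).decode(),
            "version": m.group(3).decode(), "headers": headers}
```

    Where the two heuristics disagree is exactly the case the thread ran into: the port table says "gryphon", the bytes say HTTP, and only the content check produces a usable breakdown.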

  7. #7
    Registered User
    Join Date
    Oct 2002
    Posts
    16
    Thanks, fee. I thought it might be an ID mechanism within Ethereal, but wasn't sure.

    I'm just capturing traces of the EQ data stream and poking around, not looking for anything in particular. I'm trying to figure out how you guys do what you do so well.

    It's kind of a daunting task, but I'd like to understand more about how this all works. I've used sniffers for network troubleshooting, but it's been a while since I've worked on packet level decodes.
    If you
    sit by a river long enough, the dead bodies of your enemies will float by you ...

  8. #8
    Registered User
    Join Date
    Dec 2001
    Posts
    951
    The patch server is most definitely a plain old HTTP server running on port 7000. When I forgot to bring some EQ CDs into work to amuse myself while bored, I tried running the patch program to get 'em all.. it wouldn't get PoP and SoL... but it DID spit out a list of the files it would not download.... so I just searched and found the URL to each file, put it at the beginning of the name and put a .gz at the end. Then just "wget `cat filename.txt`" and I had all the files... gunzipped them all, then zipped it into one file and sent it along the way.

    Got 1 megabyte / sec from the patch server too, very nice :)
