View Full Version : "How To" capture announces with Wireshark. [Limited to Http trackers only]

04.08.17, 09:19
Hello sb-innovation members,
This tutorial will cover everything from capturing announces to viewing them with Wireshark. As you all must know, Wireshark can run on many of Operating Systems. So this guide can be beneficial to all.

Official Download Link: https://www.wireshark.org/download.html

Software(s) needed for this tutorial.
1) Notepad (To copy and save the data)
2) Torrent Client (A client which needs to be explored for many a reasons) [Vuze will be used in this case]
3) Wireshark (A network adapter sniffing tool)
4) Torrent File (Preferably with a http tracker) *No HTTPS Trackers or DDLs*

Now that we gotten our requirements straight, Let us get started!

1) Launch your Torrent Client and stop all torrent from running (i.e, Stop all torrent)
[Picture: 18110]

2) Start up Wireshark.

3) Fill in the filter with "http" or "http.request or http.response"

4) Click on Apply

5) Choose the "any" interface

6) Click on the start button.

7) Start one or more torrent.

8) Check Wireshark interface for captured announce.
[Picture: 18134]

9) Right click on the announce url and choose "Follow TCP Stream"
[Picture: 18135]

Now you can copy your data to a notepad and save it or save it as any other format via Wireshark.

Other Options to view package information

1) In case you only want to copy more than one announce to the clipboard, use the Copy option. i.e, after you find the Announce link having the HTTP protocol. Right click on the link->Copy->Bytes->Printable Text Only.
[Picture of the data copied to the clipboard-18136]

2) In case you want to view more than one announce, use the "Show Packet in New Window" Option. i.e., after you find the Announce link having the HTTP protocol. Right click on the link->Show Packet In New Window. This will open up the entire packet information covering:

1) Frame: Covers information regarding- interface id, encapsulation type, arrival time, package shift time, Epoch time, Time delta, frame number, frame length, captured length

2) Adapter Information (Usually Internet Connection 1,2,3....) (In my case it is Ethernet II): Covers information regarding- Local address, Source Address etc.

3) Interner Protocol Version 4: Covers information regarding- Version, length, Flags, Protocols.

4) Interner Protocol Version 6 (If IPv6 is used through on the Torrent Client.): Covers information regarding- Version, length, Flags, Protocols

4) Transmission Control Protocol (Source Port to Destination Port): Covers information regarding- Streams, Ports, Checksums, headers.

5) Hypertext Transfer Protocol: Covers information regarding- announce url, request method, request uri, request version, connection type, host, user agent.
[Picture - 18137

You can use also Wireshark, to capture HTTPS announce headers however, that requires adding the servers's SSL key, Ip, Port, Username, Passoword etc. If you plan to capture announces on a SSL(HTTPS) tracker try this tutorial here: https://support.citrix.com/article/CTX116557

So that about sums it up. If you do have questions, or think something that must be added here let me know.


04.08.17, 16:03
4) Torrent File (Preferably with a http tracker) *No UPD, HTTPS Trackers or DDLs*

No private tracker uses UDP for the time being, and Fiddler can capture HTTPS traffic if necessary (by installing a trusted certificate and performing a MITM attack on yourself).

05.08.17, 03:21
Perfect to confirm clients for Vuze Extreme Mod or any tool. Specially the one (http://www.sb-innovation.de/f274/deluge-1-3-15-a-33314/) I'm unable to verify so far. As much as it's simple, many were asking and looking about guide like this.

10.08.17, 17:22
Worth mentionning that on somes computers (like mine) you need to start Wireshark "as administrator" in order to see your network interfaces.

Worth mentioning as well. A LARGE part of your passkey is visible on your screenshots (multiple screenshot expose multiple parts of the passkey). Long story short, but with 5 or 6 visible characters from a hash it's easy for tracker admins to identify who you are.
You better re-upload your images with the passkey completely hidden.