Thread: "How To" capture announces with Wireshark. [Limited to Http trackers only]

  1. #1

    Hello sb-innovation members,
    This tutorial will cover everything from capturing announces to viewing them with Wireshark. As you all must know, Wireshark can run on many operating systems. So this guide can be beneficial to all.

    Official Download Link: https://www.wireshark.org/download.html

    Software(s) needed for this tutorial.
    1) Notepad (To copy and save the data)
    2) Torrent Client (A client which needs to be explored for many reasons) [Vuze will be used in this case]
    3) Wireshark (A network adapter sniffing tool)
    4) Torrent File (Preferably with an HTTP tracker) *No HTTPS Trackers or DDLs*

    Now that we have gotten our requirements straight, let us get started!

    1) Launch your Torrent Client and stop all torrents from running (i.e., stop all torrents)
    [Picture: torrent stopped.png]

    2) Start up Wireshark.

    3) Fill in the filter with "http" or "http.request or http.response"

    4) Click on Apply

    5) Choose the "any" interface

    6) Click on the start button.
    [Picture: choose interface and start.jpg]

    7) Start one or more torrents.
    [Picture: seding.png]

    8) Check Wireshark interface for captured announce.
    [Picture: new_captured.jpg]

    9) Right click on the announce url and choose "Follow TCP Stream"
    [Picture: new_captured_2.jpg]

    Now you can copy your data to a notepad and save it, or save it in any other format via Wireshark.

    Other Options to view package information

    1) In case you only want to copy more than one announce to the clipboard, use the Copy option, i.e., after you find the Announce link having the HTTP protocol, right click on the link->Copy->Bytes->Printable Text Only.
    [Picture of the data copied to the clipboard: new_copied_data.jpg]

    2) In case you want to view more than one announce, use the "Show Packet in New Window" Option. i.e., after you find the Announce link having the HTTP protocol. Right click on the link->Show Packet In New Window. This will open up the entire packet information covering:

    1) Frame: Covers information regarding- interface id, encapsulation type, arrival time, package shift time, Epoch time, Time delta, frame number, frame length, captured length

    2) Adapter Information (Usually Internet Connection 1,2,3....) (In my case it is Ethernet II): Covers information regarding- Local address, Source Address etc.

    3) Internet Protocol Version 4: Covers information regarding- Version, length, Flags, Protocols.

    4) Internet Protocol Version 6 (If IPv6 is used on the Torrent Client.): Covers information regarding- Version, length, Flags, Protocols

    5) Transmission Control Protocol (Source Port to Destination Port): Covers information regarding- Streams, Ports, Checksums, headers.

    6) Hypertext Transfer Protocol: Covers information regarding- announce url, request method, request uri, request version, connection type, host, user agent.
    [Picture: new_new_window.jpg]

    You can also use Wireshark to capture HTTPS announce headers; however, that requires adding the server's SSL key, IP, Port, Username, Password etc. If you plan to capture announces on an SSL (HTTPS) tracker, try this tutorial here: https://support.citrix.com/article/CTX116557

    So that about sums it up. If you do have questions, or think something must be added here, let me know.

    ~cloud99
    Last edited by shoulder; 11.08.17 at 14:46. Reason: images replaced

  3. #2
    anon (Moderator)
    Originally posted by cloud99:
    > 4) Torrent File (Preferably with a http tracker) *No UDP, HTTPS Trackers or DDLs*
    No private tracker uses UDP for the time being, and Fiddler can capture HTTPS traffic if necessary (by installing a trusted certificate and performing a MITM attack on yourself).
    "I just remembered something that happened a long time ago."

  5. #3
    illusive (Member)
    Perfect to confirm clients for Vuze Extreme Mod or any tool. Especially the one I'm unable to verify so far. As simple as it is, many were asking and looking for a guide like this.

  7. #4
    anthony-joal (Guest Coder)
    Worth mentioning that on some computers (like mine) you need to start Wireshark "as administrator" in order to see your network interfaces.

    Worth mentioning as well. A LARGE part of your passkey is visible on your screenshots (multiple screenshots expose multiple parts of the passkey). Long story short, but with 5 or 6 visible characters from a hash it's easy for tracker admins to identify who you are.
    You'd better re-upload your images with the passkey completely hidden.
    Last edited by anthony-joal; 11.08.17 at 11:31.
    This is my signature. There are many others like it, but this one is mine.
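
Added example (not written by any poster in this thread): one way to avoid the passkey exposure raised in post #4 is to redact a copied "Follow TCP Stream" dump before posting or screenshotting it. The parameter names in `SENSITIVE_PARAMS`, the rule that a long alphanumeric path segment is an embedded passkey, and the sample request are assumptions made for illustration.

```python
import re

# Announce query parameters that identify the user or client instance.
# Assumed names, based on common tracker conventions; extend as needed.
SENSITIVE_PARAMS = {"passkey", "key", "peer_id", "ip", "ipv4", "ipv6"}
# Headers that can carry credentials.
SENSITIVE_HEADERS = {"cookie", "authorization"}
# Assumption: a long alphanumeric path segment is a passkey in the URL.
PATH_TOKEN = re.compile(r"^[0-9A-Za-z]{16,}$")
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) (HTTP/\d\.\d)$")
MASK = "REDACTED"


def redact_target(target):
    """Mask secrets in a request target; other bytes stay untouched."""
    path, sep, query = target.partition("?")
    segments = [MASK if PATH_TOKEN.match(s) else s for s in path.split("/")]
    pairs = []
    for pair in query.split("&") if query else []:
        name, eq, value = pair.partition("=")
        if name.lower() in SENSITIVE_PARAMS and value:
            value = MASK
        pairs.append(name + eq + value)
    return "/".join(segments) + sep + "&".join(pairs)


def redact_stream(text):
    """Redact a copied dump of HTTP announce requests, line by line."""
    out = []
    for line in text.splitlines():
        m = REQUEST_LINE.match(line)
        name, colon, _ = line.partition(":")
        if m:
            line = f"{m.group(1)} {redact_target(m.group(2))} {m.group(3)}"
        elif colon and name.strip().lower() in SENSITIVE_HEADERS:
            line = f"{name}: {MASK}"
        out.append(line)
    return "\n".join(out)


# Constructed sample: the passkey, peer_id, key and cookie are made up.
SAMPLE = (
    "GET /0123456789abcdef0123456789abcdef/announce?info_hash=%124Vx%9a%bc"
    "&peer_id=-XX0001-abcdefghijkl&port=6881&uploaded=0&downloaded=0"
    "&left=1024&key=a1B2c3D4&event=started HTTP/1.1\n"
    "Host: tracker.example\n"
    "Cookie: uid=42; pass=deadbeef\n"
)
if __name__ == "__main__":
    print(redact_stream(SAMPLE))
```

The `Host` header and `info_hash` are left as they are, so the output still shows which tracker and torrent the announce belongs to; add them to the sets above if those should be hidden too.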