Differences between revisions 1 and 21 (spanning 20 versions)
Revision 1 as of 2006-06-25 17:37:21
Size: 1989
Editor: h47n2fls31o982
Comment:
Revision 21 as of 2008-05-20 02:53:18
Size: 1903
Editor: GuyHarris
Comment: Ventrilo server advertising, more like it.
Deletions are marked like this. Additions are marked like this.
Line 2: Line 2:
= Full PROTO name (PROTO abbreviation) =

This file tries to help you add a new protocol to the wiki. Edit anything as appropriate to the specific protocol and replace any appearance of PROTO/proto/protofirstletter by your protocols name (and remove this text line before saving!).

XXX - add a brief PROTO description here

== History ==

XXX - add a brief description of PROTO history
= Ventrilo Protocol =
VP - The ventrilo protocol is the one used by Ventrilo to encrypt and decrypt VoIP chatting.
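Review bot: The added description line lowercases the product name ('ventrilo') and describes VP only as something that encrypts and decrypts; suggest 'VP - The Ventrilo protocol is the protocol the Ventrilo VoIP chat client and server use; its traffic is encrypted.' The rev-1 History section is also removed rather than filled in, so the page ends up without a History heading at all.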
Line 13: Line 6:

* ["TCP"]: Typically, PROTO uses ["TCP"] as its transport protocol. The well known TCP port for PROTO traffic is 80.
 * [[TCP]]: Typically, VP uses [[TCP]] as its transport protocol. The TCP port for VP traffic is 3784 (Depending on server).
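Review bot: '(Depending on server)' in the added TCP line does not say what depends on the server; suggest 'The TCP port for VP traffic is 3784, although it varies by server configuration.'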
Line 17: Line 9:
v2.3.0 [[http://pastebin.ca/71370|HERE]] (Long text pasted on pastebin.ca)
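Review bot: The link text 'HERE' in the added v2.3.0 line carries no information and the target is an external paste; suggest descriptive text such as 'v2.3.0: decrypted session trace on pastebin.ca' and, since pastes expire, attaching a copy to the wiki as was done for ExampleVP.pcap.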
Line 18: Line 11:
Here == v3.0.0 ==
The preshared encryption key is the same as the one for 2.3.0 and the key exchange and encryption method seem to be the same. However, a type 0x34 packet now siganls a change in encryption sometime shortly after connecting and displaying the server status.

The login packet has also changed to type 0x48 and has an additional 16 bytes of data immediately before the client version string.

The client has a quirk of its own that makes running it through the decryption proxy somewhat of a pain. It first connects and gets the server status via UDP before it will even attempt to connect. If you proxy it through a port that does not match what the remote server claims to be it will also not connect. Either the packet must be modified with the redirected UDP port or they must be changed to match the remote end. This means you may no longer block the UDP port to prevent people from checking to see who's on.
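Review bot: Typo in the added v3.0.0 paragraph: 'siganls' should be 'signals'. In the quirk paragraph, 'It first connects and gets the server status via UDP before it will even attempt to connect' uses 'connect' for two different things; suggest 'It first queries the server status over UDP before it attempts the TCP connection.'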
Line 21: Line 19:

The PROTO dissector is (fully functional, partially functional, not existing, ... whatever the current state is). Also add info of additional Wireshark features where appropriate, like special statistics of this protocol.

== Preference Settings ==

(XXX add links to preference settings affecting how PROTO is dissected).
The VP dissector is non-existing.
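Review bot: 'The VP dissector is non-existing.' in the added line should read 'There is no VP dissector.' The Preference Settings section is deleted outright; keeping it with a one-line note that there are none would leave the page aligned with the template.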
Line 29: Line 22:
[[http://wiki.wireshark.org/Ventrilo?action=AttachFile&do=get&target=ExampleVP.pcap|ExampleVP.pcap]]: This file contains a capture of the Ventrilo protocol, however the packets are encrypted.
Line 30: Line 24:
XXX - Add a simple example capture file to the SampleCaptures page and link from here (see below). Keep this file short, it's also a good idea to gzip it to make it even smaller, as Wireshark can open gzipped files automatically.

 * attachment:SampleCaptures/PROTO.pcap

== Display Filter ==
A complete list of PROTO display filter fields can be found in the [http://www.wireshark.org/docs/dfref/protofirstletter/proto.html display filter reference]

 Show only the PROTO based traffic: {{{
 proto }}}

== Capture Filter ==

You cannot directly filter PROTO protocols while capturing. However, if you know the ["TCP"] port used (see above), you can filter on that one.

 Capture only the PROTO traffic over the default port (80): {{{
 tcp port 80 }}}
See [[http://aluigi.altervista.org/papers.htm#ventrilo|Luigi's page]] for decryption algorithm and [[http://pastebin.ca/71370|this]] for a decrypted capture.
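Review bot: The Display Filter and Capture Filter template sections are removed entirely, yet the page already names the TCP port (3784); the Capture Filter section could be kept with 'tcp port 3784' in place of the template's 'tcp port 80'. Also, 'this' as link text for the decrypted capture is uninformative; 'this decrypted capture' would read better.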
Line 48: Line 27:

 * add link to PROTO specification and where to find additional info on the web about it, e.g.:
 * [http://www.ietf.org/rfc/rfc123.txt RFC 123] ''The RFC title'' - explanation of the RFC content.

== Discussion ==
 * [[http://aluigi.altervista.org/papers.htm#ventrilo|Luigi's page]] - The one and only recource on the VP protocol.
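Review bot: Typo in the added Discussion item: 'recource' should be 'resource'. 'The VP protocol' expands to 'the Ventrilo Protocol protocol'; 'the only resource on VP' avoids the repetition.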

Ventrilo Protocol

VP - The Ventrilo protocol is the protocol the Ventrilo VoIP chat client and server use; its traffic is encrypted.

Protocol dependencies

  • TCP: Typically, VP uses TCP as its transport protocol. The TCP port for VP traffic is 3784, although it varies by server configuration.

Example traffic

v2.3.0: see http://pastebin.ca/71370 (a long text paste on pastebin.ca)

v3.0.0

The preshared encryption key is the same as the one for 2.3.0, and the key exchange and encryption method seem to be the same. However, a packet of type 0x34 now signals a change in encryption at some point shortly after the client connects and displays the server status.

The login packet has also changed to type 0x48 and has an additional 16 bytes of data immediately before the client version string.

The client has a quirk of its own that makes running it through the decryption proxy somewhat of a pain. It first queries the server status over UDP before it even attempts the TCP connection. If the proxy listens on a port that does not match the port the remote server claims to be on, the client will not connect either. Either the status packet must be rewritten with the redirected UDP port, or the proxy's ports must be changed to match the remote end. This means you can no longer block the UDP port to prevent people from checking who is on.
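To check the sequence just described (UDP status query first, then the TCP session to port 3784) against captured traffic, here is an added example that is not part of the wiki page: it correlates a simplified, constructed flow log and flags Ventrilo TCP sessions that no UDP status query from the same client preceded, which is not how the stock client behaves. The UDP port (assumed to be 3784 as well), the 30-second window and the log format are assumptions.

```python
"""Correlate Ventrilo UDP status queries with TCP sessions (added example).

Input is a constructed, Zeek-conn-style flow log with one flow per line:
    <src-ip> <dst-ip> <proto> <dst-port> <timestamp-seconds>
A TCP session to the Ventrilo port without a UDP status query from the same
client shortly before it is reported, since the stock client always queries
status over UDP before it opens the TCP connection.
"""
from collections import defaultdict

VP_TCP_PORT = 3784
VP_UDP_PORT = 3784   # assumption: the UDP status port equals the TCP port
WINDOW_S = 30.0      # assumption: status query at most 30 s before the TCP session

# Constructed sample log: client .5 behaves normally, .7 never queries status,
# .9 queried status but far too long before connecting.
SAMPLE_LOG = """\
10.0.0.5 10.0.0.100 udp 3784 1.0
10.0.0.5 10.0.0.100 tcp 3784 1.4
10.0.0.7 10.0.0.100 tcp 3784 2.0
10.0.0.9 10.0.0.100 udp 3784 3.0
10.0.0.9 10.0.0.100 tcp 3784 90.0
"""


def parse_flows(text):
    """Return a list of (src, dst, proto, dport, ts) tuples from the log text."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, dport, ts = line.split()
        flows.append((src, dst, proto.lower(), int(dport), float(ts)))
    return flows


def find_sessions_without_status_query(flows, window=WINDOW_S):
    """Return (src, dst, ts) for Ventrilo TCP sessions with no prior UDP status query."""
    udp_queries = defaultdict(list)          # (client, server) -> query timestamps
    for src, dst, proto, dport, ts in flows:
        if proto == "udp" and dport == VP_UDP_PORT:
            udp_queries[(src, dst)].append(ts)
    anomalies = []
    for src, dst, proto, dport, ts in flows:
        if proto != "tcp" or dport != VP_TCP_PORT:
            continue
        # A query counts only if it happened within `window` seconds before the TCP flow.
        preceded = any(ts - window <= q <= ts for q in udp_queries[(src, dst)])
        if not preceded:
            anomalies.append((src, dst, ts))
    return anomalies


if __name__ == "__main__":
    for src, dst, ts in find_sessions_without_status_query(parse_flows(SAMPLE_LOG)):
        print(f"{src} -> {dst} at t={ts}: TCP session without preceding UDP status query")
```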

Wireshark

Wireshark has no VP dissector.

Example capture file

ExampleVP.pcap (http://wiki.wireshark.org/Ventrilo?action=AttachFile&do=get&target=ExampleVP.pcap): This file contains a capture of the Ventrilo protocol; the packets are encrypted.

See Luigi's page (http://aluigi.altervista.org/papers.htm#ventrilo) for the decryption algorithm and http://pastebin.ca/71370 for a decrypted capture.

Discussion

  • Luigi's page (http://aluigi.altervista.org/papers.htm#ventrilo) - The one and only resource on VP.

Ventrilo (last edited 2008-05-20 02:53:18 by GuyHarris)