Author Topic: Capturing and analyzing Bitcoin network traffic with tcpdump  (Read 5064 times)
altamic (OP)
January 25, 2011, 10:53:56 PM
 #1

During these days I am trying to collect Bitcoin packets flowing through the network LAN, to (hopefully) gain a deeper understanding of the protocol by "seeing" how it behaves.

Needless to say, having a good understanding of the protocol is essential to write accurate documentation, verify correctness of any implementation, detect or debug incorrect behavior and analyze performance.

After having discarded the option of instrumenting the code, since I judge it too time consuming for my current skills, I've opted to use an "Old School Unix Tool of The Trade", i.e. tcpdump.

I am by no means an expert with it, but I have been able to put together a simple shell script to filter only packets of "Bitcoinian" interest Smiley

I would like to share it with you:

#!/usr/bin/env bash
# bash rather than sh: the script relies on [[ ]], arrays and (( )), which are bash features

# bitdump.sh
#
# captures Bitcoin network traffic

SELF=$(basename "$0")

if [[ -z "$1" ]]; then
  DEFAULT="en1"
  echo "$SELF: no interface name provided as argument: using $DEFAULT as default"
else
  DEFAULT=$1
fi

# print the remote address of every established connection on the Bitcoin port
# (netstat shows the peer as a.b.c.d.8333 on BSD/macOS and as a.b.c.d:8333 on Linux)
connected_nodes() {
  netstat -an |
  awk '/8333/ && /ESTA/ { print $5 }' |
  sed 's/[.:]8333$//'
}

# tcpdump config
IF="-i $DEFAULT"
ASCII="-A"
BINARY="-XX"          # note: has no visible effect while -w writes to a file
NO_DNS="-n"
FULL_PACKETS="-s 0"
NODES=($(connected_nodes))
PORT="8333"
FILE="bitdump.pcap"

if [[ ${#NODES[@]} -eq 0 ]]; then
  echo "$SELF: No peer found, check your internet connection and that Bitcoin is running"
else
  # build "host A or host B or ..." so that traffic with ANY connected peer matches;
  # the parentheses keep the "or" chain separate from the "and port" clause
  ANY_NODE="host ${NODES[0]}"
  for (( i = 1; i < ${#NODES[@]}; i++ )); do
    ANY_NODE="$ANY_NODE or host ${NODES[$i]}"
  done

  # -t : don't print a timestamp on each dump line
  # -q : stay quiet

  CMD="tcpdump $IF -w $FILE $FULL_PACKETS $BINARY $NO_DNS ( $ANY_NODE ) and port $PORT"

  echo "$CMD"
  $CMD
fi


You can clone/fork it here:

   https://gist.github.com/795809

The executable script, baptised 'bitdump.sh', receives as argument the name of the network interface and requires superuser privileges, i.e. you can run it with:

   chmod +x bitdump.sh
   sudo ./bitdump.sh


Mining a new block, creating a new bitcoin installation, sending or receiving transactions all involve many protocol interactions between nodes and I think it would be interesting to see yours on the wire. So ...let's start a campaign!

http://desmond.yfrog.com/Himg617/scaled.php?tn=0&server=617&filename=x4atu.png&xsize=640&ysize=640

Are you a miner? Are you a new user? Nice, then share your network dumps to benefit developers Smiley

Thank you.

fabianhjr
January 26, 2011, 12:49:27 AM
 #2

Mhhh, I don't see the point unless Bitcoin was a closed source program. You can look at the source code and see how it works. Tongue

0x6763
January 26, 2011, 03:23:59 PM
 #3

My favorite tools for packet sniffing and inspection are Wireshark (http://www.wireshark.org/) and Scapy (http://www.secdev.org/projects/scapy/).  I'm implementing the protocol right now, and these tools were very helpful and led to me finding that some of the docs on the wiki were incorrect (I changed the wiki to reflect my findings, though I haven't covered everything).  The wiki, forums, IRC, other bitcoin related software, and packet sniffs have allowed me to learn about the protocol and how the official bitcoin client works while barely looking at the official client's code (it's pretty hard to follow, at least for me... I'm starting to make sense out of some of it after learning about what it's doing from all of these other sources, however).
Cdecker
January 26, 2011, 09:40:42 PM
 #4

I have a few dumps done with wireshark and I use them when unit testing my networking code; it's incredibly useful to have actual conversations to test against. Also the format of the messages makes it quite easy to split the dump into single messages.

BTW: 0x6763 would you be interested in joining efforts? I heard you are developing a network stack in Java too, I'd be keen to get a good networking code done that is peer reviewed. It could serve as a basis for many different services.

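Cdecker's point that the fixed message framing makes a dump easy to split into single messages can be shown directly. The following is an added example, not code from anyone in this thread: it walks a reassembled TCP byte stream from such a capture, cuts it into messages on the 24-byte header (network magic, command, payload length, checksum), verifies each checksum (first four bytes of SHA256(SHA256(payload))) and resynchronises on the next magic if the capture starts mid-message; the sample stream is constructed inline.

```python
import hashlib
import struct

MAGIC_MAIN = bytes.fromhex("f9beb4d9")  # mainnet magic as it appears on the wire
HEADER_LEN = 24                         # 4 magic + 12 command + 4 length + 4 checksum


def checksum(payload: bytes) -> bytes:
    """First 4 bytes of SHA256(SHA256(payload)), as carried in the header."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def split_messages(stream: bytes, magic: bytes = MAGIC_MAIN):
    """Split a reassembled TCP stream into (command, payload, checksum_ok) tuples.

    Bytes that do not start with the magic are skipped one at a time, so a
    capture that began in the middle of a message resynchronises at the next header.
    A message whose payload runs past the end of the capture is dropped as truncated.
    """
    msgs = []
    i = 0
    while i + HEADER_LEN <= len(stream):
        if stream[i:i + 4] != magic:
            i += 1
            continue
        command = stream[i + 4:i + 16].rstrip(b"\x00").decode("ascii", "replace")
        (length,) = struct.unpack("<I", stream[i + 16:i + 20])
        wire_sum = stream[i + 20:i + 24]
        payload = stream[i + 24:i + 24 + length]
        if len(payload) < length:
            break  # truncated at end of capture
        msgs.append((command, payload, checksum(payload) == wire_sum))
        i += HEADER_LEN + length
    return msgs


def build_message(command: str, payload: bytes, magic: bytes = MAGIC_MAIN) -> bytes:
    """Serialise one message; used here only to construct realistic sample data."""
    header = magic + command.encode("ascii").ljust(12, b"\x00")
    return header + struct.pack("<I", len(payload)) + checksum(payload) + payload


# constructed sample: two stray bytes, then a verack, then a ping carrying an 8-byte nonce
SAMPLE_STREAM = (b"\x00\x01"
                 + build_message("verack", b"")
                 + build_message("ping", bytes.fromhex("8877665544332211")))

if __name__ == "__main__":
    for cmd, body, ok in split_messages(SAMPLE_STREAM):
        print(f"{cmd:<12} len={len(body):<4} checksum_ok={ok}")
```

A checksum mismatch on a real capture usually means the stream was reassembled wrongly (or the message was altered in transit), so it is worth flagging before feeding the payload to any decoder.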
0x6763
January 26, 2011, 09:53:08 PM
 #5

> BTW: 0x6763 would you be interested in joining efforts? I heard you are developing a network stack in Java too, I'd be keen to get a good networking code done that is peer reviewed. It could serve as a basis for many different services.

My code is running on the JVM, but it's not Java.  I'm using Clojure. See http://clojure.org or #clojure on freenode.
Technically we could certainly use each other's code, but I think it would be a little awkward for merging our development while keeping with our own languages.  I'd very much like to discuss it, though.