Analyzing Bitcoin Network Traffic Using Wireshark – Sam Kear

Since Bitcoin is a peer to peer protocol it relies very strenuously on network communication to perform its functions. The best way to get a closer look at the Bitcoin protocol is to use a packet sniffer such spil Wireshark to view the frames traversing the network.

There are several different Bitcoin clients available but they all rely on the same underlying protocol. My local client of choice is the Bitcoin-Qt client but Wireshark can decode the traffic regardless of which client is ter use.

Fully synchronized clients do not generate a large amount of network traffic but unsyncronized clients that do not have a accomplish copy of the Bitcoin blockchain can create a substantial amount of network traffic.

Presently the entire blockchain is almost 9GB ter size and resumes to grow. Once the client has cached a local copy of the blockchain they will stay up to date using the getblocks message type.

Supported Versions of Wireshark

The current stable version of Wireshark (1.8.7) does not have support for the Bitcoin protocol so you will need to download the development release to decode the packets. The current public version of the development release is version 1.Ten.0rc2 which contains a dissector for Bitcoin.

The Bitcoin protocol dissector still has some issues and doesn’t decently decode all of the traffic tho’. Based on the notes I read ter the packet-bitcoin.c source opstopping the protocol dissector wasgoed written by Christian Svensson (voeling informatie below). If you send him a note (and maybe a bitcoin peak) he might be able to provide further support and update the decoder.

I also complied the most latest development release (1.11) from the source tree but I found that the Bitcoin dissector wasgoed not functioning decently. Some messages were decoded without issues but some were listed spil malformed packets. So for the time being I recommend using version 1.Ten.

Viewing Bitcoin Traffic ter Wireshark

After installing the development release you can test out the decoder by kicking off a Bitcoin client to generate some traffic on the network. After capturing traffic for a brief period of time you can view the Bitcoin traffic by simply typing Bitcoin te the filer opbergruimte and pressing inject.

Wireshark will process all of the packets and display only the Bitcoin packets.

During testing I noticed that the bitcoin filterzakje wasgoed not displaying traffic related to my client downloading a copy of the blockchain. If you want to see this traffic, or any other traffic the decoder might miss I would suggest using a filterzakje such spil the following:

bitcoin or tcp.port==8333

Client Startup and DNS Seeds

During the Bitcoin client startup process clients will use several different methods to detect peers. Clients commencing up for the very first time will search for DNS seeds that are hard coded into the client. You can use the filterzakje below to search for thesis queries within Wireshark.

dns.qry.name == “seed.bitcoin.sipa.be” or dns.qry.name == “dnsseed.bluematt.mij” or dns.qry.name == “dnsseed.bitcoin.dashjr.org” or dns.qry.name == “bitseed.xf2.org”

Thesis DNS seeds could switch ter the future but you can view them by looking at the source code for the netwerk.cpp opstopping te the Bitcoin client source repository.

Bitcoin client resolving the hostnames of the DNS seeds.

If the client is incapable to voeling the DNS seeds it will fall back to a list of hard coded IP addresses. Thesis IP addresses can be found te the netwerken.cpp opstopping ter packed binary format. Sgornick wrote a script to test each of the IP addresses that could lightly be modified to list the IPs if you wished to build a filterzakje to search for packets destined to thesis addresses.

More Useful Wireshark Filters for Bitcoin Traffic

Find clients using Bitcoin version 70001

Display Bitcoin frames containing peer IP addresses

Display frames that are part of the main Bitcoin blockchain

Display frames that are part of the Bitcoin test blockchain

Bitcoin Protocol Information

The Bitcoin protocol is fairly simplistic when compared to some other protocols. Bitcoin runs on TCP port 8333, testnet runs on port 18333 instead. Essentially there are Legal different message types, and 6 types of structures.

For the utter details on the different message types take a look at the Bitcoin protocol specification wiki.

Play bitcoin games and win real money. Take a look at bitcoincasino.best for a good selection of bonuses.

Share this:

Sam Kear

Sam graduated from the University of Missouri – Kansas City with a bachelors degree ter Information Technology. Presently he works spil a network analyst for an algorithmic trading rock hard. Sam likes the challenge of troubleshooting ingewikkeld problems and is permanently experimenting with fresh technologies.

One thought to &ldquo,Analyzing Bitcoin Network Traffic Using Wireshark&rdquo,

I like your proef,analysing bitcoin using wireshark

I attempted to go after your example sometimes ago to no avail.i didnt manaage to catch any bitcoin packet

I am working on a research about anonymity of cryptocurrencies

Can you vormgeving and share another proefneming by using the latest version of wireshark

Related movie: Acer Aspire One Netbook Disassembly


Leave a Reply

Your email address will not be published. Required fields are marked *