I. Overview
Taobao Wangwang is instant messaging software that integrates real-time text, voice and video communication with transaction reminders, shortcut channels, the latest business information and other functions, and is an essential tool for online transactions. Taobao is an Alibaba website and is also one of the websites that launched the Chinese E-commerce Integrity Alliance.
Taobao Wangwang communicates over TCP. The default login port is 16000; when port 16000 is not reachable, it falls back to port 80. Generally, as long as any one of ports 16000, 80, 8080 and 443 is reachable, you can log in to Taobao Wangwang successfully. Taobao Wangwang has very strong network connectivity: it supports logging in through SOCKS4, SOCKS5 and HTTP proxy servers.
This article uses Wireshark packet captures to analyze the characteristics of the Wangwang protocol.
II. Analysis
1) Login
During the login process, the captured packets use different protocols: UDP/TCP (excluding HTTP) and HTTP. The HTTP packets are of two kinds: those generated directly by Ali Wangwang and those generated by the browser. We only need to pay attention to the ones generated directly by the Ali Wangwang software.
Ali Wangwang packets have the following characteristics: the User-Agent field contains a keyword in hexadecimal format, such as B0A2C0EFCDFACDFA; some packets contain the im.alisoft.com "cookie:ali_" keyword.
After TCP negotiation, the Ali Wangwang protocol packet has a distinct feature: the first 4 bytes of the data section contain the hexadecimal number "8f010100".
When login succeeds, there are two UDP packets whose IP address belongs to Hangzhou Telecom. The first bytes of these UDP packets also contain hexadecimal data such as "8f010121".
2) Chat
Text chat: During online text chat, the packets are TCP packets with the same features as at login.
Voice chat: The voice chat process includes TCP and UDP messages, which are handled separately. During the process the software interacts with different servers such as multimedia.im.alisoft.com and forum.split.taobao.com, and transmits voice data using UDP packets. Another feature is that Wangwang tries to interact with the local ISP and Hangzhou Telecom, which produces a series of UDP packets. If you are lucky enough, these UDP packets can be identified: the first 4 bytes of the packet contain the hexadecimal number 52554450.
Video chat: This process is the same as voice chat.
3) File transfer
During file transfer, the TCP protocol is used for negotiation. The first three bytes of the UDP packets are "710206".
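The signatures described in sections 1) to 3) can be combined into a small payload classifier for captured traffic. This is an added example, not code from the original article or from the Wangwang software; the function name, labels and sample payloads are constructed for illustration, and it assumes each prefix applies only to the transport the article names for it.

```python
import re
from typing import Optional

# Payload prefixes quoted in the article: (transport, prefix bytes, label).
PREFIXES = [
    ("tcp", bytes.fromhex("8f010100"), "login/text-chat"),
    ("udp", bytes.fromhex("8f010121"), "post-login-udp"),
    ("udp", bytes.fromhex("52554450"), "voice/video-udp"),  # ASCII "RUDP"
    ("udp", bytes.fromhex("710206"), "file-transfer-udp"),
]
# Hexadecimal-format User-Agent keyword quoted in the article.
UA_KEYWORD = b"B0A2C0EFCDFACDFA"
UA_HEADER = re.compile(rb"^User-Agent:[ \t]*(.*?)\r?$", re.I | re.M)


def classify(transport: str, payload: bytes) -> Optional[str]:
    """Return a label if the payload matches an article signature, else None."""
    transport = transport.lower()
    if not payload:  # bare SYN/ACK segments carry no data
        return None
    for proto, prefix, label in PREFIXES:
        # startswith() is False for payloads shorter than the prefix.
        if proto == transport and payload.startswith(prefix):
            return label
    if transport == "tcp":
        # HTTP sent by the client itself: look for the keyword in the
        # User-Agent header only, so a body or URL match does not count.
        head = payload.split(b"\r\n\r\n", 1)[0]
        m = UA_HEADER.search(head)
        if m and UA_KEYWORD in m.group(1).upper():
            return "client-http"
    return None


# Constructed sample payloads (not taken from a real capture).
SAMPLES = [
    ("tcp", bytes.fromhex("8f010100") + b"\x00" * 12),
    ("udp", bytes.fromhex("8f010121") + b"\x01\x02"),
    ("udp", b"RUDP" + b"\x00" * 8),
    ("udp", bytes.fromhex("710206") + b"\xff"),
    ("tcp", b"GET /x HTTP/1.1\r\nHost: example.test\r\nUser-Agent: B0A2C0EFCDFACDFA\r\n\r\n"),
    ("udp", bytes.fromhex("8f010100")),  # TCP prefix seen over UDP: no match
    ("tcp", bytes.fromhex("8f01")),      # truncated payload: no match
]

if __name__ == "__main__":
    for transport, data in SAMPLES:
        print(transport, data[:8].hex(), "->", classify(transport, data))
```

Because the login port falls back to 80, 8080 or 443, matching on payload prefixes rather than on port 16000 alone is what keeps the identification working.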
Main reference:
Http://wzgyantai.blogbus.com/logs/28288501.html
Google search