Trying to analyze the lovely packets

Post by Masamune00 »

Hello everyone!

This is a long text, but I thought it might be interesting: if anyone else is interested in this kind of stuff one day, it may help them.

In fact, I would like to develop a tool for Factorio which will be able to do different things, but one of the most interesting ones I'm thinking of right now would be to find which packet is sent when you give a deconstruct order.
Oh, I am doing that since we don't yet have any log of who did what on a server, and I don't want to install any mod.

To be honest, I know networking, UDP, Wireshark and its friends, but I'm a complete beginner at what I'm trying to do. So I started Wireshark, obviously, isolated the traffic sent to the server, then reset Wireshark, started a deconstruct order, stopped recording the packets, and there are 419 packets. Have fun trying to find the deconstruct order packet.

Like, does anyone have some suggestions on how to find it?
Or has anyone already tried or started to understand the packets of Factorio?
Or is it maybe not even possible to do what I'm trying to do?

Thanks for the help, everyone, and enjoy the game.

EDIT: I just started, though, as I opened this topic.

EDIT 2: Never mind, I think I've found the sneaky packet. I just had to remove all the UDP packets of the same length (length 27 UDP) and there were very few packets left (like fewer than 10), so it was kind of easy to find it.

EDIT 3: So I've found that when you give a deconstruct order, the packet seems to always have a length of 45 bytes in the UDP data. But I'm realizing now that it's very difficult to identify what each byte is... To be honest, I didn't find anything more than the UDP data length to find a deconstruct order packet, and doing this reverse engineering for the first time makes me realize it's painful.
Oh, and it's sending this packet even if there is nothing in the deconstruct order (it doesn't matter whether there is anything in the deconstruct area or not).

EDIT 4: Never mind, it seems like 98% of deconstruct order packets have this size, but some can be a bit bigger (for example if you do a big area)... I guess the only way is to write a program to compare all the packets and see what is the same in each of these packets. Damn, I played for a bit without giving another deconstruct order and there was no packet of 45, but then I discovered this. :/


Would it be possible to have more information on the UDP data of Factorio? Like what the bytes refer to, or a global explanation (not necessarily in detail)? I understand if you don't want to, but it's always worth asking.

EDIT 5: I finally finished making a program which compares UDP data (ugly coding but w/e). That way I'll record only "deconstruct UDP packets" and just compare all of them to see what is the same in all the packets, which will make me able to identify a "deconstruct UDP packet".

I'm aware that 0.15 may probably break everything I've done (packets will be different), but it's more to learn about this kind of work myself and to understand the Factorio network, maybe have something working at the end, curiosity. If it's really broken later, it can be redone faster once I've learned how to do it once and have all the tools already ready.
I've asked on IRC and it seems like someone asked the devs about it. Thanks a lot for that, very kind of him.

In fact there is no "deconstruct order packet"; it seems like this action and other actions are grouped in the same packet. But anyway, I'll keep trying. My goal is not a very complex one like finding the size of the deconstruct or whether it removed anything or not; it's just the "order given to deconstruct", so I think I may be able to identify only when a packet has this order. It should be, anyway, unless it's split across different packets, in which case RIP, or have fun trying to find it.

Another project I'm doing in parallel is trying to link a username and its IP. The reason I'm doing this is that I'm curious to see how many players would join my server if I allowed everyone (but banned them by IP if they grief; I can't find the IP in the Factorio game with /p o, so I need to read the packets and associate a user with their IP).
Sometimes I see on my server some people who try to connect without being authenticated, so there are some.
Of course I won't keep this server for a long time, since the IP ban can be dodged more or less easily, and in the end the server will be griefed, but I want to try a server like that at least once.
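
The two steps described in EDIT 2 and EDIT 4/5 of the post above (drop the dominant-length noise, then compare the remaining payloads byte by byte), as an added example that is not part of the original post and not the poster's program. The payload bytes are constructed for illustration and do not reflect Factorio's actual wire format; all function names are hypothetical.

```python
from collections import Counter

# Constructed sample payloads: NOT Factorio's real wire format, just bytes
# shaped like the situation in the post (27-byte noise, 45+ byte orders).
BACKGROUND = [bytes([0x06, 0x00, n, 0x01]) + bytes(23) for n in range(5)]
LABELLED = [
    bytes([0x06, 0x00, 0x11, 0xA7]) + bytes(range(0, 41)),     # 45 bytes
    bytes([0x06, 0x00, 0x12, 0xA7]) + bytes(range(100, 141)),  # 45 bytes
    bytes([0x06, 0x00, 0x13, 0xA7]) + bytes(range(50, 98)),    # 52 bytes
]

def drop_dominant_length(payloads):
    """EDIT 2 step: discard payloads of the single most common length."""
    common_len, _ = Counter(len(p) for p in payloads).most_common(1)[0]
    return [p for p in payloads if len(p) != common_len]

def invariant_offsets(payloads):
    """EDIT 4/5 step: offset -> byte for positions identical in every payload."""
    first, shortest = payloads[0], min(len(p) for p in payloads)
    return {i: first[i] for i in range(shortest)
            if all(p[i] == first[i] for p in payloads)}

def discriminating(signature, background):
    """Drop offsets that every background packet also matches (shared header)."""
    return {i: b for i, b in signature.items()
            if not all(len(p) > i and p[i] == b for p in background)}

def matches(signature, payload):
    """True if the signature is non-empty and the payload carries all of it."""
    return bool(signature) and all(
        len(payload) > i and payload[i] == b for i, b in signature.items())

if __name__ == "__main__":
    candidates = drop_dominant_length(BACKGROUND + LABELLED)
    sig = discriminating(invariant_offsets(candidates), BACKGROUND)
    print({hex(i): hex(b) for i, b in sig.items()})
    print([matches(sig, p) for p in BACKGROUND + LABELLED])
```

Comparing against background traffic matters because bytes that are constant in every packet (a shared header) look invariant in the labelled set but identify nothing, and length alone fails for the larger orders mentioned in EDIT 4.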


Re: Trying to analyze the lovely packets

Post by ssilk »

Nice that we could help you with talking to yourself. :)



Analyzing compacted, serialized data from a system that changes weekly is a task that never ends. So I highly recommend writing a mod that does this kind of logging, which is in my opinion pretty easy and will work with v1.0 without changing any line of code.


Re: Trying to analyze the lovely packets

Post by Masamune00 »

Going to update the topic tomorrow, but I finally got something which always works: finding the IP of a user on the server. At least it was not complicated like the other task, but it's not very useful since it's only interesting in a "no verified identity" game.

Ahah, yeah, it should be renamed to "report" or something. I was hoping someone had already worked or was working on this kind of stuff or had some experience, but I guessed wrong.

The problem with modding is that very few players in MP join a modded game (and I'm one of them, too lazy to download the mods, and I like the vanilla experience), and even if there are not a lot of mods, not as many people will join compared to a vanilla game. I love playing with 5-30 people; 2-3 players is kind of boring, so to reach that you need to host a vanilla game. So making this as a mod is out of the question.


Re: Trying to analyze the lovely packets

Post by DaveMcW »

You can edit control.lua of a save file instead of making a standalone mod. viewtopic.php?f=34&t=35828


Re: Trying to analyze the lovely packets

Post by ssilk »

Masamune00 wrote: The problem with modding is that very few players in MP join a modded game (and I'm one of them, too lazy to download the mods, and I like the vanilla experience), and even if there are not a lot of mods, not as many people will join compared to a vanilla game.
Well, but we can expect that this will change with the next release, because it is currently about to be implemented that mods are downloaded automatically.


Re: Trying to analyze the lovely packets

Post by Deadly-Bagel »

And if you can make it a sort of standardised thing then nobody will have a choice. I'm sure almost every server admin has been bitten by at least one griefer and would happily install a tool to mitigate that problem. If 90% of server admins did this, then most griefers would go to the 10% remaining servers and convince them to install one too ^^

With mods being downloaded automatically, and given that this would be a purely script mod (no images or anything), it would be very lightweight and fast, no bother to anyone really.


Re: Trying to analyze the lovely packets

Post by Zeblote »

Why do people do these things by analyzing packets?

It seems much easier to me to just make a small injectable dll that hooks whatever deserializes the deconstruct order... they even give you a .pdb file with symbols! :D


Re: Trying to analyze the lovely packets

Post by Masamune00 »

We'll see once the update is pushed. I'm curious to see how many more will play modded games instead of vanilla, or if people will keep playing on vanilla.
And I won't be surprised if, later, we have more detailed/complete(?) logs on the server about what happened, which will make these ideas useless anyway and make server admins' lives easier.

Yeah, it may be easier with what you said, Zeblote, but first, I never thought about that (guess it's because I only think of network...), and second, I have never ever done a DLL injection.


Re: Trying to analyze the lovely packets

Post by Ranakastrasz »

I think you can list everyone with a deconstruction blueprint selected when a deconstruction event is thrown. No idea if that is what you are looking for though.