|Operating Systems:||Linux (i386,x86_64),|
|Software Type:||Mario Kart Wii network traffic analyzer|
|File Formats:||PCAP 2.4, PCAP 2.4.modified, PCAP-NG, bzip2 compression, BMG (text).|
|Current Version:||v1.01r1991, 2014-11-03|
|Current Beta:||v1.01r1991, 2014-11-03|
In November 2012, Wiimm decided to analyze the network protocol of Mario Kart Wii. The main goal was to discover online cheaters. Another goal was to set up his own server (Wiimmfi-Project) when Nintendo shuts down its servers on 20th May 2014.
So the main feature is to dump the packets of a tcpdump (done by tcpdump or wireshark) in a user-friendly format. After first experiments, it becomes also a live racing statistic tool.
Terms and definition
The following terms are used in the article:
- Address Resolution Protocol, a network routing protocol.
- A Wii system that take part of the race.
- fc, fc8
- The friend code (8 bytes = 64 bits) of the first user of a client. Sometimes a friend code is extended by ".1" or ".2" to identify the user of the client.
- All non host clients.
- The observed client (client, where the network traffic comes from).
- The client, which has opened the room.
- The Mii avatar of a user.
- One of Nintendos servers.
- A packet is a technical network packet. Mario Kart Wii uses ARP, TCP and UDP (including name resolution) packets.
- A player, that take part of the race (max=12). Players are all users of all clients.
- player id, fc4
- The player id is a short version of the friend code with only the lowest 4 bytes (32 bit). It is used in the network protocols for identification.
- Transmission Control Protocol, a network protocol.
- A packet can be split into logical records. Each record has its own meaning and its own data structure.
- User Datagram Protocol, a network protocol.
- A user of a client. Each client supports 1 or 2 users. The users of client are numbered 1 and 2.
mkw-ana v1.00 r1975 - 2014-10-03 - This is mkw-ana version 1.0, the last version with old race detection. From now on I will re-implement the race statistics based on the new knowledge since start of Wiimmfi development. - Command DUMP3 --key=secret: If set, use the 'secret' for decoding answers of server MS. - Command QUERY: - Options --server, --wiimmfi (default), --twiimmfi, --nintendo and --dwc define the server. - Wiimmfi --select=+ support to get all table members known by the server. If --wiimmfi or --twiimmfi is set, the default for --select is '+'. And '+' means: Send all known database columns. - Bug fix for command QUERY: Use the entered port and not only port 28910. - Support of NATNEG types 0x0f and 0x10 (PREINIT and related ACK). - Support of MASTER types 0x01..0x0a with and without prefix 0xfefd. - Formatted XML output. - Windows only: Cygwin update to v1.7.32 2014-08-13.
→ old logs
The tool started as simple hex dumper reading network dumps in PCAP format. In the first phase of the tool, the textual dumps of wireshark and tcpdump were much better. But after only a few days, the tool learned to handle records, clients, users, friend codes and Miis. From this moment the tool was better to analyze the Mario Kart Wii traffic.
Now, mkw-ana split the traffic into records and scans some data to detect stages of the online meeting. Stages are for example room, prepare race, count down, racing and end of race. It is able to separate races into events (grand prix and team grand prix) and to calculate racing tables. Racing data can also be exported to support live statistics.
At the moment there are three different kinds of hexdumps. All 3 are able to dump in one line mode to have large tables. Tool less is here a very good tool for vertical and horizontal scrolling. The stages are includes into the dump as comment lines. The dumped records can be filters by sending, receiving, proxy, record types, stage types and packet length. It is also possible to select the dumped bytes by indices and ranges.
Include logs into output
Another feature is, that mkw-ana can read comment files. If making videos of the dumped meetings, you can write such comment file. Each line starts with a timestamp followed by a comment. VirtualDub is a good tool for this job. Then you must synchronize the comment file with the network dump. The start of the first game ("GO" in the video) is a very good point for synchronization. Here is an example of a comment file (in german):
# All lines beginning with an '#' are comments and ignored. # Sync: timestamp of dump - timestamp of video > 2014-03-07 18:33:31.583 +0100 - 0:08:09.667 0:00:00.000 Video Start 0:00:54.600 Enter WFC first time ... 0:08:09.667 GO! GP 1.1
- The first line is the real time of the start of the race minus the video time stamp. This is the synchronisation. An synchronisation can be done multiple times.
- The lines with the video timestamp and comment follow.
- The name of the comment file must be the same as the network dump, but it must have the extension ".info" instead of ".eth".
- Here you can find example dumps and log files: http://download.wiimm.de/mkw-ana/dumps/
- You can find the latest and some old distributions here
- Binaries for:
- Linux i386
- Linux x86_64
- Cygwin/Windows (Needed Cygwin DLL files are delivered. Best is to install a Cygwin system).
- Some scripts as examples.
- Some BMG text examples.
- Some doc files.
- Sometimes I upload single tool updates (beta versions) for testers
Capture the network data
First you must capture the network traffic of the Wii. Therefore you must redirect it to a PC running a capture software. There are 3 general ways to to this:
- If you have a manageable switch, enable port mirroring and send all Wii traffic to a PC.
- Use your PC as router.
- Use old network hubs (not switches). A hub will mirror all traffic of all ports to all others; it's just a multi port repeater and will slow down your network.
Use a software like tcpdump or wireshark to capture the data. Best is to save the captured data directly to a file or to send it to other commands like mkw-ana for a live analysis.
It's also possible to save the data to a file and to make a live analysis at the same time. Use the following command pipe:
tcpdump -w- -U -i eth1 host wii | tee save.dump | mkw-ana ...
It is important to filter the data by host ip_or_name, because foreign traffic interfere the wii traffic analysis and will have curious side effects.
If using wireshark, save the dump to a file and use the following command for a live analysis:
mkw-ana COMMAND --follow DUMPFILE ...
Accepted file formats
mkw-ana accepts the following file formats for the network dumps:
- PCAP 2.4 : Standard packet capturing file format.
- Big and little endian are supported.
- Timestamps in micro- and in nanoseconds are supported.
- PCAP 2.4.modified : Like PCAP, but with an extend packet header. This format is used by several routers, AVM FRITZ!Box is one example.
- Big and little endian are supported.
- Only microseconds timestamps are supported.
- PCAP-NG 2.4.modified : A next generation (NG) PCAP format.
- BZIP2 compression
- mkw-ana detects a BZIP2 compression automatically. It is supported for all other dump file formats.
mkw-ana accpets any list of dump files. The file format is detected for each single input file, so mixed formats are possible. The special file name »-« (minus sign) means: Don't open the file and and read the standard input (stdin) instead. So one of the input files can be read via pipe.
mkw-ana can scan the network traffic in real time and can produce makedoc or php data files. Together with ssh and an cgi script, a live statistic is created. Live means that the tables are updates 2-5 seconds after the race have finished.
How it works
The whole job is done by 3 processes:
First, you must capture the network traffic like described above. Then use one of the commands:
... | mkw-ana log --md DATAFILE ... | mkw-ana log --php DATAFILE mkw-ana --follow DUMPFILE log --md DATAFILE mkw-ana --follow DUMPFILE log --php DATAFILE
- Each time, a new DATAFILE is written, it must be transferred to the web server. A script using ssh, sftp scp or ftp within an endless loop will do this job automatically.
- Last not least, a CGI or PHP script running at the web server must read the data files to serve a html-page to the visitors.
To see, what live means, visit the live statistics on Wednesday or Thursday between 19:10 and 20:30 CET (Central European Time).