Hi-Performance Protocol Identification Engine
HiPPIE Name: aresProtocol
Category: Peer-to-Peer Protocols
Protocol Classification: Average

Ares is a peer-to-peer program in very wide use for downloading anything from MP3s to movies and so on. It is available from http://aresgalaxy.sourceforge.net or http://www.aresgalaxy.org/. There is also a clone of Ares that operates over the same protocol, called Warez, which should tell you exactly what this protocol is all about. There are two different portions of this protocol: a TCP portion, which is the most prominent, and a UDP portion. Below is how to identify both types of traffic.

TCP

The TCP portion of Ares, which carries almost every function of this protocol, is very easy to classify. There is only one thing you need to look for during a TCP session to identify it as Ares. The first packet sent during an Ares session after the TCP handshake is 46 bytes long (including IP and TCP headers), or in other words contains 6 bytes of data, of which the first 3 bytes are always (from observation):

03 00 5a

From further observation, this comes from the fact that on all the command channels of the Ares protocol the first two bytes of each packet are a data count for the rest of the data stream in that packet, followed by an opcode. So in the case of the above packet, it is a byte count of 3 (0x0300) for the data that follows the two bytes of sizing and the opcode (0x5a), for a total of 6 bytes. Another example would be a packet with a data size of 214 bytes, with a data count of 211 (0xd300) and an opcode of 0x33.

UDP

The UDP portion of the Ares protocol is an attempt to circumvent filtering and/or deal with firewalls. It only operates in the absence of a functional TCP connection, or to facilitate establishing that connection. I haven't recorded lengths for these packets, because they may well vary, but the first 3 bytes of these packets are always:

41 52 45

which is "ARE" in ASCII.

Classifying any session that begins with either the TCP or UDP packets shown above will be enough to fully break the Ares protocol for now, though I'm investigating fully classifying Ares.
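The two first-packet rules above, written out as a small standalone classifier. This is an added example and is not part of the original page or of the HiPPIE engine. It assumes the two-byte count is little-endian (the page's "03 00" = 3 and "d3 00" = 211 are consistent with that) and that the count covers the bytes after the three-byte count+opcode header; the 46-byte figure is reproduced under the assumption of a 20-byte IPv4 header plus a 20-byte TCP header with no options. All sample payloads are constructed, not captured traffic.

```python
import struct
from typing import Optional, Tuple

# Constructed sample payloads (not captured traffic), matching the observations on the page.
ARES_TCP_FIRST = bytes.fromhex("03005a") + b"\x01\x02\x03"   # 6 bytes: count 3, opcode 0x5a, 3 body bytes
ARES_UDP_FIRST = b"ARE" + bytes(5)                            # starts with 41 52 45 ("ARE")
HTTP_REQUEST = b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"     # control: must not match

# Assumed framing: 2-byte little-endian count, 1-byte opcode, then `count` bytes of body.
HEADER = struct.Struct("<HB")
IP_TCP_HEADER_LEN = 40  # assumption: 20-byte IPv4 + 20-byte TCP header, no options


def parse_ares_frame(payload: bytes) -> Optional[Tuple[int, int, bytes]]:
    """Split one Ares command frame into (count, opcode, body).

    Returns None when the payload is too short or when the count disagrees
    with the number of body bytes actually present (framing not self-consistent).
    """
    if len(payload) < HEADER.size:
        return None
    count, opcode = HEADER.unpack_from(payload, 0)
    body = payload[HEADER.size:]
    if len(body) != count:
        return None
    return count, opcode, body


def build_ares_frame(opcode: int, body: bytes) -> bytes:
    """Inverse of parse_ares_frame; used here only to construct test frames."""
    return HEADER.pack(len(body), opcode) + body


def is_ares_tcp_first_packet(payload: bytes) -> bool:
    """TCP rule from the page: the first data packet after the handshake carries
    exactly 6 bytes beginning 03 00 5a. The frame must also parse consistently,
    which rejects truncated or padded look-alikes."""
    if len(payload) != 6 or payload[:3] != bytes.fromhex("03005a"):
        return False
    return parse_ares_frame(payload) is not None


def is_ares_udp_packet(payload: bytes) -> bool:
    """UDP rule from the page: first three bytes are 41 52 45 ('ARE')."""
    return payload[:3] == b"ARE"


def classify_first_packet(proto: str, payload: bytes) -> Optional[str]:
    """Return 'aresProtocol' if the first payload of a flow matches, else None."""
    if proto == "tcp" and is_ares_tcp_first_packet(payload):
        return "aresProtocol"
    if proto == "udp" and is_ares_udp_packet(payload):
        return "aresProtocol"
    return None


def wire_length(payload: bytes) -> int:
    """Total packet length on the wire under the no-options header assumption."""
    return IP_TCP_HEADER_LEN + len(payload)


if __name__ == "__main__":
    for proto, pkt in [("tcp", ARES_TCP_FIRST), ("udp", ARES_UDP_FIRST), ("tcp", HTTP_REQUEST)]:
        print(proto, pkt[:6].hex(), classify_first_packet(proto, pkt))
```

The page's second example (a 214-byte packet with count 211 and opcode 0x33) round-trips through build_ares_frame and parse_ares_frame the same way, which is the check worth keeping in a real classifier: a length field that disagrees with the bytes present is the quickest sign that a flow merely shares the 03 00 5a prefix by coincidence.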