This is an amazingly helpful email I received from "Howard", he goes to great depth to discuss different types of packets and responses.

When you are done here, head back to DavesPlanet.net/Kazaa

Hi Dave,

I saw your webpage on the Participation level cracking of KaZaA. I'm no
expert at any of this, but I thought I could give you some help in what I've
spotted.

Firsty, you mentioned a lack of "sniffing" software. Try this link
http://www.analogx.com/contents/download/network/pmon.htm

It's a very usefull *free* packet sniffer. The details I've got below came
from me setting up a rule in it to sniff any packets who contained the word
Kazaa in the data part. I only seem to be able to sniff the traffic coming
into my PC, I can't seem to sniff the traffic I send out to other users, but
then I am a novice at all this...

So, I've sniffed some details - here they are and what I think was happening
at the time:

1.    Other users requesting files from me. They all look fairly similar,
but there are some differences. They all come from pre version 2.0 users
(you can tell by the date of the client) or non Kazaa users. These don't
have an X-Kazaa-XferUid which I suspect is the bit that includes the
Participation Level - without this I think my machine assumes a level of
zero. Note also that the the GET request includes the filename in plain text
in most of them. The fourth one doesn't - maybe that one came from a l"ist
of all my files" compared to the others who may have come from a normal
search?. I don't know about the X-Kazaa-XferId bit - the first two requests
come from the same user for two diferent (but similar named) files - note
how close they are. Is it a consecutive number on a client basis..?

GET /5876/%5btmd%5dstar.trek.nemesis.%28ftf%29.ts.%281of2%29.avi HTTP/1.1
Host: 213.48.248.247:2397
UserAgent: KazaaClient Mar 30 2002 23:23:10
X-Kazaa-Username: jo10584
X-Kazaa-Network: KaZaA
X-Kazaa-IP: 80.110.67.130:1214
X-Kazaa-SupernodeIP: 212.186.198.247:3364
Range: bytes=88734465-91423599
Connection: close
X-Kazaa-XferId: 11828737

GET /2499/%5btmd%5dstar.trek.nemesis.%28ftf%29.ts.%282of2%29.avi HTTP/1.1
Host: 213.48.248.247:2397
UserAgent: KazaaClient Mar 30 2002 23:23:10
X-Kazaa-Username: jo10584
X-Kazaa-Network: KaZaA
X-Kazaa-IP: 80.110.67.130:1214
X-Kazaa-SupernodeIP: 212.186.198.247:3364
Range: bytes=25049778-52422774
Connection: close
X-Kazaa-XferId: 11821764

GET /10809/filename.mpg HTTP/1.1
Host: 213.48.248.247:2397
UserAgent: KazaaClient May 28 2002 14:51:21
X-Kazaa-Username: anon90764
X-Kazaa-Network: ???
X-Kazaa-IP: 217.215.166.213:1214
X-Kazaa-SupernodeIP: 217.215.164.80:2654
Range: bytes=8064-19320070
Connection: close
X-Kazaa-XferId: 5624908

GET /.hash=6301d33c8976c367ff2c3e735181d63f2adad457 HTTP/1.1
Host: 213.48.248.247:2397
UserAgent: KazaaClient May 28 2002 14:51:21
X-Kazaa-Username: admiral_truman
X-Kazaa-Network: fileshare
X-Kazaa-IP: 62.31.197.108:1088
X-Kazaa-SupernodeIP: 62.31.113.223:3314
Range: bytes=141723662-145498111
Connection: close
X-Kazaa-XferId: 187265

GET /12680/Directory%20Lister.exe HTTP/1.1
Host: 213.48.248.247:2397
UserAgent: KazaaClient May 28 2002 14:51:21
X-Kazaa-Username: scrogy
X-Kazaa-Network: fileshare
X-Kazaa-IP: 217.36.1.5:1214
X-Kazaa-SupernodeIP: 158.143.180.244:3431
Connection: close
X-Kazaa-XferId: 178788


2.    Other users requesting files from me. These appear to be from version
2 users judging by the user agent date. They include a X-Kazaa-XferUid who
may be similar to the LastSearchHash and include the Participation level
somewhere in them. The first two are requesting different parts of the same
file (the /.hash is the same) but the -XferUid is different. Could their
participation level have just changed and made it different, or could the
requested start byte/end byte/length/XferId be just part of the figure? It
is also simple letters numbers and puntuation, whereas the LastSearchHash
contains many other bytes outside these ranges.

GET /.hash=55e49f25f750cd9b4c4ef86796fa04cf70f438b6 HTTP/1.1
Host: 213.48.248.247:2397
UserAgent: KazaaClient Sep 16 2002 23:59:43
X-Kazaa-Username: kazaaliteuser
X-Kazaa-Network: KaZaA
X-Kazaa-IP: 62.211.166.8:1214
X-Kazaa-SupernodeIP: 193.206.169.183:1899
Range: bytes=17572007-18484345
Connection: close
X-Kazaa-XferId: 8197629
X-Kazaa-XferUid: szeNwdaW33JfNdgZfaZxct7zk8TyAQqs

GET /.hash=55e49f25f750cd9b4c4ef86796fa04cf70f438b6 HTTP/1.1
Host: 213.48.248.247:2397
UserAgent: KazaaClient Sep 16 2002 23:59:43
X-Kazaa-Username: kazaaliteuser
X-Kazaa-Network: KaZaA
X-Kazaa-IP: 62.211.166.8:1214
X-Kazaa-SupernodeIP: 193.206.169.183:1899
Range: bytes=46611221-47778084
Connection: close
X-Kazaa-XferId: 9857993
X-Kazaa-XferUid: 0yB9NXKXCaG9szU85x+nh0DvoGVhwyEi

GET /.hash=88c7641eabc845330b213883efc15190207e8047 HTTP/1.1
Host: 213.48.248.247:2397
UserAgent: KazaaClient Nov  3 2002 20:29:03
X-Kazaa-Username: jomel166
X-Kazaa-Network: KaZaA
X-Kazaa-IP: 66.108.27.18:2794
X-Kazaa-SupernodeIP: 66.108.102.39:3708
Range: bytes=146732-16609231
Connection: close
X-Kazaa-XferId: 5242890
X-Kazaa-XferUid: CP0VpV6fMl52LExv8pk1LxJHZf/I9qjA0oGSC1zOs3w=



3.    I'm already downloading a file, I've requested another chunk from
other users and here comes back the header and their details. Just for info,
I thought I'd put this here - it must be part of the normal traffic that
flows once a download is in process. See the bottom for details of what the
X-KazaaTag values are if wanted:

HTTP/1.1 206 Partial Content
Content-Range: bytes 39758881-50331647/59356749
Content-Length: 10572767
Accept-Ranges: bytes
Date: Fri, 27 Dec 2002 00:43:03 GMT
Server: KazaaClient May 28 2002 14:51:21
Connection: close
Last-Modified: Tue, 24 Dec 2002 05:23:32 GMT
X-Kazaa-Username: stlchris
X-Kazaa-Network: fileshare
X-Kazaa-IP: 66.136.185.154:1214
X-Kazaa-SupernodeIP: 130.39.220.153:3558
X-KazaaTag: 3==m5w/yUcRXdNTe7zITgjULcMJAWQ=
X-KazaaTag: 4="Title" of the download in process..
X-KazaaTag: 14="Category" of the download in process..
Content-Type: video/x-ms-asf

HTTP/1.1 206 Partial Content
Content-Range: bytes 312173994-312573384/734765056
Content-Length: 399391
Accept-Ranges: bytes
Date: Fri, 27 Dec 2002 00:40:04 GMT
Server: KazaaClient Nov  3 2002 20:29:03
Connection: close
Last-Modified: Fri, 15 Nov 2002 05:39:16 GMT
X-Kazaa-Username: krilind
X-Kazaa-Network: KaZaA
X-Kazaa-IP: 213.67.147.228:2108
X-Kazaa-SupernodeIP: 213.66.40.183:2193
X-KazaaTag: 13=640
X-KazaaTag: 5=5646
X-KazaaTag: 21=1016
X-KazaaTag: 28=div3
X-KazaaTag: 3==ABOlKDGiY/KYu7MPjLoup+WMuRQ=
Content-Type: video/x-msvideo

HTTP/1.1 206 Partial Content
Content-Range: bytes 312450181-312573384/734765056
Content-Length: 123204
Accept-Ranges: bytes
Date: Fri, 27 Dec 2002 00:45:36 GMT
Server: KazaaClient Sep 16 2002 23:59:43
Connection: close
Last-Modified: Thu, 07 Nov 2002 07:15:57 GMT
X-Kazaa-Username: 007
X-Kazaa-Network: KaZaA
X-Kazaa-IP: 213.67.26.156:1214
X-Kazaa-SupernodeIP: 213.66.206.200:2661
X-KazaaTag: 13=640
X-KazaaTag: 5=5646
X-KazaaTag: 21=1016
X-KazaaTag: 28=div3
X-KazaaTag: 3==ABOlKDGiY/KYu7MPjLoup+WMuRQ=
Content-Type: video/x-msvideo

4.    Some other snippets that maybe of use..:

HTTP/1.0 503 Service Unavailable
Retry-After: 174
X-Kazaa-Username: krilind
X-Kazaa-Network: KaZaA
X-Kazaa-IP: 213.67.147.228:2108
X-Kazaa-SupernodeIP: 213.66.40.183:2193

HTTP/1.0 503 Service Unavailable
Retry-After: 300
X-Kazaa-Username: djbaco
X-Kazaa-Network: KaZaA
X-Kazaa-IP: 213.51.14.167:3112
X-Kazaa-SupernodeIP: 212.204.140.233:1122

Some stuff I've spotted. Prior to version 2 of Kazaa, you had to enter a
username and password. I never tried logging on again with a different
password, but I assume there was some repository somewhere which only let
you log onto the Kazaa network if you had the correct valid combination.
Under version 2, there no longer is a password and many users can have
exactly the same name. Maybe this is part of what the LastSearchHash is
for - something else to uniquely attempt to identify one person from
another. There may be many defaultuser@Kazaa out there, but they mostly have
different serial numbers on their hard drives(!). With the information in
the Hash, if two different people with the same name request the same file
from me, I get two entries in the uploading box - my machine can tell they
are different people. But I presume that if one of them logs off,
changes/renews their ip address and logs back on and tries to get the file
again, it may spot that they are the same person and not make a new entry in
the uploading box. I haven't tested this out but it's an intriguing idea.

If this is true then it could help to explain some internal parts of Kazaa.
For example, if I download a file from someone one day and then come back
another, they will most likely be on a different ip address. Although it's
unlikely, someone else could be on that old ip address also running Kazaa
and possibly with the same username - but not the same hard drive serial so
my pc knows to re-search instead. Or is it just stupid and asks for the same
named file and the new person's machine says "file not found"...? I'm not
sure if any of this rambling helps..

I suppose that if you could write a program to mimic the following then that
could be used to boost the levels:

GET /5876/%5btmd%5dstar.trek.nemesis.%28ftf%29.ts.%281of2%29.avi HTTP/1.1
Host: 213.48.248.247:2397
UserAgent: KazaaClient Mar 30 2002 23:23:10
X-Kazaa-Username: jo10584
X-Kazaa-Network: KaZaA
X-Kazaa-IP: 80.110.67.130:1214
X-Kazaa-SupernodeIP: 212.186.198.247:3364
Range: bytes=88734465-91423599
Connection: close
X-Kazaa-XferId: 11828737

You would need to get the GET right firstly. The file name is easy as it
could grab it from the "my Shared Folder", but I don't know what the number
before it comes from. The number is there when I do a browser connect but
obviously you can't get that for v2.0.2. You then just need to give it some
IP addresses, a byte range and an XferId. I wonder if it is clever enough to
spot a 127.0.0.1 in the Kazaa-IP field and know you're trying to trick it..?
We know that version 2.0.2 won't allow you to connect from 127.0.0.1:1214 in
a browser, but then a browser doesn't supply any of the headers listed
above, so that could be why a browser no longer works, if it has no Kazaa
headers then don't allow it. Is it that simple?

There's a program out there on the net that can read in the data256.dbb file
and extract it's contents, so that could be used to retrieve a filename,
hash (if need be) and a length for the above headers. The file can be found
here: http://www.sandersonforensics.co.uk/p2pview.htm On the same page, it
details what the X-KazaaTag fields are.

I haven't got 2.0.2 on my machine - has anyone tried using a browser and
going in on the port defined for incoming connections instead of 1214/80...?

Anyway, I hope some of this helps you in finding a way round the
participation level. at the very least, I've told you how to get hold of a
usefull sniffer program that should help anyway...

I'll keep checking back on your page as I'm keen to find a way round this
horrible participation level thing. Unfortunately I use a modem and my
numbers are always going downhill. With my 56k connection, I always download
faster than I upload, so already I have a downhill spiral. Add to that the
fact that when someone if going full pelt on an upload from me so much
traffic is generated both ways that I get no download power whatsoever, so I
have to put a limit on the upload speed so I can at least download
something - again my Participation level drops even further. It's not fair!

Ta.

Howard (aka H.)



When you are done here, head back to DavesPlanet.net/Kazaa

Locations of visitors to this page