Analyzing Bitcoin Network Traffic Using Wireshark

Since Bitcoin is a peer-to-peer protocol it relies very heavily on network communication to perform its functions.  The best way to get a closer look at the Bitcoin protocol is to use a packet sniffer such as Wireshark to view the frames traversing the network.

There are several different Bitcoin clients available but they all rely on the same underlying protocol.  My local client of choice is the Bitcoin-Qt client but Wireshark can decode the traffic regardless of which client is in use.

Fully synchronized clients do not generate a large amount of network traffic, but unsynchronized clients that do not have a complete copy of the Bitcoin blockchain can create a substantial amount of network traffic.

Currently the entire blockchain is nearly 9GB in size and continues to grow.  Once the client has cached a local copy of the blockchain it will stay up to date using the getblocks message type.

Supported Versions of Wireshark

The current stable version of Wireshark (1.8.7) does not have support for the Bitcoin protocol so you will need to download the development release to decode the packets.  The current public version of the development release is version 1.10.0rc2 which contains a dissector for Bitcoin.

Wireshark Development Release Download

The Bitcoin protocol dissector still has some issues and doesn’t properly decode all of the traffic though.  Based on the notes I read in the packet-bitcoin.c source file the protocol dissector was written by Christian Svensson (contact info below).  If you send him a note (and maybe a bitcoin tip) he might be able to provide further support and update the decoder.

Christian Svensson <blue@cmd.nu>
Bitcoin address: 15Y2EN5mLnsTt3CZBfgpnZR5SeLwu7WEHz

I also compiled the most recent development release (1.11) from the source tree but I found that the Bitcoin dissector was not functioning properly.  Some messages were decoded without issues but some were listed as malformed packets.  So for the time being I recommend using version 1.10.

Viewing Bitcoin Traffic in Wireshark

After installing the development release you can test out the decoder by starting a Bitcoin client to generate some traffic on the network.  After capturing traffic for a short period of time you can view the Bitcoin traffic by simply typing bitcoin in the filter box and pressing enter.

Wireshark will process all of the packets and display only the Bitcoin packets.

Wireshark Bitcoin Decoder

During testing I noticed that the bitcoin filter was not displaying traffic related to my client downloading a copy of the blockchain.  If you want to see this traffic, or any other traffic the decoder might miss, I would suggest using a filter such as the following:

bitcoin or tcp.port==8333

Client Startup and DNS Seeds

During the Bitcoin client startup process clients will use several different methods to discover peers.  Clients starting up for the first time will search for DNS seeds that are hard-coded into the client.  You can use the filter below to search for these queries within Wireshark.

dns.qry.name == "seed.bitcoin.sipa.be" or dns.qry.name == "dnsseed.bluematt.me" or dns.qry.name == "dnsseed.bitcoin.dashjr.org" or dns.qry.name == "bitseed.xf2.org"

These DNS seeds could change in the future but you can view them by looking at the source code for the net.cpp file in the Bitcoin client source repository.

When starting up for the first time the Bitcoin client will attempt to contact the DNS seeds hardcoded into the program.
Bitcoin client resolving the hostnames of the DNS seeds.

If the client is unable to contact the DNS seeds it will fall back to a list of hard-coded IP addresses.  These IP addresses can be found in the net.cpp file in packed binary format.  Sgornick wrote a script to test each of the IP addresses that could easily be modified to list the IPs if you wanted to build a filter to search for packets destined to these addresses.

More Useful Wireshark Filters for Bitcoin Traffic

Find clients using Bitcoin version 70001

bitcoin.version.version == 70001

Display Bitcoin frames containing peer IP addresses

bitcoin.services.network

Display frames that are part of the main Bitcoin blockchain

bitcoin.magic == 0xf9beb4d9

Display frames that are part of the Bitcoin test blockchain

bitcoin.magic == 0xfabfb5da

Bitcoin Protocol Information

The Bitcoin protocol is fairly simplistic when compared to some other protocols.  Bitcoin runs on TCP port 8333; testnet runs on port 18333 instead.  Essentially there are 18 different message types, and 6 types of structures.

For the full details on the different message types take a look at the Bitcoin protocol specification wiki.
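To make the fields behind the filters above concrete, here is an added example (not code from the original post or from any Bitcoin client) that frames and parses the 24-byte message header Wireshark's bitcoin dissector decodes: the network magic (the bitcoin.magic values 0xf9beb4d9 and 0xfabfb5da above), the 12-byte command, the payload length, and the double-SHA256 checksum, followed by the version message whose first field is what bitcoin.version.version == 70001 matches. The version payload, the user agent string, peer address, timestamp and block height are constructed sample values, not captured traffic.

```python
import hashlib
import struct
from typing import Dict

# Network magic as it appears on the wire; the same constants the Wireshark
# filters bitcoin.magic == 0xf9beb4d9 (mainnet) / 0xfabfb5da (testnet) match.
MAGIC = {
    bytes.fromhex("f9beb4d9"): ("mainnet", 8333),
    bytes.fromhex("fabfb5da"): ("testnet", 18333),
}
HEADER_LEN = 24          # 4 magic + 12 command + 4 payload length + 4 checksum
NODE_NETWORK = 1         # services bit: peer serves the full blockchain


def checksum(payload: bytes) -> bytes:
    """First four bytes of SHA256(SHA256(payload)), as carried in the header."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def build_message(magic: bytes, command: str, payload: bytes) -> bytes:
    """Wrap a payload in the Bitcoin P2P message header."""
    cmd = command.encode("ascii").ljust(12, b"\x00")
    return magic + cmd + struct.pack("<I", len(payload)) + checksum(payload) + payload


def encode_net_addr(services: int, ipv4: str, port: int) -> bytes:
    """net_addr as used inside version (no timestamp): services, IPv6-mapped IPv4, BE port."""
    ip = b"\x00" * 10 + b"\xff\xff" + bytes(int(o) for o in ipv4.split("."))
    return struct.pack("<Q", services) + ip + struct.pack(">H", port)


def build_version_payload(version: int, services: int, timestamp: int, nonce: int,
                          user_agent: str, start_height: int) -> bytes:
    """Serialize a version message payload (constructed sample, not a captured one)."""
    ua = user_agent.encode("ascii")
    assert len(ua) < 0xFD                      # one-byte var_int is enough here
    return (struct.pack("<iQq", version, services, timestamp)
            + encode_net_addr(services, "127.0.0.1", 8333)    # addr_recv
            + encode_net_addr(services, "127.0.0.1", 8333)    # addr_from
            + struct.pack("<Q", nonce)
            + bytes([len(ua)]) + ua                            # var_str user agent
            + struct.pack("<i", start_height)
            + b"\x01")                                         # relay flag (>= 70001)


def parse_header(data: bytes) -> Dict:
    """Validate magic, length and checksum; return command, network and payload."""
    if len(data) < HEADER_LEN:
        raise ValueError("truncated header")
    magic, cmd, raw_len, cksum = data[:4], data[4:16], data[16:20], data[20:24]
    if magic not in MAGIC:
        raise ValueError(f"unknown magic {magic.hex()}")
    (length,) = struct.unpack("<I", raw_len)
    payload = data[HEADER_LEN:HEADER_LEN + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    if checksum(payload) != cksum:
        raise ValueError("checksum mismatch")          # corrupted or tampered frame
    network, port = MAGIC[magic]
    return {"network": network, "port": port,
            "command": cmd.rstrip(b"\x00").decode("ascii"), "payload": payload}


def parse_version(payload: bytes) -> Dict:
    """Decode the fields of a version payload produced by build_version_payload."""
    version, services, timestamp = struct.unpack_from("<iQq", payload, 0)
    off = 20 + 26 + 26                                # skip addr_recv and addr_from
    (nonce,) = struct.unpack_from("<Q", payload, off); off += 8
    ua_len = payload[off]; off += 1                   # one-byte var_int assumed
    user_agent = payload[off:off + ua_len].decode("ascii"); off += ua_len
    (start_height,) = struct.unpack_from("<i", payload, off); off += 4
    relay = bool(payload[off]) if off < len(payload) else True
    return {"version": version, "services": services, "timestamp": timestamp,
            "full_node": bool(services & NODE_NETWORK), "nonce": nonce,
            "user_agent": user_agent, "start_height": start_height, "relay": relay}


# Constructed sample frame: a mainnet version handshake from a 70001 peer.
SAMPLE_PAYLOAD = build_version_payload(70001, NODE_NETWORK, 1370000000,
                                       0x1122334455667788, "/Satoshi:0.8.2/", 240000)
SAMPLE_FRAME = build_message(bytes.fromhex("f9beb4d9"), "version", SAMPLE_PAYLOAD)

if __name__ == "__main__":
    hdr = parse_header(SAMPLE_FRAME)
    print(hdr["network"], hdr["port"], hdr["command"], parse_version(hdr["payload"]))
```

The checksum check is the reason a single flipped byte in a capture shows up as a malformed message rather than a slightly wrong one, and the magic lookup is what lets one filter separate mainnet and testnet frames on the same host.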


Sam Kear

Sam graduated from the University of Missouri - Kansas City with a bachelors degree in Information Technology. Currently he works as a network analyst for an algorithmic trading firm. Sam enjoys the challenge of troubleshooting complex problems and is constantly experimenting with new technologies.

One thought to “Analyzing Bitcoin Network Traffic Using Wireshark”

  1. Dear Sam
    I like your experiment, analysing bitcoin using wireshark.
    I tried to follow your example some time ago to no avail. I didn't manage to catch any bitcoin packet.
    I am working on a research about anonymity of cryptocurrencies.
    Can you design and share another experiment by using the latest version of wireshark?

    Let me know
    Kind Regards
    Julius
