```python
import dshell.core


# Dshell loads the class named DshellPlugin as the plugin entry point.
class DshellPlugin(dshell.core.ConnectionPlugin):

    def __init__(self):
        super().__init__(
            name='bitcoin',
            description='Extract Bitcoin traffic, including Stratum mining protocol (pooled) traffic',
            longdescription='''
The bitcoin plugin will extract any Bitcoin traffic, attempting to find and output:
client/server IP addresses, src/dst port numbers, MAC addresses of the machines
used in the Bitcoin communication/transactions, timestamps of the packets,
packet payload sizes in KB, and the network type
('Bitcoin Main' if Bitcoin data traffic).

Connection tuples are cached when BITCOIN-MAIN traffic is detected, such that following this,
any blobs in a cached connection that do not contain BITCOIN-MAIN magic bytes are labeled
as part of a connection containing Bitcoin traffic.

Any traffic on BITCOIN-MAIN's designated port will be labeled as potential Bitcoin traffic.

Additionally, for Stratum mining, the plugin will attempt to extract:
the Bitcoin miner being used, the transaction methods used in each connection
(mining.notify, mining.authorize, mining.get_transaction, mining.submit, etc.),
the User ID (Auth ID) used to access the Bitcoin mining pool, and possibly the password
used to connect to the pool if it is stored in the JSON of the payload.

Also, the:
range of job IDs (per connection), previous block hash, generation transaction (part 1),
generation transaction (part 2), merkle tree branches (hashes), block version,
and the hash difficulty (n-bits).
(The generation transactions and merkle tree branches are only optionally output
to a file: see Example (2) below.)

Note (1): The first time that all of this Stratum mining information is
collected (per connection), all of the packets decoded after this
point from within the same connection (same exact sip, dip, sport, dport)
will continue to output the same collection of information, since it
will be the same and is cumulative per connection.

Note (2): The gen_tx1 and gen_tx2 fields enable the miner to build the coinbase
transaction for the block by concatenating gen_tx1, the extranonce1
at the end of gen_tx1, the extranonce2 generated by the miner, and
gen_tx2 (hashes with scriptPubKeys).

Note (3): Some pools recommend miners use their Bitcoin wallet ID
(address used for payment) as their 'Auth ID'. This will be easily
spotted, as it is an address consisting of 26-35 alphanumeric characters,
and it always begins with either the number '1' or '3'.


For additional information:
Bitcoin Protocol: <https://en.bitcoin.it/wiki/Protocol_documentation>
Stratum Mining Protocol: <https://en.bitcoin.it/wiki/Stratum_mining_protocol>


--------Main ports / Some secondary ports used for Bitcoin Traffic---------
Bitcoin Main traffic uses port 8333
Bitcoin Testnet uses port 18333
Several pools use ports 3333, 8332, 8337
The other ports checked are known ports used by specific BTC mining pools
Other Bitcoin pools utilize alternate ports (even 80 / 443)
''')
```
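As an added example (not part of the Dshell plugin above), the stand-alone parser below walks a constructed Stratum exchange and pulls out the fields the long description lists: the miner string, the methods seen, the Auth ID and password, extranonce1 from the subscribe reply, and the per-job fields from mining.notify. It then rebuilds the coinbase transaction as Note (2) describes and applies the Note (3) wallet-address heuristic, restricted here to the base58 alphabet, which is stricter than "alphanumeric". All message contents and function names are my own assumptions.

```python
import json
import re

# Note (3) heuristic: starts with '1' or '3', 26-35 chars; base58 alphabet only (no 0, O, I, l).
_LEGACY_ADDR = re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$")

# Constructed one-connection Stratum exchange as newline-delimited JSON; all values are made up.
SAMPLE_STREAM = "\n".join([
    '{"id":1,"method":"mining.subscribe","params":["cgminer/4.9.0"]}',
    '{"id":1,"result":[[["mining.set_difficulty","d1"],["mining.notify","n1"]],"f8002c90",4],"error":null}',
    '{"id":2,"method":"mining.authorize","params":["1ConstructedAuthAddressxxxxxx","x"]}',
    '{"id":null,"method":"mining.notify","params":["4f","00000000aabbccdd","0100000001ffffffff20",'
    '"ffffffff0100f2052a",["aaaa","bbbb"],"20000000","1a0ff1ff","5f5e1000",true]}',
])


def parse_stratum(stream):
    """Collect the per-connection fields the plugin's long description lists."""
    info = {"miner": None, "methods": [], "auth_id": None, "password": None,
            "extranonce1": None, "extranonce2_size": None, "jobs": []}
    for line in stream.splitlines():
        try:
            msg = json.loads(line)
        except ValueError:
            continue  # blank line or a partial blob cut at a packet boundary
        method, params = msg.get("method"), msg.get("params") or []
        if method:
            info["methods"].append(method)
        if method == "mining.subscribe" and params:
            info["miner"] = params[0]
        elif method == "mining.authorize" and params:
            info["auth_id"] = params[0]
            info["password"] = params[1] if len(params) > 1 else None
        elif method == "mining.notify" and len(params) >= 7:
            info["jobs"].append({"job_id": params[0], "prevhash": params[1],
                                 "gen_tx1": params[2], "gen_tx2": params[3],
                                 "merkle_branches": params[4], "version": params[5],
                                 "nbits": params[6]})
        elif method is None and isinstance(msg.get("result"), list) and len(msg["result"]) >= 3:
            # mining.subscribe reply: [subscriptions, extranonce1, extranonce2_size]
            info["extranonce1"], info["extranonce2_size"] = msg["result"][1], msg["result"][2]
    return info


def auth_id_is_wallet_address(auth_id):
    return bool(auth_id and _LEGACY_ADDR.match(auth_id))


def coinbase_hex(job, extranonce1, extranonce2):
    """Rebuild the coinbase transaction as Note (2) describes: gen_tx1 + en1 + en2 + gen_tx2."""
    return job["gen_tx1"] + extranonce1 + extranonce2 + job["gen_tx2"]
```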