Kazaa uses encrypted protocol of unknown type (probably HTTPS with the use of Microsoft CryptoAPI)
for any connections with supernodes.
For downloads the usual HTTP protocol with minor extentions is used.
Here are some examples of Kazaa HTTP headers and typical transfers.
File request by its hash (checksum)
Client request:
GET /.hash=d0633f1bfdd0fde48cf351ef8c541b67567426dd HTTP/1.1
Host: 123.52.193.31:1214
UserAgent: KazaaClient Oct 18 2002 01:57:14
X-Kazaa-Username: czarny
X-Kazaa-Network: KaZaA
X-Kazaa-IP: 213.77.151.176:2647
X-Kazaa-SupernodeIP: 206.158.106.142:1715
Connection: close
X-Kazaa-XferId: 11312345
X-Kazaa-XferUid: ytCcDgo+3sTohNl2+1Y2jYkCY6NwCA==
Server response:
HTTP/1.1 200 OK
Content-Length: 6825402
Accept-Ranges: bytes
Date: Mon, 28 Oct 2002 02:15:50 GMT
Server: KazaaClient Jul 15 2002 20:37:36
Connection: close
Last-Modified: Tue, 15 Oct 2002 15:36:45 GMT
X-Kazaa-Username: http://kazaasearch.netfirms.com/
X-Kazaa-Network: KaZaA
X-Kazaa-IP: 123.52.193.31:1214
X-Kazaa-SupernodeIP: 198.37.26.79:2577
X-KazaaTag: 5=427
X-KazaaTag: 21=128
X-KazaaTag: 6=Neil Landstrumm
X-KazaaTag: 8=Understanding Disinformation
X-KazaaTag: 4=Understanding Disinformation
X-KazaaTag: 3==0GM/G/3Q/eSM81HvjFQbZ1Z0Jt0=
Content-Type: audio/mpeg
File request by its name and ID number
Client request:
GET /14587/Art+Of+Trance+-+Madagascar+%28Cygnus+X+Mix%29+-+Dave+Ralph.mp3 HTTP/1.1
Host: 123.52.193.31:1214
UserAgent: KazaaClient Mar 30 2002 23:23:10
X-Kazaa-Username: chaosblue311
X-Kazaa-Network: KaZaA
X-Kazaa-IP: 64.57.225.216:1214
X-Kazaa-SupernodeIP: 66.75.205.152:1490
Connection: close
X-Kazaa-XferId: 8975270
Server response:
HTTP/1.1 200 OK
Content-Length: 6184960
Accept-Ranges: bytes
Date: Mon, 28 Oct 2002 02:07:59 GMT
Server: KazaaClient Jul 15 2002 20:37:36
Connection: close
Last-Modified: Sun, 03 Mar 2002 08:50:39 GMT
X-Kazaa-Username: http://kazaasearch.netfirms.com/
X-Kazaa-Network: KaZaA
X-Kazaa-IP: 123.52.193.31:1214
X-Kazaa-SupernodeIP: 198.37.26.79:2577
X-KazaaTag: 5=387
X-KazaaTag: 21=128
X-KazaaTag: 6=3
X-KazaaTag: 14=Trance
X-KazaaTag: 4=Dave Ralph
X-KazaaTag: 8=Madagascar (Cygnus X Mix)
X-KazaaTag: 3==p5hWARZ8AXXZiAvlYyOZXvpxcts=
Content-Type: audio/mpeg
Continuation of download (partial content request)
Client request:
GET /.hash=260bf58b1ec86524f8b96777c79f83ac84cc763f HTTP/1.1
Host: 123.52.193.31:1214
UserAgent: KazaaClient May 28 2002 00:23:52
X-Kazaa-Username: cbg
X-Kazaa-Network: KaZaA
X-Kazaa-IP: 10.45.206.251:1214
X-Kazaa-SupernodeIP: 169.226.236.179:2296
Range: bytes=2296337-4047806
Connection: close
X-Kazaa-XferId: 12087117
Server response:
HTTP/1.1 206 Partial Content
Content-Range: bytes 2296337-4047806/4047807
Content-Length: 1751470
Accept-Ranges: bytes
Date: Mon, 28 Oct 2002 01:54:32 GMT
Server: KazaaClient Jul 15 2002 20:37:36
Connection: close
Last-Modified: Sat, 12 Oct 2002 23:04:01 GMT
X-Kazaa-Username: http://kazaasearch.netfirms.com/
X-Kazaa-Network: KaZaA
X-Kazaa-IP: 123.52.193.31:1214
X-Kazaa-SupernodeIP: 198.37.26.79:2577
X-KazaaTag: 5=253
X-KazaaTag: 21=128
X-KazaaTag: 6=3
X-KazaaTag: 14=Techno
X-KazaaTag: 4=Batucada N 1
X-KazaaTag: 3==Jgv1ix7IZST4uWd3x5+DrITMdj8=
Content-Type: audio/mpeg
Client request:
GET /6987/07.%20Fluke%20-%20Amp.mp3 HTTP/1.1
Host: 123.52.193.31:1214
UserAgent: KazaaClient May 28 2002 00:23:52
X-Kazaa-Username: xgreg212
X-Kazaa-Network: KaZaA
X-Kazaa-IP: 192.168.1.100:1214
X-Kazaa-SupernodeIP: 64.129.181.173:1082
Range: bytes=131540-7817215
Connection: close
X-Kazaa-XferId: 7401225
Server response:
HTTP/1.1 206 Partial Content
Content-Range: bytes 131540-7817215/7817216
Content-Length: 7685676
Accept-Ranges: bytes
Date: Mon, 28 Oct 2002 02:12:22 GMT
Server: KazaaClient Jul 15 2002 20:37:36
Connection: close
Last-Modified: Thu, 27 Jun 2002 17:57:07 GMT
X-Kazaa-Username: http://kazaasearch.netfirms.com/
X-Kazaa-Network: KaZaA
X-Kazaa-IP: 123.52.193.31:1214
X-Kazaa-SupernodeIP: 198.37.26.79:2577
X-KazaaTag: 5=488
X-KazaaTag: 21=128
X-KazaaTag: 4=Amp
X-KazaaTag: 6=Fluke
X-KazaaTag: 8=Risotto
X-KazaaTag: 1=1997
X-KazaaTag: 3==/D6r3gYx+H9lihDKd8WJUtPXqr4=
Content-Type: audio/mpeg
"Server is busy" response
This is how server puts download request in a "remote queue". Kazaa client will show such download as "Remotely queued" and retry periodically based on "Retry-after" value:
HTTP/1.0 503 Service Unavailable
Retry-After: 300
X-Kazaa-Username: http://kazaasearch.netfirms.com/
X-Kazaa-Network: KaZaA
X-Kazaa-IP: 123.52.193.31:1214
X-Kazaa-SupernodeIP: 198.37.26.79:2577
Incoming connection notification
This is one of the most important parts of the protocol (besides the SN issues).
If a user reports a local IP to his supernode and others (through X-Kazaa-IP header), this means that no one can directly connect to him. But people are still able to download from those users. How this happens? That user has already connected to some supernode, and so have I, like on this cartoon:
his_computer (192.168.0.1 - local IP)
/
his_proxy,gateway, firewall, masquerading server and so on (203.1.2.3 - real IP)
/ |
his_supernode |
| |
my_supernode |
\ |
my_computer (197.1.2.3 - real IP)
Now, when I (host my_computer) click on a file reported by my_supernode, my Kazaa sends a request to my_supernode. It forwards this message to his_supernode, and his_supernode (using existing connection with him) finally to his_computer. his_computer initiates an incoming connection to me (through his_proxy, so that I now see the IP of his_proxy) and sends the HTTP message GIVE:
GIVE 2319868142
Now my Kazaa knows that the connection for that particular download is established, and from this moment everything goes as usual:
GET /.hash=51cdc39f3ca35c1c9aad5f00547497b0ac8857d4 HTTP/1.1
Host: 10.2.16.135:2482
UserAgent: KazaaClient Nov 3 2002 20:29:03
X-Kazaa-Username: defaultuser
X-Kazaa-Network: KaZaA
X-Kazaa-IP: 217.50.138.70:1979
X-Kazaa-SupernodeIP: 208.180.165.2:2645
Range: bytes=0-4314757
Connection: close
X-Kazaa-XferId: 3706885
X-Kazaa-XferUid: s3WY4k8sdIg/zbigHKlaSu7sKPXbIUFqVnGMr+o59TQ=
HTTP/1.1 206 Partial Content
Content-Range: bytes 0-4314757/4314758
Content-Length: 4314758
Accept-Ranges: bytes
Date: Sun, 26 Jan 2003 23:16:32 GMT
Server: KazaaClient Nov 3 2002 20:29:03
Connection: close
Last-Modified: Mon, 19 Aug 2002 14:37:14 GMT
X-Kazaa-Username: Jo_Dax
X-Kazaa-Network: KaZaA
X-Kazaa-IP: 10.2.16.135:2482
X-Kazaa-SupernodeIP: 12.229.170.190:2653
X-KazaaTag: 5=308
X-KazaaTag: 21=112
X-KazaaTag: 6=dj hooligan - rave nation
X-KazaaTag: 4=rave nation
X-KazaaTag: 3==Uc3DnzyjXByarV8AVHSXsKyIV9Q=
Content-Type: audio/mpeg
File listing retrieval
A client may request all shared files from any Kazaa, only knowing its IP. Here is how it goes:
Client request:
GET /.files HTTP/1.1
Host: 12.21.19.62:1214
UserAgent: KazaaClient Nov 3 2002 20:29:03
X-Kazaa-Username: defaultuser
X-Kazaa-Network: KaZaA
X-Kazaa-IP: 21.4.13.7:1214
X-Kazaa-SupernodeIP: 24.12.151.208:2133
Connection: close
Server responds with a service denial:
HTTP/1.0 403 Forbidden 38 3587965875
This response prevents any standard HTTP clients (including standard WinAPI functions CInternetOpenUrl etc.)
from any further communication. You observe two additional decimal values following the Forbidden response. First of those (38) are HTTPAuthBits (this value is stored in registry HCLM\Software\Kazaa\network_config)
and the latter is the authentification code (decimal numeric) from which the client should derive 4-byte authentification response. The requesting client sends these 4 bytes immediately (without end-of-line characters) and then server responds in a usual HTTP-OK manner:
HTTP/1.1 200 OK
Content-Length: 77429
Accept-Ranges: bytes
Date: Tue, 04 Feb 2003 03:07:38 GMT
Server: KazaaClient Nov 3 2002 20:29:03
Connection: close
Last-Modified: Tue, 04 Feb 2003 03:07:38 GMT
X-Kazaa-Username: Broadwaybaby
X-Kazaa-Network: KaZaA
X-Kazaa-IP: 12.21.19.62:3451
X-Kazaa-SupernodeIP: 128.21.197.242:1560
Content-Type: application/octet-stream
Local content listing follows that response header. Its format can be easily understood, because it's very similar to that of dbb and dat files. However, in the absense of knowledge about authentification function no one can write a custom file-retrieval client, and until then I don't see any sence in studying this format. Maybe a few days later...