Sniffing Traffic from Lightning Node Client

6 replies 130 views
Posts: 21 · Reputation: 205
#1May 4, 2017, 10:43 AM
Hey everyone, I'm trying to capture the traffic from the p2p Lightning Network and analyze it with Wireshark or another packet capture tool. The problem is that the traffic is encrypted. Is there any node implementation out there that allows you to pull the key used for encrypting this traffic? If anyone has suggestions on how to capture and read this traffic without needing to extract the key from the node, like maybe setting up a man-in-the-middle situation between the Node and the P2P network, I'd really appreciate any tips. Thanks for your help! Cheers, SS
6 Reply Quote Share
colddiamondHero Member
Posts: 623 · Reputation: 2467
#2May 4, 2017, 01:23 PM
Assuming you are running the node and using LND as an example in the lnd.conf file you can specify the TLS certificate used: https://docs.lightning.engineering/lightning-network-tools/lnd/lnd.conf Not perfect and you won't get everything but anything connecting to your node can then be read. As a cheat, if you just want to see what is going on in general you can setup a bunch of nodes that just talk to each other and read all of their traffic. -Dave
5 Reply Quote Share
Posts: 21 · Reputation: 205
#3May 4, 2017, 05:46 PM
Hi Dave, Thanks for your answer! Checking the link you provided, I'm only able to see configuration for the TLS certificate on RPC connections. I don't know if the node will use the same certificate, but I'm looking to read the p2p network messages (gossip protocol). I mean, the messages that are sent between the nodes.
0 Reply Quote Share
colddiamondHero Member
Posts: 623 · Reputation: 2467
#4May 4, 2017, 07:33 PM
I just read though and did a quick search of https://github.com/lightning/bolts/blob/master/07-routing-gossip.md and did not see anything mentioning encryption. Odd, but you have to have some certificate someplace that you send your side to when they connect. Didn't check, IS it even encrypted? I mean it's 'sudo public' information being sent. -Dave
6 Reply Quote Share
Posts: 21 · Reputation: 205
#5May 5, 2017, 12:56 AM
I guess it is, for privacy and security reasons. https://github.com/lightning/bolts/blob/master/08-transport.md As far as I understand from here, it uses the node ID (a pubkey) to encrypt the traffic. SS
2 Reply Quote Share
LuckyCoinLegendary
Posts: 832 · Reputation: 4795
#6May 5, 2017, 04:04 AM
It looks like it's a non-standard authentication method, not using TLS but it is using keys on the secp256k1 curve and a form of ECDH called Noise_XK. In order to get the session key that is generated by this algorithm which encrypts the traffic, you'll have to find a utility which allows you to replicate the Noise_XK key exchange process.
1 Reply Quote Share
Posts: 21 · Reputation: 205
#7May 5, 2017, 06:19 AM
Thank you! It looks like it. If anyone knows how to do it it will really help. SS
4 Reply Quote Share

Related topics