Haiyang Si
R&D Engineer 2

ATI Minecraft

March 29, 2016 by Haiyang Si

Author: Haiyang Si. Minecraft is a game about breaking and placing blocks. Players can worked together to create wonderful, imaginative things. It is supported on many platforms, such as PC/Mac, Xbox 360, Xbox One, PS3 and PS4, etc.

Now, Ixia ATI supports the Minecraft 1.8.9 PC version. Users can emulate the communication between the game client and multiplayer servers.

Get Plaintext TCP Stream

Minecraft provides a perfect wiki to help developers understand the Minecraft Protocol. Also, there are many open source Minecraft projects online. But most of them just provide source code and only a few support the latest version. What should a beginner do to write his/her own Minecraft client/server? The following will introduce this step by step.

Although the Wiki – Protocol page has a great introduction of the Minecraft protocol, Minecraft developers might not find the ‘Packet ID’ in the TCP stream. This is because the data is encrypted. The document doesn’t mention how to generate a plaintext payload between Client and Server. Generating a plaintext payload is very important. It is the only way to check if the implementation is correct or not. Developers can make a plaintext payload in this way:

1. Download Minecraft Server from its official website.

2. Run the server.

3. Server should generate a file named ‘eula’. Edit it and make sure ‘eula=true’.

4. Reboot the server. Edit file ‘server’ and change ‘online-mode=false’, ‘network-compression-threshold=-1’ (optional), and save the file server. There are many other parameters. Developers can configure based on his/her requirement.

5. Reboot the server. Connect the client and server. Now monitor the TCP stream. You will find that the TCP payload matches the Minecraft Protocol described in Wiki.

The standard Minecraft login process is as follows:

1. C→S: Handshake with Next State set to 2 (login)

2. C→S: Login Start

3. S→C: Encryption Request

4. Client auth

5. C→S: Encryption Response

6. Server auth, both enable encryption

7. S→C: Login Success and Set Compression

After the configuration, the login process is simplified as:

  1. C→S: Handshake with Next State set to 2 (login)

2. C→S: Login Start

3. S→C: Login Success and Set Compression

Now the developer can get the plaintext in the TCP payload. Figure 1 is a server-bound Handshake frame. You can find its format here.



Figure 1: Handshake

ATI Minecraft Test on BreakingPoint System

The ATI Engine can emulate different kinds of Minecraft actions. This is a test on the BreakingPoint System.


Figure 2: Minecraft Application Traffic on the BreakingPoint System

Figure 2 is a Superflow that emulates a login sequence from a client to a multiplayer server. It is combined with 19 different Minecraft actions in client and server.


Wireshark doesn’t support Minecraft so far, but it allows users to customize a dissector for a specific protocol. I have implemented a Minecraft dissector that you can download here.


Figure 3: Wireshark detects Minecraft 1.8.9 traffic with the Minecraft dissector

The Figure 3 Wireshark can detect a Minecraft application data stream. This means the Minecraft traffic generated by ATI engine is correct.

You can now successfully use the BreakingPoint to generate Minecraft traffic as part of your network testing criteria, validating your DPI recognition of Minecraft traffic on your network. Besides our Wireshark dissector we’ve supplied, we’re also adding a Minecraft signature to our ATI Processor product. This support will give you visibility into how much of your traffic is being used for Minecraft and allow you to make intelligent decisions on such traffic.


Leverage Subscription Service to Stay Ahead of Attacks