NetPro / protocol / Overview



Data transfer

Unlike other, HTTP(S)-based MMOs/online games, Lineage II uses a custom application-layer network protocol. Data is transmitted in blocks of up to 64K bytes, called packets. A packet's structure is relatively simple (in the diagrams below, each letter represents a single byte).

| Header |    Content    |
| A | B  |C|D|E|F|G|H|I|…|

All fields (header and content) are written in little endian (a.k.a. Intel's byte order). This includes both numeric and string fields.


The only field in a packet's header is a 2-byte unsigned integer, specifying the packet's total size.

| Header |    Content    |
|  Size  |               |
| A | B  |C|D|E|F|G|H|I|…|

Thus, the largest packet size is 64K (65535 bytes), with 2 bytes reserved for size. The smallest valid packet is 2 bytes long and has no real meaning (as TCP makes keep-alives redundant).


The packet's content is what server emulators typically call 'a packet'. The content starts with a unique, variable-length prefix identifying the type of the packet, followed by the packet's actual data.

| Header |      Content      |
|  Size  | Opcode(s) |  Data |
| A | B  |C|D|E|F|G|H|I|J|K|…|


If we put protocol versions that predate Prelude BETA (336) aside, then each 'packet' (emulator-wise) starts with 1 to 3 opcodes, where the 1st opcode is a single byte, 2nd – two bytes and 3rd – four bytes.

| Header |                  Content                    |
|  Size  | Opcode1 |  Opcode2  |    Opcode3    |  Data |
| A | B  |    C    |  D  |  E  | F | G | H | I |J|K|L|…|

All transmitted data is enciphered. There are different protocol encryption schemes for login and for game server communications.
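The framing described above can be sketched as follows. This is an added example, not NetPro's own code: `PacketFramer`, `read_opcodes` and the sample bytes are constructed for illustration. It splits a TCP byte stream on the 2-byte little-endian total-size header, and `read_opcodes` applies only to content that has already been deciphered, with the opcode count passed in by the caller as an assumption.

```python
import struct

HEADER_LEN = 2  # 2-byte unsigned little-endian size; it counts the header too


class FramingError(Exception):
    """The size field is impossible, so the stream is out of sync."""


class PacketFramer:
    """Reassembles packets from arbitrary TCP read chunks."""

    def __init__(self):
        self._buf = bytearray()

    def feed(self, chunk):
        """Add received bytes; return the content of every completed packet."""
        self._buf += chunk
        contents = []
        while len(self._buf) >= HEADER_LEN:
            (size,) = struct.unpack_from("<H", self._buf, 0)
            if size < HEADER_LEN:
                # Total size includes the header, so 0 and 1 can never be valid.
                raise FramingError(f"size field {size} is below header length")
            if len(self._buf) < size:
                break  # packet still incomplete, wait for more data
            contents.append(bytes(self._buf[HEADER_LEN:size]))
            del self._buf[:size]
        return contents


def read_opcodes(content, count):
    """Split deciphered content into (opcodes, data).

    Assumption: the caller knows how many opcodes (1..3) this packet carries.
    """
    if not 1 <= count <= 3:
        raise ValueError("a packet carries 1 to 3 opcodes")
    fmt = "<" + "BHI"[:count]  # 1-byte, 2-byte, 4-byte opcodes, no padding
    n = struct.calcsize(fmt)
    if len(content) < n:
        raise ValueError("content too short for the requested opcodes")
    return struct.unpack_from(fmt, content), content[n:]


# Constructed sample (arbitrary values): an empty 2-byte packet, then a packet
# with a 1-byte opcode, a 2-byte opcode and two data bytes.
SAMPLE_STREAM = b"\x02\x00" + b"\x07\x00\xfe\x30\x00\xaa\xbb"
```

Rejecting a size below 2 matters for an intercepting proxy: such a value would otherwise never advance the buffer, and it signals that the stream is no longer aligned on packet boundaries.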


To provide a live view of transmitted data, this application intercepts, deciphers, possibly modifies, re-enciphers and forwards all incoming packets. At this time, NetPro supports only the bare Lineage II network protocol. Third-party protocol wrappers and third-party tools that negotiate the protocol state in parallel connections are not supported.

Unlike various other packet sniffers, NetPro does not actively target or take over connections. Therefore, you must manually direct the client to connect via NetPro, which makes interception of the auth connection necessary. If you are concerned about unsolicited credential transfer, see here (at the end).