In order for a software application to interact with the Ethereum blockchain - either by reading blockchain data or sending transactions to the network - it must connect to an Ethereum node.

For this purpose, every Ethereum client implements a JSON-RPC specification, so there is a uniform set of methods that applications can rely on regardless of the specific node or client implementation.

Info

JSON-RPC is a stateless, light-weight remote procedure call (RPC) protocol. It defines several data structures and the rules around their processing. It is transport agnostic in that the concepts can be used within the same process, over sockets, over HTTP, or in many various message passing environments. It uses JSON (RFC 4627) as data format.

Important methods

According to the documentation, there are several JSON-RPC API methods used for different purposes. Going through them all would be overwhelming, so focusing on the most common methods is a good starting point for understanding the traffic.

  1. eth_getTransactionReceipt: Gets transaction execution receipt
  2. eth_getBalance: Checks wallet balance
  3. eth_sendTransaction: Sends new transaction
  4. eth_estimateGas: Estimates gas cost for transaction
  5. eth_chainId: Gets blockchain network ID (0x1b39 = testnet)

Analyzing with Wireshark

HTTP/HTTPS Traffic Filters

# All HTTP traffic
http

# HTTPS traffic (encrypted)
tls

# JSON-RPC calls (common for Ethereum)
http contains "jsonrpc"

# Ethereum-specific methods
http contains "eth_"

# Transaction-related calls
http contains "eth_sendTransaction" or http contains "eth_getTransactionByHash"

# Specific transaction hash
http contains "0x7b7ded2d51f0dcb1bf3fc5cc9598b81a7a622aac15d3841d377c548986e0a7c3"

# Attacker address
http contains "0x82b03246a287e5ed681b967cbd9b610a24bd5ef9"

HTTP Request sample structure:

Frame X: HTTP POST Request
├── Ethernet II Header
├── IP Header (source/destination)
├── TCP Header (port information)
└── HTTP Header
    ├── POST /api/blockchain HTTP/1.1
    ├── Content-Type: application/json
    └── JSON Payload:
        {
          "method": "eth_sendTransaction",
          "params": [{
            "from": "0x509625aaa1067a52258414db03a0a50b72714bf2",
            "to": "0x82b03246a287e5ed681b967cbd9b610a24bd5ef9",
            "value": "0x1bc16d674ec80000",
            "gas": "0x5209"
          }],
          "id": 1,
          "jsonrpc": "2.0"
        }

HTTP Response sample structure:

Frame Y: HTTP Response
└── JSON Response:
    {
      "jsonrpc": "2.0",
      "id": 1,
      "result": "0x7b7ded2d51f0dcb1bf3fc5cc9598b81a7a622aac15d3841d377c548986e0a7c3"
    }

The params are in hexadecimal format, which can be converted to decimal using any online tool. If there is a value field, it is likely to contain wei. So to get the ETH value, convert Hexadecimal -> Decimal (wei) -> ETH.
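The same conversion can be done offline instead of with an online tool. The following is an added example, not part of the original write-up: it takes JSON-RPC bodies already extracted from the capture, decodes the hex fields of each eth_sendTransaction call, converts the value from wei to ETH, and pairs each request with its response by id. The function names (hex_to_int, as_list, summarize) are hypothetical, and the sample bodies are the request and response shown above.

```python
import json
from decimal import Decimal

WEI_PER_ETH = Decimal(10) ** 18  # 1 ETH = 10**18 wei
QUANTITY_FIELDS = ("value", "gas", "gasPrice")  # hex-encoded integers in a tx object


def hex_to_int(quantity):
    """Decode a JSON-RPC hex quantity such as "0x5209"; None if missing or malformed."""
    try:
        return int(quantity, 16) if quantity.lower().startswith("0x") else None
    except (AttributeError, ValueError):
        return None


def as_list(doc):
    """JSON-RPC 2.0 allows a single object or a batch array in one HTTP body."""
    return doc if isinstance(doc, list) else [doc]


def summarize(request_body, response_body="[]"):
    """List eth_sendTransaction calls in a request body, paired to responses by id."""
    results = {r.get("id"): r.get("result")
               for r in as_list(json.loads(response_body)) if isinstance(r, dict)}
    rows = []
    for req in as_list(json.loads(request_body)):
        if not isinstance(req, dict) or req.get("method") != "eth_sendTransaction":
            continue
        params = req.get("params")
        tx = params[0] if isinstance(params, list) and params else {}
        tx = tx if isinstance(tx, dict) else {}
        row = {"id": req.get("id"), "from": tx.get("from"), "to": tx.get("to"),
               "tx_hash": results.get(req.get("id"))}
        for field in QUANTITY_FIELDS:
            row[field] = hex_to_int(tx.get(field))
        # Decimal keeps all 18 decimal places exact; float arithmetic would not.
        row["value_eth"] = None if row["value"] is None else Decimal(row["value"]) / WEI_PER_ETH
        rows.append(row)
    return rows


# Bodies taken from the sample request and response structures shown above.
SAMPLE_REQUEST = ('{"jsonrpc":"2.0","id":1,"method":"eth_sendTransaction","params":[{'
                  '"from":"0x509625aaa1067a52258414db03a0a50b72714bf2",'
                  '"to":"0x82b03246a287e5ed681b967cbd9b610a24bd5ef9",'
                  '"value":"0x1bc16d674ec80000","gas":"0x5209"}]}')
SAMPLE_RESPONSE = ('{"jsonrpc":"2.0","id":1,'
                   '"result":"0x7b7ded2d51f0dcb1bf3fc5cc9598b81a7a622aac15d3841d377c548986e0a7c3"}')

if __name__ == "__main__":
    print(summarize(SAMPLE_REQUEST, SAMPLE_RESPONSE))
```

For the sample request, the value field decodes to 2000000000000000000 wei, which is 2 ETH.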