The Napster Protocol
I spent four hours reverse engineering the Napster protocol using the NetBoy Windows analysis suite. The results are below. They are not complete, and probably never will be, because the OpenNap project has documented the protocol far, far more comprehensively and continues to update and refine its work at a frequency that I have no desire to replicate. READ HERE for the most accurate documentation of the Napster protocol.
The below work will remain here for posterity and to just give you a rough feel for how the protocol works. Please note that I have replaced specific usernames with "username" or "myusername" to protect the privacy of others. For this reason, the packet sizes will not be correct...
Not Covered
- How account setup is managed
- Administrative commands
- More details about sending/receiving files
- When "User Error" or such messages are sent
- modified the page to make it clear that this page is inactive (pointing people to OpenNap instead)
- Added administrative commands list
- corrected a few tidbits
- initial document release
Network Configuration
Napster appears to have cubes at globalcenter and at AboveNet. Their main router at abovenet is 208.184.213.7.
redirect servers: (server.napster.com:8875)
- 208.184.216.222
- 208.184.216.223
servers:
- 208.178.163.61 (globalcenter)
- 208.178.175.130-4 (globalcenter)
- 208.184.216.202,204-209,211-215,217-221 (abovenet @ sjc2:colo8)
- 208.49.239.242,7,8 (globalcenter)
ports: 4444,5555,6666,7777,8888
Interesting. It looks like their general strategy is to cluster in blocks of 5 IP addresses (corresponding to grouped rackmounts?), with 5 port numbers per server for process redundancy. I bet they started with GlobalCenter but decided to move in with AboveNet at its SJC2 colocation facility now that they have their stuff together. That's where the organized clusters are. The GlobalCenter unit looks like it's not in California, but connected via an OC48 line to GlobalCenter's Herndon, VA node. (Thanks to Ben Byer!)
Protocol Breakdown
Initial Connection
DNS lookup server.napster.com
SYN (connect) -> 208.184.216.222 [connects port 8875 on server to 1876 locally]
RECEIVED 80 bytes of data: "208.49.239.247:5555" (zero-padded)
RECEIVED 6 0-bytes (Keepalive/synch)
RESPONDS with 2 0-size packets (ACK)
SYN (connect) -> 208.49.239.247 [connects port 5555 (surprise) to port 1877 locally]
SENT to server: 28 00 02 00 username password 23 "v2.0 BETA 5" 10 4398560
RECEIVED 6 0-bytes
RECEIVED 10 00 00 00 "Invalid Password"
RECEIVED 6 0-bytes
connects again to main server, who suggests 208.178.175.133:8888 this time (fails)
connects again to main server, who suggests 208.184.216.204 (succeeds)
RECEIVES 00 00 10 00 03 00 anon@napster.com
SENT 0A 00 0D 00 nuprin1715
RECEIVED 0E 00 D6 00 "979 147566 587"
Request for Chat List
SENT 00 00 69 02 (CHATLIST REQ)
RECEIVED
26 00 6A 02 "Lobby 33 Welcome to the Lobby channel" 2E
22 00 6A 02 "Rap 27 Welcome to the Rap channel" 2E
23 00 6A 02 "Game 0 Welcome to the Game channel" 2E
24 00 6A 02 "Rock 14 Welcome to the Rock channel" 2E
35 00 6A 02 "International 1 Welcome to the International channel" 2E
...
35 00 6A 02 "RadioVersions 0 Welcome to the RadioVersions Channel" 2E
00 00 69 02 (CHATLIST REQ)
Joining a Channel
SENT 06 00 90 01 "Trance" (JOIN REQUEST)
RECEIVED 00 00 00 00 00 00 (SYNC)
06 00 95 01 "Trance" (JOIN GRANTED)
1B (string size) 00 98 01 "Trance username #songs conn#" (USER LISTING)
...
06 00 99 01 "Trance" (CHANNEL NAME)
25 00 9A 01 "Trance Welcome to the Trance channel" 2E (CHANNEL DESC)
connection types:
- 10 = T3 (or greater)
- 9 = T1
- 8 = DSL
- 7 = Cable modem
- 6 = 128k ISDN
- 5 = 64k ISDN
- 4 = 56k Modem
- 3 = 33.6 Modem
- 2 = 28.8 Modem
- 1 = 14.4 Modem
- 0 = Unknown
Talking on a Channel
SENT 0C 00 92 01 Trance hello (size 00 92 01 channel message)
RECEIVED 12 00 93 01 Trance myusername hello (size 00 93 01 channel user message)
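Added example, not part of the original write-up: read as a byte stream, each message in the traces above is a two-byte little-endian size, a two-byte little-endian type code, then the text. The Python parser below splits a stream on that framing, keeps an incomplete frame for the next read, and rejects a declared size above MAX_PAYLOAD, a cap assumed here; parse_frames, describe and SAMPLE are names made up for this example.

```python
import struct

# Type codes and labels taken from the traces on this page.
TYPE_NAMES = {
    0x0190: "JOIN REQUEST",
    0x0192: "channel message",
    0x0193: "channel user message",
    0x0195: "JOIN GRANTED",
    0x0269: "CHATLIST REQ",
}
MAX_PAYLOAD = 4096  # assumed cap for this example; the 16-bit field allows 65535


def parse_frames(buf):
    """Split buf into (type, payload) frames; return (frames, unconsumed bytes)."""
    frames, off = [], 0
    while len(buf) - off >= 4:
        length, msg_type = struct.unpack_from("<HH", buf, off)
        if length > MAX_PAYLOAD:
            # Reject before buffering: a peer-declared length is untrusted input.
            raise ValueError(f"declared length {length} exceeds cap {MAX_PAYLOAD}")
        if len(buf) - off - 4 < length:
            break  # frame not fully received yet; keep it for the next read
        frames.append((msg_type, bytes(buf[off + 4:off + 4 + length])))
        off += 4 + length
    return frames, bytes(buf[off:])


def describe(msg_type, payload):
    """Render one frame using the page's label, or the raw type code if unlabelled."""
    name = TYPE_NAMES.get(msg_type, f"type 0x{msg_type:04x}")
    return f"{name}: {payload.decode('latin-1')}"


# Constructed sample: frames from the traces above whose size bytes match their text.
SAMPLE = (
    bytes.fromhex("0c009201") + b"Trance hello"
    + bytes.fromhex("00006902")
    + bytes.fromhex("26006a02") + b"Lobby 33 Welcome to the Lobby channel."
    + bytes.fromhex("10000000") + b"Invalid Password"
)

if __name__ == "__main__":
    frames, rest = parse_frames(SAMPLE)
    for msg_type, payload in frames:
        print(describe(msg_type, payload))
    print("unconsumed bytes:", len(rest))
```

Traces where a username was replaced (for example the 12 00 93 01 reply) will not parse with their printed size byte, for the reason given at the top of the page.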
Private Messages
SENT 0B 00 CD 00 myusername hello (size 00 cd 00 touser message)
RECEIVED 0B 00 CD 00 myusername hello (size 00 cd 00 fromuser message)
Whois Requests
SENT 05 00 5B 02 username
RECEIVED 3D 00 5C 02 username "User" 6025 "Trance " "Active" 127 0 0 10 "v2.0 BETA 5"
Leaving a Chat Room
SENT 06 00 91 01 Trance
RECEIVED [6-byte ack]
Searching for Songs
SENT 41 00 C8 00 FILENAME CONTAINS "aaaa" MAX_RESULTS 123 LINESPEED "AT BEST" 8 BITRATE "AT LEAST" "128" FREQ "EQUAL TO" "32000"
RECEIVED 00 00 CA 00 00 00 (NO RESULT)
RECEIVED (on different query)
81 00 C9 00 "c:\WINDOWS\DESKTOP\mp3s\Nirvana-Lithium.mp3" (32-byte checksum) (size in bytes) (bitrate in kbps) (freq) (duration in seconds) (username) (magic cookie - "643813570") (line speed)
92 00 C9 00 "G:\Program Files\napster\Music\NIRVANA - Smells Like Teen Spirit.mp3" (32-byte checksum) ...
00 00 CA 00 00 00
[note] Even though Napster transmits the complete location of the file (and it's also in the request) it seems to not have opened up any security holes to date.
NOTE: ping time requirements not SENT to server (duh).
Hotlisting a User
SENT 0E 00 CF 00 username
RECEIVED 0E 00 2D 01 username (user is online)
10 00 D1 00 username (user added to hotlist)
Listing a User's Files
SENT 0E 00 D3 00 username
RECEIVED 85 00 D4 00 username "D:\Nyhemladdade mp3 or\POWER-BEAT - Dance Club Megamixes.mp3" (32-byte checksum) (size in bytes) (kbps) (freq) (length in seconds)
...
(size) 00 D5 00 (username) (= END OF RESULTS)
Requesting a File
SENT 2A 00 CB 00 username "C:\MP3\REM - Everybody Hurts.mp3"
RECEIVED 2E 00 CC 00 "157.22.134.22" 4005 "REM - Everybody Hurts.mp3"
[handshake directly with 157.22.134.22 on port 4005]
RECEIVED from client 31 00 00 00 00 00
SENT to client GET
RECEIVED from client 00 00 00 00 00 00
SENT to client Myusername "C:\MP3\REM - Everybody Hurts.mp3"
RECEIVED from client (size in bytes)
SENT to server 00 00 DD 00 (give the go-ahead thru server)
RECEIVED from client [file transfer begins]
Historical Context
This document represents reverse-engineering work performed in early 2000 during the height of the peer-to-peer file sharing era. The Napster protocol documented here was used by millions of users before the service was shut down following legal action from the recording industry in 2001. This analysis helped inform the development of subsequent peer-to-peer protocols and networks.
Legal Disclaimer: This historical information is preserved for educational and technical archival purposes only. The original Napster service was shut down in 2001, and this information is no longer applicable to any current services.