

This document contains the protocol header specifications for the BNCS, Realm, D2GS, BNLS, W3GS, and Storm UDP protocols.
BNCS Headers
BNCS stands for Battle.Net Chat Server and is the protocol that Blizzard's Battle.net enabled games use to communicate. Every BNCS message has the same header:
(UINT8) Always 0xFF
(UINT8) Message ID
(UINT16) Message length, including this header
(VOID) Message Data
The BNCS protocol is aggressively enforced by Battle.net - at least, for clients - and violations of the protocol generally result in an IP ban.
When connecting to a BNCS server, you must first tell the server which protocol you wish to use by sending a protocol ID byte before any packets. Some of the protocol IDs are:
- Game:
0x01
(see Logon Sequences for the logon sequences) - BNFTP:
0x02
(see BNFTPv1 or BNFTPv2 for the protocols) - Telnet (Chat):
0x03
,0x63
(see Telnet Protocol for the protocol) DEFUNCT
Other Battle.net protocol IDs are MCP to BNCS communication (0x04
). There is also the 0x06
and 0x81
protocols, which we know almost nothing about. At a guess, 0x06
is used for interserver synchronization (see this thread).
Realm Headers
Battle.net's Realm Servers are what control Diablo II's realms. Realm (sometimes referred to as MCP) message headers are also always the same, albeit slightly different from BNCS's:
(UINT16) Message length, including this header
(UINT8) Message ID
(VOID) Message Data
Violations of the MCP protocol are less severely enforced by MCP servers. If they IP ban at all, it is generally only for a few minutes.
When connecting to an MCP server, you must first send the protocol ID byte 0x01
before sending any packets, like for BNCS. See Diablo II Realm Server Logon Sequence for the logon sequence.
D2GS Headers
D2GS stands for Diablo 2 Game Server. This constitutes the in-game protocol used by Diablo II. The D2GS protocol is somewhat more complicated than other Blizzard protocols - most D2GS messages have set lengths, and those that don't generally have some unique way of obtaining it. The headers are as follows (for decompressed messages):
(UINT8) Message ID
(VOID) Message Data
For compressed messages the format depends on the size of the compressed chunk If the first byte is < 0xF0:
(UINT8) Message Size
(VOID) Message Data
If the first byte is >= 0xF0
(UINT8) High Message Size
(UINT8) Low Message Size
(VOID) Message Data
The length of the compressed block beginning with bytes >= 0xF0 is:
((High << 8) | Low) & 0xFFF
This size includes the length of the 1-2 byte header.
See Diablo II Game Server Accept Sequence for the logon sequence.
Botnet Headers
This is a legacy protocol from the early period of Battle.net reverse engineering.
Botnet is a system whereby bots can share information about users and send commands to each other. It is also used by various bot authors as a means of leak protection & statistics collection, and to administer BNLS & Webchannel, in addition to being a useful chat medium when more privacy is needed than Battle.net allows. The headers are as follows:
(UINT8) Protocol Version (Currently 0x01)
(UINT8) Message ID
(UINT16) Message Length, including this header
(VOID) Message Data
BNLS Headers
BNLS is the Battle.Net Logon Server, and can be used by bot authors to perform some of the computational tasks required during a Battle.net logon. It also allows bot authors to obtain useful information such as the current version byte for a game client, and has provisions for BNCS server emulator authors.
It has the following headers:
(UINT16) Message Length, including this header
(UINT8) Message ID
(VOID) Message Data
W3GS Headers
Used by both ladder games and custom games, the format of these messages are nearly the same as BNCS packets. Every packet has the same header:
(UINT8) Always 0xF7
(UINT8) Message ID
(UINT16) Message length, including this header
(VOID) Message Data
Storm UDP Protocol
This protocol is defined and processed by functions within Storm.dll
and is used for numerous games - namely, Diablo I, Warcraft II: BNE, Starcraft, and Starcraft: Brood War.
(UINT16) Checksum
(UINT16) Header Length
(UINT16) Seq1
(UINT16) Seq2
(UINT8) CLS
(UINT8) Command
(UINT8) PlayerID
(UINT8) Resend
Checksum
is performed by a storm function and is calculated on the whole message, starting atHeader Length
.Header Length
is the length of the entire message.Seq1
is the sender's position in the outbound stream.Seq2
is the most recently received message.CLS
is always a value from 0-2, 0 indicating that the message is processed by Storm, 1 for asynchronous data, 2 for synchronous data, both of which are passed onto the game client.Command
specifies the message type forCLS
type zero, but is always zero otherwise.PlayerID
is the ID of the sending player.Resend
contains control flags.
Synchronous messages contain data that all clients must process on the same turn.