December 19, 2007

Network Captures – IM decoding

Category: Log Analysis — Raffael Marty @ 11:45 pm

I just had a moment of awe. I was playing around with packet captures and was wondering whether Wireshark would still ship with a command-line alternative to the GUI version. I always liked Ethereal for its protocol analysis capabilities. I pretty quickly found out that the command-line version was still maintained; it is now called tshark. I was sort of shocked when I realized how much protocol traffic was actually decoded:

~/tmp$ sudo tshark -ni en1
Capturing on en1
2.004403 192.168.0.12 -> 207.46.27.163 MSNMS USR 1 YYYYYYY@hotmail.com 1452999922.70216123.6471199
3.672270 205.188.8.233 -> 192.168.0.12 AIM Buddylist Offgoing Buddy: ZZZZZZZZZZ
3.673979 205.188.7.244 -> 192.168.0.12 AIM Buddylist Offgoing Buddy: ZZZZZZZZZZ
5.136301 207.46.27.163 -> 192.168.0.12 MSNMS [TCP Retransmission] USR 1 OK YYYYY@hotmail.com Raffael%20Marty
5.136735 192.168.0.12 -> 207.46.27.163 MSNMS CAL 2 XXXXXX@hotmail.com
5.174140 207.46.27.163 -> 192.168.0.12 MSNMS CAL 2 RINGING 1111111111
6.750004 207.46.27.163 -> 192.168.0.12 MSNMS JOI XXXXXXX@hotmail.com XXXX%20Buding%20in%20boston

It understands the IM protocols (the output above is anonymized)! I wonder how I could exploit this for some interesting visualization.
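As an added example (not code from the original post), the Python below parses tshark's one-line-per-packet summaries like the ones above, strips expert-info flags such as [TCP Retransmission], pulls out the MSNMS commands and the cleartext identifiers (passport addresses, URL-encoded display names, AIM buddy names) that anyone on the path can read, and builds a (src, dst, protocol) edge list rendered as Graphviz DOT for visualization. The sample capture text is constructed for this example and modelled on the anonymized output in the post; the addresses and names in it are placeholders, not captured data.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Constructed sample, modelled on the anonymized tshark output in the post.
# Addresses and names are placeholders, not captured data.
SAMPLE_CAPTURE = """\
Capturing on en1
  2.004403 192.168.0.12 -> 207.46.27.163 MSNMS USR 1 alice@example.com 1452999922.70216123.6471199
  3.672270 205.188.8.233 -> 192.168.0.12 AIM Buddylist Offgoing Buddy: bob_on_aim
  3.673979 205.188.7.244 -> 192.168.0.12 AIM Buddylist Offgoing Buddy: bob_on_aim
  5.136301 207.46.27.163 -> 192.168.0.12 MSNMS [TCP Retransmission] USR 1 OK alice@example.com Alice%20Example
  5.136735 192.168.0.12 -> 207.46.27.163 MSNMS CAL 2 carol@example.com
  5.174140 207.46.27.163 -> 192.168.0.12 MSNMS CAL 2 RINGING 1111111111
  6.750004 207.46.27.163 -> 192.168.0.12 MSNMS JOI carol@example.com Carol%20in%20Boston
"""

# One tshark summary line: time, src, "->", dst, protocol column, info column.
LINE_RE = re.compile(
    r"^\s*(?P<time>\d+\.\d+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+(?P<info>.*)$"
)
# Expert-info flags that tshark prepends to the info column, e.g. "[TCP Retransmission]".
FLAGS_RE = re.compile(r"^(?:\[[^\]]*\]\s*)+")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")
AIM_BUDDY_RE = re.compile(r"Buddy:\s*(\S+)")


def parse_summary(text):
    """Turn tshark's one-line-per-packet output into a list of dicts."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # "Capturing on en1" and other non-packet lines
        rec = m.groupdict()
        rec["time"] = float(rec["time"])
        flags = FLAGS_RE.match(rec["info"])
        if flags:
            rec["flags"] = re.findall(r"\[([^\]]*)\]", flags.group(0))
            rec["info"] = rec["info"][flags.end():]
        else:
            rec["flags"] = []
        records.append(rec)
    return records


def msn_commands(records):
    """(command, args) for each MSNMS packet; the command is the first info token."""
    out = []
    for r in records:
        if r["proto"] == "MSNMS":
            tokens = r["info"].split()
            if tokens:
                out.append((tokens[0], tokens[1:]))
    return out


def identities(records):
    """Cleartext identifiers visible to anyone on the path, grouped by kind."""
    seen = defaultdict(set)
    for r in records:
        if r["proto"] == "MSNMS":
            tokens = r["info"].split()
            for addr in EMAIL_RE.findall(r["info"]):
                seen["msn_passport"].add(addr.lower())
            # "USR ... OK" and "JOI" carry the URL-encoded display name as the last token
            if tokens and (tokens[0] == "JOI" or (tokens[0] == "USR" and "OK" in tokens)):
                seen["msn_display_name"].add(unquote(tokens[-1]))
        elif r["proto"] == "AIM":
            m = AIM_BUDDY_RE.search(r["info"])
            if m:
                seen["aim_buddy"].add(m.group(1))
    return dict(seen)


def edge_list(records):
    """Count (src, dst, protocol) triples: the edges of a host-to-server conversation graph."""
    return Counter((r["src"], r["dst"], r["proto"]) for r in records)


def to_dot(edges):
    """Render the edge list as Graphviz DOT, one edge per (src, dst, proto), labelled with its count."""
    lines = ["digraph im_traffic {", "  rankdir=LR;"]
    for (src, dst, proto), n in sorted(edges.items()):
        lines.append(f'  "{src}" -> "{dst}" [label="{proto} x{n}"];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    recs = parse_summary(SAMPLE_CAPTURE)
    print(identities(recs))
    print(to_dot(edge_list(recs)))
```

To feed it a real capture, pipe tshark's summary output into parse_summary, for example `tshark -r capture.pcap -Y "msnms || aim"` (`-Y` is the display-filter option in current tshark releases; older builds used `-R`). The identities() output is the practical point behind the decoding: everything it returns travelled in cleartext, which is why a passive observer on the same segment sees it.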

1 Comment »

  1. Just use https://mail.google.com, then everything is sent over SSL. Of course, I guess if anyone wants to see my IMs they would just see all of the complaints I have about my typical daily bitching about life…

    Comment by tr — December 21, 2007 @ 4:20 am
