December 19, 2007

Network Captures – IM decoding

Category: Log Analysis — Raffael Marty @ 11:45 pm

I just had a moment of awe. I was playing around with packet captures and was wondering whether Wireshark would still ship with a command line alternative for the GUI version. I always liked Ethereal for its protocol analysis capabilities. I pretty quickly found out that the command line version was still maintained. Now called tshark. I was sort of shocked, when I realized how much protocol traffic was actually decoded:

~/tmp$ sudo tshark -ni en1
Capturing on en1
2.004403 -> MSNMS USR 1 1452999922.70216123.6471199
3.672270 -> AIM Buddylist Offgoing Buddy: ZZZZZZZZZZ
3.673979 -> AIM Buddylist Offgoing Buddy: ZZZZZZZZZZ
5.136301 -> MSNMS [TCP Retransmission] USR 1 OK Raffael%20Marty
5.136735 -> MSNMS CAL 2
5.174140 -> MSNMS CAL 2 RINGING 1111111111
6.750004 -> MSNMS JOI XXXX%20Buding%20in%20boston

It understands the IM protocols (above version is anonymized)! I wonder how I could exploit this for some interesting visualization.

1 Comment »

  1. just use then everything is sent over ssl of course i guess if anyone wants to see my im’s they would just see all of the complaints i have about my typical daily bitching about life…

    Comment by tr — December 21, 2007 @ 4:20 am

RSS feed for comments on this post. | TrackBack URI

Leave a comment

XHTML ( You can use these tags): <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong> .