On Tuesday 17 August 2010 21:15:51 Dale wrote:
> Mick wrote:
> > On 17 August 2010 15:29, BRM wrote:
> >> ----- Original Message ----
> >>
> >>> From: Dale
> >>>
> >>> Adam Carter wrote:
> >>>> Is this easy to do? I have no idea where to start except that
> >>>> wireshark is installed.
> >>>>
> >>>> Yep, start the capture with Capture -> Interfaces and click on the
> >>>> start
> >>>
> >>> button next to the correct interface, then right click on one of the
> >>> packets that is to the yahoo box and choose Decode As set the port
> >>> and protocol then apply. You'll
> >>>
> >>> need to understand the semantics of HTTP for it to be of much use tho.
> >>> You had me until the last part. No semantics here. lol May see if
> >>> I can post a little and see if anyone can figure out what the heck it
> >>> is doing. I'm thinking some crazy bug or something. Maybe checking
> >>> for updates not realizing it's
> >>>
> >>> Kopete instead of a Yahoo program.
> >>
> >> Wireshark will show you the raw packet data, and decode only a little of
> >> it - enough to identify the general protocol, senders, etc.
> >> So to understand the packet, you will need to understand the application
> >> layer protocol - in this case HTTP - yourself as Wireshark won't help
> >> you there.
> >>
> >> But yet, Wireshark, nmap, and nessus security scanner are the tools,
> >> less so nessus as it really is more of a port scanner/security hole
> >> finder than a debug tool for applications (it's basically an interface
> >> for nmap for those purposes).
> >
> > I'm not at home to experiment and I don't use yahoo, but port 5050 is
> > typically used for mmcc = multi media conference control - does yahoo
> > offer such a service? It could be a SIP server running there for VoIP
> > between Yahoo registered users or something similar.
> >
> > The http connection could be offered as an alternative proxy
> > connection to the yahoo IM servers for users who are behind
> > restrictive firewalls. Have you asked as much in the Yahoo user
> > groups?
> >
> > The fact that the threads continue after kopete has shut down is not
> > necessarily of concern as was already explained, unless it carries on
> > and on for a long time and the flow of packets continues. I don't
> > know how yahoo VoIP works. Did you install some plugin specific for
> > yahoo services? If it imitates the Skype architecture then it
> > essentially runs proxies on clients' machines and this could be an
> > explanation for the traffic.
>
> I don't have VoIP, Skype or that sort of thing here. Here is my Kopete
> info tho:
>
> [ebuild R ] kde-base/kopete-4.4.5-r1 USE="addbookmarks autoreplace
> contactnotes groupwise handbook highlight history nowlistening pipes
> privacy ssl statistics texteffect translator urlpicpreview yahoo
> zeroconf (-aqua) -debug -gadu -jabber -jingle (-kdeenablefinal)
> (-kdeprefix) -latex -meanwhile -msn -oscar -otr -qq -skype -sms -testbed
> -v4l2 -webpresence -winpopup" 0 kB
>
> Anything there that could cause a problem?

No, I can't see anything suspicious, you don't even have skype or v4l2
enabled, so it is unlikely that it is running some webcam stream (as part
of VoIP).
--
Regards,
Mick