From: Mick
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Yahoo and strange traffic.
Date: Tue, 17 Aug 2010 22:11:20 +0100
User-Agent: KMail/1.13.5 (Linux/2.6.34-gentoo-r1; KDE/4.4.5; x86_64; ; )
References: <4C684F59.3040903@gmail.com> <4C6AEDF7.1020507@gmail.com>
In-Reply-To: <4C6AEDF7.1020507@gmail.com>
Message-Id: <201008172211.32089.michaelkintzios@gmail.com>

On Tuesday 17 August 2010 21:15:51 Dale wrote:
> Mick wrote:
> > On 17 August 2010 15:29, BRM wrote:
> >> ----- Original Message ----
> >>
> >>> From: Dale
> >>>
> >>> Adam Carter wrote:
> >>>> Is this easy to do? I have no idea where to start except that
> >>>> wireshark is installed.
> >>>>
> >>>> Yep, start the capture with Capture -> Interfaces and click on the
> >>>> start
> >>>
> >>> button next to the correct interface, then right click on one of the
> >>> packets that is to the yahoo box and choose Decode As, set the port
> >>> and protocol, then apply. You'll
> >>>
> >>> need to understand the semantics of HTTP for it to be of much use tho.
> >>> You had me until the last part. No semantics here. lol May see if
> >>> I can post a little and see if anyone can figure out what the heck it
> >>> is doing. I'm thinking some crazy bug or something. Maybe checking
> >>> for updates not realizing it's
> >>>
> >>> Kopete instead of a Yahoo program.
> >>
> >> Wireshark will show you the raw packet data, and decode only a little of
> >> it - enough to identify the general protocol, senders, etc.
> >> So to understand the packet, you will need to understand the application
> >> layer protocol - in this case HTTP - yourself as Wireshark won't help
> >> you there.
> >>
> >> But yet, Wireshark, nmap, and nessus security scanner are the tools,
> >> less so nessus as it really is more of a port scanner/security hole
> >> finder than a debug tool for applications (it's basically an interface
> >> for nmap for those purposes).
> >
> > I'm not at home to experiment and I don't use yahoo, but port 5050 is
> > typically used for mmcc = multi media conference control - does yahoo
> > offer such a service? It could be a SIP server running there for VoIP
> > between Yahoo registered users or something similar.
> >
> > The http connection could be offered as an alternative proxy
> > connection to the yahoo IM servers for users who are behind
> > restrictive firewalls. Have you asked as much in the Yahoo user
> > groups?
> >
> > The fact that the threads continue after kopete has shut down is not
> > necessarily of concern as was already explained, unless it carries on
> > and on for a long time and the flow of packets continues. I don't
> > know how yahoo VoIP works. Did you install some plugin specific for
> > yahoo services? If it imitates the Skype architecture then it
> > essentially runs proxies on clients' machines and this could be an
> > explanation for the traffic.
>
> I don't have VoIP, Skype or that sort of thing here. Here is my Kopete
> info tho:
>
> [ebuild R ] kde-base/kopete-4.4.5-r1 USE="addbookmarks autoreplace
> contactnotes groupwise handbook highlight history nowlistening pipes
> privacy ssl statistics texteffect translator urlpicpreview yahoo
> zeroconf (-aqua) -debug -gadu -jabber -jingle (-kdeenablefinal)
> (-kdeprefix) -latex -meanwhile -msn -oscar -otr -qq -skype -sms -testbed
> -v4l2 -webpresence -winpopup" 0 kB
>
> Anything there that could cause a problem?
No, I can't see anything suspicious, you don't even have skype or v4l2
enabled, so it is unlikely that it is running some webcam stream (as part of
VoIP).
-- 
Regards,
Mick
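As an added example (not code from the thread, from Kopete or from Yahoo), the following Python script reads /proc/net/tcp-style output and lists every socket whose peer port is 5050 (the Yahoo IM port discussed above) or 80 (the HTTP alternative), with its TCP state and the process holding it, if any. That answers the "connections continue after kopete has shut down" question more directly than a packet capture: a socket with no owning process is kernel-held (e.g. TIME_WAIT) and will drain on its own. The sample /proc/net/tcp rows and the peer address 68.51.34.17 are constructed.

```python
# Added example: decode /proc/net/tcp rows, keep those talking to the Yahoo
# ports (5050, or 80 for the HTTP fallback) and find which process owns each.
import os
import socket
import struct

TCP_STATES = {  # numeric socket states as used by the Linux kernel
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}

def decode_addr(hexaddr):
    """'0100007F:13BA' -> ('127.0.0.1', 5050): IPv4 is little-endian hex, port is hex."""
    ip_hex, port_hex = hexaddr.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def parse_proc_net_tcp(text, remote_ports=(5050, 80)):
    """Return [(local, remote, state, inode)] for rows whose remote port is of interest."""
    hits = []
    for line in text.splitlines()[1:]:  # first line is the column header
        f = line.split()
        if len(f) < 10:
            continue
        local, remote = decode_addr(f[1]), decode_addr(f[2])
        if remote[1] in remote_ports:
            hits.append((local, remote, TCP_STATES.get(f[3], f[3]), int(f[9])))
    return hits

def owner_pid(inode):
    """Scan /proc/*/fd for 'socket:[inode]'; None = no process holds the socket."""
    target = "socket:[%d]" % inode
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            for fd in os.listdir("/proc/%s/fd" % pid):
                if os.readlink("/proc/%s/fd/%s" % (pid, fd)) == target:
                    return int(pid)
        except OSError:  # process exited meanwhile, or its fds are not ours to read
            continue
    return None

# Constructed sample: an sshd listener plus two sockets to a made-up peer 68.51.34.17.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0A00000A:C1F4 11223344:13BA 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1
   2: 0A00000A:C1F5 11223344:0050 08 00000000:00000000 00:00000000 00000000  1000        0 67891 1 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    for local, remote, state, inode in parse_proc_net_tcp(SAMPLE):
        print("%s:%d -> %s:%d %s pid=%s" % (local + remote + (state, owner_pid(inode))))
```

To run it against the live machine, replace SAMPLE with the contents of /proc/net/tcp; owner_pid needs to run as the user owning the sockets (or root) to read other processes' fd links.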