public inbox for gentoo-user@lists.gentoo.org
* [gentoo-user] Yahoo and strange traffic.
@ 2010-08-15 20:34 Dale
  2010-08-15 20:55 ` Paul Hartman
  2010-08-15 21:32 ` Mick
  0 siblings, 2 replies; 31+ messages in thread
From: Dale @ 2010-08-15 20:34 UTC (permalink / raw
  To: gentoo-user

Hi folks,

I been noticing the past few weeks that something is communicating with 
Yahoo at these addresses:

cs210p2.msg.sp1.yahoo.com

rdis.msg.vip.sp1.yahoo.com

I thought it was Kopete getting some info, profile pics maybe, from the 
server.  Thing is, it does this for a really long time.  It is also 
SENDING data as well.  I have no idea why it is doing this or what it is 
sending.  I closed the Kopete app but the data still carries on.   This 
"transfer" has been going for a while now and the only way I can stop it 
is to stop the network, wait a minute or two for it to time out and then 
restart the network.

Anybody have any idea what the heck this is?  Is Yahoo up to something?  
Some new security issue that I haven't heard of?

Thanks.

Dale

:-)  :-)



^ permalink raw reply	[flat|nested] 31+ messages in thread

* Re: [gentoo-user] Yahoo and strange traffic.
  2010-08-15 20:34 [gentoo-user] Yahoo and strange traffic Dale
@ 2010-08-15 20:55 ` Paul Hartman
  2010-08-15 21:18   ` BRM
  2010-08-15 21:29   ` Alan McKinnon
  2010-08-15 21:32 ` Mick
  1 sibling, 2 replies; 31+ messages in thread
From: Paul Hartman @ 2010-08-15 20:55 UTC (permalink / raw
  To: gentoo-user

On Sun, Aug 15, 2010 at 3:34 PM, Dale <rdalek1967@gmail.com> wrote:
> Hi folks,
>
> I been noticing the past few weeks that something is communicating with
> Yahoo at these addresses:
>
> cs210p2.msg.sp1.yahoo.com
>
> rdis.msg.vip.sp1.yahoo.com
>
> I thought it was Kopete getting some info, profile pics maybe, from the
> server.  Thing is, it does this for a really long time.  It is also SENDING
> data as well.  I have no idea why it is doing this or what it is sending.  I
> closed the Kopete app but the data still carries on.   This "transfer" has
> been going for a while now and the only way I can stop it is to stop the
> network, wait a minute or two for it to time out and then restart the
> network.
>
> Anybody have any idea what the heck this is?  Is Yahoo up to something?
>  Some new security issue that I haven't heard of?

I think it's normal.

The first address is one of their pool of messaging servers and the
second is a web server, probably like you said for retrieving
additional info. The sending of data could be the http request, or
updating your status/picture/whatever kopete may be doing. You could
try blocking it and see what breaks. :)



^ permalink raw reply	[flat|nested] 31+ messages in thread

* Re: [gentoo-user] Yahoo and strange traffic.
  2010-08-15 20:55 ` Paul Hartman
@ 2010-08-15 21:18   ` BRM
  2010-08-15 21:35     ` Dale
  2010-08-15 21:29   ` Alan McKinnon
  1 sibling, 1 reply; 31+ messages in thread
From: BRM @ 2010-08-15 21:18 UTC (permalink / raw
  To: gentoo-user

----- Original Message ----

> On Sun, Aug 15, 2010 at 3:34 PM, Dale <rdalek1967@gmail.com> wrote:
> > Hi folks,
> > I been noticing the past few weeks that something is communicating with
> > Yahoo at these addresses:
> >
> > cs210p2.msg.sp1.yahoo.com
> >
> > rdis.msg.vip.sp1.yahoo.com
> >
> > I thought it was Kopete getting some info, profile pics maybe, from the
> > server.  Thing is, it does this for a really long time.  It is also SENDING
> > data as well.  I have no idea why it is doing this or what it is sending.  I
> > closed the Kopete app but the data still carries on.   This "transfer" has
> I think it's normal.
>
> The first address is one of their pool of messaging servers and the
> second is a web server, probably like you said for retrieving
> additional info. The sending of data could be the http request, or
> updating your status/picture/whatever kopete may be doing. You could
> try blocking it and see what breaks. :)

Likely true as Yahoo!'s interfaces are highly AJAX driven - with their own PHP 
oriented widget kit as well.
So if you have a web page open to any Yahoo! site that is probably what is doing 
it.

Ben




^ permalink raw reply	[flat|nested] 31+ messages in thread

* Re: [gentoo-user] Yahoo and strange traffic.
  2010-08-15 20:55 ` Paul Hartman
  2010-08-15 21:18   ` BRM
@ 2010-08-15 21:29   ` Alan McKinnon
  2010-08-16 22:55     ` Dale
  1 sibling, 1 reply; 31+ messages in thread
From: Alan McKinnon @ 2010-08-15 21:29 UTC (permalink / raw
  To: gentoo-user

On Sunday 15 August 2010 22:55:23 Paul Hartman wrote:
> On Sun, Aug 15, 2010 at 3:34 PM, Dale <rdalek1967@gmail.com> wrote:
> > Hi folks,
> > 
> > I been noticing the past few weeks that something is communicating with
> > Yahoo at these addresses:
> > 
> > cs210p2.msg.sp1.yahoo.com
> > 
> > rdis.msg.vip.sp1.yahoo.com
> > 
> > I thought it was Kopete getting some info, profile pics maybe, from the
> > server.  Thing is, it does this for a really long time.  It is also
> > SENDING data as well.  I have no idea why it is doing this or what it is
> > sending.  I closed the Kopete app but the data still carries on.   This
> > "transfer" has been going for a while now and the only way I can stop it
> > is to stop the network, wait a minute or two for it to time out and then
> > restart the network.
> > 
> > Anybody have any idea what the heck this is?  Is Yahoo up to something?
> > 
> >  Some new security issue that I haven't heard of?
> 
> I think it's normal.
> 
> The first address is one of their pool of messaging servers and the
> second is a web server, probably like you said for retrieving
> additional info. The sending of data could be the http request, or
> updating your status/picture/whatever kopete may be doing. You could
> try blocking it and see what breaks. :)

Dale,

It could also be a weather map, or any number of widgets that get data from 
the intartubes.

netstat with -p can help track down the app that has the connection open




-- 
alan dot mckinnon at gmail dot com



^ permalink raw reply	[flat|nested] 31+ messages in thread

* Re: [gentoo-user] Yahoo and strange traffic.
  2010-08-15 20:34 [gentoo-user] Yahoo and strange traffic Dale
  2010-08-15 20:55 ` Paul Hartman
@ 2010-08-15 21:32 ` Mick
  1 sibling, 0 replies; 31+ messages in thread
From: Mick @ 2010-08-15 21:32 UTC (permalink / raw
  To: gentoo-user


On Sunday 15 August 2010 21:34:33 Dale wrote:
> Hi folks,
> 
> I been noticing the past few weeks that something is communicating with
> Yahoo at these addresses:
> 
> cs210p2.msg.sp1.yahoo.com
> 
> rdis.msg.vip.sp1.yahoo.com
> 
> I thought it was Kopete getting some info, profile pics maybe, from the
> server.  Thing is, it does this for a really long time.  It is also
> SENDING data as well.  I have no idea why it is doing this or what it is
> sending.  I closed the Kopete app but the data still carries on.   This
> "transfer" has been going for a while now and the only way I can stop it
> is to stop the network, wait a minute or two for it to time out and then
> restart the network.
> 
> Anybody have any idea what the heck this is?  Is Yahoo up to something?
> Some new security issue that I haven't heard of?

What does your netstat show with respect to ports being used and what does 
tcpdump/tcpflow show?  If it is Yahoo, you should see things that are relevant 
and hopefully make sense.
-- 
Regards,
Mick


^ permalink raw reply	[flat|nested] 31+ messages in thread

* Re: [gentoo-user] Yahoo and strange traffic.
  2010-08-15 21:18   ` BRM
@ 2010-08-15 21:35     ` Dale
  2010-08-15 22:25       ` Peter Humphrey
  0 siblings, 1 reply; 31+ messages in thread
From: Dale @ 2010-08-15 21:35 UTC (permalink / raw
  To: gentoo-user

BRM wrote:
> ----- Original Message ----
>
>> On Sun, Aug 15, 2010 at 3:34 PM, Dale <rdalek1967@gmail.com> wrote:
>>> Hi folks,
>>> I been noticing the past few weeks that something is communicating with
>>> Yahoo at these addresses:
>>>
>>> cs210p2.msg.sp1.yahoo.com
>>>
>>> rdis.msg.vip.sp1.yahoo.com
>>>
>>> I thought it was Kopete getting some info, profile pics maybe, from the
>>> server.  Thing is, it does this for a really long time.  It is also SENDING
>>> data as well.  I have no idea why it is doing this or what it is sending.  I
>>> closed the Kopete app but the data still carries on.   This "transfer" has
>> I think it's normal.
>>
>> The first address is one of their pool of messaging servers and the
>> second is a web server, probably like you said for retrieving
>> additional info. The sending of data could be the http request, or
>> updating your status/picture/whatever kopete may be doing. You could
>> try blocking it and see what breaks. :)
> Likely true as Yahoo!'s interfaces are highly AJAX driven - with their own PHP
> oriented widget kit as well.
> So if you have a web page open to any Yahoo! site that is probably what is doing
> it.
>
> Ben

Wouldn't it stop tho if I closed Kopete?  I'm not using Yahoo's 
messenger tho.  I don't think they have one now.

I did also try closing Seamonkey too but the traffic continues.  I 
very rarely go to yahoo.com.

Also, this can carry on for a really long time.   This can last over 30 
minutes.

Dale

:-)  :-)



^ permalink raw reply	[flat|nested] 31+ messages in thread

* Re: [gentoo-user] Yahoo and strange traffic.
  2010-08-15 21:35     ` Dale
@ 2010-08-15 22:25       ` Peter Humphrey
  2010-08-15 22:48         ` Dale
  0 siblings, 1 reply; 31+ messages in thread
From: Peter Humphrey @ 2010-08-15 22:25 UTC (permalink / raw
  To: gentoo-user

On Sunday 15 August 2010 22:35:01 Dale wrote:

> Also, this can carry on for a really long time.  This can last over
> 30 minutes.

I think I'd be getting tcpdump out about now...

-- 
Rgds
Peter.          Linux Counter 5290, 1994-04-23.



^ permalink raw reply	[flat|nested] 31+ messages in thread

* Re: [gentoo-user] Yahoo and strange traffic.
  2010-08-15 22:25       ` Peter Humphrey
@ 2010-08-15 22:48         ` Dale
  0 siblings, 0 replies; 31+ messages in thread
From: Dale @ 2010-08-15 22:48 UTC (permalink / raw
  To: gentoo-user

Peter Humphrey wrote:
> On Sunday 15 August 2010 22:35:01 Dale wrote:
>
>    
>> Also, this can carry on for a really long time.  This can last over
>> 30 minutes.
>>      
> I think I'd be getting tcpdump out about now...
>
>    

I'm going to try netstat next time.  Waiting on it to start again.

Dale

:-)  :-)



^ permalink raw reply	[flat|nested] 31+ messages in thread

* Re: [gentoo-user] Yahoo and strange traffic.
  2010-08-15 21:29   ` Alan McKinnon
@ 2010-08-16 22:55     ` Dale
  2010-08-16 23:39       ` Adam Carter
  0 siblings, 1 reply; 31+ messages in thread
From: Dale @ 2010-08-16 22:55 UTC (permalink / raw
  To: gentoo-user

Alan McKinnon wrote:
> On Sunday 15 August 2010 22:55:23 Paul Hartman wrote:
>    
>> On Sun, Aug 15, 2010 at 3:34 PM, Dale<rdalek1967@gmail.com>  wrote:
>>      
>>> Hi folks,
>>>
>>> I been noticing the past few weeks that something is communicating with
>>> Yahoo at these addresses:
>>>
>>> cs210p2.msg.sp1.yahoo.com
>>>
>>> rdis.msg.vip.sp1.yahoo.com
>>>
>>> I thought it was Kopete getting some info, profile pics maybe, from the
>>> server.  Thing is, it does this for a really long time.  It is also
>>> SENDING data as well.  I have no idea why it is doing this or what it is
>>> sending.  I closed the Kopete app but the data still carries on.   This
>>> "transfer" has been going for a while now and the only way I can stop it
>>> is to stop the network, wait a minute or two for it to time out and then
>>> restart the network.
>>>
>>> Anybody have any idea what the heck this is?  Is Yahoo up to something?
>>>
>>>   Some new security issue that I haven't heard of?
>>>        
>> I think it's normal.
>>
>> The first address is one of their pool of messaging servers and the
>> second is a web server, probably like you said for retrieving
>> additional info. The sending of data could be the http request, or
>> updating your status/picture/whatever kopete may be doing. You could
>> try blocking it and see what breaks. :)
>>      
> Dale,
>
> It could also be a weather map, or any number of widgets that get data from
> the intartubes.
>
> netstat with -p can help track down the app that has the connection open
>
>    

OK.  It finally started doing it again.  Here is the short version of 
netstat -p.  It looks like kopete but what in the heck is it sending and 
receiving?

root@smoker / # netstat -p
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.1.2:43577       rdis.msg.vip.sp1.y:http TIME_WAIT   -
tcp        0      0 192.168.1.2:43438       rdis.msg.vip.sp1.y:http TIME_WAIT   -
tcp        0      0 192.168.1.2:52423       cs204p1.msg.sp1.ya:5050 ESTABLISHED 9968/kopete
tcp        0      0 192.168.1.2:43490       rdis.msg.vip.sp1.y:http TIME_WAIT   -
tcp        0      1 192.168.1.2:43586       rdis.msg.vip.sp1.y:http SYN_SENT    18971/kopeteFc9968.
tcp        0      0 localhost:60971         localhost:nut           ESTABLISHED 9578/upsmon
tcp        1      1 192.168.1.2:43584       rdis.msg.vip.sp1.y:http CLOSING     -
tcp        0      0 192.168.1.2:43558       rdis.msg.vip.sp1.y:http TIME_WAIT   -
tcp        0      0 192.168.1.2:48301       cs201p1.msg.sp1.ya:5050 ESTABLISHED 9968/kopete
tcp        0      0 192.168.1.2:43523       rdis.msg.vip.sp1.y:http TIME_WAIT   -
tcp        0      0 localhost:nut           localhost:60971         ESTABLISHED 9640/upsd
tcp        0      0 192.168.1.2:42517       cs215p2.msg.ac4.ya:5050 ESTABLISHED 9968/kopete
tcp        0      0 192.168.1.2:43462       rdis.msg.vip.sp1.y:http TIME_WAIT   -
tcp        0      0 192.168.1.2:43516       rdis.msg.vip.sp1.y:http TIME_WAIT   -
tcp        0      0 192.168.1.2:43479       rdis.msg.vip.sp1.y:http TIME_WAIT   -
tcp        0      0 192.168.1.2:43405       rdis.msg.vip.sp1.y:http TIME_WAIT   -
tcp        0      0 192.168.1.2:43483       rdis.msg.vip.sp1.y:http TIME_WAIT   -
tcp        0      0 192.168.1.2:43563       rdis.msg.vip.sp1.y:http TIME_WAIT   -
tcp        0      0 192.168.1.2:43487       rdis.msg.vip.sp1.y:http TIME_WAIT   -
tcp        0      0 192.168.1.2:43483       rdis.msg.vip.sp1.y:http TIME_WAIT   -
tcp        0      0 192.168.1.2:43563       rdis.msg.vip.sp1.y:http TIME_WAIT   -
tcp        0      0 192.168.1.2:43487       rdis.msg.vip.sp1.y:http TIME_WAIT   -

One other question, if this is kopete, how does it keep 
sending/receiving after I have closed the kopete app?

This is weird.  Kopete and Yahoo have not done this before.

Dale

:-)  :-)



^ permalink raw reply	[flat|nested] 31+ messages in thread
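
Added example (not part of any message in this thread): a small POSIX shell/awk summary of `netstat -p` output like the listing above, counting sockets per owner, remote endpoint and state so that repeated short-lived connections, and the process still opening them, stand out. The function names and the embedded sample (a constructed subset modelled on the posted listing, one socket per line) are assumptions of this example.

```shell
#!/bin/sh
# Added example: summarise netstat -p style output (one socket per line).

# Constructed sample modelled on the listing posted in the thread.
sample_netstat() {
cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.1.2:43577       rdis.msg.vip.sp1.y:http TIME_WAIT   -
tcp        0      0 192.168.1.2:43438       rdis.msg.vip.sp1.y:http TIME_WAIT   -
tcp        0      0 192.168.1.2:52423       cs204p1.msg.sp1.ya:5050 ESTABLISHED 9968/kopete
tcp        0      0 192.168.1.2:43490       rdis.msg.vip.sp1.y:http TIME_WAIT   -
tcp        0      1 192.168.1.2:43586       rdis.msg.vip.sp1.y:http SYN_SENT    18971/kopeteFc9968.
tcp        0      0 localhost:60971         localhost:nut           ESTABLISHED 9578/upsmon
tcp        1      1 192.168.1.2:43584       rdis.msg.vip.sp1.y:http CLOSING     -
tcp        0      0 192.168.1.2:48301       cs201p1.msg.sp1.ya:5050 ESTABLISHED 9968/kopete
EOF
}

# Count sockets per (owner, remote endpoint, state), busiest group first.
# Owner "-" means netstat found no process for the socket: TIME_WAIT sockets
# are held by the kernel after the program has already closed them.
summarize_netstat() {
  awk '$1 ~ /^tcp/ && NF >= 7 { n[$7 " " $5 " " $6]++ }
       END { for (k in n) print n[k], k }' | LC_ALL=C sort -k1,1nr -k2
}

# Remote endpoints with at least $1 (default 3) sockets that are closed or
# closing. Many of these towards one endpoint means connections are being
# opened and torn down over and over rather than one long transfer.
churning_remotes() {
  awk -v min="${1:-3}" '
    $1 ~ /^tcp/ && $6 ~ /^(TIME_WAIT|CLOSING|LAST_ACK|FIN_WAIT1|FIN_WAIT2)$/ { c[$5]++ }
    END { for (r in c) if (c[r] >= min) print c[r], r }' | LC_ALL=C sort -k1,1nr -k2
}

# PID/program entries that still own a socket to remote endpoint $1.
# The PID is what to inspect further (ps -fp PID, ls -l /proc/PID/exe).
owners_of() {
  awk -v remote="$1" '$1 ~ /^tcp/ && $5 == remote && $7 != "-" { print $7 }' |
    LC_ALL=C sort -u
}

# Demo on the constructed sample; on a live system pipe in `netstat -tnp`
# run as root (remote endpoints then appear as numeric address:port).
echo "== sockets per owner / remote / state =="
sample_netstat | summarize_netstat
echo "== remotes with >= 3 closed or closing sockets =="
sample_netstat | churning_remotes 3
echo "== processes still holding a socket to rdis.msg.vip.sp1.y:http =="
sample_netstat | owners_of rdis.msg.vip.sp1.y:http
```

On the sample the only live owner of a socket to the web endpoint is PID 18971, not the main client at PID 9968, which is the PID to look at when traffic continues after the window is closed.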

* Re: [gentoo-user] Yahoo and strange traffic.
  2010-08-16 22:55     ` Dale
@ 2010-08-16 23:39       ` Adam Carter
  2010-08-17  1:20         ` Dale
  0 siblings, 1 reply; 31+ messages in thread
From: Adam Carter @ 2010-08-16 23:39 UTC (permalink / raw
  To: gentoo-user


> root@smoker / # netstat -p
> Active Internet connections (w/o servers)
> Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
> tcp        0      0 192.168.1.2:43577       rdis.msg.vip.sp1.y:http TIME_WAIT   -
> tcp        0      0 192.168.1.2:43438       rdis.msg.vip.sp1.y:http TIME_WAIT   -
> tcp        0      0 192.168.1.2:52423       cs204p1.msg.sp1.ya:5050 ESTABLISHED 9968/kopete
> tcp        0      0 192.168.1.2:43490       rdis.msg.vip.sp1.y:http TIME_WAIT   -
> tcp        0      1 192.168.1.2:43586       rdis.msg.vip.sp1.y:http SYN_SENT    18971/kopeteFc9968.
> tcp        0      0 localhost:60971         localhost:nut           ESTABLISHED 9578/upsmon
> tcp        1      1 192.168.1.2:43584       rdis.msg.vip.sp1.y:http CLOSING     -
> tcp        0      0 192.168.1.2:43558       rdis.msg.vip.sp1.y:http TIME_WAIT   -
> tcp        0      0 192.168.1.2:48301       cs201p1.msg.sp1.ya:5050 ESTABLISHED 9968/kopete
> tcp        0      0 192.168.1.2:43523       rdis.msg.vip.sp1.y:http TIME_WAIT   -
> tcp        0      0 localhost:nut           localhost:60971         ESTABLISHED 9640/upsd
> tcp        0      0 192.168.1.2:42517       cs215p2.msg.ac4.ya:5050 ESTABLISHED 9968/kopete
> tcp        0      0 192.168.1.2:43462       rdis.msg.vip.sp1.y:http TIME_WAIT   -
> tcp        0      0 192.168.1.2:43516       rdis.msg.vip.sp1.y:http TIME_WAIT   -
> tcp        0      0 192.168.1.2:43479       rdis.msg.vip.sp1.y:http TIME_WAIT   -
> tcp        0      0 192.168.1.2:43405       rdis.msg.vip.sp1.y:http TIME_WAIT   -
> tcp        0      0 192.168.1.2:43483       rdis.msg.vip.sp1.y:http TIME_WAIT   -
> tcp        0      0 192.168.1.2:43563       rdis.msg.vip.sp1.y:http TIME_WAIT   -
> tcp        0      0 192.168.1.2:43487       rdis.msg.vip.sp1.y:http TIME_WAIT   -
> tcp        0      0 192.168.1.2:43483       rdis.msg.vip.sp1.y:http TIME_WAIT   -
> tcp        0      0 192.168.1.2:43563       rdis.msg.vip.sp1.y:http TIME_WAIT   -
> tcp        0      0 192.168.1.2:43487       rdis.msg.vip.sp1.y:http TIME_WAIT   -
>
> One other question, if this is kopete, how does it keep sending/receiving
> after I have closed the kopete app?

Since you're closing Kopete gracefully it's probably decided to let those
threads complete what they're doing before shutting them down. If you kill
-9'd them instead (that is send them the KILL signal instead of the TERM
signal) they'd go away immediately.


^ permalink raw reply	[flat|nested] 31+ messages in thread

* Re: [gentoo-user] Yahoo and strange traffic.
  2010-08-16 23:39       ` Adam Carter
@ 2010-08-17  1:20         ` Dale
  2010-08-17  1:32           ` Adam Carter
  0 siblings, 1 reply; 31+ messages in thread
From: Dale @ 2010-08-17  1:20 UTC (permalink / raw
  To: gentoo-user

Adam Carter wrote:
>
>     root@smoker / # netstat -p
>     Active Internet connections (w/o servers)
>     Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
>     tcp        0      0 192.168.1.2:43577       rdis.msg.vip.sp1.y:http TIME_WAIT   -
>     tcp        0      0 192.168.1.2:43438       rdis.msg.vip.sp1.y:http TIME_WAIT   -
>     tcp        0      0 192.168.1.2:52423       cs204p1.msg.sp1.ya:5050 ESTABLISHED 9968/kopete
>     tcp        0      0 192.168.1.2:43490       rdis.msg.vip.sp1.y:http TIME_WAIT   -
>     tcp        0      1 192.168.1.2:43586       rdis.msg.vip.sp1.y:http SYN_SENT    18971/kopeteFc9968.
>     tcp        0      0 localhost:60971         localhost:nut           ESTABLISHED 9578/upsmon
>     tcp        1      1 192.168.1.2:43584       rdis.msg.vip.sp1.y:http CLOSING     -
>     tcp        0      0 192.168.1.2:43558       rdis.msg.vip.sp1.y:http TIME_WAIT   -
>     tcp        0      0 192.168.1.2:48301       cs201p1.msg.sp1.ya:5050 ESTABLISHED 9968/kopete
>     tcp        0      0 192.168.1.2:43523       rdis.msg.vip.sp1.y:http TIME_WAIT   -
>     tcp        0      0 localhost:nut           localhost:60971         ESTABLISHED 9640/upsd
>     tcp        0      0 192.168.1.2:42517       cs215p2.msg.ac4.ya:5050 ESTABLISHED 9968/kopete
>     tcp        0      0 192.168.1.2:43462       rdis.msg.vip.sp1.y:http TIME_WAIT   -
>     tcp        0      0 192.168.1.2:43516       rdis.msg.vip.sp1.y:http TIME_WAIT   -
>     tcp        0      0 192.168.1.2:43479       rdis.msg.vip.sp1.y:http TIME_WAIT   -
>     tcp        0      0 192.168.1.2:43405       rdis.msg.vip.sp1.y:http TIME_WAIT   -
>     tcp        0      0 192.168.1.2:43483       rdis.msg.vip.sp1.y:http TIME_WAIT   -
>     tcp        0      0 192.168.1.2:43563       rdis.msg.vip.sp1.y:http TIME_WAIT   -
>     tcp        0      0 192.168.1.2:43487       rdis.msg.vip.sp1.y:http TIME_WAIT   -
>     tcp        0      0 192.168.1.2:43483       rdis.msg.vip.sp1.y:http TIME_WAIT   -
>     tcp        0      0 192.168.1.2:43563       rdis.msg.vip.sp1.y:http TIME_WAIT   -
>     tcp        0      0 192.168.1.2:43487       rdis.msg.vip.sp1.y:http TIME_WAIT   -
>
>     One other question, if this is kopete, how does it keep
>     sending/receiving after I have closed the kopete app?
>
> Since you're closing Kopete gracefully it's probably decided to let
> those threads complete what they're doing before shutting them down.
> If you kill -9'd them instead (that is send them the KILL signal
> instead of the TERM signal) they'd go away immediately.

That may be true.  Thing is, it is still sending and receiving traffic 
even after all this time.  I'm wondering what it is or if it is a bug or 
something.

I just did a killall kopete and it did stop.  Is there a way to "see" 
what it is sending/receiving?  I'm talking like is it a jpeg, some other 
file or something else?

Dale

:-)  :-)



^ permalink raw reply	[flat|nested] 31+ messages in thread

* Re: [gentoo-user] Yahoo and strange traffic.
  2010-08-17  1:20         ` Dale
@ 2010-08-17  1:32           ` Adam Carter
  2010-08-17  5:46             ` Dale
  0 siblings, 1 reply; 31+ messages in thread
From: Adam Carter @ 2010-08-17  1:32 UTC (permalink / raw
  To: gentoo-user


>
> I just did a killall kopete and it did stop.  Is there a way to "see" what
> it is sending/receiving?  I'm talking like is it a jpeg, some other file or
> something else?
>
>
rix portage # nmap -p 5050 -sV cs210p2.msg.sp1.yahoo.com

Starting Nmap 5.21 ( http://nmap.org ) at 2010-08-17 11:27 EST
Nmap scan report for cs210p2.msg.sp1.yahoo.com (98.136.48.110)
Host is up (0.20s latency).
PORT     STATE SERVICE VERSION
5050/tcp open  mmcc?
1 service unrecognized despite returning data. If you know the
service/version, please submit the following fingerprint at
http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port5050-TCP:V=5.21%I=7%D=8/17%Time=4C69E58D%P=i686-pc-linux-gnu%r(GetR
SF:equest,195,"HTTP/1\.1\x20404\x20Not\x20Found\r\nContent-Type:\x20text/h
SF:tml\r\nCache-Control:\x20max-age=0,\x20must-revalidate\r\nExpires:\x20S
SF:un,\x2010\x20Jun\x202007\x2012:01:01\x20GMT\r\n\r\n<html><head>\r\n<met
SF:a\x20http-equiv=\"content-type\"\x20content=\"text/html;charset=utf-8\"
SF:>\r\n<title>404\x20Not\x20Found</title>\r\n</head>\r\n<body\x20text=#00
SF:0000\x20bgcolor=#ffffff>\r\n<hr><center>\r\n<H1>Not\x20Found</H1>\r\nTh
SF:e\x20requested\x20URL\x20was\x20not\x20found\x20on\x20this\x20server\.\
SF:r\n</center><p>\r\n</body></html>\r\n")%r(FourOhFourRequest,195,"HTTP/1
SF:\.1\x20404\x20Not\x20Found\r\nContent-Type:\x20text/html\r\nCache-Contr
SF:ol:\x20max-age=0,\x20must-revalidate\r\nExpires:\x20Sun,\x2010\x20Jun\x
SF:202007\x2012:01:01\x20GMT\r\n\r\n<html><head>\r\n<meta\x20http-equiv=\"
SF:content-type\"\x20content=\"text/html;charset=utf-8\">\r\n<title>404\x2
SF:0Not\x20Found</title>\r\n</head>\r\n<body\x20text=#000000\x20bgcolor=#f
SF:fffff>\r\n<hr><center>\r\n<H1>Not\x20Found</H1>\r\nThe\x20requested\x20
SF:URL\x20was\x20not\x20found\x20on\x20this\x20server\.\r\n</center><p>\r\
SF:n</body></html>\r\n");

Service detection performed. Please report any incorrect results at
http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 112.82 seconds
rix portage #


Well it's obviously HTTP, NFI why NMAP can't see that. So you could capture in
wireshark, then decode port 5050 as HTTP.


^ permalink raw reply	[flat|nested] 31+ messages in thread

* Re: [gentoo-user] Yahoo and strange traffic.
  2010-08-17  1:32           ` Adam Carter
@ 2010-08-17  5:46             ` Dale
  2010-08-17  6:09               ` Adam Carter
  0 siblings, 1 reply; 31+ messages in thread
From: Dale @ 2010-08-17  5:46 UTC (permalink / raw
  To: gentoo-user

Adam Carter wrote:
>
>
>     I just did a killall kopete and it did stop.  Is there a way to
>     "see" what it is sending/receiving?  I'm talking like is it a
>     jpeg, some other file or something else?
>
>
> rix portage # nmap -p 5050 -sV cs210p2.msg.sp1.yahoo.com 
> <http://cs210p2.msg.sp1.yahoo.com>
>
> << SNIP >>
>
> Well it's obviously HTTP, NFI why NMAP can't see that. So you could 
> capture in wireshark, then decode port 5050 as HTTP.

Is this easy to do?  I have no idea where to start except that wireshark 
is installed.

Dale

:-)  :-)



^ permalink raw reply	[flat|nested] 31+ messages in thread

* Re: [gentoo-user] Yahoo and strange traffic.
  2010-08-17  5:46             ` Dale
@ 2010-08-17  6:09               ` Adam Carter
  2010-08-17 10:23                 ` Dale
  0 siblings, 1 reply; 31+ messages in thread
From: Adam Carter @ 2010-08-17  6:09 UTC (permalink / raw
  To: gentoo-user


> Is this easy to do?  I have no idea where to start except that wireshark is
> installed.
>
>
Yep, start the capture with Capture -> Interfaces and click on the start
button next to the correct interface, then right click on one of the packets
that is to the yahoo box and choose Decode As set the port and protocol then
apply. You'll need to understand the semantics of HTTP for it to be of much
use tho.


^ permalink raw reply	[flat|nested] 31+ messages in thread

* Re: [gentoo-user] Yahoo and strange traffic.
  2010-08-17  6:09               ` Adam Carter
@ 2010-08-17 10:23                 ` Dale
  2010-08-17 11:15                   ` Jake Moe
  2010-08-17 14:29                   ` BRM
  0 siblings, 2 replies; 31+ messages in thread
From: Dale @ 2010-08-17 10:23 UTC (permalink / raw
  To: gentoo-user

Adam Carter wrote:
>
>     Is this easy to do?  I have no idea where to start except that
>     wireshark is installed.
>
>
> Yep, start the capture with Capture -> Interfaces and click on the 
> start button next to the correct interface, then right click on one of 
> the packets that is to the yahoo box and choose Decode As set the port 
> and protocol then apply. You'll need to understand the semantics of 
> HTTP for it to be of much use tho.

You had me until the last part.  No semantics here.  lol   May see if I 
can post a little and see if anyone can figure out what the heck it is 
doing.  I'm thinking some crazy bug or something.  Maybe checking for 
updates not realizing it's Kopete instead of a Yahoo program.

Thanks.  Post back what I find when it does it again.

Dale

:-)  :-)



^ permalink raw reply	[flat|nested] 31+ messages in thread

* Re: [gentoo-user] Yahoo and strange traffic.
  2010-08-17 10:23                 ` Dale
@ 2010-08-17 11:15                   ` Jake Moe
  2010-08-17 11:26                     ` Dale
  2010-08-17 14:29                   ` BRM
  1 sibling, 1 reply; 31+ messages in thread
From: Jake Moe @ 2010-08-17 11:15 UTC (permalink / raw
  To: gentoo-user

 On 08/17/10 20:23, Dale wrote:
> Adam Carter wrote:
>>
>>     Is this easy to do?  I have no idea where to start except that
>>     wireshark is installed.
>>
>>
>> Yep, start the capture with Capture -> Interfaces and click on the
>> start button next to the correct interface, then right click on one
>> of the packets that is to the yahoo box and choose Decode As set the
>> port and protocol then apply. You'll need to understand the semantics
>> of HTTP for it to be of much use tho.
>
> You had me until the last part.  No semantics here.  lol   May see if
> I can post a little and see if anyone can figure out what the heck it
> is doing.  I'm thinking some crazy bug or something.  Maybe checking
> for updates not realizing it's Kopete instead of a Yahoo program.
>
> Thanks.  Post back what I find when it does it again.
>
> Dale
>
> :-)  :-)
>
If you do try to send it back to us, you might want to limit what it's
capturing; Wireshark can get a *lot* of data quickly.

For instance, if you know it's only communicating with a few servers,
after you click on "Capture --> Interfaces", click on the "Options"
button, and in the Capture Filter, put "host 98.136.48.110 or host
98.136.42.25", which are the two servers you listed at the beginning of
this thread (cs210p2.msg.sp1.yahoo.com and rdis.msg.vip.sp1.yahoo.com). 
Or you could assume that Yahoo are using the 98.136.0.0 network only for
this sort of thing, and use a filter of "net 98.136.0.0/16", which would
grab all traffic to or from any host with an IP starting with 98.136.x.x.

Jake Moe



^ permalink raw reply	[flat|nested] 31+ messages in thread

* Re: [gentoo-user] Yahoo and strange traffic.
  2010-08-17 11:15                   ` Jake Moe
@ 2010-08-17 11:26                     ` Dale
  0 siblings, 0 replies; 31+ messages in thread
From: Dale @ 2010-08-17 11:26 UTC (permalink / raw
  To: gentoo-user

Jake Moe wrote:
>   On 08/17/10 20:23, Dale wrote:
>    
>> Adam Carter wrote:
>>      
>>>      Is this easy to do?  I have no idea where to start except that
>>>      wireshark is installed.
>>>
>>>
>>> Yep, start the capture with Capture ->  Interfaces and click on the
>>> start button next to the correct interface, then right click on one
>>> of the packets that is to the yahoo box and choose Decode As set the
>>> port and protocol then apply. You'll need to understand the semantics
>>> of HTTP for it to be of much use tho.
>>>        
>> You had me until the last part.  No semantics here.  lol   May see if
>> I can post a little and see if anyone can figure out what the heck it
>> is doing.  I'm thinking some crazy bug or something.  Maybe checking
>> for updates not realizing it's Kopete instead of a Yahoo program.
>>
>> Thanks.  Post back what I find when it does it again.
>>
>> Dale
>>
>> :-)  :-)
>>
>>      
> If you do try to send it back to us, you might want to limit what it's
> capturing; Wireshark can get a *lot* of data quickly.
>
> For instance, if you know it's only communicating with a few servers,
> after you click on "Capture -->  Interfaces", click on the "Options"
> button, and in the Capture Filter, put "host 98.136.48.110 or host
> 98.136.42.25", which are the two servers you listed at the beginning of
> this thread (cs210p2.msg.sp1.yahoo.com and rdis.msg.vip.sp1.yahoo.com).
> Or you could assume that Yahoo are using the 98.136.0.0 network only for
> this sort of thing, and use a filter of "net 98.136.0.0/16", which would
> grab all traffic to or from any host with an IP starting with 98.136.x.x.
>
> Jake Moe
>
>    

I'll keep that in mind.  I'm not sure when it will start this mess again 
tho.  Sometimes it starts after a day or so, sometimes it is a week or so.

Thanks.

Dale

:-)  :-)



^ permalink raw reply	[flat|nested] 31+ messages in thread

* Re: [gentoo-user] Yahoo and strange traffic.
  2010-08-17 10:23                 ` Dale
  2010-08-17 11:15                   ` Jake Moe
@ 2010-08-17 14:29                   ` BRM
  2010-08-17 16:10                     ` Mick
  2010-08-25  2:36                     ` Dale
  1 sibling, 2 replies; 31+ messages in thread
From: BRM @ 2010-08-17 14:29 UTC (permalink / raw
  To: gentoo-user

----- Original Message ----

> From: Dale <rdalek1967@gmail.com>
> Adam Carter wrote:
> >     Is this easy to do?  I have no idea where to start except that
> >     wireshark is installed.
> > Yep, start the capture with Capture ->  Interfaces and click on the start
> > button next to the correct interface, then right click on one of the packets
> > that is to the yahoo box and choose Decode As set the port and protocol then
> > apply. You'll need to understand the semantics of HTTP for it to be of much
> > use tho.
> You had me until the last part.  No semantics here.  lol  May see if I can
> post a little and see if anyone can figure out what the heck it is doing.  I'm
> thinking some crazy bug or something.  Maybe checking for updates not realizing
> it's Kopete instead of a Yahoo program.

Wireshark will show you the raw packet data, and decode only a little of it - 
enough to identify the general protocol, senders, etc.
So to understand the packet, you will need to understand the application layer 
protocol - in this case HTTP - yourself as Wireshark won't help you there.

But yet, Wireshark, nmap, and nessus security scanner are the tools, less so 
nessus as it really is more of a port scanner/security hole finder than a debug 
tool for applications (it's basically an interface for nmap for those purposes).

HTH,

Ben




^ permalink raw reply	[flat|nested] 31+ messages in thread

* Re: [gentoo-user] Yahoo and strange traffic.
  2010-08-17 14:29                   ` BRM
@ 2010-08-17 16:10                     ` Mick
  2010-08-17 20:15                       ` Dale
  2010-08-25  2:36                     ` Dale
  1 sibling, 1 reply; 31+ messages in thread
From: Mick @ 2010-08-17 16:10 UTC (permalink / raw
  To: gentoo-user

On 17 August 2010 15:29, BRM <bm_witness@yahoo.com> wrote:
> ----- Original Message ----
>
>> From: Dale <rdalek1967@gmail.com>
>> Adam Carter wrote:
>> >     Is this easy to do?  I  have no idea where to start except that
>> >     wireshark is  installed.
>> > Yep, start the capture with Capture ->  Interfaces and click on the start
>> > button next to the correct interface, then right click on one of the packets
>> > that is to the yahoo box and choose Decode As set the port and protocol then
>> > apply. You'll need to understand the semantics of HTTP for it to be of much
>> > use tho.
>> You had me until the last part.  No semantics here.  lol  May see if I can
>> post a little and see if anyone can figure out what the heck it is doing.  I'm
>> thinking some crazy bug or something.  Maybe checking for updates not realizing
>> it's Kopete instead of a Yahoo program.
>
> Wireshark will show you the raw packet data, and decode only a little of it -
> enough to identify the general protocol, senders, etc.
> So to understand the packet, you will need to understand the application layer
> protocol - in this case HTTP - yourself as Wireshark won't help you there.
>
> But yet, Wireshark, nmap, and nessus security scanner are the tools, less so
> nessus as it really is more of a port scanner/security hole finder than a debug
> tool for applications (it's basically an interface for nmap for those purposes).

I'm not at home to experiment and I don't use yahoo, but port 5050 is
typically used for mmcc = multi media conference control - does yahoo
offer such a service?  It could be a SIP server running there for VoIP
between Yahoo registered users or something similar.

The http connection could be offered as an alternative proxy
connection to the yahoo IM servers for users who are behind
restrictive firewalls.  Have you asked as much in the Yahoo user
groups?

The fact that the threads continue after kopete has shut down is not
necessarily of concern as was already explained, unless it carries on
and on for a long time and the flow of packets continues.  I don't
know how yahoo VoIP works.  Did you install some plugin specific for
yahoo services?  If it imitates the Skype architecture then it
essentially runs proxies on clients' machines and this could be an
explanation for the traffic.
-- 
Regards,
Mick



^ permalink raw reply	[flat|nested] 31+ messages in thread

* Re: [gentoo-user] Yahoo and strange traffic.
  2010-08-17 16:10                     ` Mick
@ 2010-08-17 20:15                       ` Dale
  2010-08-17 21:11                         ` Mick
  0 siblings, 1 reply; 31+ messages in thread
From: Dale @ 2010-08-17 20:15 UTC (permalink / raw
  To: gentoo-user

Mick wrote:
> On 17 August 2010 15:29, BRM<bm_witness@yahoo.com>  wrote:
>    
>> ----- Original Message ----
>>
>>      
>>> From: Dale<rdalek1967@gmail.com>
>>> Adam Carter wrote:
>>>        
>>>>      Is this easy to do?  I  have no idea where to start except that
>>>>      wireshark is  installed.
>>>> Yep, start the capture with Capture ->    Interfaces and click on the start
>>>>          
>>> button next to the correct interface, then  right click on one of the packets
>>> that is to the yahoo box and choose Decode As  set the port and protocol then
>>> apply. You'll
>>>
>>> need to understand the semantics of  HTTP for it to be of much use tho.
>>> You had me until the last part.   No semantics here.  lol   May see if I can
>>> post a little and see if  anyone can figure out what the heck it is doing.  I'm
>>> thinking some crazy  bug or something.  Maybe checking for updates not realizing
>>> it's
>>>
>>> Kopete  instead of a Yahoo program.
>>>        
>> Wireshark will show you the raw packet data, and decode only a little of it -
>> enough to identify the general protocol, senders, etc.
>> So to understand the packet, you will need to understand the application layer
>> protocol - in this case HTTP - yourself as Wireshark won't help you there.
>>
>> But yet, Wireshark, nmap, and nessus security scanner are the tools, less so
>> nessus as it really is more of a port scanner/security hole finder than a debug
>> tool for applications (it's basically an interface for nmap for those purposes).
>>      
> I'm not at home to experiment and I don't use yahoo, but port 5050 is
> typically used for mmcc = multi media conference control - does yahoo
> offer such a service?  It could be a SIP server running there for VoIP
> between Yahoo registered users or something similar.
>
> The http connection could be offered as an alternative proxy
> connection to the yahoo IM servers for users who are behind
> restrictive firewalls.  Have you asked as much in the Yahoo user
> groups?
>
> The fact that the threads continue after kopete has shut down is not
> necessarily of concern as was already explained, unless it carries on
> and on for a long time and the flow of packets continues.  I don't
> know how yahoo VoIP works.  Did you install some plugin specific for
> yahoo services?  If it imitates the Skype architecture then it
> essentially runs proxies on clients' machines and this could be an
> explanation for the traffic.
>    

I don't have VoIP, Skype or that sort of thing here.  Here is my Kopete 
info tho:

[ebuild   R   ] kde-base/kopete-4.4.5-r1  USE="addbookmarks autoreplace 
contactnotes groupwise handbook highlight history nowlistening pipes 
privacy ssl statistics texteffect translator urlpicpreview yahoo 
zeroconf (-aqua) -debug -gadu -jabber -jingle (-kdeenablefinal) 
(-kdeprefix) -latex -meanwhile -msn -oscar -otr -qq -skype -sms -testbed 
-v4l2 -webpresence -winpopup" 0 kB

Anything there that could cause a problem?

Dale

:-)  :-)



^ permalink raw reply	[flat|nested] 31+ messages in thread

* Re: [gentoo-user] Yahoo and strange traffic.
  2010-08-17 20:15                       ` Dale
@ 2010-08-17 21:11                         ` Mick
  2010-08-17 21:32                           ` Dale
  0 siblings, 1 reply; 31+ messages in thread
From: Mick @ 2010-08-17 21:11 UTC (permalink / raw
  To: gentoo-user

On Tuesday 17 August 2010 21:15:51 Dale wrote:
> Mick wrote:
> > On 17 August 2010 15:29, BRM<bm_witness@yahoo.com>  wrote:
> >> ----- Original Message ----
> >> 
> >>> From: Dale<rdalek1967@gmail.com>
> >>> 
> >>> Adam Carter wrote:
> >>>>      Is this easy to do?  I  have no idea where to start except that
> >>>>      wireshark is  installed.
> >>>> 
> >>>> Yep, start the capture with Capture ->    Interfaces and click on the
> >>>> start
> >>> 
> >>> button next to the correct interface, then  right click on one of the
> >>> packets that is to the yahoo box and choose Decode As  set the port
> >>> and protocol then apply. You'll
> >>> 
> >>> need to understand the semantics of  HTTP for it to be of much use tho.
> >>> You had me until the last part.   No semantics here.  lol   May see if
> >>> I can post a little and see if  anyone can figure out what the heck it
> >>> is doing.  I'm thinking some crazy  bug or something.  Maybe checking
> >>> for updates not realizing it's
> >>> 
> >>> Kopete  instead of a Yahoo program.
> >> 
> >> Wireshark will show you the raw packet data, and decode only a little of
> >> it - enough to identify the general protocol, senders, etc.
> >> So to understand the packet, you will need to understand the application
> >> layer protocol - in this case HTTP - yourself as Wireshark won't help
> >> you there.
> >> 
> >> But yet, Wireshark, nmap, and nessus security scanner are the tools,
> >> less so nessus as it really is more of a port scanner/security hole
> >> finder than a debug tool for applications (it's basically an interface
> >> for nmap for those purposes).
> > 
> > I'm not at home to experiment and I don't use yahoo, but port 5050 is
> > typically used for mmcc = multi media conference control - does yahoo
> > offer such a service?  It could be a SIP server running there for VoIP
> > between Yahoo registered users or something similar.
> > 
> > The http connection could be offered as an alternative proxy
> > connection to the yahoo IM servers for users who are behind
> > restrictive firewalls.  Have you asked as much in the Yahoo user
> > groups?
> > 
> > The fact that the threads continue after kopete has shut down is not
> > necessarily of concern as was already explained, unless it carries on
> > and on for a long time and the flow of packets continues.  I don't
> > know how yahoo VoIP works.  Did you install some plugin specific for
> > yahoo services?  If it imitates the Skype architecture then it
> > essentially runs proxies on clients' machines and this could be an
> > explanation for the traffic.
> 
> I don't have VoIP, Skype or that sort of thing here.  Here is my Kopete
> info tho:
> 
> [ebuild   R   ] kde-base/kopete-4.4.5-r1  USE="addbookmarks autoreplace
> contactnotes groupwise handbook highlight history nowlistening pipes
> privacy ssl statistics texteffect translator urlpicpreview yahoo
> zeroconf (-aqua) -debug -gadu -jabber -jingle (-kdeenablefinal)
> (-kdeprefix) -latex -meanwhile -msn -oscar -otr -qq -skype -sms -testbed
> -v4l2 -webpresence -winpopup" 0 kB
> 
> Anything there that could cause a problem?

No, I can't see anything suspicious, you don't even have skype or v4l2 
enabled, so it is unlikely that it is running some webcam stream (as part of 
VoIP).
-- 
Regards,
Mick


^ permalink raw reply	[flat|nested] 31+ messages in thread

* Re: [gentoo-user] Yahoo and strange traffic.
  2010-08-17 21:11                         ` Mick
@ 2010-08-17 21:32                           ` Dale
  2010-08-18  2:09                             ` BRM
  0 siblings, 1 reply; 31+ messages in thread
From: Dale @ 2010-08-17 21:32 UTC (permalink / raw
  To: gentoo-user

Mick wrote:
> On Tuesday 17 August 2010 21:15:51 Dale wrote:
>    
>> Mick wrote:
>>      
>>> On 17 August 2010 15:29, BRM<bm_witness@yahoo.com>   wrote:
>>>        
>>>> ----- Original Message ----
>>>>
>>>>          
>>>>> From: Dale<rdalek1967@gmail.com>
>>>>>
>>>>> Adam Carter wrote:
>>>>>            
>>>>>>       Is this easy to do?  I  have no idea where to start except that
>>>>>>       wireshark is  installed.
>>>>>>
>>>>>> Yep, start the capture with Capture ->     Interfaces and click on the
>>>>>> start
>>>>>>              
>>>>> button next to the correct interface, then  right click on one of the
>>>>> packets that is to the yahoo box and choose Decode As  set the port
>>>>> and protocol then apply. You'll
>>>>>
>>>>> need to understand the semantics of  HTTP for it to be of much use tho.
>>>>> You had me until the last part.   No semantics here.  lol   May see if
>>>>> I can post a little and see if  anyone can figure out what the heck it
>>>>> is doing.  I'm thinking some crazy  bug or something.  Maybe checking
>>>>> for updates not realizing it's
>>>>>
>>>>> Kopete  instead of a Yahoo program.
>>>>>            
>>>> Wireshark will show you the raw packet data, and decode only a little of
>>>> it - enough to identify the general protocol, senders, etc.
>>>> So to understand the packet, you will need to understand the application
>>>> layer protocol - in this case HTTP - yourself as Wireshark won't help
>>>> you there.
>>>>
>>>> But yet, Wireshark, nmap, and nessus security scanner are the tools,
>>>> less so nessus as it really is more of a port scanner/security hole
>>>> finder than a debug tool for applications (it's basically an interface
>>>> for nmap for those purposes).
>>>>          
>>> I'm not at home to experiment and I don't use yahoo, but port 5050 is
>>> typically used for mmcc = multi media conference control - does yahoo
>>> offer such a service?  It could be a SIP server running there for VoIP
>>> between Yahoo registered users or something similar.
>>>
>>> The http connection could be offered as an alternative proxy
>>> connection to the yahoo IM servers for users who are behind
>>> restrictive firewalls.  Have you asked as much in the Yahoo user
>>> groups?
>>>
>>> The fact that the threads continue after kopete has shut down is not
>>> necessarily of concern as was already explained, unless it carries on
>>> and on for a long time and the flow of packets continues.  I don't
>>> know how yahoo VoIP works.  Did you install some plugin specific for
>>> yahoo services?  If it imitates the Skype architecture then it
>>> essentially runs proxies on clients' machines and this could be an
>>> explanation for the traffic.
>>>        
>> I don't have VoIP, Skype or that sort of thing here.  Here is my Kopete
>> info tho:
>>
>> [ebuild   R   ] kde-base/kopete-4.4.5-r1  USE="addbookmarks autoreplace
>> contactnotes groupwise handbook highlight history nowlistening pipes
>> privacy ssl statistics texteffect translator urlpicpreview yahoo
>> zeroconf (-aqua) -debug -gadu -jabber -jingle (-kdeenablefinal)
>> (-kdeprefix) -latex -meanwhile -msn -oscar -otr -qq -skype -sms -testbed
>> -v4l2 -webpresence -winpopup" 0 kB
>>
>> Anything there that could cause a problem?
>>      
> No, I can't see anything suspicious, you don't even have skype or v4l2
> enabled, so it is unlikely that it is running some webcam stream (as part of
> VoIP).
>    


lol  I don't have a webcam even if it was turned on.  Sort of funny 
about having a camera in my bedroom.  o_O

I'm thinking it is Yahoo wanting to upgrade something but not realizing 
that I'm not using their client but using kopete.  Yahoo isn't the 
sharpest tool in the shed you know?

Dale

:-)  :-)



^ permalink raw reply	[flat|nested] 31+ messages in thread

* Re: [gentoo-user] Yahoo and strange traffic.
  2010-08-17 21:32                           ` Dale
@ 2010-08-18  2:09                             ` BRM
  2010-08-18  2:18                               ` Dale
  2010-08-18  2:18                               ` Dale
  0 siblings, 2 replies; 31+ messages in thread
From: BRM @ 2010-08-18  2:09 UTC (permalink / raw
  To: gentoo-user

----- Original Message ----

> From: Dale <rdalek1967@gmail.com>
> Mick wrote:
> > On Tuesday 17 August 2010 21:15:51 Dale wrote:
> >> Mick wrote:
> >>>  On 17 August 2010 15:29, BRM<bm_witness@yahoo.com>    wrote:
> >>>> -----  Original Message ----
> >>>>> From: Dale<rdalek1967@gmail.com>
> >>>>>  Adam Carter wrote:
> >>>>>>       Is this easy to  do?  I  have no idea where to start except  that
> >>>>>>       wireshark is   installed.
> >>>>>> Yep, start the capture with Capture ->  Interfaces and click on the
> >>>>>> start
> >>>>> button next to the  correct interface, then  right click on one of the
> >>>>>  packets that is to the yahoo box and choose Decode As  set the  port
> >>>>> and protocol then apply.  You'll
> >>>>> need to understand the  semantics of  HTTP for it to be of much use tho.
> >>>>>  You had me until the last part.   No semantics here.  lol   May  see if
> >>>>> I can post a little and see if  anyone can  figure out what the heck it
> >>>>> is doing.  I'm thinking  some crazy  bug or something.  Maybe checking
> >>>>>  for updates not realizing it's
> >>>>>  Kopete  instead of a Yahoo program.
> >>>> Wireshark will show you the raw  packet data, and decode only a little of
> >>>> it - enough to  identify the general protocol, senders, etc.
> >>>> So to understand the packet, you will need to understand the application
> >>>> layer protocol - in this case HTTP - yourself as  Wireshark won't help
> >>>> you  there.
> >>>> But yet, Wireshark, nmap, and  nessus security scanner are the tools,
> >>>> less so nessus as it  really is more of a port scanner/security hole
> >>>> finder than a  debug tool for applications (it's basically an interface
> >>>> for  nmap for those purposes).
> >>> I'm not at home to experiment and I don't use yahoo, but port  5050 is
> >>> typically used for mmcc = multi media conference control  - does yahoo
> >>> offer such a service?  It could be a SIP  server running there for VoIP
> >>> between Yahoo registered users or  something similar.
> >>> The http connection could be  offered as an alternative proxy
> >>> connection to the yahoo IM  servers for users who are behind
> >>> restrictive firewalls.   Have you asked as much in the Yahoo user
> >>>  groups?
> >>> The fact that the threads continue after  kopete has shut down is not
> >>> necessarily of concern as was  already explained, unless it carries on
> >>> and on for a long time  and the flow of packets continues.  I don't
> >>> know how yahoo  VoIP works.  Did you install some plugin specific for
> >>> yahoo  services?  If it imitates the Skype architecture then it
> >>>  essentially runs proxies on clients' machines and this could be  an
> >>> explanation for the traffic.
> >> I don't have VoIP, Skype or that sort of thing  here.  Here is my Kopete
> >> info tho:
> >>  [ebuild   R   ] kde-base/kopete-4.4.5-r1  USE="addbookmarks  autoreplace
> >> contactnotes groupwise handbook highlight history  nowlistening pipes
> >> privacy ssl statistics texteffect translator  urlpicpreview yahoo
> >> zeroconf (-aqua) -debug -gadu -jabber -jingle  (-kdeenablefinal)
> >> (-kdeprefix) -latex -meanwhile -msn -oscar -otr  -qq -skype -sms -testbed
> >> -v4l2 -webpresence -winpopup" 0  kB
> >> Anything there that could cause a problem?
> > No, I can't see anything  suspicious, you don't even have skype or v4l2
> > enabled, so it is unlikely that it is running some webcam stream (as part of
> > VoIP).
> I'm thinking it is Yahoo wanting to upgrade something but not  realizing 
> that I'm not using their client but using kopete.  Yahoo  isn't the 
> sharpest tool in the shed you know?

I doubt that's the case. I use Pidgin with Yahoo, and haven't had that kind of 
thing so far as I'm aware.

Ben




^ permalink raw reply	[flat|nested] 31+ messages in thread

* Re: [gentoo-user] Yahoo and strange traffic.
  2010-08-18  2:09                             ` BRM
@ 2010-08-18  2:18                               ` Dale
  2010-08-18  2:18                               ` Dale
  1 sibling, 0 replies; 31+ messages in thread
From: Dale @ 2010-08-18  2:18 UTC (permalink / raw
  To: gentoo-user

BRM wrote:
> ----- Original Message ----
>
>    
>> From: Dale<rdalek1967@gmail.com>
>>      
>> I'm thinking it is Yahoo wanting to upgrade something but not  realizing
>> that I'm not using their client but using kopete.  Yahoo  isn't the
>> sharpest tool in the shed you know?
>>      
> I doubt that's the case. I use Pidgin with Yahoo, and haven't had that kind of
> thing so far as I'm aware.
>
> Ben
>    

I did run into that once before.  Yahoo was determined to upgrade but I 
was using Kopete so things didn't go too well.   It was a pop up that I 
could disable but it would still start trying to download the new 
version.  Of course, when I told it to skip the upgrade it stopped the 
download.  I have not seen any sort of pop up yet with the current issue.

It is weird but it hasn't done it since my earlier post.  It will do it 
again eventually tho.   I'm just waiting so I can get wireshark a hold 
of it.

Dale

:-)  :-)



^ permalink raw reply	[flat|nested] 31+ messages in thread


* Re: [gentoo-user] Yahoo and strange traffic.
  2010-08-17 14:29                   ` BRM
  2010-08-17 16:10                     ` Mick
@ 2010-08-25  2:36                     ` Dale
  2010-08-25  8:08                       ` Joshua Murphy
  1 sibling, 1 reply; 31+ messages in thread
From: Dale @ 2010-08-25  2:36 UTC (permalink / raw
  To: gentoo-user

BRM wrote:
> Wireshark will show you the raw packet data, and decode only a little of it -
> enough to identify the general protocol, senders, etc.
> So to understand the packet, you will need to understand the application layer
> protocol - in this case HTTP - yourself as Wireshark won't help you there.
>
> But yet, Wireshark, nmap, and nessus security scanner are the tools, less so
> nessus as it really is more of a port scanner/security hole finder than a debug
> tool for applications (it's basically an interface for nmap for those purposes).
>
> HTH,
>
> Ben
>
>
>    

It finally did it again, and is doing it as I type.  I captured some of 
the traffic with Wireshark.  Can someone tell me what to do with it 
now?  This is one frame of it:

Frame 4 (881 bytes on wire, 881 bytes captured)
     Arrival Time: Aug 24, 2010 21:03:35.518314000
     [Time delta from previous captured frame: 0.000383000 seconds]
     [Time delta from previous displayed frame: 0.000383000 seconds]
     [Time since reference or first frame: 0.010995000 seconds]
     Frame Number: 4
     Frame Length: 881 bytes
     Capture Length: 881 bytes
     [Frame is marked: False]
     [Protocols in frame: eth:ip:tcp:http]
     [Coloring Rule Name: HTTP]
     [Coloring Rule String: http || tcp.port == 80]
Ethernet II, Src: ArchtekT_81:d5:d3 (00:01:53:81:d5:d3), Dst: 
Motorola_aa:96:e4 (00:1d:6b:aa:96:e4)
     Destination: Motorola_aa:96:e4 (00:1d:6b:aa:96:e4)
         Address: Motorola_aa:96:e4 (00:1d:6b:aa:96:e4)
         .... ...0 .... .... .... .... = IG bit: Individual address 
(unicast)
         .... ..0. .... .... .... .... = LG bit: Globally unique address 
(factory default)
     Source: ArchtekT_81:d5:d3 (00:01:53:81:d5:d3)
         Address: ArchtekT_81:d5:d3 (00:01:53:81:d5:d3)
         .... ...0 .... .... .... .... = IG bit: Individual address 
(unicast)
         .... ..0. .... .... .... .... = LG bit: Globally unique address 
(factory default)
     Type: IP (0x0800)
Internet Protocol, Src: 192.168.1.2 (192.168.1.2), Dst: 98.136.112.30 
(98.136.112.30)
     Version: 4
     Header length: 20 bytes
     Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
         0000 00.. = Differentiated Services Codepoint: Default (0x00)
         .... ..0. = ECN-Capable Transport (ECT): 0
         .... ...0 = ECN-CE: 0
     Total Length: 867
     Identification: 0xe5fb (58875)
     Flags: 0x02 (Don't Fragment)
         0.. = Reserved bit: Not Set
         .1. = Don't fragment: Set
         ..0 = More fragments: Not Set
     Fragment offset: 0
     Time to live: 64
     Protocol: TCP (0x06)
     Header checksum: 0xbd48 [correct]
         [Good: True]
         [Bad : False]
     Source: 192.168.1.2 (192.168.1.2)
     Destination: 98.136.112.30 (98.136.112.30)
Transmission Control Protocol, Src Port: 43281 (43281), Dst Port: http 
(80), Seq: 0, Ack: 1, Len: 815
     Source port: 43281 (43281)
     Destination port: http (80)
     [Stream index: 1]
     Sequence number: 0    (relative sequence number)
     [Next sequence number: 815    (relative sequence number)]
     Acknowledgement number: 1    (relative ack number)
     Header length: 32 bytes
     Flags: 0x18 (PSH, ACK)
         0... .... = Congestion Window Reduced (CWR): Not set
         .0.. .... = ECN-Echo: Not set
         ..0. .... = Urgent: Not set
         ...1 .... = Acknowledgement: Set
         .... 1... = Push: Set
         .... .0.. = Reset: Not set
         .... ..0. = Syn: Not set
         .... ...0 = Fin: Not set
     Window size: 92
     Checksum: 0x0d09 [validation disabled]
         [Good Checksum: False]
         [Bad Checksum: False]
     Options: (12 bytes)
         NOP
         NOP
         Timestamps: TSval 177975147, TSecr 3960038659
     [SEQ/ACK analysis]
         [Number of bytes in flight: 815]
Hypertext Transfer Protocol
     GET /v1/displayImage/custom/yahoo/<screen name was here>?redirect=0 
HTTP/1.1\r\n
         [Expert Info (Chat/Sequence): GET 
/v1/displayImage/custom/yahoo/<screen name was here>?redirect=0 
HTTP/1.1\r\n]
             [Message: GET /v1/displayImage/custom/yahoo/<screen name 
was here>?redirect=0 HTTP/1.1\r\n]
             [Severity level: Chat]
             [Group: Sequence]
         Request Method: GET
         Request URI: /v1/displayImage/custom/yahoo/<screen name was 
here>?redirect=0
         Request Version: HTTP/1.1
     Host: rest-img.msg.yahoo.com\r\n
     Connection: close\r\n
     User-Agent: Mozilla/5.0 (compatible; Konqueror/4.4; Linux 
2.6.30-gentoo-r8; X11; i686; en_US) KHTML/4.4.5 (like Gecko)\r\n
     Accept: text/html, image/jpeg;q=0.9, image/png;q=0.9, text/*;q=0.9, 
image/*;q=0.9, */*;q=0.8\r\n
     Accept-Encoding: x-gzip, x-deflate, gzip, deflate\r\n
     Accept-Charset: iso-8859-1, utf-8;q=0.5, *;q=0.5\r\n
     Accept-Language: en-US, en\r\n
     [truncated] Cookie: B=ailkv295qsqnr&b=3&s=dn; 
Y=v=1&n=bt77n8119ils3&l=30b4a_rzwx/o&p=m2316qt013000000&jb=16|47|&r=eg&lg=en-US&intl=us&np=1; 
T=z=b/fcMBbF1cMBqnoHCK8Lm6qNDAxBjU0NDE0MjVPMzI-&a=YAE&sk=DAAgQw54KM2VAc&ks=EAAQtPQ3LsapOyL9MIqyK3.8
     \r\n

No.     Time        Source                Destination           Protocol Info
      5 0.152339    98.136.112.30         192.168.1.2           HTTP     HTTP/1.1 401 Authorization Required  (text/html)


I changed the screen name to protect the innocent.  She is a red head 
with attitude.  Anyway, looking at more than one frame here, it looks 
like it is trying to get info, image perhaps, for that contact but it 
fails so it keeps trying.  Been going at it for half hour or more so 
far.  It looks to me like Yahoo would eventually say "bugger off"!!  LOL

I remember that Yahoo removed images and some kind of profile thingy a 
while back.  Could that be what it is trying to find but that no longer 
exists?

Thoughts?

Dale

:-)  :-)



^ permalink raw reply	[flat|nested] 31+ messages in thread
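The pattern Dale describes above (the same GET answered with 401, repeated for a long time) can be confirmed from Wireshark's packet summary lines rather than by reading frames one at a time. The following is an added example, not code from the thread: the sample lines, the screen name `example_user`, the 203.0.113.7 exchange, the timings and all function names are constructed, laid out like the summary line Dale posted.

```python
import re
from collections import defaultdict, deque

# Constructed sample in the layout of Wireshark's packet summary
# (No. / Time / Source / Destination / Protocol / Info).
SAMPLE = """\
      3 0.010612    192.168.1.2           98.136.112.30         TCP      43281 > http [ACK] Seq=0 Ack=1
      4 0.010995    192.168.1.2           98.136.112.30         HTTP     GET /v1/displayImage/custom/yahoo/example_user?redirect=0 HTTP/1.1
      5 0.152339    98.136.112.30         192.168.1.2           HTTP     HTTP/1.1 401 Authorization Required  (text/html)
      9 5.020110    192.168.1.2           98.136.112.30         HTTP     GET /v1/displayImage/custom/yahoo/example_user?redirect=0 HTTP/1.1
     10 5.160482    98.136.112.30         192.168.1.2           HTTP     HTTP/1.1 401 Authorization Required  (text/html)
     14 10.031207   192.168.1.2           98.136.112.30         HTTP     GET /v1/displayImage/custom/yahoo/example_user?redirect=0 HTTP/1.1
     15 10.170954   98.136.112.30         192.168.1.2           HTTP     HTTP/1.1 401 Authorization Required  (text/html)
     19 15.040388   192.168.1.2           98.136.112.30         HTTP     GET /v1/displayImage/custom/yahoo/example_user?redirect=0 HTTP/1.1
     20 15.181760   98.136.112.30         192.168.1.2           HTTP     HTTP/1.1 401 Authorization Required  (text/html)
     21 15.300000   192.168.1.2           203.0.113.7           HTTP     GET /index.html HTTP/1.1
     22 15.420000   203.0.113.7           192.168.1.2           HTTP     HTTP/1.1 200 OK  (text/html)
"""

LINE = re.compile(r"^\s*(\d+)\s+(\d+\.\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*\S)\s*$")
REQUEST = re.compile(r"^([A-Z]+) (\S+) HTTP/\d\.\d$")
RESPONSE = re.compile(r"^HTTP/\d\.\d (\d{3})\b")


def parse_summary(text):
    """Yield (frame_no, time, src, dst, info) for HTTP summary lines only."""
    for line in text.splitlines():
        m = LINE.match(line)
        if not m or m.group(5) != "HTTP":
            continue
        no, t, src, dst, _proto, info = m.groups()
        yield int(no), float(t), src, dst, info


def pair_exchanges(packets):
    """Pair each response with the oldest unanswered request between the same hosts.

    Summary lines carry no port numbers, so pairing is first-in first-out per
    (client, server); that is adequate for sequential 'Connection: close' traffic.
    """
    pending = defaultdict(deque)
    exchanges = []
    for _no, t, src, dst, info in packets:
        req = REQUEST.match(info)
        if req:
            pending[(src, dst)].append((t, req.group(1), req.group(2)))
            continue
        resp = RESPONSE.match(info)
        if resp and pending[(dst, src)]:
            sent, method, uri = pending[(dst, src)].popleft()
            exchanges.append({"time": sent, "server": src, "method": method,
                              "uri": uri, "status": int(resp.group(1))})
    return exchanges


def find_retry_loops(exchanges, min_repeats=3):
    """Flag identical requests that keep receiving the same 4xx status."""
    groups = defaultdict(list)
    for ex in exchanges:
        if 400 <= ex["status"] < 500:
            key = (ex["server"], ex["method"], ex["uri"], ex["status"])
            groups[key].append(ex["time"])
    loops = []
    for (server, method, uri, status), times in groups.items():
        if len(times) < min_repeats:
            continue
        span = times[-1] - times[0]
        mean = span / (len(times) - 1) if len(times) > 1 else 0.0
        loops.append({"server": server, "method": method, "uri": uri,
                      "status": status, "count": len(times),
                      "span_seconds": span, "mean_interval": mean})
    return loops


if __name__ == "__main__":
    for loop in find_retry_loops(pair_exchanges(parse_summary(SAMPLE))):
        print(f"{loop['count']}x {loop['method']} {loop['uri']} -> {loop['status']} "
              f"from {loop['server']}, about every {loop['mean_interval']:.1f}s")
```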

* Re: [gentoo-user] Yahoo and strange traffic.
  2010-08-25  2:36                     ` Dale
@ 2010-08-25  8:08                       ` Joshua Murphy
  2010-08-25  9:58                         ` Dale
  0 siblings, 1 reply; 31+ messages in thread
From: Joshua Murphy @ 2010-08-25  8:08 UTC (permalink / raw
  To: gentoo-user

On Tue, Aug 24, 2010 at 10:36 PM, Dale <rdalek1967@gmail.com> wrote:
> BRM wrote:
>>
>> Wireshark will show you the raw packet data, and decode only a little of
>> it -
>> enough to identify the general protocol, senders, etc.
>> So to understand the packet, you will need to understand the application
>> layer
>> protocol - in this case HTTP - yourself as Wireshark won't help you there.
>>
>> But yet, Wireshark, nmap, and nessus security scanner are the tools, less
>> so
>> nessus as it really is more of a port scanner/security hole finder than a
>> debug
>> tool for applications (it's basically an interface for nmap for those
>> purposes).
>>
>> HTH,
>>
>> Ben
>>
>>
>>
>
> It finally did it again, and is doing it as I type.  I captured some of the
> traffic with Wireshark.  Can someone tell me what to do with it now?  This
> is one frame of it:
>
> Frame 4 (881 bytes on wire, 881 bytes captured)
>    Arrival Time: Aug 24, 2010 21:03:35.518314000
>    [Time delta from previous captured frame: 0.000383000 seconds]
>    [Time delta from previous displayed frame: 0.000383000 seconds]
>    [Time since reference or first frame: 0.010995000 seconds]
>    Frame Number: 4
>    Frame Length: 881 bytes
>    Capture Length: 881 bytes
>    [Frame is marked: False]
>    [Protocols in frame: eth:ip:tcp:http]
>    [Coloring Rule Name: HTTP]
>    [Coloring Rule String: http || tcp.port == 80]
> Ethernet II, Src: ArchtekT_81:d5:d3 (00:01:53:81:d5:d3), Dst:
> Motorola_aa:96:e4 (00:1d:6b:aa:96:e4)
>    Destination: Motorola_aa:96:e4 (00:1d:6b:aa:96:e4)
>        Address: Motorola_aa:96:e4 (00:1d:6b:aa:96:e4)
>        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
>        .... ..0. .... .... .... .... = LG bit: Globally unique address
> (factory default)
>    Source: ArchtekT_81:d5:d3 (00:01:53:81:d5:d3)
>        Address: ArchtekT_81:d5:d3 (00:01:53:81:d5:d3)
>        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
>        .... ..0. .... .... .... .... = LG bit: Globally unique address
> (factory default)
>    Type: IP (0x0800)
> Internet Protocol, Src: 192.168.1.2 (192.168.1.2), Dst: 98.136.112.30
> (98.136.112.30)
>    Version: 4
>    Header length: 20 bytes
>    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
>        0000 00.. = Differentiated Services Codepoint: Default (0x00)
>        .... ..0. = ECN-Capable Transport (ECT): 0
>        .... ...0 = ECN-CE: 0
>    Total Length: 867
>    Identification: 0xe5fb (58875)
>    Flags: 0x02 (Don't Fragment)
>        0.. = Reserved bit: Not Set
>        .1. = Don't fragment: Set
>        ..0 = More fragments: Not Set
>    Fragment offset: 0
>    Time to live: 64
>    Protocol: TCP (0x06)
>    Header checksum: 0xbd48 [correct]
>        [Good: True]
>        [Bad : False]
>    Source: 192.168.1.2 (192.168.1.2)
>    Destination: 98.136.112.30 (98.136.112.30)
> Transmission Control Protocol, Src Port: 43281 (43281), Dst Port: http (80),
> Seq: 0, Ack: 1, Len: 815
>    Source port: 43281 (43281)
>    Destination port: http (80)
>    [Stream index: 1]
>    Sequence number: 0    (relative sequence number)
>    [Next sequence number: 815    (relative sequence number)]
>    Acknowledgement number: 1    (relative ack number)
>    Header length: 32 bytes
>    Flags: 0x18 (PSH, ACK)
>        0... .... = Congestion Window Reduced (CWR): Not set
>        .0.. .... = ECN-Echo: Not set
>        ..0. .... = Urgent: Not set
>        ...1 .... = Acknowledgement: Set
>        .... 1... = Push: Set
>        .... .0.. = Reset: Not set
>        .... ..0. = Syn: Not set
>        .... ...0 = Fin: Not set
>    Window size: 92
>    Checksum: 0x0d09 [validation disabled]
>        [Good Checksum: False]
>        [Bad Checksum: False]
>    Options: (12 bytes)
>        NOP
>        NOP
>        Timestamps: TSval 177975147, TSecr 3960038659
>    [SEQ/ACK analysis]
>        [Number of bytes in flight: 815]
> Hypertext Transfer Protocol
>    GET /v1/displayImage/custom/yahoo/<screen name was here>?redirect=0
> HTTP/1.1\r\n
>        [Expert Info (Chat/Sequence): GET
> /v1/displayImage/custom/yahoo/<screen name was here>?redirect=0
> HTTP/1.1\r\n]
>            [Message: GET /v1/displayImage/custom/yahoo/<screen name was
> here>?redirect=0 HTTP/1.1\r\n]
>            [Severity level: Chat]
>            [Group: Sequence]
>        Request Method: GET
>        Request URI: /v1/displayImage/custom/yahoo/<screen name was
> here>?redirect=0
>        Request Version: HTTP/1.1
>    Host: rest-img.msg.yahoo.com\r\n
>    Connection: close\r\n
>    User-Agent: Mozilla/5.0 (compatible; Konqueror/4.4; Linux
> 2.6.30-gentoo-r8; X11; i686; en_US) KHTML/4.4.5 (like Gecko)\r\n
>    Accept: text/html, image/jpeg;q=0.9, image/png;q=0.9, text/*;q=0.9,
> image/*;q=0.9, */*;q=0.8\r\n
>    Accept-Encoding: x-gzip, x-deflate, gzip, deflate\r\n
>    Accept-Charset: iso-8859-1, utf-8;q=0.5, *;q=0.5\r\n
>    Accept-Language: en-US, en\r\n
>    [truncated] Cookie: B=ailkv295qsqnr&b=3&s=dn;
> Y=v=1&n=bt77n8119ils3&l=30b4a_rzwx/o&p=m2316qt013000000&jb=16|47|&r=eg&lg=en-US&intl=us&np=1;
> T=z=b/fcMBbF1cMBqnoHCK8Lm6qNDAxBjU0NDE0MjVPMzI-&a=YAE&sk=DAAgQw54KM2VAc&ks=EAAQtPQ3LsapOyL9MIqyK3.8
>    \r\n
>
> No.     Time        Source                Destination           Protocol
> Info
>      5 0.152339    98.136.112.30         192.168.1.2           HTTP
> HTTP/1.1 401 Authorization Required  (text/html)
>
>
> I changed the screen name to protect the innocent.  She is a red head with
> attitude.  Anyway, looking at more than one frame here, it looks like it is
> trying to get info, image perhaps, for that contact but it fails so it keeps
> trying.  Been going at it for half hour or more so far.  It looks to me like
> Yahoo would eventually say "bugger off"!!  LOL
>
> I remember that Yahoo removed images and some kind of profile thingy a while
> back.  Could that be what it is trying to find but that no longer exists?
>
> Thoughts?
>
> Dale
>
> :-)  :-)

Well, glancing at the GET request it's making there, as well as the
API google points me to when I look it up...

http://developer.yahoo.com/messenger/guide/ch03s02.html#d4e4628

You're right that it's after an image from their profile, but the
cause of the failure appears to be related to some sort of credentials
Yahoo wants the messenger to provide. You might poke Kopete's
bugtracker to see if they've a related bug on file already, and if
they don't, throw one their way.

The API Yahoo appears to be using there (based on a response I got
back in poking lightly) is, or is based on, OAuth, which according to
this:

http://oauth.net/core/1.0/#http_codes

specifies that a request should give a 401 response (Authorization
Required vs Unauthorized is purely the choice of phrase used in the
program decoding the numerical code, i.e. wireshark in your example of
it there) in the following cases:

HTTP 401 Unauthorized
  * Invalid Consumer Key
  * Invalid / expired Token
  * Invalid signature
  * Invalid / used nonce

Yahoo, essentially, *does* give a "bugger off"!! with that response,
but Kopete simply takes it, considers it a brief instant, then decides
"Maybe the answer will change if I try again *now*!"... at which point
it proceeds to introduce its proverbial cranium to the proverbial
brick and mortar vertical surface one might term "the wall."
Repeatedly.

-- 
Poison [BLX]
Joshua M. Murphy
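
The loop described in the message above (the same GET answered with 401 again and again) can be confirmed from the capture's summary lines. The following is an added example, not part of the original post: it pairs each HTTP request with the server's reply and reports URIs whose most recent replies are an unbroken run of 401s. The sample capture, the addresses, the screen name and the function name are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed capture in Wireshark's one-line summary layout
# (No. Time Source Destination Protocol Info). The addresses and the
# screen name "contact1" are placeholders, not values from the thread.
SAMPLE = """\
3 0.010612 192.0.2.10 198.51.100.30 TCP 43281 > http [ACK] Seq=0 Ack=1
4 0.010995 192.0.2.10 198.51.100.30 HTTP GET /v1/displayImage/custom/yahoo/contact1?redirect=0 HTTP/1.1
5 0.150000 198.51.100.30 192.0.2.10 HTTP HTTP/1.1 401 Authorization Required  (text/html)
8 1.200000 192.0.2.10 198.51.100.30 HTTP GET /v1/displayImage/custom/yahoo/contact1?redirect=0 HTTP/1.1
9 1.350000 198.51.100.30 192.0.2.10 HTTP HTTP/1.1 401 Authorization Required  (text/html)
12 2.400000 192.0.2.10 198.51.100.30 HTTP GET /v1/displayImage/custom/yahoo/contact1?redirect=0 HTTP/1.1
13 2.550000 198.51.100.30 192.0.2.10 HTTP HTTP/1.1 401 Authorization Required  (text/html)
16 3.600000 192.0.2.10 198.51.100.30 HTTP GET /v1/displayImage/custom/yahoo/contact1?redirect=0 HTTP/1.1
17 3.750000 198.51.100.30 192.0.2.10 HTTP HTTP/1.1 401 Authorization Required  (text/html)
"""

LINE = re.compile(r"^\s*\d+\s+([\d.]+)\s+(\S+)\s+(\S+)\s+HTTP\s+(.*)$")
REQ = re.compile(r"^(?:GET|POST|HEAD|PUT|DELETE)\s+(\S+)\s+HTTP/\d\.\d")
RESP = re.compile(r"^HTTP/\d\.\d\s+(\d{3})\b")

def find_retry_loops(text, min_failures=3):
    """Return URIs whose latest replies are >= min_failures consecutive 401s."""
    # Summary lines carry no ports, so requests and replies are paired per
    # address pair; this assumes one outstanding request at a time.
    pending = {}               # (client, server) -> URI awaiting a reply
    runs = defaultdict(list)   # (client, server, uri) -> times of 401 replies
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue           # non-HTTP frame or unparseable line
        t, src, dst, info = float(m.group(1)), m.group(2), m.group(3), m.group(4)
        req = REQ.match(info)
        if req:
            pending[(src, dst)] = req.group(1)
            continue
        resp = RESP.match(info)
        uri = pending.pop((dst, src), None) if resp else None
        if uri is None:
            continue           # reply with no matching request in the capture
        key = (dst, src, uri)
        if resp.group(1) == "401":
            runs[key].append(t)
        else:
            runs.pop(key, None)   # any other status ends the run
    return [{"client": c, "server": s, "uri": u, "failures": len(ts),
             "span_seconds": round(ts[-1] - ts[0], 3)}
            for (c, s, u), ts in runs.items() if len(ts) >= min_failures]

if __name__ == "__main__":
    for finding in find_retry_loops(SAMPLE):
        print(finding)
```
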




* Re: [gentoo-user] Yahoo and strange traffic.
  2010-08-25  8:08                       ` Joshua Murphy
@ 2010-08-25  9:58                         ` Dale
  2010-08-25 13:21                           ` BRM
  0 siblings, 1 reply; 31+ messages in thread
From: Dale @ 2010-08-25  9:58 UTC
  To: gentoo-user

Joshua Murphy wrote:
> Well, glancing at the GET request it's making there, as well as the
> API google points me to when I look it up...
>
> http://developer.yahoo.com/messenger/guide/ch03s02.html#d4e4628
>
> You're right that it's after an image from their profile, but the
> cause of the failure appears to be related to some sort of credentials
> Yahoo wants the messenger to provide. You might poke Kopete's
> bugtracker to see if they've a related bug on file already, and if
> they don't, throw one their way.
>
> The API Yahoo appears to be using there (based on a response I got
> back in poking lightly) is, or is based on, OAuth, which according to
> this:
>
> http://oauth.net/core/1.0/#http_codes
>
> specifies that a request should give a 401 response (Authorization
> Required vs Unauthorized is purely the choice of phrase used in the
> program decoding the numerical code, i.e. wireshark in your example of
> it there) in the following cases:
>
> HTTP 401 Unauthorized
>    * Invalid Consumer Key
>    * Invalid / expired Token
>    * Invalid signature
>    * Invalid / used nonce
>
> Yahoo, essentially, *does* give a "bugger off"!! with that response,
> but Kopete simply takes it, considers it a brief instant, then decides
> "Maybe the answer will change if I try again *now*!"... at which point
> it proceeds to introduce its proverbial cranium to the proverbial
> brick and mortar vertical surface one might term "the wall."
> Repeatedly.
>
>    

I was sort of figuring that it was trying to get something and Yahoo 
wasn't liking it.  At least now we know for sure.

I went to bug.kde and searched but I didn't see anything.  Of course, 
I'm not really sure what the heck to look for since I don't know what is 
failing, other than Kopete.

Thanks.

Dale

:-)  :-)




* Re: [gentoo-user] Yahoo and strange traffic.
  2010-08-25  9:58                         ` Dale
@ 2010-08-25 13:21                           ` BRM
  2010-08-25 13:57                             ` Joshua Murphy
  0 siblings, 1 reply; 31+ messages in thread
From: BRM @ 2010-08-25 13:21 UTC
  To: gentoo-user

----- Original Message ----

> Joshua Murphy wrote:
> > Well, glancing at the GET request it's making  there, as well as the
> > API google points me to when I look it  up...
> >
> >  http://developer.yahoo.com/messenger/guide/ch03s02.html#d4e4628
> >
> >  You're right that it's after an image from their profile, but the
> > cause  of the failure appears to be related to some sort of credentials
> > Yahoo  wants the messenger to provide. You might poke Kopete's
> > bugtracker to  see if they've a related bug on file already, and if
> > they don't, throw  one their way.
> >
> > The API Yahoo appears to be using there (based on  a response I got
> > back in poking lightly) is, or is based on, OAuth,  which according to
> > this:
> >
> >  http://oauth.net/core/1.0/#http_codes
> >
> > specifies that a request  should give a 401 response (Authorization
> > Required vs Unauthorized is  purely the choice of phrase used in the
> > program decoding the numerical  code, i.e. wireshark in your example of
> > it there) in the following  cases:
> >
> > HTTP 401 Unauthorized
> >    * Invalid  Consumer Key
> >    * Invalid / expired Token
> >     * Invalid signature
> >    * Invalid / used nonce
> >
> >  Yahoo, essentially, *does* give a "bugger off"!! with that response,
> > but  Kopete simply takes it, considers it a brief instant, then decides
> >  "Maybe the answer will change if I try again *now*!"... at which point
> >  it proceeds to introduce its proverbial cranium to the proverbial
> > brick  and mortar vertical surface one might term "the wall."
> >  Repeatedly.
> >
> >    
> 
> I was sort of figuring that it  was trying to get something and Yahoo 
> wasn't liking it.  At least now  we know for sure.
> 
> I went to bug.kde and searched but I didn't see  anything.  Of course, 
> I'm not really sure what the heck to look for  since I don't know what is 
> failing, other than  Kopete.

Best bet would probably be to check with the Kopete devs on IRC or mailing list 
(kopete-devel).

Ben





* Re: [gentoo-user] Yahoo and strange traffic.
  2010-08-25 13:21                           ` BRM
@ 2010-08-25 13:57                             ` Joshua Murphy
  2010-08-25 22:34                               ` Dale
  0 siblings, 1 reply; 31+ messages in thread
From: Joshua Murphy @ 2010-08-25 13:57 UTC
  To: gentoo-user

On Wed, Aug 25, 2010 at 9:21 AM, BRM <bm_witness@yahoo.com> wrote:
> ----- Original Message ----
>
>> Joshua Murphy wrote:
>> > Well, glancing at the GET request it's making  there, as well as the
>> > API google points me to when I look it  up...
>> >
>> >  http://developer.yahoo.com/messenger/guide/ch03s02.html#d4e4628
>> >
>> >  You're right that it's after an image from their profile, but the
>> > cause  of the failure appears to be related to some sort of credentials
>> > Yahoo  wants the messenger to provide. You might poke Kopete's
>> > bugtracker to  see if they've a related bug on file already, and if
>> > they don't, throw  one their way.
>> >
>> > The API Yahoo appears to be using there (based on  a response I got
>> > back in poking lightly) is, or is based on, OAuth,  which according to
>> > this:
>> >
>> >  http://oauth.net/core/1.0/#http_codes
>> >
>> > specifies that a request  should give a 401 response (Authorization
>> > Required vs Unauthorized is  purely the choice of phrase used in the
>> > program decoding the numerical  code, i.e. wireshark in your example of
>> > it there) in the following  cases:
>> >
>> > HTTP 401 Unauthorized
>> >    * Invalid  Consumer Key
>> >    * Invalid / expired Token
>> >     * Invalid signature
>> >    * Invalid / used nonce
>> >
>> >  Yahoo, essentially, *does* give a "bugger off"!! with that response,
>> > but  Kopete simply takes it, considers it a brief instant, then decides
>> >  "Maybe the answer will change if I try again *now*!"... at which point
>> >  it proceeds to introduce its proverbial cranium to the proverbial
>> > brick  and mortar vertical surface one might term "the wall."
>> >  Repeatedly.
>> >
>> >
>>
>> I was sort of figuring that it  was trying to get something and Yahoo
>> wasn't liking it.  At least now  we know for sure.
>>
>> I went to bug.kde and searched but I didn't see  anything.  Of course,
>> I'm not really sure what the heck to look for  since I don't know what is
>> failing, other than  Kopete.
>
> Best bet would probably be to check with the Kopete devs on IRC or mailing list
> (kopete-devel).
>
> Ben

Yep, but... just from a glance at their bug tracker and their commits
list... they made quite a few changes to the Yahoo plugin's handling
of avatars and such in January that're in 4.4... so their go-to answer
on Yahoo avatar related issues seems to be "Try it on 4.4, then come
back if it's still broken."

So... to save a little time and effort when that answer's thrown
around... might be best to test with that. I don't have QT or anything
that depends on it on any of my boxes (the only box I actually have X
on right now's my netbook, so adding's not even a feasible option) and
my yahoo account went dead a few years ago, so I'm not much use for
testing.

-- 
Poison [BLX]
Joshua M. Murphy




* Re: [gentoo-user] Yahoo and strange traffic.
  2010-08-25 13:57                             ` Joshua Murphy
@ 2010-08-25 22:34                               ` Dale
  0 siblings, 0 replies; 31+ messages in thread
From: Dale @ 2010-08-25 22:34 UTC
  To: gentoo-user

Joshua Murphy wrote:
> Yep, but... just from a glance at their bug tracker and their commits
> list... they made quite a few changes to the Yahoo plugin's handling
> of avatars and such in January that're in 4.4... so their go-to answer
> on Yahoo avatar related issues seems to be "Try it on 4.4, then come
> back if it's still broken."
>
> So... to save a little time and effort when that answer's thrown
> around... might be best to test with that. I don't have QT or anything
> that depends on it on any of my boxes (the only box I actually have X
> on right now's my netbook, so adding's not even a feasible option) and
> my yahoo account went dead a few years ago, so I'm not much use for
> testing.
>
>    

Then I guess they would have to look at the bug report then.

[ebuild   R   ] kde-base/kopete-4.4.5-r1  USE="addbookmarks autoreplace 
contactnotes groupwise handbook highlight history nowlistening pipes 
privacy ssl statistics texteffect translator urlpicpreview yahoo 
zeroconf (-aqua) -debug -gadu -jabber -jingle (-kdeenablefinal) 
(-kdeprefix) -latex -meanwhile -msn -oscar -otr -qq -skype -sms -testbed 
-v4l2 -webpresence -winpopup"

Since I am on 4.4.5 already, I am using their preferred version.  My 
current fix, just close Kopete.  I'll see if that keeps it from doing 
this.  lol   I bet that works too.

Maybe 4.5.* will be better.

Dale

:-)  :-)



