Message-ID: <4C6A71CE.7080609@gmail.com>
Date: Tue, 17 Aug 2010 06:26:06 -0500
From: Dale
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.11)
Gecko/20100801 Gentoo/2.0.6 SeaMonkey/2.0.6
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-user@lists.gentoo.org
Reply-to: gentoo-user@lists.gentoo.org
MIME-Version: 1.0
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Yahoo and strange traffic.
References: <4C684F59.3040903@gmail.com> <201008152329.44195.alan.mckinnon@gmail.com> <4C69C1E4.9090309@gmail.com> <4C69E3CD.5070108@gmail.com> <4C6A224C.2030100@gmail.com> <4C6A633F.5070409@gmail.com> <4C6A6F4D.6080900@gmail.com>
In-Reply-To: <4C6A6F4D.6080900@gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Archives-Salt: bcf2df59-4827-4481-868a-32fa203f620c
X-Archives-Hash: e72a8170bc827c6dae6f037fd474ca40

Jake Moe wrote:
> On 08/17/10 20:23, Dale wrote:
>
>> Adam Carter wrote:
>>
>>> Is this easy to do? I have no idea where to start except that
>>> wireshark is installed.
>>>
>>>
>>> Yep, start the capture with Capture -> Interfaces and click on the
>>> start button next to the correct interface, then right click on one
>>> of the packets that is to the yahoo box and choose Decode As set the
>>> port and protocol then apply. You'll need to understand the semantics
>>> of HTTP for it to be of much use tho.
>>>
>> You had me until the last part. No semantics here. lol May see if
>> I can post a little and see if anyone can figure out what the heck it
>> is doing. I'm thinking some crazy bug or something. Maybe checking
>> for updates not realizing it's Kopete instead of a Yahoo program.
>>
>> Thanks. Post back what I find when it does it again.
>>
>> Dale
>>
>> :-) :-)
>>
>>
> If you do try to send it back to us, you might want to limit what it's
> capturing; Wireshark can get a *lot* of data quickly.
>
> For instance, if you know it's only communicating with a few servers,
> after you click on "Capture --> Interfaces", click on the "Options"
> button, and in the Capture Filter, put "host 98.136.48.110 or host
> 98.136.42.25", which are the two servers you listed at the beginning of
> this thread (cs210p2.msg.sp1.yahoo.com and rdis.msg.vip.sp1.yahoo.com).
> Or you could assume that Yahoo are using the 98.136.0.0 network only for
> this sort of thing, and use a filter of "net 98.136.0.0/16", which would
> grab all traffic to or from any host with an IP starting with 98.136.x.x.
>
> Jake Moe
>
>

I'll keep that in mind. I'm not sure when it will start this mess again
tho. Sometimes it starts after a day or so, sometimes it is a week or so.

Thanks.

Dale

:-) :-)