From: Dale
Date: Tue, 17 Aug 2010 15:15:51 -0500
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Yahoo and strange traffic.
Message-ID: <4C6AEDF7.1020507@gmail.com>
References: <4C684F59.3040903@gmail.com> <201008152329.44195.alan.mckinnon@gmail.com> <4C69C1E4.9090309@gmail.com> <4C69E3CD.5070108@gmail.com> <4C6A224C.2030100@gmail.com> <4C6A633F.5070409@gmail.com> <306497.5595.qm@web51905.mail.re2.yahoo.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.11) Gecko/20100801 Gentoo/2.0.6 SeaMonkey/2.0.6

Mick wrote:
> On 17 August 2010 15:29, BRM wrote:
>
>> ----- Original Message ----
>>
>>> From: Dale
>>> Adam Carter wrote:
>>>
>>>> Is this easy to do? I have no idea where to start except that
>>>> wireshark is installed.
>>>> Yep, start the capture with Capture -> Interfaces and click on the start
>>> button next to the correct interface, then right click on one of the packets
>>> that is to the yahoo box and choose Decode As, set the port and protocol, then
>>> apply. You'll need to understand the semantics of HTTP for it to be of much use tho.
>>>
>>> You had me until the last part. No semantics here. lol May see if I can
>>> post a little and see if anyone can figure out what the heck it is doing. I'm
>>> thinking some crazy bug or something. Maybe checking for updates not realizing
>>> it's Kopete instead of a Yahoo program.
>>>
>> Wireshark will show you the raw packet data, and decode only a little of it -
>> enough to identify the general protocol, senders, etc.
>> So to understand the packet, you will need to understand the application layer
>> protocol - in this case HTTP - yourself as Wireshark won't help you there.
>>
>> But yet, Wireshark, nmap, and nessus security scanner are the tools, less so
>> nessus as it really is more of a port scanner/security hole finder than a debug
>> tool for applications (it's basically an interface for nmap for those purposes).
>>
> I'm not at home to experiment and I don't use yahoo, but port 5050 is
> typically used for mmcc = multi media conference control - does yahoo
> offer such a service? It could be a SIP server running there for VoIP
> between Yahoo registered users or something similar.
>
> The http connection could be offered as an alternative proxy
> connection to the yahoo IM servers for users who are behind
> restrictive firewalls. Have you asked as much in the Yahoo user
> groups?
>
> The fact that the threads continue after kopete has shut down is not
> necessarily of concern as was already explained, unless it carries on
> and on for a long time and the flow of packets continues. I don't
> know how yahoo VoIP works. Did you install some plugin specific for
> yahoo services? If it imitates the Skype architecture then it
> essentially runs proxies on clients' machines and this could be an
> explanation for the traffic.
>

I don't have VoIP, Skype or that sort of thing here. Here is my Kopete info tho:

[ebuild R ] kde-base/kopete-4.4.5-r1 USE="addbookmarks autoreplace contactnotes groupwise handbook highlight history nowlistening pipes privacy ssl statistics texteffect translator urlpicpreview yahoo zeroconf (-aqua) -debug -gadu -jabber -jingle (-kdeenablefinal) (-kdeprefix) -latex -meanwhile -msn -oscar -otr -qq -skype -sms -testbed -v4l2 -webpresence -winpopup" 0 kB

Anything there that could cause a problem?

Dale

:-) :-)
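As an added example (not code from anyone in this thread), here is the command-line form of the capture-and-"Decode As" step Adam describes, using tshark (assumed installed) to force the HTTP dissector on port 5050, plus a summary step that counts repeated requests so a polling or update-check pattern stands out. The interface name, server address and host names are placeholders, and the sample capture lines are constructed so the summary can be tried without root or a live interface.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes tshark (Wireshark's CLI) is present.

# Capture traffic to one host/port, force the HTTP dissector on that port
# (the CLI equivalent of Wireshark's "Decode As"), and emit one tab-separated
# line per HTTP request: <dst-ip> <dst-port> <method> <host-header> <uri>.
capture_http_requests() {
    iface=$1; host=$2; port=${3:-5050}; count=${4:-200}
    tshark -i "$iface" -c "$count" -l \
        -f "host $host and tcp port $port" \
        -d "tcp.port==$port,http" \
        -Y http.request \
        -T fields -e ip.dst -e tcp.dstport \
        -e http.request.method -e http.host -e http.request.uri
}

# Summarize request lines from stdin into
#   <count> <dst-ip>:<port> <method> <host> <uri>
# sorted by frequency, so the same request repeated over and over is visible.
summarize_requests() {
    awk -F'\t' 'NF >= 5 { key = $1 ":" $2 " " $3 " " $4 " " $5; n[key]++ }
                END { for (k in n) printf "%d %s\n", n[k], k }' | sort -rn
}

# Constructed sample in tshark's field output format (placeholder addresses),
# standing in for a real capture.
sample_requests() {
    printf '%s\t%s\t%s\t%s\t%s\n' \
        203.0.113.10 5050 GET  example.invalid /poll \
        203.0.113.10 5050 GET  example.invalid /poll \
        203.0.113.10 5050 POST example.invalid /update
}

# Most frequent request in the sample; with a live capture you would pipe
# capture_http_requests into summarize_requests instead.
top_request() {
    sample_requests | summarize_requests | head -n 1
}
```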