From: Dale
Date: Tue, 24 Aug 2010 21:36:10 -0500
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Yahoo and strange traffic.
Message-ID: <4C74819A.90904@gmail.com>
In-Reply-To: <306497.5595.qm@web51905.mail.re2.yahoo.com>
References: <4C684F59.3040903@gmail.com> <201008152329.44195.alan.mckinnon@gmail.com> <4C69C1E4.9090309@gmail.com> <4C69E3CD.5070108@gmail.com> <4C6A224C.2030100@gmail.com> <4C6A633F.5070409@gmail.com> <306497.5595.qm@web51905.mail.re2.yahoo.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.11) Gecko/20100801 Gentoo/2.0.6 SeaMonkey/2.0.6
List-Id: Gentoo Linux mail

BRM wrote:
> Wireshark will show you the raw packet data, and decode only a little of it -
> enough to identify the general protocol, senders, etc.
> So to understand the packet, you will need to understand the application layer
> protocol - in this case HTTP - yourself as Wireshark won't help you there.
>
> But yet, Wireshark, nmap, and nessus security scanner are the tools, less so
> nessus as it really is more of a port scanner/security hole finder than a debug
> tool for applications (it's basically an interface for nmap for those purposes).
>
> HTH,
>
> Ben

It finally did it again, and is doing it as I type. I captured some of the traffic with Wireshark. Can someone tell me what to do with it now?
This is one frame of it:

Frame 4 (881 bytes on wire, 881 bytes captured)
    Arrival Time: Aug 24, 2010 21:03:35.518314000
    [Time delta from previous captured frame: 0.000383000 seconds]
    [Time delta from previous displayed frame: 0.000383000 seconds]
    [Time since reference or first frame: 0.010995000 seconds]
    Frame Number: 4
    Frame Length: 881 bytes
    Capture Length: 881 bytes
    [Frame is marked: False]
    [Protocols in frame: eth:ip:tcp:http]
    [Coloring Rule Name: HTTP]
    [Coloring Rule String: http || tcp.port == 80]
Ethernet II, Src: ArchtekT_81:d5:d3 (00:01:53:81:d5:d3), Dst: Motorola_aa:96:e4 (00:1d:6b:aa:96:e4)
    Destination: Motorola_aa:96:e4 (00:1d:6b:aa:96:e4)
        Address: Motorola_aa:96:e4 (00:1d:6b:aa:96:e4)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Source: ArchtekT_81:d5:d3 (00:01:53:81:d5:d3)
        Address: ArchtekT_81:d5:d3 (00:01:53:81:d5:d3)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
Internet Protocol, Src: 192.168.1.2 (192.168.1.2), Dst: 98.136.112.30 (98.136.112.30)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 867
    Identification: 0xe5fb (58875)
    Flags: 0x02 (Don't Fragment)
        0.. = Reserved bit: Not Set
        .1. = Don't fragment: Set
        ..0 = More fragments: Not Set
    Fragment offset: 0
    Time to live: 64
    Protocol: TCP (0x06)
    Header checksum: 0xbd48 [correct]
        [Good: True]
        [Bad : False]
    Source: 192.168.1.2 (192.168.1.2)
    Destination: 98.136.112.30 (98.136.112.30)
Transmission Control Protocol, Src Port: 43281 (43281), Dst Port: http (80), Seq: 0, Ack: 1, Len: 815
    Source port: 43281 (43281)
    Destination port: http (80)
    [Stream index: 1]
    Sequence number: 0    (relative sequence number)
    [Next sequence number: 815    (relative sequence number)]
    Acknowledgement number: 1    (relative ack number)
    Header length: 32 bytes
    Flags: 0x18 (PSH, ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgement: Set
        .... 1... = Push: Set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 92
    Checksum: 0x0d09 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    Options: (12 bytes)
        NOP
        NOP
        Timestamps: TSval 177975147, TSecr 3960038659
    [SEQ/ACK analysis]
        [Number of bytes in flight: 815]
Hypertext Transfer Protocol
    GET /v1/displayImage/custom/yahoo/?redirect=0 HTTP/1.1\r\n
        [Expert Info (Chat/Sequence): GET /v1/displayImage/custom/yahoo/?redirect=0 HTTP/1.1\r\n]
            [Message: GET /v1/displayImage/custom/yahoo/?redirect=0 HTTP/1.1\r\n]
            [Severity level: Chat]
            [Group: Sequence]
        Request Method: GET
        Request URI: /v1/displayImage/custom/yahoo/?redirect=0
        Request Version: HTTP/1.1
    Host: rest-img.msg.yahoo.com\r\n
    Connection: close\r\n
    User-Agent: Mozilla/5.0 (compatible; Konqueror/4.4; Linux 2.6.30-gentoo-r8; X11; i686; en_US) KHTML/4.4.5 (like Gecko)\r\n
    Accept: text/html, image/jpeg;q=0.9, image/png;q=0.9, text/*;q=0.9, image/*;q=0.9, */*;q=0.8\r\n
    Accept-Encoding: x-gzip, x-deflate, gzip, deflate\r\n
    Accept-Charset: iso-8859-1, utf-8;q=0.5, *;q=0.5\r\n
    Accept-Language: en-US, en\r\n
    [truncated] Cookie: B=ailkv295qsqnr&b=3&s=dn; Y=v=1&n=bt77n8119ils3&l=30b4a_rzwx/o&p=m2316qt013000000&jb=16|47|&r=eg&lg=en-US&intl=us&np=1; T=z=b/fcMBbF1cMBqnoHCK8Lm6qNDAxBjU0NDE0MjVPMzI-&a=YAE&sk=DAAgQw54KM2VAc&ks=EAAQtPQ3LsapOyL9MIqyK3.8
    \r\n

No.     Time        Source          Destination     Protocol  Info
5       0.152339    98.136.112.30   192.168.1.2     HTTP      HTTP/1.1 401 Authorization Required  (text/html)

I changed the screen name to protect the innocent. She is a redhead with attitude.

Anyway, looking at more than one frame here, it looks like it is trying to get info, image perhaps, for that contact but it fails so it keeps trying. Been going at it for half an hour or more so far. It looks to me like Yahoo would eventually say "bugger off"!! LOL

I remember that Yahoo removed images and some kind of profile thingy a while back. Could that be what it is trying to find but that no longer exists?

Thoughts?

Dale

:-) :-)
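Editor's added example, not code from Dale's post or from anyone in the gentoo-user thread. It shows one practical answer to "what do I do with the capture now": rather than reading frames one at a time, export the HTTP messages with tshark as tab-separated fields, pair each request with the response on the same TCP stream, and count how often the same host/URI is requested and what status codes it gets. A target that is requested again and again and only ever receives 4xx/5xx answers is the retry loop Dale describes (the GET to rest-img.msg.yahoo.com answered with 401). The tshark command in the comments uses real Wireshark field names; the export lines inside the script are constructed to mirror the frames shown in the post, plus one unrelated successful request so the filter has something to ignore. The check is general: it reports any repeatedly failing request, not just the Yahoo one. One caveat when sharing a capture like this on a list: the request above carries a Cookie header in clear text over port 80, so redact cookie values before posting a dump.

```python
# Added example (editor's note): summarise HTTP request/response pairs from a
# tshark field export and flag requests that are retried but only ever fail.
# Not code from the original post.
#
# Assumed input format: output of a tshark command such as
#   tshark -r capture.pcap -Y http -T fields -e frame.time_relative -e tcp.stream
#          -e ip.src -e ip.dst -e http.request.method -e http.host
#          -e http.request.uri -e http.response.code
# (tab-separated; a field that does not apply to a message is emitted empty).
from collections import defaultdict

# Constructed sample export mirroring the thread: three identical GETs to
# rest-img.msg.yahoo.com, each answered 401, plus one unrelated 200.
SAMPLE_EXPORT = (
    "0.010995\t1\t192.168.1.2\t98.136.112.30\tGET\trest-img.msg.yahoo.com\t/v1/displayImage/custom/yahoo/?redirect=0\t\n"
    "0.152339\t1\t98.136.112.30\t192.168.1.2\t\t\t\t401\n"
    "1.204410\t2\t192.168.1.2\t98.136.112.30\tGET\trest-img.msg.yahoo.com\t/v1/displayImage/custom/yahoo/?redirect=0\t\n"
    "1.350120\t2\t98.136.112.30\t192.168.1.2\t\t\t\t401\n"
    "2.401330\t3\t192.168.1.2\t98.136.112.30\tGET\trest-img.msg.yahoo.com\t/v1/displayImage/custom/yahoo/?redirect=0\t\n"
    "2.550001\t3\t98.136.112.30\t192.168.1.2\t\t\t\t401\n"
    "3.100000\t4\t192.168.1.2\t192.0.2.10\tGET\texample.invalid\t/index.html\t\n"
    "3.250000\t4\t192.0.2.10\t192.168.1.2\t\t\t\t200\n"
)

FIELDS = ("time", "stream", "src", "dst", "method", "host", "uri", "status")


def parse_export(text):
    """Turn tab-separated tshark lines into one dict per HTTP message."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        # tshark emits empty fields, but a hand-trimmed export may lose trailing tabs.
        fields += [""] * (len(FIELDS) - len(fields))
        row = dict(zip(FIELDS, fields[:len(FIELDS)]))
        row["time"] = float(row["time"])
        row["stream"] = int(row["stream"])
        rows.append(row)
    return rows


def pair_requests(rows):
    """Match each request to the next response seen on the same TCP stream."""
    pending = defaultdict(list)  # stream index -> requests awaiting a response (FIFO)
    pairs = []
    for row in rows:
        if row["method"]:
            pending[row["stream"]].append(row)
        elif row["status"] and pending[row["stream"]]:
            pairs.append((pending[row["stream"]].pop(0), row))
    # Requests that never got an answer are kept with response None.
    for reqs in pending.values():
        pairs.extend((req, None) for req in reqs)
    return pairs


def summarize(pairs):
    """Per (host, uri): request count, set of status codes, first and last request time."""
    summary = defaultdict(lambda: {"count": 0, "statuses": set(), "first": None, "last": None})
    for req, resp in pairs:
        s = summary[(req["host"], req["uri"])]
        s["count"] += 1
        s["statuses"].add(resp["status"] if resp else "no reply")
        s["first"] = req["time"] if s["first"] is None else min(s["first"], req["time"])
        s["last"] = req["time"] if s["last"] is None else max(s["last"], req["time"])
    return dict(summary)


def find_retry_loops(summary, min_count=3):
    """Targets requested at least min_count times whose every answer was a 4xx/5xx."""
    loops = []
    for (host, uri), s in summary.items():
        if s["count"] < min_count:
            continue
        if all(st.startswith(("4", "5")) for st in s["statuses"]):
            loops.append({
                "host": host, "uri": uri, "count": s["count"],
                "statuses": sorted(s["statuses"]),
                # average spacing between retries, in seconds
                "interval": (s["last"] - s["first"]) / max(s["count"] - 1, 1),
            })
    return loops


if __name__ == "__main__":
    loops = find_retry_loops(summarize(pair_requests(parse_export(SAMPLE_EXPORT))))
    for loop in loops:
        print(f"{loop['host']}{loop['uri']}: {loop['count']} requests, "
              f"responses {loop['statuses']}, about {loop['interval']:.1f}s apart")
```

Run it as-is to see the constructed case, or replace SAMPLE_EXPORT with the output of the tshark command above on a real capture. The pairing relies on tcp.stream, which is why that field is exported: matching on source/destination alone would mis-pair responses once several connections to the same server overlap.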