From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from pigeon.gentoo.org ([208.92.234.80] helo=lists.gentoo.org)
	by finch.gentoo.org with esmtp (Exim 4.60)
	(envelope-from )
	id 1OlOkH-0007Ul-1F
	for garchives@archives.gentoo.org; Tue, 17 Aug 2010 16:10:37 +0000
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 2CF88E0B6C;
	Tue, 17 Aug 2010 16:10:25 +0000 (UTC)
Received: from mail-qy0-f174.google.com (mail-qy0-f174.google.com [209.85.216.174])
	by pigeon.gentoo.org (Postfix) with ESMTP id 08920E0B6C
	for ; Tue, 17 Aug 2010 16:10:24 +0000 (UTC)
Received: by qyk10 with SMTP id 10so826396qyk.19
	for ; Tue, 17 Aug 2010 09:10:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma;
	h=domainkey-signature:mime-version:received:received:in-reply-to
	:references:date:message-id:subject:from:to:content-type
	:content-transfer-encoding;
	bh=x2z82uAsgkbpepMApttQoYQF9iN9xu+18svsIlFVbdA=;
	b=ngUc0msp3BfwpQ1QmiQYXpld0IjakfR9L0Wcnqe9HJNWhk8CJSD7ELiSSJUJ/meKmC
	PJSF2GYq0o3+f/CLfbcifM8qlmdJ1PZ8Tvos/VE+IoeAMbJUiFQkdtF0s9sJFYycOWe+
	X7XCbHgduJ77pUuPcvZGsMNYoTdhJfZ+n7I5A=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma;
	h=mime-version:in-reply-to:references:date:message-id:subject:from:to
	:content-type:content-transfer-encoding;
	b=u+1rtCPSLLxTHTx+RD2doaW+OvJPgE8NURFWBksuOQgrjkvxzJaAQ3pkLp7niuzlm4
	QnWh1nJBayZ6evQcjA37DSmnRjnhB58DdbBGH1Ml390PC3iw7D66v53MJ77sG4P5Qx7m
	cieLXqL9um8Iy01t5nU/rupRpYUs9t8QaEDio=
Precedence: bulk
List-Post: 
List-Help: 
List-Unsubscribe: 
List-Subscribe: 
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-user@lists.gentoo.org
Reply-to: gentoo-user@lists.gentoo.org
MIME-Version: 1.0
Received: by 10.224.28.209 with SMTP id n17mr4533174qac.34.1282061424597;
	Tue, 17 Aug 2010 09:10:24 -0700 (PDT)
Received: by 10.229.69.153 with HTTP; Tue, 17 Aug 2010 09:10:24 -0700 (PDT)
In-Reply-To: <306497.5595.qm@web51905.mail.re2.yahoo.com>
References: <4C684F59.3040903@gmail.com>
	<201008152329.44195.alan.mckinnon@gmail.com>
	<4C69C1E4.9090309@gmail.com>
	<4C69E3CD.5070108@gmail.com>
	<4C6A224C.2030100@gmail.com>
	<4C6A633F.5070409@gmail.com>
	<306497.5595.qm@web51905.mail.re2.yahoo.com>
Date: Tue, 17 Aug 2010 17:10:24 +0100
Message-ID: 
Subject: Re: [gentoo-user] Yahoo and strange traffic.
From: Mick 
To: gentoo-user@lists.gentoo.org
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
X-Archives-Salt: e78252c1-a9f3-43b7-b117-a34243bdb2b4
X-Archives-Hash: 5ff127d413e7e90b86f77bdf2e8f81c1

On 17 August 2010 15:29, BRM wrote:
> ----- Original Message ----
>
>> From: Dale
>> Adam Carter wrote:
>> >     Is this easy to do?  I have no idea where to start except that
>> >     wireshark is installed.
>> > Yep, start the capture with Capture -> Interfaces and click on the start
>> button next to the correct interface, then right click on one of the packets
>> that is to the yahoo box and choose Decode As, set the port and protocol, then
>> apply. You'll need to understand the semantics of HTTP for it to be of much
>> use tho.
>>
>> You had me until the last part.  No semantics here.  lol  May see if I can
>> post a little and see if anyone can figure out what the heck it is doing.  I'm
>> thinking some crazy bug or something.  Maybe checking for updates not realizing
>> it's Kopete instead of a Yahoo program.
>
> Wireshark will show you the raw packet data, and decode only a little of it -
> enough to identify the general protocol, senders, etc.
> So to understand the packet, you will need to understand the application layer
> protocol - in this case HTTP - yourself as Wireshark won't help you there.
>
> But yet, Wireshark, nmap, and nessus security scanner are the tools, less so
> nessus as it really is more of a port scanner/security hole finder than a debug
> tool for applications (it's basically an interface for nmap for those purposes).
I'm not at home to experiment and I don't use yahoo, but port 5050 is
typically used for mmcc = multi media conference control - does yahoo offer
such a service?  It could be a SIP server running there for VoIP between
Yahoo registered users or something similar.  The http connection could be
offered as an alternative proxy connection to the yahoo IM servers for users
who are behind restrictive firewalls.  Have you asked as much in the Yahoo
user groups?

The fact that the threads continue after kopete has shut down is not
necessarily of concern as was already explained, unless it carries on and on
for a long time and the flow of packets continues.

I don't know how yahoo VoIP works.  Did you install some plugin specific for
yahoo services?  If it imitates the Skype architecture then it essentially
runs proxies on clients' machines and this could be an explanation for the
traffic.

-- 
Regards,
Mick
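The two checks the thread keeps circling back to are (a) working out for yourself what application-layer protocol is actually riding on port 5050, since the /etc/services name "mmcc" only says what the port is registered for, and (b) telling a few teardown packets after Kopete exits from a stream that "carries on and on". The script below is an added illustration and is not code from anyone in this thread or from Kopete or Wireshark; it takes flow records of the shape you would export from a capture (timestamp, source port, destination port, first payload bytes), classifies each payload by its HTTP start line, and reports traffic to the port that is still flowing past a grace period after the process exit time. The sample records, ports and hostnames are constructed for the example.

```python
"""Classify captured TCP payloads by application protocol and report traffic
to a port that keeps flowing after a process has exited.

Added example: SAMPLE below is constructed, not a real capture of Yahoo traffic.
"""
import re
from datetime import datetime, timedelta

# Shapes of an HTTP/1.x request line and status line (RFC 2616 section 5.1 / 6.1).
HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT) \S+ HTTP/1\.[01]\r\n")
HTTP_STATUS = re.compile(rb"^HTTP/1\.[01] \d{3} [^\r\n]*\r\n")


def classify_payload(payload: bytes) -> str:
    """Guess the application protocol from the first bytes of a TCP payload."""
    if HTTP_REQUEST.match(payload):
        return "http-request"
    if HTTP_STATUS.match(payload):
        return "http-response"
    # Anything else (binary, TLS, a proprietary IM protocol) needs a dissector or
    # a protocol spec; a port number alone does not identify it.
    return "unknown"


def http_summary(payload: bytes) -> dict:
    """Return the start line and header fields of an HTTP payload (lower-cased names)."""
    head, _, _ = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("ascii", "replace")] = \
                value.strip().decode("ascii", "replace")
    return {"start_line": lines[0].decode("ascii", "replace"), "headers": headers}


# Constructed flow records: (time, src_port, dst_port, first payload bytes).
T0 = datetime(2010, 8, 17, 15, 0, 0)
SAMPLE = [
    (T0 + timedelta(seconds=1), 41234, 5050,
     b"GET /notify?u=user HTTP/1.1\r\nHost: im.example.invalid\r\nUser-Agent: Kopete\r\n\r\n"),
    (T0 + timedelta(seconds=1, milliseconds=200), 5050, 41234,
     b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
    (T0 + timedelta(seconds=2), 41235, 5050, b"\x00\x01\x02opaque binary payload"),
    (T0 + timedelta(minutes=5), 41236, 5050,
     b"GET /notify?u=user HTTP/1.1\r\nHost: im.example.invalid\r\n\r\n"),
    (T0 + timedelta(minutes=20), 41237, 5050,
     b"GET /notify?u=user HTTP/1.1\r\nHost: im.example.invalid\r\n\r\n"),
]


def classify_flows(records, port=5050):
    """Pair every record touching `port` with its protocol guess."""
    return [(t, classify_payload(p)) for (t, sp, dp, p) in records if port in (sp, dp)]


def traffic_after(records, cutoff, port=5050, grace=timedelta(minutes=1)):
    """Records to/from `port` seen more than `grace` after `cutoff` (the process exit).

    A handful of packets right after exit is ordinary connection teardown; records
    that keep arriving long afterwards are the case worth investigating.
    """
    return [(t, p) for (t, sp, dp, p) in records if port in (sp, dp) and t > cutoff + grace]


if __name__ == "__main__":
    for t, kind in classify_flows(SAMPLE):
        print(t.time(), kind)
    kopete_exit = T0 + timedelta(seconds=3)  # constructed exit time
    for t, p in traffic_after(SAMPLE, kopete_exit):
        print("still talking on 5050 at", t.time(), http_summary(p)["start_line"])
```

To use it on a real capture, replace SAMPLE with records exported from Wireshark or tshark (timestamp, ports and the first payload bytes of each conversation) and set the cutoff to the moment the client process exited; a list that stays empty, or holds only entries within the grace period, is the benign case the thread describes.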