Subject: Re: [gentoo-user] Yahoo and strange traffic.
From: Joshua Murphy
To: gentoo-user@lists.gentoo.org
Date: Wed, 25 Aug 2010 04:08:58 -0400
In-Reply-To: <4C74819A.90904@gmail.com>

On Tue, Aug 24, 2010 at 10:36 PM, Dale wrote:
> BRM wrote:
>>
>> Wireshark will show you the raw packet data, and decode only a little of
>> it -
>> enough to identify the general protocol, senders, etc.
>> So to understand the packet, you will need to understand the application
>> layer
>> protocol - in this case HTTP - yourself as Wireshark won't help you there.
>>
>> But yet, Wireshark, nmap, and nessus security scanner are the tools, less
>> so
>> nessus as it really is more of a port scanner/security hole finder than a
>> debug
>> tool for applications (it's basically an interface for nmap for those
>> purposes).
>>
>> HTH,
>>
>> Ben
>>
>>
>>
>
> It finally did it again, and is doing it as I type.  I captured some of the
> traffic with Wireshark.  Can someone tell me what to do with it now?  This
> is one frame of it:
>
> Frame 4 (881 bytes on wire, 881 bytes captured)
>     Arrival Time: Aug 24, 2010 21:03:35.518314000
>     [Time delta from previous captured frame: 0.000383000 seconds]
>     [Time delta from previous displayed frame: 0.000383000 seconds]
>     [Time since reference or first frame: 0.010995000 seconds]
>     Frame Number: 4
>     Frame Length: 881 bytes
>     Capture Length: 881 bytes
>     [Frame is marked: False]
>     [Protocols in frame: eth:ip:tcp:http]
>     [Coloring Rule Name: HTTP]
>     [Coloring Rule String: http || tcp.port == 80]
> Ethernet II, Src: ArchtekT_81:d5:d3 (00:01:53:81:d5:d3), Dst:
> Motorola_aa:96:e4 (00:1d:6b:aa:96:e4)
>     Destination: Motorola_aa:96:e4 (00:1d:6b:aa:96:e4)
>         Address: Motorola_aa:96:e4 (00:1d:6b:aa:96:e4)
>         .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
>         .... ..0. .... .... .... .... = LG bit: Globally unique address
> (factory default)
>     Source: ArchtekT_81:d5:d3 (00:01:53:81:d5:d3)
>         Address: ArchtekT_81:d5:d3 (00:01:53:81:d5:d3)
>         .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
>         .... ..0. .... .... .... .... = LG bit: Globally unique address
> (factory default)
>     Type: IP (0x0800)
> Internet Protocol, Src: 192.168.1.2 (192.168.1.2), Dst: 98.136.112.30
> (98.136.112.30)
>     Version: 4
>     Header length: 20 bytes
>     Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
>         0000 00.. = Differentiated Services Codepoint: Default (0x00)
>         .... ..0. = ECN-Capable Transport (ECT): 0
>         .... ...0 = ECN-CE: 0
>     Total Length: 867
>     Identification: 0xe5fb (58875)
>     Flags: 0x02 (Don't Fragment)
>         0.. = Reserved bit: Not Set
>         .1. = Don't fragment: Set
>         ..0 = More fragments: Not Set
>     Fragment offset: 0
>     Time to live: 64
>     Protocol: TCP (0x06)
>     Header checksum: 0xbd48 [correct]
>         [Good: True]
>         [Bad : False]
>     Source: 192.168.1.2 (192.168.1.2)
>     Destination: 98.136.112.30 (98.136.112.30)
> Transmission Control Protocol, Src Port: 43281 (43281), Dst Port: http (80),
> Seq: 0, Ack: 1, Len: 815
>     Source port: 43281 (43281)
>     Destination port: http (80)
>     [Stream index: 1]
>     Sequence number: 0    (relative sequence number)
>     [Next sequence number: 815    (relative sequence number)]
>     Acknowledgement number: 1    (relative ack number)
>     Header length: 32 bytes
>     Flags: 0x18 (PSH, ACK)
>         0... .... = Congestion Window Reduced (CWR): Not set
>         .0.. .... = ECN-Echo: Not set
>         ..0. .... = Urgent: Not set
>         ...1 .... = Acknowledgement: Set
>         .... 1... = Push: Set
>         .... .0.. = Reset: Not set
>         .... ..0. = Syn: Not set
>         .... ...0 = Fin: Not set
>     Window size: 92
>     Checksum: 0x0d09 [validation disabled]
>         [Good Checksum: False]
>         [Bad Checksum: False]
>     Options: (12 bytes)
>         NOP
>         NOP
>         Timestamps: TSval 177975147, TSecr 3960038659
>     [SEQ/ACK analysis]
>         [Number of bytes in flight: 815]
> Hypertext Transfer Protocol
>     GET /v1/displayImage/custom/yahoo/?redirect=0
> HTTP/1.1\r\n
>         [Expert Info (Chat/Sequence): GET
> /v1/displayImage/custom/yahoo/?redirect=0
> HTTP/1.1\r\n]
>             [Message: GET /v1/displayImage/custom/yahoo/ here>?redirect=0 HTTP/1.1\r\n]
>             [Severity level: Chat]
>             [Group: Sequence]
>         Request Method: GET
>         Request URI: /v1/displayImage/custom/yahoo/ here>?redirect=0
>         Request Version: HTTP/1.1
>     Host: rest-img.msg.yahoo.com\r\n
>     Connection: close\r\n
>     User-Agent: Mozilla/5.0 (compatible; Konqueror/4.4; Linux
> 2.6.30-gentoo-r8; X11; i686; en_US) KHTML/4.4.5 (like Gecko)\r\n
>     Accept: text/html, image/jpeg;q=0.9, image/png;q=0.9, text/*;q=0.9,
> image/*;q=0.9, */*;q=0.8\r\n
>     Accept-Encoding: x-gzip, x-deflate, gzip, deflate\r\n
>     Accept-Charset: iso-8859-1, utf-8;q=0.5, *;q=0.5\r\n
>     Accept-Language: en-US, en\r\n
>     [truncated] Cookie: B=ailkv295qsqnr&b=3&s=dn;
> Y=v=1&n=bt77n8119ils3&l=30b4a_rzwx/o&p=m2316qt013000000&jb=16|47|&r=eg&lg=en-US&intl=us&np=1;
> T=z=b/fcMBbF1cMBqnoHCK8Lm6qNDAxBjU0NDE0MjVPMzI-&a=YAE&sk=DAAgQw54KM2VAc&ks=EAAQtPQ3LsapOyL9MIqyK3.8
>     \r\n
>
> No.     Time        Source                Destination           Protocol
> Info
>      5 0.152339    98.136.112.30         192.168.1.2           HTTP
> HTTP/1.1 401 Authorization Required  (text/html)
>
>
> I changed the screen name to protect the innocent.  She is a red head with
> attitude.  Anyway, looking at more than one frame here, it looks like it is
> trying to get info, image perhaps, for that contact but it fails so it keeps
> trying.  Been going at it for half hour or more so far.  It looks to me like
> Yahoo would eventually say "bugger off"!!  LOL
>
> I remember that Yahoo removed images and some kind of profile thingy a while
> back.  Could that be what it is trying to find but that no longer exists?
>
> Thoughts?
>
> Dale
>
> :-)  :-)

Well, glancing at the GET request it's making there, as well as the API
google points me to when I look it up...

http://developer.yahoo.com/messenger/guide/ch03s02.html#d4e4628

You're right that it's after an image from their profile, but the cause of
the failure appears to be related to some sort of credentials Yahoo wants
the messenger to provide. You might poke Kopete's bugtracker to see if
they've a related bug on file already, and if they don't, throw one their
way.

The API Yahoo appears to be using there (based on a response I got back in
poking lightly) is, or is based on, OAuth, which according to this:

http://oauth.net/core/1.0/#http_codes

specifies that a request should give a 401 response (Authorization Required
vs Unauthorized is purely the choice of phrase used in the program decoding
the numerical code, i.e. wireshark in your example of it there) in the
following cases:

HTTP 401 Unauthorized
    * Invalid Consumer Key
    * Invalid / expired Token
    * Invalid signature
    * Invalid / used nonce

Yahoo, essentially, *does* give a "bugger off"!! with that response, but
Kopete simply takes it, considers it a brief instant, then decides "Maybe
the answer will change if I try again *now*!"... at which point it proceeds
to introduce its proverbial cranium to the proverbial brick and mortar
vertical surface one might term "the wall." Repeatedly.

-- 
Poison [BLX]
Joshua M. Murphy