Gentoo Archives: gentoo-user

From: Dale <rdalek1967@×××××.com>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] Yahoo and strange traffic.
Date: Tue, 17 Aug 2010 21:03:40
Message-Id: 4C6AEDF7.1020507@gmail.com
In Reply to: Re: [gentoo-user] Yahoo and strange traffic. by Mick
Mick wrote:
> On 17 August 2010 15:29, BRM<bm_witness@×××××.com> wrote:
>
>> ----- Original Message ----
>>
>>
>>> From: Dale<rdalek1967@×××××.com>
>>> Adam Carter wrote:
>>>
>>>> Is this easy to do? I have no idea where to start except that
>>>> wireshark is installed.
>>>> Yep, start the capture with Capture -> Interfaces and click on the start
>>>>
>>> button next to the correct interface, then right click on one of the packets
>>> that is to the yahoo box and choose Decode As set the port and protocol then
>>> apply. You'll
>>>
>>> need to understand the semantics of HTTP for it to be of much use tho.
>>> You had me until the last part. No semantics here. lol May see if I can
>>> post a little and see if anyone can figure out what the heck it is doing. I'm
>>> thinking some crazy bug or something. Maybe checking for updates not realizing
>>> it's
>>>
>>> Kopete instead of a Yahoo program.
>>>
>> Wireshark will show you the raw packet data, and decode only a little of it -
>> enough to identify the general protocol, senders, etc.
>> So to understand the packet, you will need to understand the application layer
>> protocol - in this case HTTP - yourself as Wireshark won't help you there.
>>
>> But yet, Wireshark, nmap, and nessus security scanner are the tools, less so
>> nessus as it really is more of a port scanner/security hole finder than a debug
>> tool for applications (it's basically an interface for nmap for those purposes).
>>
> I'm not at home to experiment and I don't use yahoo, but port 5050 is
> typically used for mmcc = multi media conference control - does yahoo
> offer such a service? It could be a SIP server running there for VoIP
> between Yahoo registered users or something similar.
>
> The http connection could be offered as an alternative proxy
> connection to the yahoo IM servers for users who are behind
> restrictive firewalls. Have you asked as much in the Yahoo user
> groups?
>
> The fact that the threads continue after kopete has shut down is not
> necessarily of concern as was already explained, unless it carries on
> and on for a long time and the flow of packets continues. I don't
> know how yahoo VoIP works. Did you install some plugin specific for
> yahoo services? If it imitates the Skype architecture then it
> essentially runs proxies on clients' machines and this could be an
> explanation for the traffic.
>

I don't have VoIP, Skype or that sort of thing here. Here is my Kopete
info tho:

[ebuild R ] kde-base/kopete-4.4.5-r1 USE="addbookmarks autoreplace
contactnotes groupwise handbook highlight history nowlistening pipes
privacy ssl statistics texteffect translator urlpicpreview yahoo
zeroconf (-aqua) -debug -gadu -jabber -jingle (-kdeenablefinal)
(-kdeprefix) -latex -meanwhile -msn -oscar -otr -qq -skype -sms -testbed
-v4l2 -webpresence -winpopup" 0 kB

Anything there that could cause a problem?

Dale

:-) :-)

Replies

Subject Author
Re: [gentoo-user] Yahoo and strange traffic. Mick <michaelkintzios@×××××.com>