Gentoo Archives: gentoo-user

From: Mick <michaelkintzios@×××××.com>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] Yahoo and strange traffic.
Date: Tue, 17 Aug 2010 21:12:09
Message-Id: 201008172211.32089.michaelkintzios@gmail.com
In Reply to: Re: [gentoo-user] Yahoo and strange traffic. by Dale
On Tuesday 17 August 2010 21:15:51 Dale wrote:
> Mick wrote:
> > On 17 August 2010 15:29, BRM<bm_witness@×××××.com> wrote:
> >> ----- Original Message ----
> >>
> >>> From: Dale<rdalek1967@×××××.com>
> >>>
> >>> Adam Carter wrote:
> >>>> Is this easy to do? I have no idea where to start except that
> >>>> wireshark is installed.
> >>>>
> >>>> Yep, start the capture with Capture -> Interfaces and click on the
> >>>> start
> >>>
> >>> button next to the correct interface, then right click on one of the
> >>> packets that is to the yahoo box and choose Decode As set the port
> >>> and protocol then apply. You'll
> >>>
> >>> need to understand the semantics of HTTP for it to be of much use tho.
> >>> You had me until the last part. No semantics here. lol May see if
> >>> I can post a little and see if anyone can figure out what the heck it
> >>> is doing. I'm thinking some crazy bug or something. Maybe checking
> >>> for updates not realizing it's
> >>>
> >>> Kopete instead of a Yahoo program.
> >>
> >> Wireshark will show you the raw packet data, and decode only a little of
> >> it - enough to identify the general protocol, senders, etc.
> >> So to understand the packet, you will need to understand the application
> >> layer protocol - in this case HTTP - yourself as Wireshark won't help
> >> you there.
> >>
> >> But yet, Wireshark, nmap, and nessus security scanner are the tools,
> >> less so nessus as it really is more of a port scanner/security hole
> >> finder than a debug tool for applications (it's basically an interface
> >> for nmap for those purposes).
> >
> > I'm not at home to experiment and I don't use yahoo, but port 5050 is
> > typically used for mmcc = multi media conference control - does yahoo
> > offer such a service? It could be a SIP server running there for VoIP
> > between Yahoo registered users or something similar.
> >
> > The http connection could be offered as an alternative proxy
> > connection to the yahoo IM servers for users who are behind
> > restrictive firewalls. Have you asked as much in the Yahoo user
> > groups?
> >
> > The fact that the threads continue after kopete has shut down is not
> > necessarily of concern as was already explained, unless it carries on
> > and on for a long time and the flow of packets continues. I don't
> > know how yahoo VoIP works. Did you install some plugin specific for
> > yahoo services? If it imitates the Skype architecture then it
> > essentially runs proxies on clients' machines and this could be an
> > explanation for the traffic.
>
> I don't have VoIP, Skype or that sort of thing here. Here is my Kopete
> info tho:
>
> [ebuild R ] kde-base/kopete-4.4.5-r1 USE="addbookmarks autoreplace
> contactnotes groupwise handbook highlight history nowlistening pipes
> privacy ssl statistics texteffect translator urlpicpreview yahoo
> zeroconf (-aqua) -debug -gadu -jabber -jingle (-kdeenablefinal)
> (-kdeprefix) -latex -meanwhile -msn -oscar -otr -qq -skype -sms -testbed
> -v4l2 -webpresence -winpopup" 0 kB
>
> Anything there that could cause a problem?

No, I can't see anything suspicious, you don't even have skype or v4l2
enabled, so it is unlikely that it is running some webcam stream (as part of
VoIP).
--
Regards,
Mick
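The thread's advice is to capture with Wireshark, pick out the packets going to the Yahoo box on port 5050 and port 80, and then read the HTTP yourself. The script below is an added example (not from this thread or from any of the posters) of the first half of that job done by hand: a minimal reader for a classic pcap file that pulls apart the Ethernet, IPv4 and TCP headers, groups packets into one-way flows, labels the destination ports the thread is puzzling over, and decodes only the request line of anything on port 80. The sample capture is constructed inline with private and documentation addresses, an opaque payload on port 5050, and a made-up HTTP request; the port labels are only what the thread guesses, not a statement about what Yahoo actually runs there. Point `parse_pcap` at the bytes of a real capture saved by Wireshark (File -> Save As, pcap format, not pcapng) to get the same summary for your own traffic.

```python
"""Added example: a tiny pcap reader that does Wireshark's per-packet header
decode in pure Python, so the who-talks-to-whom-on-which-port question can be
answered from a saved capture.  All sample data below is constructed."""
import socket
import struct
from collections import OrderedDict

PCAP_MAGIC = 0xA1B2C3D4            # magic of a classic (non-pcapng) pcap file
LINKTYPE_ETHERNET = 1
# Labels are what the thread guesses about these ports, nothing more.
PORTS_OF_INTEREST = {5050: "5050/mmcc?", 80: "http"}


def build_frame(src, dst, sport, dport, payload=b"", flags=0x18):
    """Ethernet + IPv4 + TCP frame with zero checksums (fine for a file)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0)
    ip_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Wrap frames in a little-endian classic pcap container (constructed data)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1282000000 + i, 0, len(frame), len(frame)) + frame
    return out


def decode_frame(frame):
    """Return (src, sport, dst, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":      # not IPv4 over Ethernet
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack_from("!H", frame, 16)[0]
    if frame[23] != 6 or len(frame) < 14 + ihl + 20:        # not TCP, or truncated
        return None
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    tcp = 14 + ihl
    sport, dport = struct.unpack_from("!HH", frame, tcp)
    data_off = (frame[tcp + 12] >> 4) * 4
    payload = frame[tcp + data_off:14 + total_len]
    return src, sport, dst, dport, payload


def parse_pcap(data):
    """Walk the capture record by record, handling either byte order."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack_from(endian + "I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only the Ethernet link type is handled")
    offset, records = 24, []
    while offset + 16 <= len(data):
        _sec, _usec, incl_len, _orig = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        rec = decode_frame(data[offset:offset + incl_len])
        offset += incl_len
        if rec:
            records.append(rec)
    return records


def summarize_flows(records):
    """Group packets into one-way flows and label interesting destination ports."""
    flows = OrderedDict()
    for src, sport, dst, dport, payload in records:
        f = flows.setdefault((src, sport, dst, dport), {
            "packets": 0, "bytes": 0, "label": PORTS_OF_INTEREST.get(dport, ""),
            "request": None})
        f["packets"] += 1
        f["bytes"] += len(payload)
        # Only the request line is decoded; the rest is the "semantics of HTTP"
        # the thread says you have to read for yourself.
        if dport == 80 and f["request"] is None and payload[:4] in (b"GET ", b"POST"):
            f["request"] = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
    return flows


# Constructed sample capture: a client on a private address talking to two
# made-up servers in the 203.0.113.0/24 documentation range.
SAMPLE_PCAP = build_pcap([
    build_frame("192.168.1.10", "203.0.113.5", 40001, 5050, flags=0x02),          # SYN
    build_frame("203.0.113.5", "192.168.1.10", 5050, 40001, flags=0x12),          # SYN/ACK
    build_frame("192.168.1.10", "203.0.113.5", 40001, 5050, b"opaque-constructed-payload"),
    build_frame("192.168.1.10", "203.0.113.9", 40002, 80,
                b"GET /status?user=example HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
    build_frame("192.168.1.10", "203.0.113.9", 40003, 443, b"\x16\x03\x01"),      # TLS hello start
])

if __name__ == "__main__":
    for (src, sport, dst, dport), f in summarize_flows(parse_pcap(SAMPLE_PCAP)).items():
        print(f"{src}:{sport} -> {dst}:{dport} {f['label']:<10} pkts={f['packets']} "
              f"bytes={f['bytes']} {f['request'] or ''}")
```

The reader only identifies flows and the first line of an HTTP request, which is about as far as "decode the general protocol and senders" goes; whatever Kopete is sending on port 5050 stays an opaque byte string here, so the "Decode As" step in Wireshark (or knowledge of that protocol) is still needed to go further.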

Attachments

File name MIME type
signature.asc application/pgp-signature

Replies

Subject Author
Re: [gentoo-user] Yahoo and strange traffic. Dale <rdalek1967@×××××.com>