On Tue, Aug 24, 2010 at 10:36 PM, Dale <rdalek1967@×××××.com> wrote:
> BRM wrote:
>>
>> Wireshark will show you the raw packet data, and decode only a little of
>> it - enough to identify the general protocol, senders, etc.
>> So to understand the packet, you will need to understand the application
>> layer protocol - in this case HTTP - yourself as Wireshark won't help you
>> there.
>>
>> But yet, Wireshark, nmap, and nessus security scanner are the tools, less
>> so nessus as it really is more of a port scanner/security hole finder than
>> a debug tool for applications (it's basically an interface for nmap for
>> those purposes).
>>
>> HTH,
>>
>> Ben
>>
>
> It finally did it again, and is doing it as I type. I captured some of the
> traffic with Wireshark. Can someone tell me what to do with it now? This
> is one frame of it:
>
> Frame 4 (881 bytes on wire, 881 bytes captured)
>     Arrival Time: Aug 24, 2010 21:03:35.518314000
>     [Time delta from previous captured frame: 0.000383000 seconds]
>     [Time delta from previous displayed frame: 0.000383000 seconds]
>     [Time since reference or first frame: 0.010995000 seconds]
>     Frame Number: 4
>     Frame Length: 881 bytes
>     Capture Length: 881 bytes
>     [Frame is marked: False]
>     [Protocols in frame: eth:ip:tcp:http]
>     [Coloring Rule Name: HTTP]
>     [Coloring Rule String: http || tcp.port == 80]
> Ethernet II, Src: ArchtekT_81:d5:d3 (00:01:53:81:d5:d3), Dst: Motorola_aa:96:e4 (00:1d:6b:aa:96:e4)
>     Destination: Motorola_aa:96:e4 (00:1d:6b:aa:96:e4)
>         Address: Motorola_aa:96:e4 (00:1d:6b:aa:96:e4)
>         .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
>         .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
>     Source: ArchtekT_81:d5:d3 (00:01:53:81:d5:d3)
>         Address: ArchtekT_81:d5:d3 (00:01:53:81:d5:d3)
>         .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
>         .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
>     Type: IP (0x0800)
> Internet Protocol, Src: 192.168.1.2 (192.168.1.2), Dst: 98.136.112.30 (98.136.112.30)
>     Version: 4
>     Header length: 20 bytes
>     Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
>         0000 00.. = Differentiated Services Codepoint: Default (0x00)
>         .... ..0. = ECN-Capable Transport (ECT): 0
>         .... ...0 = ECN-CE: 0
>     Total Length: 867
>     Identification: 0xe5fb (58875)
>     Flags: 0x02 (Don't Fragment)
>         0.. = Reserved bit: Not Set
>         .1. = Don't fragment: Set
>         ..0 = More fragments: Not Set
>     Fragment offset: 0
>     Time to live: 64
>     Protocol: TCP (0x06)
>     Header checksum: 0xbd48 [correct]
>         [Good: True]
>         [Bad : False]
>     Source: 192.168.1.2 (192.168.1.2)
>     Destination: 98.136.112.30 (98.136.112.30)
> Transmission Control Protocol, Src Port: 43281 (43281), Dst Port: http (80), Seq: 0, Ack: 1, Len: 815
>     Source port: 43281 (43281)
>     Destination port: http (80)
>     [Stream index: 1]
>     Sequence number: 0 (relative sequence number)
>     [Next sequence number: 815 (relative sequence number)]
>     Acknowledgement number: 1 (relative ack number)
>     Header length: 32 bytes
>     Flags: 0x18 (PSH, ACK)
>         0... .... = Congestion Window Reduced (CWR): Not set
>         .0.. .... = ECN-Echo: Not set
>         ..0. .... = Urgent: Not set
>         ...1 .... = Acknowledgement: Set
>         .... 1... = Push: Set
>         .... .0.. = Reset: Not set
>         .... ..0. = Syn: Not set
>         .... ...0 = Fin: Not set
>     Window size: 92
>     Checksum: 0x0d09 [validation disabled]
>         [Good Checksum: False]
>         [Bad Checksum: False]
>     Options: (12 bytes)
>         NOP
>         NOP
>         Timestamps: TSval 177975147, TSecr 3960038659
>     [SEQ/ACK analysis]
>         [Number of bytes in flight: 815]
> Hypertext Transfer Protocol
>     GET /v1/displayImage/custom/yahoo/<screen name was here>?redirect=0 HTTP/1.1\r\n
>         [Expert Info (Chat/Sequence): GET /v1/displayImage/custom/yahoo/<screen name was here>?redirect=0 HTTP/1.1\r\n]
>             [Message: GET /v1/displayImage/custom/yahoo/<screen name was here>?redirect=0 HTTP/1.1\r\n]
>             [Severity level: Chat]
>             [Group: Sequence]
>         Request Method: GET
>         Request URI: /v1/displayImage/custom/yahoo/<screen name was here>?redirect=0
>         Request Version: HTTP/1.1
>     Host: rest-img.msg.yahoo.com\r\n
>     Connection: close\r\n
>     User-Agent: Mozilla/5.0 (compatible; Konqueror/4.4; Linux 2.6.30-gentoo-r8; X11; i686; en_US) KHTML/4.4.5 (like Gecko)\r\n
>     Accept: text/html, image/jpeg;q=0.9, image/png;q=0.9, text/*;q=0.9, image/*;q=0.9, */*;q=0.8\r\n
>     Accept-Encoding: x-gzip, x-deflate, gzip, deflate\r\n
>     Accept-Charset: iso-8859-1, utf-8;q=0.5, *;q=0.5\r\n
>     Accept-Language: en-US, en\r\n
>     [truncated] Cookie: B=ailkv295qsqnr&b=3&s=dn; Y=v=1&n=bt77n8119ils3&l=30b4a_rzwx/o&p=m2316qt013000000&jb=16|47|&r=eg&lg=en-US&intl=us&np=1; T=z=b/fcMBbF1cMBqnoHCK8Lm6qNDAxBjU0NDE0MjVPMzI-&a=YAE&sk=DAAgQw54KM2VAc&ks=EAAQtPQ3LsapOyL9MIqyK3.8
>     \r\n
>
> No.     Time        Source          Destination     Protocol  Info
>   5     0.152339    98.136.112.30   192.168.1.2     HTTP      HTTP/1.1 401 Authorization Required (text/html)
>
> I changed the screen name to protect the innocent. She is a redhead with
> attitude. Anyway, looking at more than one frame here, it looks like it is
> trying to get info, image perhaps, for that contact but it fails so it keeps
> trying. Been going at it for half an hour or more so far. It looks to me like
> Yahoo would eventually say "bugger off"!! LOL
>
> I remember that Yahoo removed images and some kind of profile thingy a while
> back. Could that be what it is trying to find but that no longer exists?
>
> Thoughts?
>
> Dale
>
> :-) :-)

Well, glancing at the GET request it's making there, as well as the
API Google points me to when I look it up...

http://developer.yahoo.com/messenger/guide/ch03s02.html#d4e4628

You're right that it's after an image from their profile, but the
cause of the failure appears to be related to some sort of credentials
Yahoo wants the messenger to provide. You might poke Kopete's
bugtracker to see if they've a related bug on file already, and if
they don't, throw one their way.

The API Yahoo appears to be using there (based on a response I got
back in poking lightly) is, or is based on, OAuth, which according to
this:

http://oauth.net/core/1.0/#http_codes

specifies that a request should give a 401 response (Authorization
Required vs Unauthorized is purely the choice of phrase used in the
program decoding the numerical code, i.e. wireshark in your example of
it there) in the following cases:

HTTP 401 Unauthorized
* Invalid Consumer Key
* Invalid / expired Token
* Invalid signature
* Invalid / used nonce

Yahoo, essentially, *does* give a "bugger off"!! with that response,
but Kopete simply takes it, considers it a brief instant, then decides
"Maybe the answer will change if I try again *now*!"... at which point
it proceeds to introduce its proverbial cranium to the proverbial
brick and mortar vertical surface one might term "the wall."
Repeatedly.

-- 
Poison [BLX]
Joshua M. Murphy
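Dale's question of what to do with the capture, answered as an added example that is not part of the thread: instead of reading frames one at a time, export the HTTP requests and responses as fields and look for one client repeating the same failed request. The script assumes the tab-separated layout tshark prints for `-T fields` with `frame.time_relative`, `tcp.stream`, `ip.src`, `ip.dst`, `http.request.method`, `http.host`, `http.request.uri` and `http.response.code` (command shown in the docstring). The embedded sample lines are constructed to mirror the capture above (five identical GETs to rest-img.msg.yahoo.com each answered 401 on a new connection, plus one unrelated 200); the screen name and the cookie values are not reproduced, and the function names are my own.

```python
"""Spot a client hammering the same failing HTTP request in a capture.

Added example, not from the thread. Input is assumed to be the tab-separated
lines that tshark (1.10 or later) prints for:

    tshark -r capture.pcap -Y http -T fields -E separator=/t \
        -e frame.time_relative -e tcp.stream -e ip.src -e ip.dst \
        -e http.request.method -e http.host -e http.request.uri \
        -e http.response.code

Requests have a method/host/URI and an empty code; responses have only a code.
"""
from collections import defaultdict
from statistics import median

# Constructed sample mirroring the thread's capture: the same GET to
# rest-img.msg.yahoo.com every 0.3 s, each answered 401 on a fresh TCP stream
# (the real client sent Connection: close), plus one unrelated 200 on stream 3.
# The screen name and the cookie values are not reproduced.
HOST = "rest-img.msg.yahoo.com"
URI = "/v1/displayImage/custom/yahoo/redacted?redirect=0"
SAMPLE_TSHARK = "\n".join([
    f"0.011\t1\t192.168.1.2\t98.136.112.30\tGET\t{HOST}\t{URI}\t",
    "0.152\t1\t98.136.112.30\t192.168.1.2\t\t\t\t401",
    "0.200\t3\t192.168.1.2\t192.0.2.10\tGET\twww.example.com\t/\t",
    "0.250\t3\t192.0.2.10\t192.168.1.2\t\t\t\t200",
    f"0.311\t2\t192.168.1.2\t98.136.112.30\tGET\t{HOST}\t{URI}\t",
    "0.452\t2\t98.136.112.30\t192.168.1.2\t\t\t\t401",
    f"0.611\t4\t192.168.1.2\t98.136.112.30\tGET\t{HOST}\t{URI}\t",
    "0.752\t4\t98.136.112.30\t192.168.1.2\t\t\t\t401",
    f"0.911\t5\t192.168.1.2\t98.136.112.30\tGET\t{HOST}\t{URI}\t",
    "1.052\t5\t98.136.112.30\t192.168.1.2\t\t\t\t401",
    f"1.211\t6\t192.168.1.2\t98.136.112.30\tGET\t{HOST}\t{URI}\t",
    "1.352\t6\t98.136.112.30\t192.168.1.2\t\t\t\t401",
])


def parse_tshark_fields(text):
    """Turn field lines into dicts sorted by time; requests carry a method,
    responses a status."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 8:
            raise ValueError(f"expected 8 fields, got {len(fields)}: {line!r}")
        t, stream, src, dst, method, host, uri, code = fields
        records.append({"t": float(t), "stream": int(stream), "src": src,
                        "dst": dst, "method": method or None, "host": host,
                        "uri": uri, "status": int(code) if code else None})
    return sorted(records, key=lambda r: r["t"])


def pair_requests(records):
    """Match each request with the next response on the same tcp.stream.
    One slot per stream is enough for one request per connection, as here;
    keep-alive or pipelined traffic would need a per-stream queue."""
    pending, pairs = {}, []
    for r in records:
        if r["method"] is not None:
            pending[r["stream"]] = r
        elif r["status"] is not None and r["stream"] in pending:
            pairs.append((pending.pop(r["stream"]), r))
    return pairs


def find_retry_storms(pairs, min_repeats=3, window=60.0):
    """Report (client, host, method, uri, status) that failed with the same
    4xx/5xx at least min_repeats times within any `window` seconds, with the
    spacing between attempts so a tight loop can be told from real backoff."""
    failures = defaultdict(list)
    for req, resp in pairs:
        if resp["status"] >= 400:
            key = (req["src"], req["host"], req["method"], req["uri"], resp["status"])
            failures[key].append(req["t"])
    storms = []
    for (src, host, method, uri, status), times in failures.items():
        times.sort()
        best = j = 0                      # largest count inside one sliding window
        for i, t in enumerate(times):
            while t - times[j] > window:
                j += 1
            best = max(best, i - j + 1)
        if best < min_repeats:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        storms.append({"client": src, "host": host, "method": method, "uri": uri,
                       "status": status, "count": len(times), "max_in_window": best,
                       "min_gap": min(gaps), "median_gap": median(gaps),
                       "backing_off": len(gaps) >= 2 and gaps[-1] > 2 * gaps[0]})
    return storms


def report(text=SAMPLE_TSHARK):
    """Print one line per storm and return the storm list."""
    storms = find_retry_storms(pair_requests(parse_tshark_fields(text)))
    for s in storms:
        verdict = "backs off" if s["backing_off"] else "NO BACKOFF"
        print(f'{s["client"]} -> {s["host"]} {s["method"]} {s["uri"]}: '
              f'{s["count"]} x {s["status"]}, median gap {s["median_gap"]:.3f}s ({verdict})')
    return storms


if __name__ == "__main__":
    report()
```

On the sample this prints one line: the client repeating the same GET five times, all 401, with a steady 0.3 s gap and no backoff, which is the pattern Dale describes. Feeding it the real field export would also surface any other endpoint Kopete was looping on, which a single frame cannot show.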
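The client behaviour Joshua describes, as an added example that is neither Kopete's code nor Yahoo's API: the OAuth 1.0 section he links lists 401 for an invalid consumer key, an invalid or expired token, an invalid signature and an invalid or used nonce. None of those changes by resending the same bytes, so the only retry that can help is one attempt after fresh credentials are obtained, after which the client must stop and report. The policy below does that, reserves jittered backoff for 429 and 5xx, and is run against a scripted fake server next to the naive "try again now" loop from the capture. `fetch_with_policy`, `naive_client`, `FakeServer` and `AuthRequired` are names invented for this example.

```python
"""How a client should treat the 401 seen in the thread.

Added example, not Kopete's code or Yahoo's API. OAuth 1.0 core's 401 cases
(invalid consumer key, invalid/expired token, invalid signature, invalid/used
nonce) do not change by resending the same request, so the policy retries a
401 exactly once, after a credential refresh, and then gives up. Transient
answers (429, 5xx) get a bounded, jittered backoff. Names are invented.
"""
import random


class AuthRequired(Exception):
    """Raised when a 401 survives a credential refresh: stop, do not loop."""


def next_delay(attempt, base=0.5, cap=30.0, rng=random.random):
    """Full-jitter exponential backoff: uniform in [0, min(cap, base * 2**attempt)]."""
    return rng() * min(cap, base * (2 ** attempt))


def fetch_with_policy(send, refresh_credentials, max_transient=5, sleep=lambda s: None):
    """send() returns an HTTP status; refresh_credentials() returns True if new
    credentials were obtained. Returns (status, attempts). Raises AuthRequired
    for a 401 that persists after one refresh. 4xx other than 401/429 are
    returned at once: the request itself is wrong, and repeating it is noise."""
    attempts = transient = 0
    refreshed = False
    while True:
        status = send()
        attempts += 1
        if status < 400:
            return status, attempts
        if status == 401:
            if refreshed or not refresh_credentials():
                raise AuthRequired(f"401 after {attempts} attempt(s); giving up")
            refreshed = True
            continue
        if status == 429 or status >= 500:
            if transient >= max_transient:
                return status, attempts
            sleep(next_delay(transient))
            transient += 1
            continue
        return status, attempts


def naive_client(send, stop_after):
    """What the capture shows: resend the identical request until it succeeds.
    Bounded only so the simulation terminates."""
    attempts = 0
    while attempts < stop_after:
        attempts += 1
        if send() < 400:
            break
    return attempts


class FakeServer:
    """Scripted responder: plays the given statuses, then repeats the last one."""

    def __init__(self, statuses):
        self.statuses = list(statuses)
        self.calls = 0

    def send(self):
        self.calls += 1
        return self.statuses[min(self.calls, len(self.statuses)) - 1]


if __name__ == "__main__":
    yahoo = FakeServer([401])                      # the endpoint never stops saying 401
    print("naive client requests sent:", naive_client(yahoo.send, stop_after=1000))
    yahoo = FakeServer([401])
    try:
        fetch_with_policy(yahoo.send, refresh_credentials=lambda: False)
    except AuthRequired as e:
        print("policy client:", e, "- requests sent:", yahoo.calls)
```

Against an endpoint that always answers 401 and a refresh that cannot produce new credentials, the naive loop sends as many requests as you let it, while the policy sends one and raises `AuthRequired`, which is the point at which a messenger should show the user an error rather than keep hitting the server.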