BRM wrote:
> Wireshark will show you the raw packet data, and decode only a little of it -
> enough to identify the general protocol, senders, etc.
> So to understand the packet, you will need to understand the application layer
> protocol - in this case HTTP - yourself as Wireshark won't help you there.
>
> But yet, Wireshark, nmap, and nessus security scanner are the tools, less so
> nessus as it really is more of a port scanner/security hole finder than a debug
> tool for applications (it's basically an interface for nmap for those purposes).
>
> HTH,
>
> Ben
>

It finally did it again, and is doing it as I type. I captured some of
the traffic with Wireshark. Can someone tell me what to do with it
now? This is one frame of it:

Frame 4 (881 bytes on wire, 881 bytes captured)
    Arrival Time: Aug 24, 2010 21:03:35.518314000
    [Time delta from previous captured frame: 0.000383000 seconds]
    [Time delta from previous displayed frame: 0.000383000 seconds]
    [Time since reference or first frame: 0.010995000 seconds]
    Frame Number: 4
    Frame Length: 881 bytes
    Capture Length: 881 bytes
    [Frame is marked: False]
    [Protocols in frame: eth:ip:tcp:http]
    [Coloring Rule Name: HTTP]
    [Coloring Rule String: http || tcp.port == 80]
Ethernet II, Src: ArchtekT_81:d5:d3 (00:01:53:81:d5:d3), Dst: Motorola_aa:96:e4 (00:1d:6b:aa:96:e4)
    Destination: Motorola_aa:96:e4 (00:1d:6b:aa:96:e4)
        Address: Motorola_aa:96:e4 (00:1d:6b:aa:96:e4)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Source: ArchtekT_81:d5:d3 (00:01:53:81:d5:d3)
        Address: ArchtekT_81:d5:d3 (00:01:53:81:d5:d3)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
Internet Protocol, Src: 192.168.1.2 (192.168.1.2), Dst: 98.136.112.30 (98.136.112.30)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 867
    Identification: 0xe5fb (58875)
    Flags: 0x02 (Don't Fragment)
        0.. = Reserved bit: Not Set
        .1. = Don't fragment: Set
        ..0 = More fragments: Not Set
    Fragment offset: 0
    Time to live: 64
    Protocol: TCP (0x06)
    Header checksum: 0xbd48 [correct]
        [Good: True]
        [Bad : False]
    Source: 192.168.1.2 (192.168.1.2)
    Destination: 98.136.112.30 (98.136.112.30)
Transmission Control Protocol, Src Port: 43281 (43281), Dst Port: http (80), Seq: 0, Ack: 1, Len: 815
    Source port: 43281 (43281)
    Destination port: http (80)
    [Stream index: 1]
    Sequence number: 0 (relative sequence number)
    [Next sequence number: 815 (relative sequence number)]
    Acknowledgement number: 1 (relative ack number)
    Header length: 32 bytes
    Flags: 0x18 (PSH, ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgement: Set
        .... 1... = Push: Set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 92
    Checksum: 0x0d09 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    Options: (12 bytes)
        NOP
        NOP
        Timestamps: TSval 177975147, TSecr 3960038659
    [SEQ/ACK analysis]
        [Number of bytes in flight: 815]
Hypertext Transfer Protocol
    GET /v1/displayImage/custom/yahoo/<screen name was here>?redirect=0 HTTP/1.1\r\n
        [Expert Info (Chat/Sequence): GET /v1/displayImage/custom/yahoo/<screen name was here>?redirect=0 HTTP/1.1\r\n]
            [Message: GET /v1/displayImage/custom/yahoo/<screen name was here>?redirect=0 HTTP/1.1\r\n]
            [Severity level: Chat]
            [Group: Sequence]
        Request Method: GET
        Request URI: /v1/displayImage/custom/yahoo/<screen name was here>?redirect=0
        Request Version: HTTP/1.1
    Host: rest-img.msg.yahoo.com\r\n
    Connection: close\r\n
    User-Agent: Mozilla/5.0 (compatible; Konqueror/4.4; Linux 2.6.30-gentoo-r8; X11; i686; en_US) KHTML/4.4.5 (like Gecko)\r\n
    Accept: text/html, image/jpeg;q=0.9, image/png;q=0.9, text/*;q=0.9, image/*;q=0.9, */*;q=0.8\r\n
    Accept-Encoding: x-gzip, x-deflate, gzip, deflate\r\n
    Accept-Charset: iso-8859-1, utf-8;q=0.5, *;q=0.5\r\n
    Accept-Language: en-US, en\r\n
    [truncated] Cookie: B=ailkv295qsqnr&b=3&s=dn; Y=v=1&n=bt77n8119ils3&l=30b4a_rzwx/o&p=m2316qt013000000&jb=16|47|&r=eg&lg=en-US&intl=us&np=1; T=z=b/fcMBbF1cMBqnoHCK8Lm6qNDAxBjU0NDE0MjVPMzI-&a=YAE&sk=DAAgQw54KM2VAc&ks=EAAQtPQ3LsapOyL9MIqyK3.8
    \r\n

No.     Time        Source          Destination     Protocol  Info
5       0.152339    98.136.112.30   192.168.1.2     HTTP      HTTP/1.1 401 Authorization Required (text/html)

I changed the screen name to protect the innocent. She is a red head
with attitude. Anyway, looking at more than one frame here, it looks
like it is trying to get info, image perhaps, for that contact but it
fails so it keeps trying. Been going at it for half an hour or more so
far. It looks to me like Yahoo would eventually say "bugger off"!! LOL

I remember that Yahoo removed images and some kind of profile thingy a
while back. Could that be what it is trying to find but that no longer
exists?

Thoughts?

Dale

:-) :-)
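One concrete way to take "what to do with it now" further, as an added Python example that is not part of the original thread: split the HTTP request from the frame into its fields, list which cookies the client is sending without printing their values, and count the 401 responses in a Wireshark-style packet list to confirm the retry loop the poster describes. The cookie values and every packet-list row after the first are constructed placeholders, not data from the capture.

```python
from collections import Counter

# Constructed sample: the request line and headers as they appear in the
# pasted frame. The screen name was already redacted by the poster; the
# cookie values are replaced with placeholders so no real session tokens
# are embedded here.
REQUEST = (
    "GET /v1/displayImage/custom/yahoo/<screen name was here>?redirect=0 HTTP/1.1\r\n"
    "Host: rest-img.msg.yahoo.com\r\n"
    "Connection: close\r\n"
    "User-Agent: Mozilla/5.0 (compatible; Konqueror/4.4; Linux 2.6.30-gentoo-r8; "
    "X11; i686; en_US) KHTML/4.4.5 (like Gecko)\r\n"
    "Cookie: B=<redacted>; Y=<redacted>; T=<redacted>\r\n"
    "\r\n"
)

def parse_request(raw):
    """Split an HTTP/1.1 request into request-line fields and a header dict."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    # Split from both ends so a URI containing spaces (the redaction
    # placeholder above) does not break the request line.
    method, rest = lines[0].split(" ", 1)
    uri, version = rest.rsplit(" ", 1)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "uri": uri, "version": version,
            "headers": headers, "body": body}

def cookie_names(req):
    """Names of the cookies sent, without their values (the values are secrets)."""
    cookie = req["headers"].get("cookie", "")
    return [c.split("=", 1)[0].strip() for c in cookie.split(";") if c.strip()]

# Constructed packet-list rows shaped like Wireshark's summary pane:
# (time, source, destination, HTTP status). Only the first row is from the
# thread; the rest stand in for the later frames the poster describes.
PACKET_LIST = [
    (0.152339, "98.136.112.30", "192.168.1.2", 401),
    (0.31, "98.136.112.30", "192.168.1.2", 401),
    (0.46, "98.136.112.30", "192.168.1.2", 401),
    (0.61, "98.136.112.30", "192.168.1.2", 401),
]

def retry_loop(rows, status=401, threshold=3):
    """Servers that answered `status` at least `threshold` times: [(server, count)]."""
    counts = Counter(src for _, src, _, st in rows if st == status)
    return [(src, n) for src, n in counts.items() if n >= threshold]
```

Feeding `retry_loop` the rows exported from the real capture (File > Export Packet Dissections in Wireshark) shows at a glance which server keeps rejecting the same request.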