Gentoo Archives: gentoo-user

From: Dale <rdalek1967@×××××.com>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] Yahoo and strange traffic.
Date: Wed, 25 Aug 2010 02:36:51
Message-Id: 4C74819A.90904@gmail.com
In Reply to: Re: [gentoo-user] Yahoo and strange traffic. by BRM
BRM wrote:
> Wireshark will show you the raw packet data, and decode only a little of it -
> enough to identify the general protocol, senders, etc.
> So to understand the packet, you will need to understand the application layer
> protocol - in this case HTTP - yourself as Wireshark won't help you there.
>
> But yet, Wireshark, nmap, and nessus security scanner are the tools, less so
> nessus as it really is more of a port scanner/security hole finder than a debug
> tool for applications (it's basically an interface for nmap for those purposes).
>
> HTH,
>
> Ben
>

It finally did it again, and is doing it as I type. I captured some of
the traffic with Wireshark. Can someone tell me what to do with it
now? This is one frame of it:

Frame 4 (881 bytes on wire, 881 bytes captured)
    Arrival Time: Aug 24, 2010 21:03:35.518314000
    [Time delta from previous captured frame: 0.000383000 seconds]
    [Time delta from previous displayed frame: 0.000383000 seconds]
    [Time since reference or first frame: 0.010995000 seconds]
    Frame Number: 4
    Frame Length: 881 bytes
    Capture Length: 881 bytes
    [Frame is marked: False]
    [Protocols in frame: eth:ip:tcp:http]
    [Coloring Rule Name: HTTP]
    [Coloring Rule String: http || tcp.port == 80]
Ethernet II, Src: ArchtekT_81:d5:d3 (00:01:53:81:d5:d3), Dst: Motorola_aa:96:e4 (00:1d:6b:aa:96:e4)
    Destination: Motorola_aa:96:e4 (00:1d:6b:aa:96:e4)
        Address: Motorola_aa:96:e4 (00:1d:6b:aa:96:e4)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Source: ArchtekT_81:d5:d3 (00:01:53:81:d5:d3)
        Address: ArchtekT_81:d5:d3 (00:01:53:81:d5:d3)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
Internet Protocol, Src: 192.168.1.2 (192.168.1.2), Dst: 98.136.112.30 (98.136.112.30)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 867
    Identification: 0xe5fb (58875)
    Flags: 0x02 (Don't Fragment)
        0.. = Reserved bit: Not Set
        .1. = Don't fragment: Set
        ..0 = More fragments: Not Set
    Fragment offset: 0
    Time to live: 64
    Protocol: TCP (0x06)
    Header checksum: 0xbd48 [correct]
        [Good: True]
        [Bad : False]
    Source: 192.168.1.2 (192.168.1.2)
    Destination: 98.136.112.30 (98.136.112.30)
Transmission Control Protocol, Src Port: 43281 (43281), Dst Port: http (80), Seq: 0, Ack: 1, Len: 815
    Source port: 43281 (43281)
    Destination port: http (80)
    [Stream index: 1]
    Sequence number: 0 (relative sequence number)
    [Next sequence number: 815 (relative sequence number)]
    Acknowledgement number: 1 (relative ack number)
    Header length: 32 bytes
    Flags: 0x18 (PSH, ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgement: Set
        .... 1... = Push: Set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 92
    Checksum: 0x0d09 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    Options: (12 bytes)
        NOP
        NOP
        Timestamps: TSval 177975147, TSecr 3960038659
    [SEQ/ACK analysis]
        [Number of bytes in flight: 815]
Hypertext Transfer Protocol
    GET /v1/displayImage/custom/yahoo/<screen name was here>?redirect=0 HTTP/1.1\r\n
        [Expert Info (Chat/Sequence): GET /v1/displayImage/custom/yahoo/<screen name was here>?redirect=0 HTTP/1.1\r\n]
            [Message: GET /v1/displayImage/custom/yahoo/<screen name was here>?redirect=0 HTTP/1.1\r\n]
            [Severity level: Chat]
            [Group: Sequence]
        Request Method: GET
        Request URI: /v1/displayImage/custom/yahoo/<screen name was here>?redirect=0
        Request Version: HTTP/1.1
    Host: rest-img.msg.yahoo.com\r\n
    Connection: close\r\n
    User-Agent: Mozilla/5.0 (compatible; Konqueror/4.4; Linux 2.6.30-gentoo-r8; X11; i686; en_US) KHTML/4.4.5 (like Gecko)\r\n
    Accept: text/html, image/jpeg;q=0.9, image/png;q=0.9, text/*;q=0.9, image/*;q=0.9, */*;q=0.8\r\n
    Accept-Encoding: x-gzip, x-deflate, gzip, deflate\r\n
    Accept-Charset: iso-8859-1, utf-8;q=0.5, *;q=0.5\r\n
    Accept-Language: en-US, en\r\n
    [truncated] Cookie: B=ailkv295qsqnr&b=3&s=dn; Y=v=1&n=bt77n8119ils3&l=30b4a_rzwx/o&p=m2316qt013000000&jb=16|47|&r=eg&lg=en-US&intl=us&np=1; T=z=b/fcMBbF1cMBqnoHCK8Lm6qNDAxBjU0NDE0MjVPMzI-&a=YAE&sk=DAAgQw54KM2VAc&ks=EAAQtPQ3LsapOyL9MIqyK3.8
    \r\n

No.  Time      Source         Destination    Protocol  Info
5    0.152339  98.136.112.30  192.168.1.2    HTTP      HTTP/1.1 401 Authorization Required (text/html)


I changed the screen name to protect the innocent. She is a red head
with attitude. Anyway, looking at more than one frame here, it looks
like it is trying to get info, image perhaps, for that contact but it
fails so it keeps trying. Been going at it for half an hour or more so
far. It looks to me like Yahoo would eventually say "bugger off"!! LOL

I remember that Yahoo removed images and some kind of profile thingy a
while back. Could that be what it is trying to find but that no longer
exists?

Thoughts?

Dale

:-) :-)

Replies

Subject Author
Re: [gentoo-user] Yahoo and strange traffic. Joshua Murphy <poisonbl@×××××.com>