Gentoo Archives: gentoo-user

From: BRM <bm_witness@×××××.com>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] Yahoo and strange traffic.
Date: Wed, 18 Aug 2010 03:03:12
Message-Id: 315581.361.qm@web51902.mail.re2.yahoo.com
In Reply to: Re: [gentoo-user] Yahoo and strange traffic. by Dale
----- Original Message ----

> From: Dale <rdalek1967@×××××.com>
> Mick wrote:
> > On Tuesday 17 August 2010 21:15:51 Dale wrote:
> >> Mick wrote:
> >>> On 17 August 2010 15:29, BRM<bm_witness@×××××.com> wrote:
> >>>> ----- Original Message ----
> >>>>> From: Dale<rdalek1967@×××××.com>
> >>>>> Adam Carter wrote:
> >>>>>> Is this easy to do? I have no idea where to start except that
> >>>>>> wireshark is installed.
> >>>>>> Yep, start the capture with Capture -> Interfaces and click on the
> >>>>>> start
> >>>>> button next to the correct interface, then right click on one of the
> >>>>> packets that is to the yahoo box and choose Decode As set the port
> >>>>> and protocol then apply. You'll
> >>>>> need to understand the semantics of HTTP for it to be of much use tho.
> >>>>> You had me until the last part. No semantics here. lol May see if
> >>>>> I can post a little and see if anyone can figure out what the heck it
> >>>>> is doing. I'm thinking some crazy bug or something. Maybe checking
> >>>>> for updates not realizing it's
> >>>>> Kopete instead of a Yahoo program.
> >>>> Wireshark will show you the raw packet data, and decode only a little of
> >>>> it - enough to identify the general protocol, senders, etc.
> >>>> So to understand the packet, you will need to understand the application
> >>>> layer protocol - in this case HTTP - yourself as Wireshark won't help
> >>>> you there.
> >>>> But yet, Wireshark, nmap, and nessus security scanner are the tools,
> >>>> less so nessus as it really is more of a port scanner/security hole
> >>>> finder than a debug tool for applications (it's basically an interface
> >>>> for nmap for those purposes).
> >>> I'm not at home to experiment and I don't use yahoo, but port 5050 is
> >>> typically used for mmcc = multi media conference control - does yahoo
> >>> offer such a service? It could be a SIP server running there for VoIP
> >>> between Yahoo registered users or something similar.
> >>> The http connection could be offered as an alternative proxy
> >>> connection to the yahoo IM servers for users who are behind
> >>> restrictive firewalls. Have you asked as much in the Yahoo user
> >>> groups?
> >>> The fact that the threads continue after kopete has shut down is not
> >>> necessarily of concern as was already explained, unless it carries on
> >>> and on for a long time and the flow of packets continues. I don't
> >>> know how yahoo VoIP works. Did you install some plugin specific for
> >>> yahoo services? If it imitates the Skype architecture then it
> >>> essentially runs proxies on clients' machines and this could be an
> >>> explanation for the traffic.
> >> I don't have VoIP, Skype or that sort of thing here. Here is my Kopete
> >> info tho:
> >> [ebuild R ] kde-base/kopete-4.4.5-r1 USE="addbookmarks autoreplace
> >> contactnotes groupwise handbook highlight history nowlistening pipes
> >> privacy ssl statistics texteffect translator urlpicpreview yahoo
> >> zeroconf (-aqua) -debug -gadu -jabber -jingle (-kdeenablefinal)
> >> (-kdeprefix) -latex -meanwhile -msn -oscar -otr -qq -skype -sms -testbed
> >> -v4l2 -webpresence -winpopup" 0 kB
> >> Anything there that could cause a problem?
> > No, I can't see anything suspicious, you don't even have skype or v4l2
> > enabled, so it is unlikely that it is running some webcam stream (as part of
> > VoIP).
> I'm thinking it is Yahoo wanting to upgrade something but not realizing
> that I'm not using their client but using kopete. Yahoo isn't the
> sharpest tool in the shed you know?

I doubt that's the case. I use Pidgin with Yahoo, and haven't had that kind of
thing so far as I'm aware.

Ben
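As an added example (not from the thread, and not Kopete's or Wireshark's own code), a small Python triage script for the question raised above: it reads the kind of per-packet export that `tshark -T fields` produces and reports which remote endpoints, such as the port 5050 and HTTP connections mentioned, keep receiving packets after the IM client was closed. The capture lines, addresses and exit time are constructed for the example.

```python
# Added example: triage a tshark field export to see which remote endpoints
# keep receiving packets after the IM client exited.
# Assumed input format (one packet per line), as produced by:
#   tshark -r capture.pcap -T fields -E separator=, \
#          -e frame.time_epoch -e ip.dst -e tcp.dstport
# The sample below is constructed; the addresses are documentation ranges.
SAMPLE = """\
1282090000.10,203.0.113.10,5050
1282090001.20,203.0.113.10,5050
1282090002.50,203.0.113.20,80
1282090060.00,203.0.113.10,5050
1282090005.00,203.0.113.20,80
1282090120.00,203.0.113.10,5050
"""

def parse_fields(text):
    """Yield (timestamp, dst_ip, dst_port) tuples from tshark CSV-style lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, dst, port = line.split(",")
        yield float(ts), dst, int(port)

def summarize_flows(text):
    """Per (dst_ip, dst_port): packet count plus first and last timestamp."""
    flows = {}
    for ts, dst, port in parse_fields(text):
        f = flows.setdefault((dst, port), {"count": 0, "first": ts, "last": ts})
        f["count"] += 1
        f["first"] = min(f["first"], ts)
        f["last"] = max(f["last"], ts)
    return flows

def lingering_flows(text, app_exit_ts, grace=30.0):
    """Endpoints still seeing packets more than `grace` seconds after the
    client exited; these are the ones worth a 'Decode As' look in Wireshark."""
    return sorted(key for key, f in summarize_flows(text).items()
                  if f["last"] > app_exit_ts + grace)

if __name__ == "__main__":
    exit_ts = 1282090010.0  # constructed: the moment kopete was closed
    for (dst, port), f in summarize_flows(SAMPLE).items():
        delta = f["last"] - exit_ts
        print(f"{dst}:{port} packets={f['count']} last seen {delta:+.0f}s after exit")
    print("still active:", lingering_flows(SAMPLE, exit_ts))
```

Run it against a real export by replacing SAMPLE with the file contents and exit_ts with the time the client was closed.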

Replies

Subject Author
Re: [gentoo-user] Yahoo and strange traffic. Dale <rdalek1967@×××××.com>
Re: [gentoo-user] Yahoo and strange traffic. Dale <rdalek1967@×××××.com>