Wireshark-users: Re: [Wireshark-users] Analysing MSN traffic

From: "Antonio Cassidy" <antonio@xxxxxxxxxxxxxxxxxxxx>
Date: Mon, 8 Jan 2007 19:29:22 -0000
-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Stephen Fisher
Sent: 07 January 2007 23:56
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Analysing MSN traffic

On Sun, Jan 07, 2007 at 11:39:23PM -0000, Antonio Cassidy wrote:

> Can anyone point me towards some papers which better describe the 
> processes MSN is making.

I'm not familiar with the MSN protocol, but this comment from the source code of the Wireshark dissector may help:

/*
 * The now-expired Internet-Draft for the MSN Messenger 1.0 protocol
 * can, as of the time of the writing of this comment, be found at:
 *
 *      http://praya.sourceforge.net/draft-movva-msn-messenger-protocol-00.txt
 *
 *      http://mono.es.gnome.org/imsharp/tutoriales/msn/appendixa.html
 *
 *      http://www.hypothetic.org/docs/msn/ietf_draft.php
 *
 *      http://babble.wundsam.net/docs/protocol-msn-im.txt
 *
 * Note that it's Yet Another FTP-Like Command/Response Protocol,
 * so it arguably should be dissected as such, although you do have
 * to worry about the MSG command, as only the first line of it
 * should be parsed as a command, the rest should be parsed as the
 * message body.  We therefore leave "hf_msnms_command", "tokenlen",
 * and "next_token", even though they're unused, as reminders that
 * this should be done.
 */

> Is it possible to review the information/file being sent?  Either by 
> decoding it or resending the information to an MSN account ?

You want to extract the file that was sent and save it to be looked at?


Steve

_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users


So far I have got this:

The file transfer data is prefixed with 105 chars and tailed by 104 chars, i.e.:

When sending a text file with the content "the_quick_brown_fox_jumps_over_the_lazy_dog", the following was the MSN transfer:

.0.......>.e/........................4P......p.......[...M..1=.e/........+.......+...0....4#1............ the_quick_brown_fox_jumps_over_the_lazy_dog0...M..15P..........................=.e/.4#1+...............?.e/........................4;#1............

By removing the first 105 and last 104 chars, we're left with the content of the text file. I have tried this with other text files and it's the same number of characters both at the start and at the end.

This is the same as when an image is transferred: if I remove the first 105 and last 104, I'm left with the same number of characters as when I open the image in Notepad; however, the characters are not exactly the same in the capture as in the original file, i.e.:

Original File:
%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyzƒ

Capture File:
.....%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz.

It looks like the non-standard characters in the image file are being replaced by '.'s in the capture file.

Could anyone point me in the correct direction?

I have uploaded the full files here:
http://nino.fruitvalestudios.com/storage/files.php?subcategory_id=7

Many thanks

Antonio
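An added example, not code from this thread or from Wireshark, in Python. It performs the trimming the post describes (strip a fixed-size header and trailer from the reassembled stream) and also demonstrates why the capture text shows '.' where the original image has other bytes: the printable-text column of a hex dump draws every byte outside 0x20..0x7e as '.', so a copy of that view is lossy, whereas the raw bytes of the followed stream (Wireshark's follow-stream dialog can display or save the stream as raw bytes rather than as text) round-trip the file intact. The 105/104 sizes are taken from the post and are parameters here, not a verified protocol fact; the header/trailer bytes and the image-like payload in the sample are constructed.

```python
"""Added example (not from the mailing-list thread): strip the fixed-size
header and trailer the post reports from a reassembled MSN file-transfer
stream, and show why copying the printable-text view of a capture loses
bytes. Sizes 105/104 are taken from the post and are parameters, not a
protocol fact verified here."""

# Header/trailer sizes as reported in the post; verify them per capture.
HEADER_LEN = 105
TRAILER_LEN = 104


def extract_payload(stream: bytes, header_len: int = HEADER_LEN,
                    trailer_len: int = TRAILER_LEN) -> bytes:
    """Return the bytes between the header and the trailer of a reassembled
    transfer stream. Operates on bytes, never on a text rendering."""
    if len(stream) < header_len + trailer_len:
        raise ValueError("stream is shorter than header + trailer")
    return stream[header_len:len(stream) - trailer_len]


def render_ascii_column(data: bytes) -> str:
    """Mimic the printable-ASCII column of a hex dump: every byte outside
    0x20..0x7e is drawn as '.'. This is a display convention; the '.' is
    not what was on the wire."""
    return "".join(chr(b) if 0x20 <= b <= 0x7E else "." for b in data)


def count_unprintable(data: bytes) -> int:
    """Number of bytes the text view would collapse to '.'; a non-zero
    value means a copy of the text view cannot reproduce the file."""
    return sum(1 for b in data if not 0x20 <= b <= 0x7E)


def build_sample_stream(payload: bytes) -> bytes:
    """Constructed sample stream: a binary-looking header and trailer of the
    reported sizes wrapped around the payload. The header/trailer bytes are
    made up and do not reproduce the real MSN framing."""
    header = bytes(range(HEADER_LEN))               # 0x00..0x68, 105 bytes
    trailer = bytes(range(256 - TRAILER_LEN, 256))  # 0x98..0xff, 104 bytes
    return header + payload + trailer


def lossy_copy_roundtrip(payload: bytes) -> tuple:
    """Extract the payload two ways: from the raw bytes and from the '.'
    rendering (what you get by copying the text pane). Returns both."""
    stream = build_sample_stream(payload)
    from_raw = extract_payload(stream)
    # The rendering is pure ASCII, so encoding it back cannot fail.
    from_text = extract_payload(render_ascii_column(stream).encode("ascii"))
    return from_raw, from_text


if __name__ == "__main__":
    # Text file from the post: no unprintable bytes, so both paths agree.
    text = b"the_quick_brown_fox_jumps_over_the_lazy_dog"
    raw, text_view = lossy_copy_roundtrip(text)
    print("text payload recovered from raw bytes:", raw == text)
    print("text payload recovered from text view:", text_view == text)

    # Constructed binary payload shaped like the post's image excerpt: a few
    # unprintable bytes, a printable run, then a byte above 0x7e.
    image_like = (b"\xff\xc4\x00\x1f\x00"
                  + b"%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz"
                  + b"\x83")
    raw, text_view = lossy_copy_roundtrip(image_like)
    print("image payload recovered from raw bytes:", raw == image_like)
    print("image payload recovered from text view:", text_view == image_like)
    print("bytes lost in the text view:", count_unprintable(image_like))
    print("text view shows:", render_ascii_column(image_like))
```

The text file survives both paths because every byte in it is printable ASCII, which is exactly why the character counts matched in the post; the image-like payload keeps its length but loses every non-printable byte when taken from the text rendering, so the file to compare against the original must come from the raw bytes of the stream, not from the displayed text.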