Wireshark-users: Re: [Wireshark-users] Analysing MSN traffic
From: "Hans Nilsson" <hasse_gg@xxxxxxxx>
Date: Mon, 08 Jan 2007 19:59:13 -1100
Make sure you select "RAW" when saving the data or "packet bytes" depending on how you're saving it. That way the characters/bytes will be saved exactly as captured instead of interpreted as ASCII.

On Mon, 8 Jan 2007 19:29:22 -0000, "Antonio Cassidy" <antonio@xxxxxxxxxxxxxxxxxxxx> said:
> -----Original Message-----
> From: wireshark-users-bounces@xxxxxxxxxxxxx
> [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Stephen
> Fisher
> Sent: 07 January 2007 23:56
> To: Community support list for Wireshark
> Subject: Re: [Wireshark-users] Analysing MSN traffic
>
> On Sun, Jan 07, 2007 at 11:39:23PM -0000, Antonio Cassidy wrote:
>
> > Can anyone point me towards some papers which better describe the
> > processes MSN is making.
>
> I'm not familiar with the MSN protocol, but this comment from the source
> code of the Wireshark dissector may help:
>
> /*
>  * The now-expired Internet-Draft for the MSN Messenger 1.0 protocol
>  * can, as of the time of the writing of this comment, be found at:
>  *
>  * http://praya.sourceforge.net/draft-movva-msn-messenger-protocol-00.txt
>  *
>  * http://mono.es.gnome.org/imsharp/tutoriales/msn/appendixa.html
>  *
>  * http://www.hypothetic.org/docs/msn/ietf_draft.php
>  *
>  * http://babble.wundsam.net/docs/protocol-msn-im.txt
>  *
>  * Note that it's Yet Another FTP-Like Command/Response Protocol,
>  * so it arguably should be dissected as such, although you do have
>  * to worry about the MSG command, as only the first line of it
>  * should be parsed as a command, the rest should be parsed as the
>  * message body. We therefore leave "hf_msnms_command", "tokenlen",
>  * and "next_token", even though they're unused, as reminders that
>  * this should be done.
>  */
>
> > Is it possible to review the information/file being sent? Either by
> > decoding it or resending the information to an MSN account ?
>
> You want to extract the file that was sent and save it to be looked at?
>
>
> Steve
>
> _______________________________________________
> Wireshark-users mailing list
> Wireshark-users@xxxxxxxxxxxxx
> http://www.wireshark.org/mailman/listinfo/wireshark-users
>
>
> So far i have got this:
>
> The file transfer data is prefixed with 105 chars and tailed by 104 chars
> ie:
>
> When sending a text file with the content
> "the_quick_brown_fox_jumps_over_the_lazy_dog" the following was the MSN
> transfer
>
> .0.......>.e/........................4P......p.......[...M..1=.e/........+.......+...0....4#1............
> the_quick_brown_fox_jumps_over_the_lazy_dog0...M..15P..........................=.e/.4#1+...............?.e/........................4;#1............
>
> By removing the first 105 and last 104 chars we're left with the content
> of the text file. I have tried this with other text files and it's the
> same number of characters both at the start and at the end.
>
> This is the same as when an image is transferred if I remove the first
> 105 and last 104 I'm left with the same number of characters as when I
> open the image in notepad however the characters are not exactly the same
> in the capture as the original file ie:
>
> Original File:
> %&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyzƒ
>
> Capture File:
> .....%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz.
>
> It looks like the non standard characters in the image file are being
> replaced by '.''s in the capture file.
>
> Could anyone point me in the correct direction
>
> I have uploaded the full files here:
> http://nino.fruitvalestudios.com/storage/files.php?subcategory_id=7
>
> Many thanks
>
> Antonio
>
>
>
> _______________________________________________
> Wireshark-users mailing list
> Wireshark-users@xxxxxxxxxxxxx
> http://www.wireshark.org/mailman/listinfo/wireshark-users
--
  Hans Nilsson
  hasse_gg@xxxxxxxx

--
http://www.fastmail.fm - Choose from over 50 domains or use your own
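An added example, not part of the original thread: it carves a payload out of a stream using the 105/104 framing lengths reported above, once from the raw bytes and once from an ASCII-style rendering, and shows which bytes the rendering destroys. The helper names, the printable-range rule in `ascii_render`, and the sample bytes are assumptions constructed for illustration.

```python
import hashlib

# Framing lengths reported in the thread for this transfer; not a protocol constant.
PREFIX_LEN = 105
SUFFIX_LEN = 104

def ascii_render(data: bytes) -> bytes:
    """Approximate an ASCII-style export: every non-printable byte becomes '.'."""
    return bytes(b if 0x20 <= b <= 0x7E else 0x2E for b in data)

def carve(stream: bytes) -> bytes:
    """Drop the leading and trailing framing and return the file bytes between."""
    if len(stream) <= PREFIX_LEN + SUFFIX_LEN:
        raise ValueError("stream is not longer than the framing")
    return stream[PREFIX_LEN:len(stream) - SUFFIX_LEN]

def changed_offsets(a: bytes, b: bytes) -> list:
    """Offsets at which two equal-length byte strings differ."""
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_sample():
    """Constructed data: a small binary 'file' wrapped in filler framing."""
    original = bytes([0xFF, 0xD8, 0xFF, 0xE0, 0x00]) + b"%&'()*456789" + bytes([0x83])
    stream = bytes(range(PREFIX_LEN)) + original + bytes(SUFFIX_LEN)
    return original, stream

if __name__ == "__main__":
    original, stream = build_sample()
    from_raw = carve(stream)
    from_ascii = carve(ascii_render(stream))
    print("raw export matches original:  ", sha256_hex(from_raw) == sha256_hex(original))
    print("ascii export matches original:", sha256_hex(from_ascii) == sha256_hex(original))
    print("ascii export payload:", from_ascii)
    print("bytes lost at offsets:", changed_offsets(original, from_ascii))
```

Comparing a hash of the carved bytes against the known original is the quickest check that an export was byte-exact; matching length alone is not, as the ASCII case shows.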