Wireshark-users: Re: [Wireshark-users] Analysing MSN traffic

From: "Hans Nilsson" <hasse_gg@xxxxxxxx>
Date: Mon, 08 Jan 2007 19:59:13 -1100
Make sure you select "RAW" when saving the data or "packet bytes"
depending on how you're saving it. That way the characters/bytes will be
saved exactly as captured instead of interpreted as ASCII.


On Mon, 8 Jan 2007 19:29:22 -0000, "Antonio Cassidy"
<antonio@xxxxxxxxxxxxxxxxxxxx> said:
> -----Original Message-----
> From: wireshark-users-bounces@xxxxxxxxxxxxx
> [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Stephen
> Fisher
> Sent: 07 January 2007 23:56
> To: Community support list for Wireshark
> Subject: Re: [Wireshark-users] Analysing MSN traffic
> 
> On Sun, Jan 07, 2007 at 11:39:23PM -0000, Antonio Cassidy wrote:
> 
> > Can anyone point me towards some papers which better describe the 
> > processes MSN is making?
> 
> I'm not familiar with the MSN protocol, but this comment from the source
> code of the Wireshark dissector may help:
> 
> /*
>  * The now-expired Internet-Draft for the MSN Messenger 1.0 protocol
>  * can, as of the time of the writing of this comment, be found at:
>  *
>  *      http://praya.sourceforge.net/draft-movva-msn-messenger-protocol-00.txt
>  *
>  *      http://mono.es.gnome.org/imsharp/tutoriales/msn/appendixa.html
>  *
>  *      http://www.hypothetic.org/docs/msn/ietf_draft.php
>  *
>  *      http://babble.wundsam.net/docs/protocol-msn-im.txt
>  *
>  * Note that it's Yet Another FTP-Like Command/Response Protocol,
>  * so it arguably should be dissected as such, although you do have
>  * to worry about the MSG command, as only the first line of it
>  * should be parsed as a command, the rest should be parsed as the
>  * message body.  We therefore leave "hf_msnms_command", "tokenlen",
>  * and "next_token", even though they're unused, as reminders that
>  * this should be done.
>  */
> 
> > Is it possible to review the information/file being sent?  Either by 
> > decoding it or resending the information to an MSN account ?
> 
> You want to extract the file that was sent and save it to be looked at?
> 
> 
> Steve
> 
> _______________________________________________
> Wireshark-users mailing list
> Wireshark-users@xxxxxxxxxxxxx
> http://www.wireshark.org/mailman/listinfo/wireshark-users
> 
> 
> So far I have got this:
> 
> The file transfer data is prefixed with 105 chars and tailed by 104 chars,
> i.e.:
> 
> When sending a text file with the content
> "the_quick_brown_fox_jumps_over_the_lazy_dog" the following was the MSN
> transfer
> 
> .0.......>.e/........................4P......p.......[...M..1=.e/........+.......+...0....4#1............
> the_quick_brown_fox_jumps_over_the_lazy_dog0...M..15P..........................=.e/.4#1+...............?.e/........................4;#1............
> 
> By removing the first 105 and last 104 chars we're left with the content
> of the text file.  I have tried this with other text files and it's the
> same number of characters both at the start and at the end.
> 
> This is the same as when an image is transferred: if I remove the first
> 105 and last 104, I'm left with the same number of characters as when I
> open the image in Notepad; however, the characters are not exactly the same
> in the capture as in the original file, i.e.:
> 
> Original File:
> %&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyzƒ
> 
> Capture File:
> .....%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz.
> 
> It looks like the non-standard characters in the image file are being
> replaced by '.'s in the capture file.
> 
> Could anyone point me in the correct direction?
> 
> I have uploaded the full files here:
> http://nino.fruitvalestudios.com/storage/files.php?subcategory_id=7
> 
> Many thanks
> 
> Antonio
> 
> 
> 
-- 
  Hans Nilsson
  hasse_gg@xxxxxxxx
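As an added illustration (not code from this thread), the Python below shows the difference Hans describes: the same captured payload recovers the file only when it was exported as raw packet bytes, because a text export turns every non-printable byte into '.'. It assumes the 105-byte prefix and 104-byte suffix Antonio measured; the header and trailer bytes themselves are constructed filler, not real MSN framing.

```python
# Added example: recover an MSN file-transfer payload from raw captured bytes
# and show why an ASCII/"printable" export loses the file. The framing sizes
# are the ones reported in the thread; the header/trailer contents are filler.
import hashlib

PREFIX_LEN = 105   # bytes before the file content, as observed in the thread
SUFFIX_LEN = 104   # bytes after the file content, as observed in the thread

def as_printable(data: bytes) -> str:
    """Mimic a text export: every non-printable byte becomes '.', like the
    ASCII column of a hex dump. Lossy, so never use it to recover a file."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in data)

def strip_framing(raw: bytes) -> bytes:
    """Cut the fixed-size framing off a payload saved as raw packet bytes."""
    if len(raw) < PREFIX_LEN + SUFFIX_LEN:
        raise ValueError("payload shorter than the expected framing")
    return raw[PREFIX_LEN:len(raw) - SUFFIX_LEN]

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample: a JPEG-style Huffman table fragment ending in byte 0x83,
# which a Windows editor shows as 'ƒ' and a text export shows as '.'.
ORIGINAL_FILE = b"%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz\x83"
HEADER = bytes([0x00, 0x30, 0x00, 0x3E, 0x00]) + bytes(PREFIX_LEN - 5)  # 105 bytes of filler
TRAILER = b"0" + bytes(SUFFIX_LEN - 1)                                   # 104 bytes of filler
CAPTURED_RAW = HEADER + ORIGINAL_FILE + TRAILER

def recover_from_raw(raw: bytes) -> bool:
    """Raw export: the stripped payload hashes identically to the original file."""
    return sha256_hex(strip_framing(raw)) == sha256_hex(ORIGINAL_FILE)

def recover_from_text(raw: bytes) -> bool:
    """Text export: 0x83 has become '.', so the recovered bytes no longer match."""
    lossy = as_printable(raw).encode("ascii")
    return strip_framing(lossy) == ORIGINAL_FILE

if __name__ == "__main__":
    print("raw export recovers file:", recover_from_raw(CAPTURED_RAW))    # True
    print("text export recovers file:", recover_from_text(CAPTURED_RAW))  # False
    print("text view of payload:", as_printable(strip_framing(CAPTURED_RAW)))
```

Comparing a hash of the stripped payload with a hash of the original file is the quickest way to confirm that the framing offsets are right for a given capture.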
