Wireshark-users: Re: [Wireshark-users] Analysing MSN traffic

From: Stephen Fisher <stephentfisher@xxxxxxxxx>
Date: Sun, 7 Jan 2007 15:56:18 -0800

On Sun, Jan 07, 2007 at 11:39:23PM -0000, Antonio Cassidy wrote:

> Can anyone point me towards some papers which better describe the 
> processes MSN is making.

I'm not familiar with the MSN protocol, but this comment from the source 
code of the Wireshark dissector may help:

/*
 * The now-expired Internet-Draft for the MSN Messenger 1.0 protocol
 * can, as of the time of the writing of this comment, be found at:
 *
 *      
http://praya.sourceforge.net/draft-movva-msn-messenger-protocol-00.txt
 *
 *      http://mono.es.gnome.org/imsharp/tutoriales/msn/appendixa.html
 *
 *      http://www.hypothetic.org/docs/msn/ietf_draft.php
 *
 *      http://babble.wundsam.net/docs/protocol-msn-im.txt
 *
 * Note that it's Yet Another FTP-Like Command/Response Protocol,
 * so it arguably should be dissected as such, although you do have
 * to worry about the MSG command, as only the first line of it
 * should be parsed as a command, the rest should be parsed as the
 * message body.  We therefore leave "hf_msnms_command", "tokenlen",
 * and "next_token", even though they're unused, as reminders that
 * this should be done.
 */

> Is it possible to review the information/file being sent?  Either by 
> decoding it or resending the information to an MSN account ?

You want to extract the file that was sent and save it to be 
looked at?


Steve