Make sure you select "RAW" when saving the data or "packet bytes"
depending on how you're saving it. That way the characters/bytes will be
saved exactly as captured instead of interpreted as ASCII.
On Mon, 8 Jan 2007 19:29:22 -0000, "Antonio Cassidy"
<antonio@xxxxxxxxxxxxxxxxxxxx> said:
> -----Original Message-----
> From: wireshark-users-bounces@xxxxxxxxxxxxx
> [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Stephen
> Fisher
> Sent: 07 January 2007 23:56
> To: Community support list for Wireshark
> Subject: Re: [Wireshark-users] Analysing MSN traffic
>
> On Sun, Jan 07, 2007 at 11:39:23PM -0000, Antonio Cassidy wrote:
>
> > Can anyone point me towards some papers which better describe the
> > processes MSN is making.
>
> I'm not familiar with the MSN protocol, but this comment from the source
> code of the Wireshark dissector may help:
>
> /*
> * The now-expired Internet-Draft for the MSN Messenger 1.0 protocol
> * can, as of the time of the writing of this comment, be found at:
> *
> *
> http://praya.sourceforge.net/draft-movva-msn-messenger-protocol-00.txt
> *
> * http://mono.es.gnome.org/imsharp/tutoriales/msn/appendixa.html
> *
> * http://www.hypothetic.org/docs/msn/ietf_draft.php
> *
> * http://babble.wundsam.net/docs/protocol-msn-im.txt
> *
> * Note that it's Yet Another FTP-Like Command/Response Protocol,
> * so it arguably should be dissected as such, although you do have
> * to worry about the MSG command, as only the first line of it
> * should be parsed as a command, the rest should be parsed as the
> * message body. We therefore leave "hf_msnms_command", "tokenlen",
> * and "next_token", even though they're unused, as reminders that
> * this should be done.
> */
>
> > Is it possible to review the information/file being sent? Either by
> > decoding it or resending the information to an MSN account ?
>
> You want to extract the file that was sent and save it to be looked at?
>
>
> Steve
>
> _______________________________________________
> Wireshark-users mailing list
> Wireshark-users@xxxxxxxxxxxxx
> http://www.wireshark.org/mailman/listinfo/wireshark-users
>
>
> So far i have got this:
>
> The file transfer data is prefixed with 105 chars and tailed by 104 chars
> ie:
>
> When sending a text file with the content
> "the_quick_brown_fox_jumps_over_the_lazy_dog" the following was the MSN
> transfer
>
> .0.......>.e/........................4P......p.......[...M..1=.e/........+.......+...0....4#1............
> the_quick_brown_fox_jumps_over_the_lazy_dog0...M..15P..........................=.e/.4#1+...............?.e/........................4;#1............
>
> By removing the first 105 and last 104 chars we're left with the content
> of the text file. I have tried this with other text files and it's the
> same number of characters both at the start and at the end.
>
> This is the same as when an image is transferred if I remove the first
> 105 and last 104 I'm left with the same number of characters as when I
> open the image in notepad however the characters are not exactly the same
> in the capture as the original file ie:
>
> Original File:
> �����%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyzƒ
>
> Capture File:
> .....%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz.
>
> It looks like the non standard characters in the image file are being
> replaced by '.''s in the capture file.
>
> Could anyone point me in the correct direction
>
> I have uploaded the full files here:
> http://nino.fruitvalestudios.com/storage/files.php?subcategory_id=7
>
> Many thanks
>
> Antonio
>
>
>
> _______________________________________________
> Wireshark-users mailing list
> Wireshark-users@xxxxxxxxxxxxx
> http://www.wireshark.org/mailman/listinfo/wireshark-users
--
Hans Nilsson
hasse_gg@xxxxxxxx
--
http://www.fastmail.fm - Choose from over 50 domains or use your own
