
Question On Sniffing MSN Conversation Using Wireshark


hitmen

Newbie

Posts: 5

Joined: Mon Mar 22, 2010 6:17 am

Post Mon Aug 02, 2010 5:11 am

Question On Sniffing MSN Conversation Using Wireshark

I know that MSN uses TCP port 1683 and that using Wireshark I get the protocol as MSNMS.

Sniffing packets is one thing but is there any way I can reconstruct the messages that are sent from one party to another?

Or are there better tools available that can do this job?

Wireshark only seems to display the start and final destination IP and the protocol.

Anyway, any Wireshark tutorials?

hayabusa

Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Mon Aug 02, 2010 7:54 am

Re: Question On Sniffing MSN Conversation Using Wireshark

I've never tried sniffing MSN conversations, so someone else might have more specifics. However, if the conversations are, in any way, encrypted, you'd need to have the proper certs, etc., to be able to decrypt the conversation. If they are NOT, then by simply selecting one of the packets from the conversation and right-clicking on it, you can choose 'Follow TCP Stream', and that'll separate out the conversation packets and open a window of the decoded conversation between the two machines.

So, to clarify, if encrypted, prolly not.  If not, follow the stream, and see what you get.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP, GPEN, C|EH

jimbob

Post Mon Aug 02, 2010 9:19 am

Re: Question On Sniffing MSN Conversation Using Wireshark

If you right-click on a TCP packet in Wireshark there is an option to follow the TCP stream. Wireshark will filter all the packets from the given TCP connection and this might give you what you want.

Since this filters to a single TCP stream, you might want to make sure you haven't missed out some of the traffic. Take a look at the filter string and play around with it, perhaps filtering traffic on 1683 only. I've seen the tool Netwitness reconstruct chat sessions; there's a free version of that you can try.

As for tutorials for Wireshark, <insert-name-of-search-engine-here> is your friend.

Jimbob
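
Added example (not part of any post in this thread): once 'Follow TCP Stream' has isolated an unencrypted session and its raw bytes are saved, the chat text can be recovered by walking the MSNP `MSG` commands, each of which declares its payload length in bytes. The sample stream is constructed, and the parser assumes a switchboard session in which only `MSG` carries a payload.

```python
from email import message_from_bytes

def _cmd(prefix: bytes, payload: bytes) -> bytes:
    """Sample-building helper: append the payload's byte length to a command."""
    return prefix + b" %d\r\n" % len(payload) + payload

TEXT_HDR = b"MIME-Version: 1.0\r\nContent-Type: text/plain; charset=UTF-8\r\n\r\n"
# Constructed sample (invented addresses and text), both directions interleaved
# the way a followed stream shows them.
SAMPLE_STREAM = (
    b"JOI alice@example.com Alice\r\n"
    + _cmd(b"MSG alice@example.com Alice",
           b"MIME-Version: 1.0\r\nContent-Type: text/x-msmsgscontrol\r\n"
           b"TypingUser: alice@example.com\r\n\r\n\r\n")
    + _cmd(b"MSG alice@example.com Alice",
           TEXT_HDR + "lunch at noon?\r\nbring the caf\u00e9 card".encode("utf-8"))
    + _cmd(b"MSG 7 N", TEXT_HDR + b"ok")
)

def parse_msnp_stream(data: bytes) -> list:
    """Return (sender, text) for every text/plain MSG found in the stream."""
    messages, pos = [], 0
    while pos < len(data):
        eol = data.find(b"\r\n", pos)
        if eol == -1:
            break                      # command line cut off by the capture
        fields = data[pos:eol].split(b" ")
        pos = eol + 2
        if fields[0] != b"MSG":
            continue                   # assumption: only MSG carries a payload
        try:
            length = int(fields[-1])   # payload size in bytes, not characters
        except ValueError:
            break
        payload = data[pos:pos + length]
        if length < 0 or len(payload) < length:
            break                      # truncated capture: stop, do not guess
        pos += length
        head, _, body = payload.partition(b"\r\n\r\n")
        if message_from_bytes(head + b"\r\n\r\n").get_content_type() != "text/plain":
            continue                   # typing notifications and other control data
        # Received lines name the sender; sent lines carry a transaction id instead.
        sender = fields[1].decode() if b"@" in fields[1] else "(local client)"
        messages.append((sender, body.decode("utf-8", "replace")))
    return messages

if __name__ == "__main__":
    for sender, text in parse_msnp_stream(SAMPLE_STREAM):
        print(f"{sender}: {text!r}")
```

Because the message body can itself contain line breaks and multi-byte characters, splitting the stream on newlines would misalign every command after the first such message; honouring the declared byte length avoids that.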

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Mon Aug 02, 2010 9:28 am

Re: Question On Sniffing MSN Conversation Using Wireshark

I think that NetWitness is a better option for this. It has some nice features for automatic packet reassembly. I am not sure about MSN IM, but it does a fantastic job rebuilding email conversations, for example.
~~~~~~~~~~~~~~
Ketchup

don

Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Wed Aug 04, 2010 11:59 am

Re: Question On Sniffing MSN Conversation Using Wireshark

Just in case, you can download Netwitness Investigator HERE.

Don
CISSP, MCSE, CSTA, Security+ SME
