TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------
Hello all,
Be careful assuming that the AOL client will always be connecting on port
5190... this is the default, but can be changed to almost *any* port number
between 0 and 65K. Also, the servers the client connects to are farmed, and
thus the IP address of the server changes every time the client makes a
connection, as demonstrated below...
C:\>ping login.oscar.aol.com
Pinging login.oscar.aol.com [205.188.7.172] with 32 bytes of data:
C:\>ping login.oscar.aol.com
Pinging login.oscar.aol.com [205.188.7.168] with 32 bytes of data:
C:\>ping login.oscar.aol.com
Pinging login.oscar.aol.com [205.188.7.172] with 32 bytes of data:
C:\>ping login.oscar.aol.com
Pinging login.oscar.aol.com [205.188.7.176] with 32 bytes of data:
C:\>ping login.oscar.aol.com
Pinging login.oscar.aol.com [205.188.7.176] with 32 bytes of data:
C:\>ping login.oscar.aol.com
Pinging login.oscar.aol.com [205.188.7.164] with 32 bytes of data:
The only constant is the host name that is being connected to
(login.oscar.aol.com), so any capture would have to be based solely on that.
One other option... if you have a particular client that you wish to
monitor... capture all their traffic, figure out what port they are running
the AOL IM client on and then filter just on that port. It can still be
messy, however, if they are running on a heavily used port such as 80, 135 or
139...
Hope that helps a bit...
Regards
Ric
-----Original Message-----
From: Matthew F. Caldwell [mailto:[EMAIL PROTECTED]]
Sent: Saturday, September 16, 2000 11:26 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Aol Instant Messenger
Like Mark says, you would be better off with a sniffer. However, if you must
look at the traffic with RealSecure, you can create a connections rule in
your policy to watch for TCP port 5190 (realtime logging and play back),
which I believe is the control port of the AIM protocol. Set up AIM on your
local machine and, using netstat -an, determine what ports the system is
communicating on; then you can specify those ports in RealSecure or a
sniffer.
--
Matthew F. Caldwell, CISSP - Chief Technical Officer
Guarded.Net, Inc. Email: [EMAIL PROTECTED]
Ph:404.880.3373 Fx:404.880.3374 Cl:678-428-5095
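
Added example, not part of either message in this thread: one way to key monitoring on the host name, as Ric's reply suggests, by correlating DNS answers for login.oscar.aol.com with later connections on any port. The log tuple layouts, the client addresses and the 300-second freshness window are assumptions made for the illustration.

```python
from collections import defaultdict

WATCHED = "login.oscar.aol.com"  # host name given in the thread

# Constructed sample data: (epoch seconds, client, queried name, answer IP)
DNS_LOG = [
    (100, "10.0.0.5", "login.oscar.aol.com", "205.188.7.172"),
    (100, "10.0.0.9", "www.example.com", "192.0.2.10"),
    (400, "10.0.0.7", "LOGIN.OSCAR.AOL.COM.", "205.188.7.168"),
]
# Constructed flows: (epoch seconds, source, destination, destination port)
FLOWS = [
    (101, "10.0.0.5", "205.188.7.172", 5190),  # default port
    (102, "10.0.0.9", "192.0.2.10", 80),       # unrelated web traffic
    (401, "10.0.0.7", "205.188.7.168", 80),    # client reconfigured to port 80
    (405, "10.0.0.7", "192.0.2.10", 80),       # same port, different service
    (900, "10.0.0.5", "205.188.7.172", 5190),  # DNS answer too old to trust
]

def normalize(name):
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.rstrip(".").lower()

def login_flows(dns_log, flows, hostname=WATCHED, max_age=300):
    """Return flows whose destination the same client resolved for
    `hostname` no more than `max_age` seconds earlier, on any port."""
    seen = defaultdict(list)  # (client, answer IP) -> resolution times
    for ts, client, qname, ip in dns_log:
        if normalize(qname) == normalize(hostname):
            seen[(client, ip)].append(ts)
    hits = []
    for ts, src, dst, dport in flows:
        times = seen.get((src, dst), [])
        if any(0 <= ts - t <= max_age for t in times):
            hits.append((ts, src, dst, dport))
    return hits

if __name__ == "__main__":
    for flow in login_flows(DNS_LOG, FLOWS):
        print(flow)
```

The per-client match assumes the DNS log records the querying workstation; behind a shared caching resolver, key on the answer IP alone.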