Lots of the IM programs play nice - until you try and block them.  For
example, AIM uses port 5190.  If that gets through, it's easy to
track/monitor/capture.  But if the 5190 port is blocked (for whatever
reason), the AIM program tries other ports which are rarely blocked (e.g.
80) because they're common web user services.

-----Burton

 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kurt
Buff
Sent: Tuesday, March 21, 2006 10:06 PM
To: [email protected]
Subject: RE: [Ntop] msn messenger traffic measurement

Umm...

Forgive me if I'm being less than insightful, but I don't seem to have a
problem shutting down MSN Messenger, or logging it.

My firewall is in a default deny setting (only recently, though - and I
caught a lot of flak by shutting most everything down, but I'm a hard case
- I told 'em it was for their own good.)

When the VP of sales whinged about not being able to IM his remote sales
droids, I read my firewall logs and noticed a curious thing - there was a
content-type header for MSN Messenger called application/x-msn-messenger.

I created a separate instance of the http proxy on the firewall, set the
only allowed content-header as that, and only allowed two machines through
it. They're happy, my manager's happy, and I'm less unhappy.
:)

I'm guessing that if your firewall chases that kinda stuff, it shouldn't be
too hard to parse logs for it, either.

Don't know how Yahoo!, AIM or googlechat do their thing as yet, but I
believe I have figured MSN Messenger out.

Unfortunately, it doesn't seem to fall in the realm of ntop's particular
expertise.



> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Chris Moore
> Sent: Monday, March 20, 2006 07:43
> To: [email protected]
> Subject: RE: [Ntop] msn messenger traffic measurement
>
>
>
> IIRC, MSN uses port 80 when it can - which of course makes it hard to 
> distinguish. These things (chat apps in general) are sneaky bastages.
> They are essentially designed like a virus to evade security systems. 
> I have $$$$ IDS machines doing layer 5-7 deep packet inspection that 
> has trouble catching them. Working at layer 4 and lower, NTOP doesn't 
> have much of a chance.
>
> Chris
>
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf 
> Of Burton Strauss
> Sent: Monday, March 20, 2006 7:19 AM
> To: [email protected]
> Subject: RE: [Ntop] msn messenger traffic measurement
>
> IF (and that's a big IF) you can identify the ports used by MSN 
> messenger, you could add them to the monitored protocols list via the 
> --protocols option.  You can then enable RRD, which can be tuned to 
> accumulate into whatever intervals you want (default is 5m, but it's 
> configurable on the plugin's page).
>
> -----Burton
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf 
> Of Cevahir Pilpil
> Sent: Monday, March 20, 2006 5:45 AM
> To: [email protected]
> Subject: [Ntop] msn messenger traffic measurement
>
> Hi everybody,
>
> I am using the latest version of ntop on Fedora Core 4.
>
> In my corporate network, I would like to collect all MSN Messenger
> traffic and report it on a daily basis, divided into 30-minute parts.
> Is it possible to do it?
>
> Thanks to everybody.
>
> Cevahir
>
>
_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop
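
Added example, not part of the original thread and not ntop code: one way to get the 30-minute MSN Messenger report asked about above by parsing proxy logs for the application/x-msn-messenger content type mentioned in the thread. The log line format, host names and sample lines are constructed assumptions; adapt the parser to whatever your firewall's HTTP proxy actually writes.

```python
from collections import defaultdict
from datetime import datetime

MSN_CONTENT_TYPE = "application/x-msn-messenger"  # header value quoted in the thread

# Constructed sample; assumed format: <ISO time> <client> <dest host> <content-type> <bytes>
SAMPLE_LOG = """\
2006-03-21T09:02:11 10.0.0.15 gateway.example.test application/x-msn-messenger 412
2006-03-21T09:17:40 10.0.0.15 gateway.example.test application/x-msn-messenger; charset=utf-8 388
2006-03-21T09:29:59 10.0.0.22 www.example.test text/html 15320
2006-03-21T09:31:05 10.0.0.22 gateway.example.test Application/X-MSN-Messenger 250
2006-03-21T10:05:00 10.0.0.15 gateway.example.test application/x-msn-messenger 100
malformed line without enough fields
"""

def parse_line(line):
    """Return (timestamp, client, media_type, nbytes), or None if the line is malformed."""
    parts = line.split()
    if len(parts) < 5:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
        nbytes = int(parts[-1])
    except ValueError:
        return None
    # Content-Type may carry parameters ("; charset=..."); compare the media type only.
    media_type = " ".join(parts[3:-1]).split(";", 1)[0].strip().lower()
    return ts, parts[1], media_type, nbytes

def bucket_start(ts):
    """Floor a timestamp to the start of its 30-minute interval."""
    return ts.replace(minute=ts.minute - ts.minute % 30, second=0, microsecond=0)

def msn_usage(log_text):
    """Sum MSN Messenger request counts and bytes per (interval start, client)."""
    totals = defaultdict(lambda: [0, 0])  # [requests, bytes]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[2] != MSN_CONTENT_TYPE:
            continue
        ts, client, _, nbytes = rec
        entry = totals[(bucket_start(ts), client)]
        entry[0] += 1
        entry[1] += nbytes
    return {k: tuple(v) for k, v in sorted(totals.items())}

if __name__ == "__main__":
    for (start, client), (reqs, nbytes) in msn_usage(SAMPLE_LOG).items():
        print(f"{start:%Y-%m-%d %H:%M} {client:<12} requests={reqs} bytes={nbytes}")
```

This only counts traffic that actually passes through the logging proxy with that header; clients that fall back to other ports or paths, as described at the top of the thread, will not appear.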