[Snort-users] IM Logging - How to?

Gonzalez, Albert albert.gonzalez at ...7950...
Fri Jan 17 10:39:02 EST 2003

I suggest ethereal, you can pass it some BPF filters to
concentrate on exactly what you want to sniff. I have used
it to sniff port 5190 and see what AIM traffic is being sent
on my network. 

-----Original Message-----
From: Mike Shaw [mailto:mshaw at ...3165...]
Sent: Friday, January 17, 2003 1:26 PM
To: Matt Yackley; 'Angel Gabriel'; snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] IM Logging - How to?

At 11:44 AM 1/17/2003 -0600, Matt Yackley wrote:
>I believe that there is an IM capture util included with dsniff
>http://naughty.monkey.org/~dugsong/dsniff/ called msgsnarf, but since this
>package is a bit old I don't know how well it would work.

I haven't had much luck with msgsnarf.  It seems the products and protocols 
might have changed since then.

I've used ngrep to snag IM transactions before.  I think AIM is port 
5190.  MSN is a different port (can't remember).

IIRC, Yahoo's messenger uses HTTP and is much harder to track states, 
etc.  Maybe someone else has had better luck.

