
Conventions

Dissected packets are shown in a box notation giving the byte offsets and their HEX/ASCII
values.

Highlighted in yellow - byte(s) that can be used as a signature field.
Highlighted in green - byte(s) that are unique per peer or can be correlated across messages.
A third highlight marks the length field.

Yahoo Messenger Voice


Device: iPad 3 (iOS)
App: Yahoo Messenger
Version: 2.2.8
Traffic: SIP, Yahoo proprietary protocol and RTP flows
Content detected in PXE: SIP, ymsg_conf (classification only) and RTP (voice conversation)

Classification:
Capture name: 20130820_ipad_ymsg_mobile_voice_chat_with_desktop.pcap

Yahoo Messenger Voice Identification


Filter: tcp.stream eq 23 (upstream)
Description: Yahoo Messenger proprietary protocol (ymsg_conf). When the first 2 bytes of the
packet header are 0x0003, the client is sending its token value and expects in reply the IP
address and port on which the server accepts the voice conversation. PXE supports
classification of ymsg_conf only.
Packet No.: 330
UPSTREAM
TCP payload in HEX view

0000  00 03 00 90 00 00 00 00 00 00 00 00 00 00 00 00  ................
0010  00 00 00 00 10 02 00 74 58 43 5f 71 76 52 39 51  .......tXC_qvR9Q
0020  75 6d 79 43 46 74 73 6b 59 4b 6d 63 68 67 2d 2d  umyCFtskYKmchg--
0030  02 54 72 38 30 56 34 49 6b 78 6e 5f 66 6a 4d 58  .Tr80V4Ikxn_fjMX
0040  5f 6b 6f 66 6b 59 34 62 7a 4d 6e 44 69 39 76 5f  _kofkY4bzMnDi9v_
0050  76 44 76 4a 71 69 70 6a 2e 35 30 4f 66 69 72 78  vDvJqipj.50Ofirx
0060  46 36 75 6e 39 5a 61 50 58 6a 76 6f 45 42 4b 41  F6un9ZaPXjvoEBKA
0070  79 63 53 32 64 79 43 53 7a 50 64 62 69 58 47 58  ycS2dyCSzPdbiXGX
0080  63 57 55 47 6a 64 51 2d 2d 00 00 00 10 03 00 04  cWUGjdQ--.......
0090  00 00 00 01 10 01 00 04 00 00 00 00 10 00 00 04  ................
00a0  00 00 00 01                                      ....

Offset  Length (Bytes)  Description (HEX values)
0000    2               Packet header (always 00 03) (ymsg_conf upstream header)
0002    2               00 90 Length of the payload.
                        NOTE: the payload is counted after the 16 bytes of zeros, i.e. from offset 0x0014.
0004    16              Always zero: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0014    2               Internal packet header, value 10 02
0016    2               Length of the data, value 00 74 (116)
0018    116             This data is the token value carried in the SIP INVITE. Value:
                        XC_qvR9QumyCFtskYKmchg--.Tr80V4Ikxn_fjMX_kofkY4bzMnDi9v_vDvJqipj.50
                        OfirxF6un9ZaPXjvoEBKAycS2dyCSzPdbiXGXcWUGjdQ--.
                        (The "." after "g--" stands for the non-printable byte 02 at offset 0x0030,
                        and the token ends with three 00 bytes, which is why its length is 0x74.)
                        The same token is used in the first packet of the RTP flow.
                        Pkt no.: 322 (SIP INVITE token)
008c    24              Three further fields of the same internal header / length / data form:
                        10 03 00 04 00 00 00 01, 10 01 00 04 00 00 00 00, 10 00 00 04 00 00 00 01
                        (meaning unknown)

The TCP payload is pure binary, always carried over port 443 but not encrypted (it is not TLS
although it uses the HTTPS port); it uses the Yahoo proprietary protocol.
The above signatures are the same for the Android, iOS and desktop platforms.

Packet No.: 331
DOWNSTREAM
TCP payload in HEX view

0000  01 03 00 0c 00 00 00 00 00 00 00 00 00 00 00 00  ................
0010  00 00 00 00 00 01 00 08 e0 01 b2 8c 6a 0a 99 1d  ............j...

Offset  Length (Bytes)  Description (HEX values)
0000    2               Packet header (always 01 03) (ymsg_conf downstream header)
0002    2               00 0c Length of the payload.
                        NOTE: the payload is counted after the 16 bytes of zeros, i.e. from offset 0x0014.
0004    16              Always zero: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0014    2               Internal packet header, value 00 01
0016    2               Length of the data, value 00 08
0018    2               Unknown, e0 01
001a    2               Server port used by the RTP flow (voice conversation): b2 8c (decimal 45708)
001c    4               Server IP address used by the RTP flow (voice conversation): 6a 0a 99 1d
                        (IP 106.10.153.29)

Yahoo Messenger Voice Conversation


Filter: (ip.addr eq 106.10.153.29 and ip.addr eq 192.168.0.103) and (udp.port eq 45708 and
udp.port eq 8817)
Description: Yahoo Messenger voice conversation stream. Its first two UDP packets carry
signalling information and are followed by the RTP stream; the signalling information can be
used to link this flow to the SIP dialog (via the token and sid values).
The structure of the packets dissected below is identical to that handled by the ymsg_conf
protocol plugin; the only difference is that these packets travel over UDP, whereas ymsg_conf
classifies over TCP. Interestingly, the same uplink and downlink packets are seen over TCP in
tcp.stream eq 25 (packet nos. 348 and 351), where they are classified as ymsg_conf.
The IP address, protocol and port of the RTP voice conversation were found in the SIP INVITE
(packet nos. 355 and 356).
Packet No.: 335
UPLINK PACKET
UDP payload in HEX view

0000  90 03 00 88 00 00 00 00 00 00 00 00 00 00 00 00  ................
0010  00 00 00 00 10 02 00 74 58 43 5f 71 76 52 39 51  .......tXC_qvR9Q
0020  75 6d 79 43 46 74 73 6b 59 4b 6d 63 68 67 2d 2d  umyCFtskYKmchg--
0030  02 54 72 38 30 56 34 49 6b 78 6e 5f 66 6a 4d 58  .Tr80V4Ikxn_fjMX
0040  5f 6b 6f 66 6b 59 34 62 7a 4d 6e 44 69 39 76 5f  _kofkY4bzMnDi9v_
0050  76 44 76 4a 71 69 70 6a 2e 35 30 4f 66 69 72 78  vDvJqipj.50Ofirx
0060  46 36 75 6e 39 5a 61 50 58 6a 76 6f 45 42 4b 41  F6un9ZaPXjvoEBKA
0070  79 63 53 32 64 79 43 53 7a 50 64 62 69 58 47 58  ycS2dyCSzPdbiXGX
0080  63 57 55 47 6a 64 51 2d 2d 00 00 00 10 08 00 04  cWUGjdQ--.......
0090  00 00 00 01 10 09 00 04 00 00 b2 8c              ............

Offset  Length (Bytes)  Description (HEX values)
0000    2               Packet header (always 90 03) (ymsg_conf upstream header)
0002    2               00 88 Length of the payload.
                        NOTE: the payload is counted after the 16 bytes of zeros, i.e. from offset 0x0014.
0004    16              Always zero: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0014    2               Internal packet header, value 10 02
0016    2               Length of the data, value 00 74 (116)
0018    116             This data is the token value carried in the SIP INVITE. Value:
                        XC_qvR9QumyCFtskYKmchg--.Tr80V4Ikxn_fjMX_kofkY4bzMnDi9v_vDvJqipj.50
                        OfirxF6un9ZaPXjvoEBKAycS2dyCSzPdbiXGXcWUGjdQ--.
                        The same token is used in the first packet of the RTP flow.
                        Pkt no.: 322 (SIP INVITE token)
                        Note: this attribute is not extracted from the SIP INVITE by the PXE engine.
008c    2               Internal packet header, value 10 08
008e    2               Length of the data, value 00 04
0090    4               Unknown data, 00 00 00 01
0094    2               Internal packet header, value 10 09
0096    2               Length of the data, value 00 04
0098    4               Data (voice conversation): server port of the RTP flow, 00 00 b2 8c
                        (decimal 45708)

The UDP payload is pure binary, using the Yahoo proprietary protocol.
The above signatures are the same for the Android, iOS and desktop platforms.

Packet No.: 342
DOWNLINK PACKET
UDP payload in HEX view

0000  90 04 00 28 00 00 00 00 00 00 00 00 00 00 00 00  ...(............
0010  00 00 00 00 10 04 00 24 64 32 64 63 62 63 36 36  .......$d2dcbc66
0020  2d 30 39 37 38 2d 31 31 65 33 2d 39 34 62 30 2d  -0978-11e3-94b0-
0030  34 34 31 65 61 31 36 31 30 61 31 30              441ea1610a10

Offset  Length (Bytes)  Description (HEX values)
0000    2               Packet header (always 90 04) (ymsg_conf downstream header)
0002    2               00 28 Length of the payload.
                        NOTE: the payload is counted after the 16 bytes of zeros, i.e. from offset 0x0014.
0004    16              Always zero: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0014    2               Internal packet header, value 10 04
0016    2               Length of the data, value 00 24 (36)
0018    36              SIP/SDP media attribute sid1: d2dcbc66-0978-11e3-94b0-441ea1610a10
                        (in pkt no. 351 the SIP/SDP media attribute sid2 is
                        d2dcba66-0978-11e3-94e5-441ea1610a10)
                        Pkt no.: 356 (SIP INVITE message body)

ymsg_conf
Filter: tcp.stream eq 24/25
Description: ymsg_conf classification is supported by PXE. The packets dissected below are
also seen as the first 2 packets of the RTP flow (filter: (ip.addr eq 106.10.153.29 and ip.addr eq
192.168.0.103) and (udp.port eq 45709 and udp.port eq 8816)).
Packet No.: 346/348
UPSTREAM
TCP payload in HEX view

0000  90 03 00 88 00 00 00 00 00 00 00 00 00 00 00 00  ................
0010  00 00 00 00 10 02 00 74 58 43 5f 71 76 52 39 51  .......tXC_qvR9Q
0020  75 6d 79 43 46 74 73 6b 59 4b 6d 63 68 67 2d 2d  umyCFtskYKmchg--
0030  02 54 72 38 30 56 34 49 6b 78 6e 5f 66 6a 4d 58  .Tr80V4Ikxn_fjMX
0040  5f 6b 6f 66 6b 59 34 62 7a 4d 6e 44 69 39 76 5f  _kofkY4bzMnDi9v_
0050  76 44 76 4a 71 69 70 6a 2e 35 30 4f 66 69 72 78  vDvJqipj.50Ofirx
0060  46 36 75 6e 39 5a 61 50 58 6a 76 6f 45 42 4b 41  F6un9ZaPXjvoEBKA
0070  79 63 53 32 64 79 43 53 7a 50 64 62 69 58 47 58  ycS2dyCSzPdbiXGX
0080  63 57 55 47 6a 64 51 2d 2d 00 00 00 10 08 00 04  cWUGjdQ--.......
0090  00 00 00 02 10 09 00 04 00 00 b2 8d              ............

Offset  Length (Bytes)  Description (HEX values)
0000    2               Packet header (always 90 03) (ymsg_conf upstream header)
0002    2               00 88 Length of the payload.
                        NOTE: the payload is counted after the 16 bytes of zeros, i.e. from offset 0x0014.
0004    16              Always zero: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0014    2               Internal packet header, value 10 02
0016    2               Length of the data, value 00 74 (116)
0018    116             This data is the token value carried in the SIP INVITE. Value:
                        XC_qvR9QumyCFtskYKmchg--.Tr80V4Ikxn_fjMX_kofkY4bzMnDi9v_vDvJqipj.50
                        OfirxF6un9ZaPXjvoEBKAycS2dyCSzPdbiXGXcWUGjdQ--.
                        The same token is used in the first packet of the RTP flow.
                        Pkt no.: 322 (SIP INVITE token)
                        Note: this attribute is not extracted from the SIP INVITE by the PXE engine.
008c    2               Internal packet header, value 10 08
008e    2               Length of the data, value 00 04
0090    4               Unknown data, 00 00 00 02
0094    2               Internal packet header, value 10 09
0096    2               Length of the data, value 00 04
0098    4               Data: server port of the RTP flow, 00 00 b2 8d (decimal 45709)

The TCP payload is pure binary, always carried over port 443 but not encrypted (it is not TLS
although it uses the HTTPS port); it uses the Yahoo proprietary protocol.
The above signatures are the same for the Android, iOS and desktop platforms.
NOTE: The above TCP payload also appears as the first UDP packet of the RTP flow (packet no. 333).
Packet No.: 352/351
DOWNSTREAM
TCP payload in HEX view

0000  90 04 00 28 00 00 00 00 00 00 00 00 00 00 00 00  ...(............
0010  00 00 00 00 10 04 00 24 64 32 64 63 62 63 35 30  .......$d2dcbc50
0020  2d 30 39 37 38 2d 31 31 65 33 2d 39 34 62 30 2d  -0978-11e3-94b0-
0030  34 34 31 65 61 31 36 31 30 61 31 30              441ea1610a10

Offset  Length (Bytes)  Description (HEX values)
0000    2               Packet header (always 90 04) (ymsg_conf downstream header)
0002    2               00 28 Length of the payload.
                        NOTE: the payload is counted after the 16 bytes of zeros, i.e. from offset 0x0014.
0004    16              Always zero: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0014    2               Internal packet header, value 10 04
0016    2               Length of the data, value 00 24 (36)
0018    36              SIP/SDP media attribute sid2: d2dcbc50-0978-11e3-94b0-441ea1610a10
                        (in pkt no. 351 the SIP/SDP media attribute sid1 is
                        d2dcba66-0978-11e3-94e5-441ea1610a10)
                        Pkt no.: 356 (SIP INVITE message body)

NOTE: The above TCP payload also appears as the second UDP packet of the RTP flow, followed by
the actual RTP stream (packet no. 341) (Wireshark filter: (ip.addr eq 192.168.0.103 and ip.addr eq
106.10.153.29) and (udp.port eq 8816 and udp.port eq 45709)).
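The framing documented in the tables above (2-byte packet header, 2-byte big-endian payload length, 16 zero bytes, then a run of internal header / length / data fields) is small enough to turn into a parser, together with the token, port and sid cross-checks against the SIP INVITE that this report performs by hand. The following is an added Python example; it is not code from this report, from PXE or from Yahoo. The DIRECTION table and the T_* field labels are this example's own names for what the report observed, and the sample payloads are reassembled from the hex views of packets 331, 335 and 342 above.

```python
"""Parser for the ymsg_conf framing dissected in this report. Added example,
not code from the report, PXE or Yahoo; it implements only what the hex views
show: 2-byte header, 2-byte big-endian payload length, 16 zero bytes, then
fields of 2-byte "internal header" (type), 2-byte big-endian length and data.
The T_* names are this example's own labels for the observed field types."""
from __future__ import annotations
import ipaddress
import struct

PAYLOAD_OFFSET = 0x14  # header (2) + payload length (2) + 16 zero bytes
DIRECTION = {  # packet headers seen in the report
    b"\x00\x03": "upstream",    # TCP identification request (pkt 330)
    b"\x01\x03": "downstream",  # TCP identification reply (pkt 331)
    b"\x90\x03": "upstream",    # first packet of the media flow (pkt 335)
    b"\x90\x04": "downstream",  # second packet of the media flow (pkt 342)
}
T_MEDIA_ADDR = 0x0001  # e0 01 | port (2) | IPv4 (4), in the 01 03 reply
T_TOKEN = 0x1002       # token also present in the SIP INVITE
T_SID = 0x1004         # SDP "sid" attribute, a UUID string
T_RTP_PORT = 0x1009    # 00 00 | server RTP port (2)


class FramingError(ValueError):
    """Payload does not follow the ymsg_conf layout."""


def parse_ymsg_conf(payload: bytes) -> tuple[str, dict[int, bytes]]:
    """Return (direction, {type: data}) after checking every invariant the
    report states: known header, exact length, zero padding, intact fields."""
    if len(payload) < PAYLOAD_OFFSET:
        raise FramingError("shorter than header plus zero padding")
    header = payload[:2]
    if header not in DIRECTION:
        raise FramingError(f"unknown packet header {header.hex()}")
    (declared,) = struct.unpack(">H", payload[2:4])
    body = payload[PAYLOAD_OFFSET:]
    if declared != len(body):
        raise FramingError(f"declared length {declared}, actual {len(body)}")
    if any(payload[4:PAYLOAD_OFFSET]):
        raise FramingError("bytes 0x0004..0x0013 are not all zero")
    fields, pos = {}, 0
    while pos < len(body):
        if pos + 4 > len(body):
            raise FramingError(f"truncated field header at payload offset {pos}")
        ftype, flen = struct.unpack(">HH", body[pos:pos + 4])
        if pos + 4 + flen > len(body):
            raise FramingError(f"field {ftype:#06x} length {flen} overruns payload")
        fields[ftype] = body[pos + 4:pos + 4 + flen]
        pos += 4 + flen
    return DIRECTION[header], fields


def is_ymsg_conf(payload: bytes) -> bool:
    """Classification decision: True only if the whole framing validates."""
    try:
        parse_ymsg_conf(payload)
        return True
    except FramingError:
        return False


def token(fields: dict) -> bytes | None:
    """Token minus its trailing 00 padding, for comparison with the SIP INVITE."""
    data = fields.get(T_TOKEN)
    return None if data is None else data.rstrip(b"\x00")


def sid(fields: dict) -> str | None:
    data = fields.get(T_SID)
    return None if data is None else data.decode("ascii")


def media_endpoint(fields: dict) -> tuple[str, int] | None:
    """(server IP, server port) announced in the 01 03 identification reply."""
    data = fields.get(T_MEDIA_ADDR)
    if data is None or len(data) != 8:
        return None
    return str(ipaddress.IPv4Address(data[4:8])), struct.unpack(">H", data[2:4])[0]


def rtp_port(fields: dict) -> int | None:
    """Server RTP port the client repeats in the first media-flow packet."""
    data = fields.get(T_RTP_PORT)
    return None if data is None or len(data) != 4 else struct.unpack(">H", data[2:4])[0]


# Payloads reassembled from the hex views in this report. The "." inside the
# report's token string is the non-printable byte 02, and the token ends in
# three 00 bytes so that its length is 0x74 = 116.
TOKEN = (b"XC_qvR9QumyCFtskYKmchg--\x02Tr80V4Ikxn_fjMX_kofkY4bzMnDi9v_"
         b"vDvJqipj.50OfirxF6un9ZaPXjvoEBKAycS2dyCSzPdbiXGXcWUGjdQ--\x00\x00\x00")
ZEROS = b"\x00" * 16
PKT_331 = bytes.fromhex("0103000c") + ZEROS + bytes.fromhex("00010008 e001b28c 6a0a991d")
PKT_335 = (b"\x90\x03\x00\x88" + ZEROS + b"\x10\x02\x00\x74" + TOKEN
           + bytes.fromhex("10080004 00000001 10090004 0000b28c"))
PKT_342 = (b"\x90\x04\x00\x28" + ZEROS + b"\x10\x04\x00\x24"
           + b"d2dcbc66-0978-11e3-94b0-441ea1610a10")


def link_media_flow(reply, uplink, downlink, sip_token, sip_sids):
    """Tie a UDP media flow to its SIP dialog as the report does by hand:
    reply is the 01 03 TCP reply, uplink/downlink the flow's first two UDP
    packets. Returns the server endpoint and which cross-checks hold."""
    ip, port = media_endpoint(parse_ymsg_conf(reply)[1])
    up, down = parse_ymsg_conf(uplink)[1], parse_ymsg_conf(downlink)[1]
    return ip, port, {
        "token_matches_sip_invite": token(up) == sip_token,
        "port_matches_reply": rtp_port(up) == port,
        "sid_in_sip_invite": sid(down) in sip_sids,
    }
```

Calling `link_media_flow(PKT_331, PKT_335, PKT_342, TOKEN.rstrip(b"\x00"), {"d2dcbc66-0978-11e3-94b0-441ea1610a10"})` returns `("106.10.153.29", 45708)` with all three checks true, which is exactly the correlation the tables above establish by eye. The classifier deliberately validates the whole frame (declared length, zero padding, field boundaries) rather than matching the first two bytes alone, so unrelated traffic that happens to start with 90 03 or 01 03 is not tagged as ymsg_conf, and a forged field length cannot make the parser read past the payload.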
