I have been working on how to find use of online messengers (e.g. imo.im, eBuddy) using Wireshark. I'm doing this as I need to build SIEM (security information and event management) use-cases which detect usage of online web messengers.
To do a little bit of research, I went on a few online web messengers and turned on Wireshark in the background. After a couple of minutes of browsing the online messenger sites, I stopped Wireshark and went straight to analysis. At first, I found nothing special / unique which tells me (as a user) which online messaging service / protocol I used, as all these sites work on HTTP or HTTPS.
However, as I dug deeper I found something interesting. The reference is given below:
Hypertext Transfer Protocol
    HTTP/1.1 200 OK\r\n
        [Expert Info (Chat/Sequence): HTTP/1.1 200 OK\r\n]
            [Message: HTTP/1.1 200 OK\r\n]
            [Severity level: Chat]
            [Group: Sequence]
        Request Version: HTTP/1.1
        Status Code: 200
        Response Phrase: OK
    Content-Encoding: gzip\r\n
    Cache-Control: max-age=10800\r\n
    Content-Type: text/html; charset=utf-8\r\n
    Date: Thu, 24 Jan 2013 17:58:46 GMT\r\n
    Expires: Thu, 24 Jan 2013 20:58:46 GMT\r\n
    Last-Modified: Thu, 24 Jan 2013 01:07:06 GMT\r\n
    p3p: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"\r\n
    Server: ECS (fra/D439)\r\n
    SVR: SP002B7\r\n
    Vary: Accept-Encoding\r\n
    X-Cache: HIT\r\n
    Content-Length: 387\r\n
    \r\n
    Content-encoded entity body (gzip): 387 bytes -> 942 bytes
    Line-based text data: text/html
I have searched the source code and, besides the PI_CHAT constant declaration in the header file expert.c, if I follow the code in packet-http.c I see the following code.
saw_req_resp_or_header = TRUE;
if (is_request_or_reply) {
    char *text = tvb_format_text(tvb, offset, next_offset - offset);
    if (tree) {
        hdr_item = proto_tree_add_text(http_tree, tvb,
                                       offset, next_offset - offset, "%s", text);
    }
    /* Every line recognised as a request or status line gets an expert item:
       group PI_SEQUENCE, severity PI_CHAT, message = the line text itself.
       There is no further condition on the content of the line. */
    expert_add_info_format(pinfo, hdr_item, PI_SEQUENCE, PI_CHAT, "%s", text);
    if (reqresp_dissector) {
        if (tree) req_tree = proto_item_add_subtree(hdr_item, ett_http_request);
        else      req_tree = NULL;
        reqresp_dissector(tvb, req_tree, offset, line,
                          lineend, conv_data);

From the code above it's hard to comprehend what conditions or input bring the PI_CHAT variable to be set. Besides the code, it would help if anyone could explain in terms of theory how Wireshark detects chatting behaviour. The theory I have read on the Wireshark official site says expert info is there to detect changes which are abnormal / anomalies in nature. I'm more interested in knowing the 'how' part.

Thanks.

Tags: expert-info

asked 24 Jan '13, 10:32 by lazerz
PI_CHAT refers to the severity level of the expert info.
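To make the point concrete, here is an added Python model (not Wireshark's code and not from the question) of what the packet-http.c branch shown above does. It reproduces the one condition visible in that code: as soon as a line parses as an HTTP request line or status line, an expert item with group PI_SEQUENCE and severity PI_CHAT is attached to it, carrying the line verbatim. Everything else is an assumption of this example: the constant values (named after Wireshark's macros, but the numbers are only there to give an ordering), the regular expressions used to recognise request/status lines, and the constructed sample packets. Running it over a response from a hypothetical messenger host and a response from any other web server shows that both produce the identical "Chat/Sequence" item, which is why this expert info cannot serve as a web-messenger indicator for a SIEM use-case.

```python
"""Model of how the HTTP dissector attaches Chat/Sequence expert info.

Constructed example; not Wireshark source. Constant names follow
Wireshark's PI_* macros, the numeric values are assumptions that only
preserve the Chat < Note < Warn < Error ordering."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Severity levels (assumed values, ascending in seriousness).
PI_CHAT = 0x00200000   # informational: "this is a normal protocol event"
PI_NOTE = 0x00400000
PI_WARN = 0x00600000
PI_ERROR = 0x00800000
# Group: what kind of event the item describes.
PI_SEQUENCE = 0x02000000

SEVERITY_NAMES = {PI_CHAT: "Chat", PI_NOTE: "Note", PI_WARN: "Warn", PI_ERROR: "Error"}
GROUP_NAMES = {PI_SEQUENCE: "Sequence"}

# Assumed recognisers for "is_request_or_reply"; Wireshark's own check is
# more elaborate, but the decision it feeds is the same boolean.
REQUEST_LINE = re.compile(r"^[A-Z]+ \S+ HTTP/\d\.\d$")
STATUS_LINE = re.compile(r"^HTTP/\d\.\d \d{3}( .*)?$")


@dataclass
class ExpertInfo:
    group: int
    severity: int
    message: str

    def label(self) -> str:
        """Render like Wireshark's '[Expert Info (Chat/Sequence): ...]' line."""
        return f"{SEVERITY_NAMES[self.severity]}/{GROUP_NAMES[self.group]}"


def dissect_http(payload: str) -> List[ExpertInfo]:
    """Walk the header block and emit expert items exactly as the C branch does.

    The only condition is is_request_or_reply: a request line or a status
    line gets (PI_SEQUENCE, PI_CHAT, <line text>). Header fields get nothing.
    The severity is chosen statically by the dissector, not computed from
    anything observed in the traffic."""
    items: List[ExpertInfo] = []
    head = payload.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n"):
        is_request_or_reply = bool(REQUEST_LINE.match(line) or STATUS_LINE.match(line))
        if is_request_or_reply:
            items.append(ExpertInfo(PI_SEQUENCE, PI_CHAT, line))
    return items


def count_by_label(packets: List[str]) -> Dict[str, int]:
    """Equivalent of filtering a capture on expert severity/group and counting hits."""
    counts: Dict[str, int] = {}
    for payload in packets:
        for item in dissect_http(payload):
            counts[item.label()] = counts.get(item.label(), 0) + 1
    return counts


# Constructed sample packets: one response from a hypothetical messenger
# host and one from an unrelated site, plus a request and a header-only blob.
SAMPLE_PACKETS = [
    "HTTP/1.1 200 OK\r\nServer: ECS (fra/D439)\r\nContent-Length: 387\r\n\r\n<html>",
    "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Length: 12\r\n\r\nhello world!",
    "GET /chat HTTP/1.1\r\nHost: messenger.example.test\r\n\r\n",
    "Host: example.test\r\nAccept: */*\r\n\r\n",
]

if __name__ == "__main__":
    for payload in SAMPLE_PACKETS:
        for item in dissect_http(payload):
            print(f"[Expert Info ({item.label()}): {item.message}]")
    print(count_by_label(SAMPLE_PACKETS))
```

Both 200 responses and the request line produce the same Chat/Sequence item; the header-only blob produces none. A filter such as `expert.severity == chat` therefore matches every well-formed HTTP exchange in the capture rather than anything specific to a messenger, so a use-case that needs to tell messenger traffic apart has to key on something the dissector actually extracts from the conversation, not on the expert severity.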