Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
branch: master
Fetching contributors…

Cannot retrieve contributors at this time

executable file 105 lines (86 sloc) 2.391 kB
#!/usr/bin/env ruby
##
## Written by: Matthew Lee Hinman
## lee [at] writequit [dot] org
## http://writequit.org
## Grabs Yahoo messages out of a pcap live stream or file
##
## Usage: ./yahsnarf -i <dev> or ./yahsnarf -r <pcap_file>
#
# Requires bit-struct:
# http://redshift.sourceforge.net/bit-struct/
#
# and ruby-pcap:
# http://www.goto.info.waseda.ac.jp/~fukusima/ruby/pcap-e.html
#
##
# Library for pcap reading
require 'pcaplet'
include Pcap
# Libray for struct -> class mapping
require 'bit-struct'
# Encapsulation class for a Yahoo Message Packet
class YahooPacket < BitStruct
text :ymsg, 32, "Yahoo MSG protocol"
unsigned :version, 16, "Version"
padding :p1, 16
unsigned :length, 16, "Packet length"
unsigned :service, 16, "Service"
unsigned :status, 32, "Status"
unsigned :sessid, 32, "Session ID"
rest :content, "Content"
end
# Class for decoding a Yahoo packet
class YahooPacketDecoder
def initialize(p)
@pkt = p
@data = p.tcp_data
end
def decode_packet
# Here's where the magic happens
p = YahooPacket.new(@data)
# If it's not a YMSG and service 6 (message), ignore it
return unless (p.ymsg=="YMSG" and p.service==6)
# Debugging output
#puts p.inspect_detailed
d = decode_content(p.content)
if d.nil?
puts "Unable to decode content"
return
end
# The escape sequence is to get rid of color
puts "\033[0m#{ d['src'] } --> #{ d['dst'] }: #{ d['msg'].chomp }"
end
private
def decode_content(c)
res = {}
c = c.split("\300\200")
i = 0
c.each { |k|
i = i + 1
next if (i % 2 == 0)
if k.to_i == 1
res['src'] = c[i] unless res.has_key?('src')
elsif k.to_i == 5
res['dst'] = c[i] unless res.has_key?('dst')
elsif k.to_i == 14
c[i] = c[i].gsub(/"/,"'")
res['msg'] = c[i] unless res.has_key?('msg')
return res
end
}
return nil
end
end
## The actual main part of the program
STDERR.puts "Use '-h' to display usage"
pcaplet = Pcaplet.new("-n -s 65536")
STDERR.puts "Capture/Decoding..."
## Filter, all Yahoo message traffic runs on 5190
YAHOO_DATA = Pcap::Filter.new('tcp and port 5050', pcaplet.capture)
pcaplet.add_filter(YAHOO_DATA)
pcaplet.each_packet { |pkt|
yp = YahooPacketDecoder.new(pkt)
yp.decode_packet()
}
pcaplet.close
Jump to Line
Something went wrong with that request. Please try again.