| 1 |
4ae45b10
|
Ermal Luçi
|
# Yahoo messenger - an instant messenger protocol - http://yahoo.com
|
| 2 |
|
|
# Pattern attributes: good fast fast
|
| 3 |
|
|
# Protocol groups: chat proprietary
|
| 4 |
|
|
# Wiki: http://www.protocolinfo.org/wiki/Yahoo_Messenger
|
| 5 |
66f2dd0e
|
Ermal Lu?i
|
# Copyright (C) 2008 Matthew Strait, Ethan Sommer; See ../LICENSE
|
| 6 |
4ae45b10
|
Ermal Luçi
|
#
|
| 7 |
|
|
# Usually runs on port 5050
|
| 8 |
|
|
#
|
| 9 |
|
|
# This pattern has been tested and is believed to work well.
|
| 10 |
|
|
|
| 11 |
|
|
yahoo
|
| 12 |
|
|
# http://www.venkydude.com/articles/yahoo.htm says:
|
| 13 |
|
|
# All Yahoo commands start with YMSG.
|
| 14 |
|
|
# (Well... http://ethereal.com/faq.html#q5.32 suggests that YPNS and YHOO
|
| 15 |
|
|
# are also possible, so let's allow those)
|
| 16 |
|
|
# The next 7 bytes contain command (packet?) length and version information
|
| 17 |
|
|
# which we won't currently try to match.
|
| 18 |
|
|
# L means "YAHOO_SERVICE_VERIFY" according to Ethereal
|
| 19 |
|
|
# W means "encryption challenge command" (YAHOO_SERVICE_AUTH)
|
| 20 |
|
|
# T means "login command" (YAHOO_SERVICE_AUTHRESP)
|
| 21 |
|
|
# (there are others, i.e. 0x01 "coming online", 0x02 "going offline",
|
| 22 |
|
|
# 0x04 "changing status to available", 0x06 "user message", but W and T
|
| 23 |
|
|
# should appear in the first few packets.)
|
| 24 |
|
|
# 0xC080 is the standard argument separator, it should appear not long
|
| 25 |
|
|
# after the "type of command" byte.
|
| 26 |
|
|
|
| 27 |
|
|
^(ymsg|ypns|yhoo).?.?.?.?.?.?.?[lwt].*\xc0\x80
|