how to write a qq patterns?

心想事成 · 发表于 2004-12-2 16:39:55

马上注册，结交更多好友，享用更多功能，让你轻松玩转社区。

您需要登录才可以下载或查看，没有账号？注册

×

i compile l7-layer into coyote router.and i want to write a QQ patterns.look:http://l7-filter.sourceforge.net/http://l7-filter.sourceforge.net/layer7-patterns/HOWTOwww.qq.comthis is a english edition for qq:http://qqdl.tencent.com/qq2003iii_eng.exeBecause over six multimillionaire people to use QQ in china.QQ have three method to conncet to server.one is udp to port 61.144.238.145:8000,and another is tcp connect to 218.17.209.23:80,three is connect to 218.17.209.42:443.when i login my qq,i use tcpdump command :

CODE
gtr@cjzzf [/home/gtr] # tcpdump -n -v -X -s 500 src host 192.168.1.15 and dst port 8000tcpdump: listening on rl016:33:23.189422 192.168.1.15.4001 > 61.144.238.145.8000: [udp sum ok] udp 13 (ttl 128, id 29759, len 41)0x0000 4500 0029 743f 0000 8011 d8ab c0a8 010f E..)t?..........0x0010 3d90 ee91 0fa1 1f40 0015 3533 020c 3900 =......@..53..9.0x0020 6226 ee00 10a3 0f00 03ff ffff ffff b&............16:33:23.261195 192.168.1.15.4002 > 61.144.238.145.8000: [udp sum ok] udp 28 (ttl 128, id 29761, len 56)0x0000 4500 0038 7441 0000 8011 d89a c0a8 010f E..8tA..........0x0010 3d90 ee91 0fa2 1f40 0024 b1ad 020c 3900 =......@.$....9.0x0020 5926 ee00 10a3 0fef 2540 f50e b794 a83b Y&......%@.....;0x0030 cf3a 741e 86fb 4a03 .:t...J.16:33:23.272875 192.168.1.15.4001 > 61.144.238.145.8000: udp 460 (ttl 128, id 29762, len 488)0x0000 4500 01e8 7442 0000 8011 d6e9 c0a8 010f E...tB..........0x0010 3d90 ee91 0fa1 1f40 01d4 f110 020c 3900 =......@......9.0x0020 2226 ee00 10a3 0f1c ec74 5fc8 0125 bd9a "&.......t_..%..0x0030 08dc 722c 802f 8c95 6d34 3eb6 833e 492d ..r,./..m4>..>I-0x0040 a68b 4d41 8d77 1ae9 6b28 9cfe 695e 55af ..MA.w..k(..i^U.0x0050 a18d b9eb a4f3 0e57 0769 fb25 9fcc 026e .......W.i.%...n0x0060 8611 cbea 5ea6 42a5 1f59 c100 93c9 9129 ....^.B..Y.....)0x0070 147c 8908 5679 60a3 e86e da0a 8f37 29eb .|..Vy`..n...7).0x0080 2b0f 82b9 1d32 76e3 d163 28c5 52f1 2b78 +....2v..c(.R.+x0x0090 7dd1 bdce b98c 7f11 2d4e ba8a 3ac3 b5db }.......-N..:...0x00a0 38cf b42f d9ce e2f5 15ae ac8b e02c 27f0 8../.........,'.0x00b0 2754 e509 5327 4518 360b c933 8225 6cbf 'T..S'E.6..3.%l.0x00c0 ed7e 0574 2301 3bc6 8597 84b5 b892 44a7 .~.t#.;.......D.0x00d0 242b e5b6 e414 36fa 1eb3 2f1a 051d 2b57 $+....6.../...+W0x00e0 a5d3 1cad b98d 9291 8b78 3824 0c2d 54c0 .........x8$.-T.0x00f0 d5b4 d672 46ae 9bf0 0078 9271 5d27 60ae ...rF....x.q]'`.0x0100 637f 0abc b528 3b79 4bc1 8ce5 0744 ff11 c....(;yK....D..0x0110 bf27 f568 328b 4ec3 0c45 84f5 1733 90d3 .'.h2.N..E...3..0x0120 9a53 dc50 a8e5 f59b 7b87 8cf9 5a1f 2c4f .S.P....{...Z.,O0x0130 5a14 7c8c a922 ed25 f828 d47b 1f6e 16e4 Z.|..".%.(.{.n..0x0140 0b75 0583 3728 c5db d5fe 17c5 5fb9 927a .u..7(......_..z0x0150 2733 8184 de19 ef6f 7ea6 6438 4fda dee4 '3.....o~.d8O...0x0160 d28a 9856 f1ba 4a22 7b6d 8fb5 1f75 f5de ...V..J"{m...u..0x0170 a43b 93fa a3b1 734a 37ea c087 018a 9ec8 .;....sJ7.......0x0180 f262 a8d0 6f9c bcf7 5441 32dc ae79 0725 .b..o...TA2..y.%0x0190 84f3 d98a 8486 4bf0 d0d6 bf31 7606 0342 ......K....1v..B0x01a0 2f71 2405 fda4 5973 c24b c174 a6c0 7e0b /q$...Ys.K.t..~.0x01b0 c2d6 658b 8d7b 74d6 0e1f 7965 8880 22b0 ..e..{t...ye..".0x01c0 2419 1b12 71ea 7a75 57c4 3e3c d8be d544 $...q.zuW.>..M0x01e0 4409 f6bf 7215 D...r.16:33:23.331322 192.168.1.15.4001 > 61.144.238.145.8000: [udp sum ok] udp 28 (ttl 128, id 29763, len 56)0x0000 4500 0038 7443 0000 8011 d898 c0a8 010f E..8tC..........0x0010 3d90 ee91 0fa1 1f40 0024 9b03 020c 3900 =......@.$....9.0x0020 1d26 ee00 10a3 0f4b e355 9a24 3024 490e .&.....K.U.$0$I.0x0030 4d13 7574 2b8e fd03 M.ut+...16:33:23.331406 192.168.1.15.4001 > 61.144.238.145.8000: [udp sum ok] udp 28 (ttl 128, id 29764, len 56)0x0000 4500 0038 7444 0000 8011 d897 c0a8 010f E..8tD..........0x0010 3d90 ee91 0fa1 1f40 0024 3450 020c 3900 =......@.$4P..9.0x0020 1d26 ef00 10a3 0f02 7062 e055 63c3 8752 .&......pb.Uc..R0x0030 daa6 657e 97cc 3403 ..e~..4.16:33:23.331932 192.168.1.15.4001 > 61.144.238.145.8000: [udp sum ok] udp 36 (ttl 128, id 29765, len 64)0x0000 4500 0040 7445 0000 8011 d88e c0a8 010f E..@tE..........0x0010 3d90 ee91 0fa1 1f40 002c 8a6e 020c 3900 =......@.,.n..9.0x0020 0626 ee00 10a3 0f12 bda6 919e 40a8 ab3b .&..........@..;0x0030 b75e e188 302f 12de 7cb6 f281 5d2b 2603 .^..0/..|...]+&.16:33:23.345665 192.168.1.15.4001 > 61.144.238.145.8000: [udp sum ok] udp 28 (ttl 128, id 29767, len 56)0x0000 4500 0038 7447 0000 8011 d894 c0a8 010f E..8tG..........0x0010 3d90 ee91 0fa1 1f40 0024 f6c7 020c 3900 =......@.$....9.0x0020 0d26 ee00 10a3 0f37 6359 37f6 19d2 63c5 .&.....7cY7...c.0x0030 30f5 0de0 d856 6603 0....Vf.16:33:23.366842 192.168.1.15.4001 > 61.144.238.145.8000: [udp sum ok] udp 28 (ttl 128, id 29768, len 56)0x0000 4500 0038 7448 0000 8011 d893 c0a8 010f E..8tH..........0x0010 3d90 ee91 0fa1 1f40 0024 c95e 020c 3900 =......@.$.^..9.0x0020 6526 ee00 10a3 0f5c 5f27 6024 036b db4a e&.....\_'`$.k.J0x0030 1fd1 6cdb fba8 4503 ..l...E.16:33:23.370678 192.168.1.15.4001 > 61.144.238.145.8000: [udp sum ok] udp 308 (ttl 128, id 29769, len 336)0x0000 4500 0150 7449 0000 8011 d77a c0a8 010f E..PtI.....z....0x0010 3d90 ee91 0fa1 1f40 013c 1871 020c 3900 =......@...0x0090 d67e 3477 16c3 b384 de38 4ee6 0f95 462a .~4w.....8N...F*0x00a0 7865 e384 e263 c542 61a0 5f88 a26a cbc1 xe...c.Ba._..j..0x00b0 8c6e d54c 47e1 224f 533a 348a cbdc 9ced .n.LG."OS:4.....0x00c0 2c13 a6f5 73a8 6fbc b46a baca 4852 4cf4 ,...s.o..j..HRL.0x00d0 13c8 86cc 9eb4 faff 0644 fd50 01c6 0283 .........D.P....0x00e0 1143 9b38 9c63 694c 2c2e 5761 4fca 465c .C.8.ciL,.WaO.F\0x00f0 665d e8da 81d1 3bb0 5f48 2d87 a21d e2e7 f]....;._H-.....0x0100 7df1 5bcc 7afa 4b28 104d 9d14 3b0e 90c8 }.[.z.K(.M..;...0x0110 8298 42e1 fb3d 3523 9041 25a1 4b41 215f ..B..=5#.A%.KA!_0x0120 ca5d 7fad 82d9 fb4b 2301 2a3a dd5c 20e6 .].....K#.*:.\..0x0130 bc7d 9569 41e5 2140 bb4e 11a4 ad5f 804d .}.iA.!@.N..._.M0x0140 bcd4 0095 c86c 735c cc3b 044a f7c9 5103 .....ls\.;.J..Q.16:33:23.382730 192.168.1.15.4001 > 61.144.238.145.8000: [udp sum ok] udp 28 (ttl 128, id 29770, len 56)0x0000 4500 0038 744a 0000 8011 d891 c0a8 010f E..8tJ..........0x0010 3d90 ee91 0fa1 1f40 0024 32aa 020c 3900 =......@.$2...9.0x0020 2726 ee00 10a3 0fa0 d9af 5553 2883 faf3 '&........US(...0x0030 b5a9 68cc 4ad7 8403 ..h.J...16:33:23.416312 192.168.1.15.4001 > 61.144.238.145.8000: [udp sum ok] udp 28 (ttl 128, id 29771, len 56)0x0000 4500 0038 744b 0000 8011 d890 c0a8 010f E..8tK..........0x0010 3d90 ee91 0fa1 1f40 0024 91f5 020c 3900 =......@.$....9.0x0020 6526 ef00 10a3 0f5c 5f27 6024 036b db37 e&.....\_'`$.k.70x0030 9fc3 7bb2 d85b 1003 ..{..[..16:33:23.434826 192.168.1.15.4001 > 61.144.238.145.8000: [udp sum ok] udp 308 (ttl 128, id 29772, len 336)0x0000 4500 0150 744c 0000 8011 d777 c0a8 010f E..PtL.....w....0x0010 3d90 ee91 0fa1 1f40 013c 1469 020c 3900 =......@. 61.144.238.145.8000: [udp sum ok] udp 28 (ttl 128, id 29798, len 56)0x0000 4500 0038 7466 0000 8011 d875 c0a8 010f E..8tf.....u....0x0010 3d90 ee91 0fa1 1f40 0024 2029 020c 3900 =......@.$.)..9.0x0020 6526 f200 10a3 0f11 7aba c36c 2839 caff e&......z..l(9..0x0030 6e18 5f41 f61d 1c03 n._A....16:33:23.822623 192.168.1.15.4001 > 61.144.238.145.8000: [udp sum ok] udp 308 (ttl 128, id 29799, len 336)0x0000 4500 0150 7467 0000 8011 d75c c0a8 010f E..Ptg.....\....0x0010 3d90 ee91 0fa1 1f40 013c c1a3 020c 3900 =......@.

心想事成 · 发表于 2004-12-2 16:52:23

hereinbefore is i use udp login,and now is tcp login:

CODE
gtr@cjzzf [/home/gtr] # tcpdump -n -v -X -s 500 src host 192.168.1.15 and dst port 80tcpdump: listening on rl016:48:52.607596 192.168.1.15.1034 > 218.17.209.23.80: S [tcp sum ok] 3805079781:3805079781(0) win 65535 (DF) (ttl 128, id 41427, len 48)0x0000 4500 0030 a1d3 4000 8006 ec13 c0a8 010f E..0..@.........0x0010 da11 d117 040a 0050 e2cc e8e5 0000 0000 .......P........0x0020 7002 ffff 4632 0000 0204 05b4 0101 0402 p...F2..........16:48:52.646666 192.168.1.15.1034 > 218.17.209.23.80: . [tcp sum ok] ack 3908849595 win 65535 (DF) (ttl 128, id 41428, len 40)0x0000 4500 0028 a1d4 4000 8006 ec1a c0a8 010f E..(..@.........0x0010 da11 d117 040a 0050 e2cc e8e6 e8fc 4fbb .......P......O.0x0020 5010 ffff 3a2e 0000 ffff ffff ffff P...:.........16:48:52.675197 192.168.1.15.1033 > 218.17.209.23.80: P [tcp sum ok] 131959823:131959853(30) ack 2522293605 win 65535 (DF) (ttl 128, id 41429, len 70)0x0000 4500 0046 a1d5 4000 8006 ebfb c0a8 010f E..F..@.........0x0010 da11 d117 0409 0050 07dd 8c0f 9657 2565 .......P.....W%e0x0020 5018 ffff 7a88 0000 001e 020c 3900 5932 P...z.......9.Y20x0030 c700 10a3 0f79 c853 3cb1 d208 b343 8f1d .....y.S 218.17.209.23.80: P [tcp sum ok] 0:15(15) ack 1 win 65535 (DF) (ttl 128, id 41430, len 55)0x0000 4500 0037 a1d6 4000 8006 ec09 c0a8 010f E..7..@.........0x0010 da11 d117 040a 0050 e2cc e8e6 e8fc 4fbb .......P......O.0x0020 5018 ffff b325 0000 000f 020c 3900 6232 P....%......9.b20x0030 c700 10a3 0f00 03 .......16:48:52.726095 192.168.1.15.1034 > 218.17.209.23.80: P 15:477(462) ack 37 win 65499 (DF) (ttl 128, id 41431, len 502)0x0000 4500 01f6 a1d7 4000 8006 ea49 c0a8 010f E.....@....I....0x0010 da11 d117 040a 0050 e2cc e8f5 e8fc 4fdf .......P......O.0x0020 5018 ffdb 9cc8 0000 01ce 020c 3900 2232 P...........9."20x0030 c700 10a3 0f5f c45c 700f 5021 261c dba9 ....._.\p.P!&...0x0040 5192 d102 d4dc beb8 3e1b fe99 f483 bdb6 Q.......>.......0x0050 3b1f 143c 3eb8 88c8 968a 6ebf 9d3e 4294 ;.......n..>B.0x0060 00ac 2b91 068d f137 e53b 15b6 11eb 6b89 ..+....7.;....k.0x0070 1511 b4d7 9ae8 de9e fb74 d06d e579 d65f .........t.m.y._0x0080 daeb 3f79 2e84 680d d76d 5159 a698 fda6 ..?y..h..mQY....0x0090 7413 6276 d293 ce12 3d24 8837 1ffd 4e43 t.bv....=$.7..NC0x00a0 9727 a170 cfa5 b277 c9e7 d7ff db6c ad70 .'.p...w.....l.p0x00b0 5378 0082 a7ae af6d 8e69 bfd2 2873 f6b1 Sx.....m.i..(s..0x00c0 f342 3274 da9a 34ae c51a 1a46 753c 5749 .B2t..4....Fu 218.17.209.23.80: P [tcp sum ok] 1345:1685(340) ack 4417 win 65535 (DF) (ttl 128, id 41442, len 380)0x0000 4500 017c a1e2 4000 8006 eab8 c0a8 010f E..|..@.........0x0010 da11 d117 040a 0050 e2cc ee27 e8fc 60fb .......P...'..`.0x0020 5018 ffff 17e2 0000 001e 020c 3900 6532 P...........9.e20x0030 cd00 10a3 0f4f 5c4e 042a 1909 3da3 86ed .....O\N.*..=...0x0040 7a2d 9023 6e03 0136 020c 3900 5c32 cd00 z-.#n..6..9.\2..0x0050 10a3 0f6f 4e99 7327 f5eb 0835 c40a cae0 ...oN.s'...5....0x0060 ee1d b4ab 2eb8 f5dc 87d9 ffd7 7132 899e ............q2..0x0070 36ba 78e4 5453 1e66 c0ed ce08 ad9c d9b0 6.x.TS.f........0x0080 2e7d 1097 3a17 379b 0730 fe5d 964c 3943 .}..:.7..0.].L9C0x0090 c671 1826 20aa 7f2a 833f 5e54 619d a91d .q.&...*.?^Ta...0x00a0 717b 24a8 44aa 1f44 e6e4 d43e a2c6 b8a1 q{$.D..D...>....0x00b0 d92a cde6 d749 e76c ea59 d1e2 f426 c7df .*...I.l.Y...&..0x00c0 e8ec a4d1 a795 1cf6 0129 bff4 83ca d19a .........)......0x00d0 75b8 665c 9659 0f09 744e b57a 0fcf 9501 u.f\.Y..tN.z....0x00e0 1175 f6f5 25f3 936b 8a3d e92e 3b17 e697 .u..%..k.=..;...0x00f0 06bb 543a d42d 6444 f6c1 d409 843e 8e7b ..T:.-dD.....>.{0x0100 273e 607f da4b f3a3 adbb 2b32 6682 2a19 '>`..K....+2f.*.0x0110 a0cf 1bcb f1fe d8aa 402d 2fc3 f16d 9072 ........@-/..m.r0x0120 2466 084b d48e 9d32 0bb7 9bcf eb6c e755 $f.K...2.....l.U0x0130 ea85 4efd d039 85d7 2d45 68c2 b1a7 106e ..N..9..-Eh....n0x0140 98aa b355 e3cd 2505 cf98 787a 1e6f b335 ...U..%...xz.o.50x0150 7ba9 2fe9 e83a 59dc 699a 85c2 8654 3dc9 {./..:Y.i....T=.0x0160 765d cb4a ef44 7370 3a85 a871 bd17 cf67 v].J.Dsp:..q...g0x0170 16db f771 b470 44a2 8249 2a03 ...q.pD..I*.16:48:53.114141 192.168.1.15.1034 > 218.17.209.23.80: P [tcp sum ok] 1685:1715(30) ack 5043 win 64909 (DF) (ttl 128, id 41443, len 70)0x0000 4500 0046 a1e3 4000 8006 ebed c0a8 010f E..F..@.........0x0010 da11 d117 040a 0050 e2cc ef7b e8fc 636d .......P...{..cm0x0020 5018 fd8d 10bc 0000 001e 020c 3900 6532 P...........9.e20x0030 ce00 10a3 0f2b df67 b778 0f69 86e9 79a4 .....+.g.x.i..y.0x0040 30b5 e0ba cb03 0.....16:48:53.158576 192.168.1.15.1034 > 218.17.209.23.80: P [tcp sum ok] 1715:2025(310) ack 5909 win 65535 (DF) (ttl 128, id 41444, len 350)0x0000 4500 015e a1e4 4000 8006 ead4 c0a8 010f E..^..@.........0x0010 da11 d117 040a 0050 e2cc ef99 e8fc 66cf .......P......f.0x0020 5018 ffff f6d7 0000 0136 020c 3900 5c32 P........6..9.\20x0030 ce00 10a3 0f53 6693 a293 a74b a97e 8701 .....Sf....K.~..0x0040 71a8 71eb 6f77 05a9 e7be b2d4 be4e 88e2 q.q.ow.......N..0x0050 8988 6417 8456 5112 6c5d de70 c97b 31d2 ..d..VQ.l].p.{1.0x0060 6bb1 21d0 2977 66fe 900e b2ab 1527 3368 k.!.)wf......'3h0x0070 c2e0 48f1 15ee 2652 d914 734e d86c cabe ..H...&R..sN.l..0x0080 8e3f 1aa1 2420 2372 36ae bc49 d6f0 077a .?..$.#r6..I...z0x0090 d701 43b8 d9ba 69a4 c607 128b 876e f02f ..C...i......n./0x00a0 24e0 d921 c882 9c96 af01 63f6 bd0f 64a5 $..!......c...d.0x00b0 bd9d fcbd b762 59f4 2168 5bb9 afc3 f798 .....bY.!h[.....0x00c0 ffe6 6d50 4229 36b1 ffe0 3da7 bd04 4acf ..mPB)6...=...J.0x00d0 9174 62c2 ab2f b11e c7c7 aa7c 869d ff3f .tb../.....|...?0x00e0 bd18 3666 4b68 2bb5 9872 eaeb 063c fca3 ..6fKh+..r.....I.r....16:48:53.203086 192.168.1.15.1034 > 218.17.209.23.80: P [tcp sum ok] 2025:2055(30) ack 6535 win 64909 (DF) (ttl 128, id 41445, len 70)0x0000 4500 0046 a1e5 4000 8006 ebeb c0a8 010f E..F..@.........0x0010 da11 d117 040a 0050 e2cc f0cf e8fc 6941 .......P......iA0x0020 5018 fd8d 147d 0000 001e 020c 3900 6532 P....}......9.e20x0030 cf00 10a3 0fd2 dfe1 e260 72b5 9bd1 2d24 .........`r...-$0x0040 6f26 eca3 1d03 o&....16:48:53.244665 192.168.1.15.1034 > 218.17.209.23.80: P [tcp sum ok] 2055:2365(310) ack 7401 win 65535 (DF) (ttl 128, id 41446, len 350)0x0000 4500 015e a1e6 4000 8006 ead2 c0a8 010f E..^..@.........0x0010 da11 d117 040a 0050 e2cc f0ed e8fc 6ca3 .......P......l.0x0020 5018 ffff de37 0000 0136 020c 3900 5c32 P....7...6..9.\20x0030 cf00 10a3 0ff5 2b98 0037 4f01 3a85 1063 ......+..7O.:..c0x0040 adf6 d53d efe2 b2f7 5532 d1d9 3152 3150 ...=....U2..1R1P0x0050 51dd 3f9c 44b9 a250 3fab a2bb e334 a4ee Q.?.D..P?....4..0x0060 3257 f2f3 17aa 7d17 9a86 cf00 3dc8 d1b7 2W....}.....=...0x0070 5e18 6e83 b4ca 5deb 3a21 e0b5 c3dc 55eb ^.n...].:!....U.0x0080 83df 1cd8 22f6 bb35 8a52 436c ef55 4d56 ...."..5.RCl.UMV0x0090 0ba3 419a 735b 047c 146b 6984 1c6e 1492 ..A.s[.|.ki..n..0x00a0 fdc2 025f 6ec7 062d c4c4 5c18 4258 1111 ..._n..-..\.BX..0x00b0 6ebe 7ec3 d9a4 012d 3bf6 d4af 8479 2179 n.~....-;....y!y0x00c0 f4ca 95ac 8be4 d41e 2ec4 cd7e c917 7ffa ...........~....0x00d0 7a69 f801 d7ba 1047 4308 6e13 8112 23f3 zi.....GC.n...#.0x00e0 fd31 3f46 6992 287e 1601 2545 211d 6166 .1?Fi.(~..%E!.af0x00f0 ea38 af43 21cd 88a3 d6b0 8ed4 3bc4 5002 .8.C!.......;.P.0x0100 c2a5 c248 d22d fb3d 0662 b694 b590 a96c ...H.-.=.b.....l0x0110 a760 13ff 81be a64a 66cd 07ab c111 57b7 .`.....Jf.....W.0x0120 11b5 4efd ec43 156a 0591 af42 7111 9557 ..N..C.j...Bq..W0x0130 9fc0 9dd6 2d2d 09c0 e69c c47d 8a64 2931 ....--.....}.d)10x0140 c9a0 7b09 34f4 d44a 936e ce8b 8ec8 8008 ..{.4..J.n......0x0150 234d 4fdb ebad 702a c14a 69dc 8403 #MO...p*.Ji...16:48:53.288521 192.168.1.15.1034 > 218.17.209.23.80: P [tcp sum ok] 2365:2667(302) ack 7691 win 65245 (DF) (ttl 128, id 41447, len 342)0x0000 4500 0156 a1e7 4000 8006 ead9 c0a8 010f E..V..@.........0x0010 da11 d117 040a 0050 e2cc f223 e8fc 6dc5 .......P...#..m.0x0020 5018 fedd d3ac 0000 012e 020c 3900 6732 P...........9.g20x0030 cb00 10a3 0f38 160c 6c3f 8ed0 fbf7 f8ce .....8..l?......0x0040 096f 07d8 379f 8050 cbd2 b7a2 f4f7 1cf4 .o..7..P........0x0050 d6c4 1b6e 6f00 608e d272 bd4d 36b8 de43 ...no.`..r.M6..C0x0060 4096 7706 dcfe c3a8 0c33 1702 16f5 f7aa @.w......3......0x0070 654c 6493 3dda 02d4 eb0e adaa 4bf6 2969 eLd.=.......K.)i0x0080 1ec2 addd dfca a856 3929 71ca c9a0 ea56 .......V9)q....V0x0090 79f3 8860 2cc0 5bd4 6187 1edc f90c 369e y..`,.[.a.....6.0x00a0 545c e367 408d 5285 5d0e 3d38 4089 2833 T\.g@.R.].=8@.(30x00b0 004f b230 fa16 f4fc be17 ff65 7967 8f46 .O.0.......eyg.F0x00c0 01ff ab11 c194 40f7 beae 35e7 2eba 9b75 ......@...5....u0x00d0 87c4 6aff d642 c968 37a7 7bce 233d 47f5 ..j..B.h7.{.#=G.0x00e0 2603 6b5b a3b9 114d 3b00 a4a4 da68 f65c &.k[...M;....h.\0x00f0 9a6b 5d5d 8d33 85a2 b895 1039 d060 160b .k]].3.....9.`..0x0100 4292 041a f9ff 2903 8f28 7db4 5c87 e918 B.....)..(}.\...0x0110 81cc fad9 b74b 6032 7d3a b1d2 8800 c030 .....K`2}:.....00x0120 e20b fc43 96bd 6625 2f22 8902 b11a ea71 ...C..f%/".....q0x0130 6619 d14a 3019 f137 4092 e172 5e74 1256 f..J0..7@..r^t.V0x0140 5f02 ddb0 766b e815 cc2a 08e5 d43b 8036 _...vk...*...;.60x0150 62d7 9037 b503 b..7..16:48:53.330926 192.168.1.15.1034 > 218.17.209.23.80: P [tcp sum ok] 2667:2977(310) ack 8557 win 64379 (DF) (ttl 128, id 41448, len 350)0x0000 4500 015e a1e8 4000 8006 ead0 c0a8 010f E..^..@.........0x0010 da11 d117 040a 0050 e2cc f351 e8fc 7127 .......P...Q..q'0x0020 5018 fb7b 0936 0000 0136 020c 3900 5c32 P..{.6...6..9.\20x0030 d000 10a3 0f1b 6026 0aca 132d 207e 82ab ......`&...-.~..0x0040 4ab9 5c4a 1af1 b114 0c46 58b9 e81c 3722 J.\J.....FX...7"0x0050 6564 3bd0 d2a8 0b93 3ef3 d77b cdf3 2150 ed;.....>..{..!P0x0060 13c7 28b3 4015 0ac6 72a2 d5e7 4dd8 0020 ..(.@...r...M...0x0070 8371 2eb3 4191 a2d1 a02d 6997 58e5 4177 .q..A....-i.X.Aw0x0080 1ee0 76e4 908d d936 f012 0f34 2b29 1a8c ..v....6...4+)..0x0090 f508 ceab 8c3a 8ecb 6618 0fd6 3abc 94c8 .....:..f...:...0x00a0 a92a a602 6f95 85db b346 63c3 15b0 8c50 .*..o....Fc....P0x00b0 f9c8 6682 4119 0116 0231 e46a b0d7 9865 ..f.A....1.j...e0x00c0 98c0 7166 50a5 7ee8 b232 a0bb 7285 78b3 ..qfP.~..2..r.x.0x00d0 6409 9b53 a83c 616f 3f2d 85d9 5a16 b7e9 d..S.:Div...j,0x00d0 819d ee3c a023 4ca9 bc64 03fb 3603 ... 218.17.209.23.80: . [tcp sum ok] ack 9931 win 65053 (DF) (ttl 128, id 41467, len 40)0x0000 4500 0028 a1fb 4000 8006 ebf3 c0a8 010f E..(..@.........0x0010 da11 d117 040a 0050 e2cc f53d e8fc 7685 .......P...=..v.0x0020 5010 fe1d 08ef 0000 ffff ffff ffff P.............^C762 packets received by filter0 packets dropped by kerne

心想事成 · 发表于 2004-12-2 18:33:15

I noticed all UDP packet have a character:020c 3900 XX26 XX00 10a3(XX is variable)and all TCP packet have a character:020c 3900 XX32 XX00 10a3(XX is variable)examples:16:33:23.331322 192.168.1.15.4001 > 61.144.238.145.8000: [udp sum ok] udp 28 (ttl 128, id 29763, len 56)0x0000 4500 0038 7443 0000 8011 d898 c0a8 010f E..8tC..........0x0010 3d90 ee91 0fa1 1f40 0024 9b03 020c 3900 =......@.$....9.0x0020 1d26 ee00 10a3 0f4b e355 9a24 3024 490e .&.....K.U.$0$I.0x0030 4d13 7574 2b8e fd03 16:33:23.261195 192.168.1.15.4002 > 61.144.238.145.8000: [udp sum ok] udp 28 (ttl 128, id 29761, len 56)0x0000 4500 0038 7441 0000 8011 d89a c0a8 010f E..8tA..........0x0010 3d90 ee91 0fa2 1f40 0024 b1ad 020c 3900 =......@.$....9.0x0020 5926 ee00 10a3 0fef 2540 f50e b794 a83b Y&......%@.....;0x0030 cf3a 741e 86fb 4a03

心想事成 · 发表于 2004-12-10 19:50:03

http://alumnus.caltech.edu/~chamness/qwPackets.html

心想事成 · 发表于 2004-12-11 07:43:53

From: Deepak Seshadri RE: Re: how to writing QQ patterns? 2004-12-10 07:22 Pattern Quality: Untested Application: Tencent/QQ Protocol: UDP Ports: 6000,8000,6001,8001 Initial communication establishment packet size: 72 bytes (client side) & 56 bytes (server side) Client side pattern: ^\x02\x01\x4a\xf5\x01\x01\x0b\x39\x10\x09\x57\x6f\x96\xff\xff\xff\xff Server-side patterns: ^\x02\x01\x10\x08\x01\x02\x41\xb9\xb4\x74\x57\xee\x79\xd4\xa0\x8c\xa6\xc1\x7 a\x40\x2a\x1f\xdb\xfa\x24\x4f\x01\x0b\x39 ^\x02\x01\xe8\xd1\x01\x01\xdb\x85\x26\x13\x1f\x41\x01\x0b\x39 Observation: The client side packet pattern stays the same at all times. Server side has 2 patterns. I would like to block this application with just the client side pattern. The server side pattern is too long. I have not had time to test the patterns. Hope this helps as a starting point to test & fine-tune the pattern. Regards, Deepak Seshadri

xiexie · 发表于 2005-6-7 15:25:15

3q again.

账号		自动登录	找回密码
密码			注册