how to detect msn file transfer - layer7 doesn't work

kolorasta · January 28, 2009, 2:40am

hi
y have a MT as a traffic shapper and i have traffic priorization.

i try to use layer7 to mark msn-filetransfer packets but it doesn’t work… y transfer files and counter mangle rule counter doen’t change

i search the net to find what ports are used and i find different port ranges everywhere…

does someone succeed in doing this???

thanks and sorry for poor english

mojiro · January 28, 2009, 8:11am

Try to run wireshark before sending a file in order to capture all the packets when the transfer will begin. Then find something common in all transfers that identify them and make rules using that.

For example, using wireshark I have found how to block the msn advertisements. There are transfered via an XML file. So I blocked this file. I have created that for 2.9.32 version.

chapex · January 29, 2009, 3:32am

6891 - 6900 (used for filetransfer), If you detect that are used other ports, it is that assurance that using alternative messengers as Gaim, Pidgin, amsn, etc. Microsoft respects these ports for the transference. .

saludos rastafari

kolorasta · January 29, 2009, 9:53am

take a look at this page http://support.microsoft.com/kb/927847
it says:

File Transfer TCP 443, 1863 TCP/UDP 1025 - 65535

jajaja 1025-65535 they are joking, aren’t they???

i have transfer files via WLM to another WLM and I saw ports like TCP 4844

i think the best way is to use layer7 but the string suggested in the layer7 proyect site doesn’t work for me

thanks

pd:gracias por el saludo rastafari

mojiro · January 29, 2009, 9:33pm

1863 TCP, is primarily used for chat messages
443 TCP, is used for the transfer of the XML file that carries the contact file(backup), extra tabs, advertisement url’s
UDP Ports, should be used for video and talk

I do not think that they use UDP for file transfer, it is ridiculous!

kolorasta · January 29, 2009, 10:21pm

i agree w/u

mojiro · January 30, 2009, 7:50am

I searched in some old work for MSN, and I had found that also uses 7001 port. I do not know why it does.

Also 131.107.111.0/24 and 131.107.112.0/21 are being used to send Application Usage Feedback, so block them.

normis · January 30, 2009, 8:20am

did you try this with L7?
http://l7-filter.sourceforge.net/layer7-protocols/protocols/msn-filetransfer.pat

kolorasta · January 30, 2009, 3:40pm

hi normis.
i’m currently using that and 0 bytes counted in a couple of days… strange
*^(ver [ -~]msnftp\x0d\x0aver msnftp\x0d\x0ausr|method msnmsgr:)

do i have to put that whole string in the Regexp field??? or without the initial “^(” and the ending “)” ???

NetworkPro · January 30, 2009, 9:16pm

RouterOS Version? Maybe problem is in hex values representation with \x0d\x0a etc.

kolorasta · February 11, 2009, 10:58pm

i’m using RouterOS 3.20

thanks