monitoring IM and MSN Messanger

[spudgunman]

I am looking for good toolset to quickly turn a pcap of im/msn messenger back to clear text for auditing of employees sending confidential data. using wireshark or whatever to rebuild streams is costly on the time and billing.

I was looking at one tool imsniff but you apparently need to be layer4 ... I want something that can 100% passive (or from a monitor/span port capture and convert data to something more human readable.

oh yes... my 1st post... seems that with all things new a new forum was born and had to make a new ID for myself!

[lupin]

The BackTrack connection of this post seems pretty tenuous to me... but since my answer will mention at least one tool available on BackTrack I will allow this.

What do you mean by "need to be layer4" exactly? From what I have read about imsniff (in the last 30 seconds) it listens as a daemon, and I see no evidence that it sends anything onto the network so it sounds 100% passive to me.

If you want to feed a pcap file into the program check to see if imsniff can read from a pcap instead of listening as a daemon (most programs based on the pcap libraries can do this), and if it cant use tcpreplay to resend the data in the pcap file to the program.

You also might want to check out xplico, which is available in the repositories.

[spudgunman]

roger, thanks for the info. I guess to rephrase it was more of... is any tool in backtrack capable of it. I was searching the repo's but just didnt know ..

yea the imsniff tool was complaining about no "ip address attached to interface" or something of the likes so assume it needs a route-able to do something didnt look into it to far .. was trying to cheat and see if a tool in backtrack already did this and I was missing it... not something I have had to do before is snoop the chatting.

if the thread isnt in line with the new forum policy go ahead and hack it. if not and anyone has any advice of a tool that can be manipulated to provide chat stream data in a more reportable format.

I will also check out xplico a bit more see if it gives up handy info.

[streaker69]

Aren't there better methods to deal with this issue than attempting to intercept the communications? After all, if you intercept it, then you have to read it, if it's a fairly large company with a lot of people using IM, that could be a very daunting, time consuming and expensive task.

If the company is truly concerned about data leakage through those methods, MSN Messenger can be killed off with a simple GPO. Other IM clients can also be controlled via GPO by prohibiting their installation. IM servers can be blocked at the firewall. Employees can be made aware of a policy that prohibits the usage of all IM client software and anyone violating that policy is subject to disciplinary action.

By you wanting to intercept it, you're setting yourself up for failure. If you miss something, then it's your ass on the line.

[spudgunman]

true true but Im not trying to block or stop anything ... that would hurt my goal. working on a pen-test setup and the company is concerned that this might be happening. so I am trying to brush up before I go on site to see if I can capture things. So yes your point is very valid indeed however I just want to know how to trap MSN and read the data with out having to deal with a lot of work or fussing around. I see a lot of windows tools that look like a simple script kiddy parser of the pcap data. Just didnt know if anyone here ran into same issue with BT tools before.