Since March 10, 2003 - Version 2.1
hypothetic.org

MSN Messenger Protocol

Research - Research Practice

Back To Normal Layout

Overview

Our understanding of the MSN Messenger protocol is based largely on research which has been done by the messenger community, and reported to the discussion forum. This section talks about some techniques which are useful when trying to reverse-engineer the protocol.

Watch Network Traffic

It is possible to eavesdrop on communications between the MSN client and the server using special programs that "sniff" data sent over a network. The MSN Messenger protocol (like all good Internet protocols) is text-based, so it's relatively easy to work things out by eye.

Many packet sniffers exist for different operating systems. Ethereal is a very capable program, available for Windows and various Unix-based operating systems. Another sniffer is tcpdump for Linux, or its Windows-based cousin, Windump. Alternatively, WPE Pro Alpha has better handling for dial-up connections under Windows NT/2000/XP. I think the official WPE website is here.

You should start a packet sniffer before logging in to MSN Messenger, and stop it after logging out - that way, you'll get a complete record of an MSN Messenger session. It's often the case that the client or server sends information early on in a session which isn't used until later on - for example, the PAG command only works if you sent a CVR command earlier on in the session.

If you have several computers on a LAN, you must make sure that it isn't working in "promiscuous" mode, or that you have permission from everyone on the LAN, before running a packet sniffer. Otherwise, the program will capture all the data sent on the network, breaching other peoples' privacy (not to mention the law in most countries).

A small Perl script by Andrew Sayers is available which takes live or previously captured data in Pcap format, and creates a tree of HTML files, with one TCP stream per file. The files (deliberately) use the same syntax as this website, so put our style-sheet into the base directory created by the script for best effect. This script uses the NetPacket and Net::Pcap libraries, as well as several standard GNU tools. It was a quick hack, and has not been well tested. Use it at your own risk.

Search Online

You'd be amazed what you can find with Google. In fact, learning to make effective use of search engines is incredibly useful on-line.

MSN Messenger makes use of (or is inspired by) many technologies - MIME, for example. Many of these technologies are well documented elsewhere on-line. It's always a good idea to spend a little while looking around to see if someone else has solved a problem before spending a long time re-inventing the wheel.

Google Help has a good tutorial covering the techniques of searching, but the most important thing is to find key words and phrases which will occur in all of the web pages you want, and none of the pages you don't want. This needn't be prominent, succinct, or easy to understand. For example, if you wanted to find instances of the original IETF draft of the MSN Messenger protocol, you might search for "Parameters that contain spaces or extended (non 7-bit ASCII) characters" (a line in the middle of the draft).

Conduct Experiments

Experiments are by far the best way of testing a theory. In computing, this means checking what input to a program causes what output. In MSN Messenger, that can mean examining the behaviour of the official client or the server when it is sent a particular command.

Forum

The discussion forum is a great source of new research about the protocol. It's quite possible that somebody has already discovered and posted what you are looking for. Make sure you aren't asking something that has already been asked or posting discoveries that have already been discovered. The search page will help you with that.

It's a good idea to post your findings to the forum sooner rather than later. Someone else might have already encountered the same thing, or might have an interesting perspective on the information. When you post findings, please include a complete log of what you've found, rather than just the bits you think are significant - there might be an important piece of the puzzle elsewhere. If you like, you can include links to pages you've found, or highlight text you think is important using the forum's advanced posting features.

Some people like to talk about "Alice and Bob", which are terms borrowed from cryptography. They are well explained in the jargon file.

Copyright ©2002-2004 to Mike Mintz.
<http://www.mikemintz.com/>