 log msn traffic

TSrobertngo
post Mar 1 2005, 01:09 PM, updated 21y ago



I want to monitor the usage of MSN at my office using squid, so I set up the MSN connection to use an HTTP proxy, but then I found that users can connect directly to MSN without going through the proxy. At the firewall, direct connection to the internet is only allowed for some ports. How can Messenger connect to the internet without going through the proxy?
debiankl
post Mar 1 2005, 02:12 PM



Because MSN used port 80
TSrobertngo
post Mar 1 2005, 04:07 PM



The firewall only allows direct connection to the internet for ssh, telnet and mail; how can MSN go to the internet directly using port 80?
debiankl
post Mar 1 2005, 05:14 PM



QUOTE(robertngo @ Mar 1 2005, 04:07 PM)
The firewall only allows direct connection to the internet for ssh, telnet and mail; how can MSN go to the internet directly using port 80?
*
Wrong info, port for yahoo messenger.

Here is the list of ports used by MSN

389 : TCP MSN NetMeeting
522 : TCP MSN NetMeeting
1024 : UDP MSN NetMeeting (ports 1024 - 65535)
1503 : TCP MSN NetMeeting Whiteboard and Application Sharing
1720 : TCP MSN NetMeeting
1731 : TCP MSN NetMeeting
1838 : TCP MSN Messenger (Gamevoice)
1863 : TCP/UDP MSN Messenger primary (incoming)
2300 : TCP/UDP MSN Gaming Zone DX (incoming) - ports 2300-2400
2880 : TCP MSN Gaming Zone (ports 2880-29000). Caution: all ports open will become a security problem!
3389 : TCP MSN/Microsoft RDP (Remote Desktop Protocol) for Remote Assistance
5004 : UDP MSN Messenger, ports 5004-65535. Used for AUDIO and VIDEO. Caution: security risk! Do not open ALL these ports!
5004 : UDP MSN messenger (dynamically uses a port in this range 5004 - 65535 - requires UPnP in your NAT router and/or firewall). Used for AUDIO and VIDEO. See Microsoft website for details.
5190 : UDP MSN Messenger (incoming)
6667 : TCP MSN Gaming Zone (incoming)
6891 : TCP MSN Messenger Filetransfer (incoming) - ports 6891 - 6900, one port per file transfer
6901 : TCP/UDP MSN Messenger Voice Telephony (incoming)
28800 : TCP MSN Gaming Zone (incoming) - ports 28800 to 29000
47624 : TCP MSN Gaming Zone DX (incoming)

TSrobertngo
post Mar 1 2005, 07:56 PM



QUOTE(debiankl @ Mar 1 2005, 05:14 PM)
Wrong info, port for yahoo messenger.

Here is the list of ports used by MSN

389 : TCP MSN NetMeeting
522 : TCP MSN NetMeeting
1024 : UDP MSN NetMeeting (ports 1024 - 65535)
1503 : TCP MSN NetMeeting Whiteboard and Application Sharing
1720 : TCP MSN NetMeeting
1731 : TCP MSN NetMeeting
1838 : TCP MSN Messenger (Gamevoice)
1863 : TCP/UDP MSN Messenger primary (incoming)
2300 : TCP/UDP MSN Gaming Zone DX (incoming) - ports 2300-2400
2880 : TCP MSN Gaming Zone (ports 2880-29000). Caution: all ports open will become a security problem!
3389 : TCP MSN/Microsoft RDP (Remote Desktop Protocol) for Remote Assistance
5004 : UDP MSN Messenger, ports 5004-65535. Used for AUDIO and VIDEO. Caution: security risk! Do not open ALL these ports!
5004 : UDP MSN messenger (dynamically uses a port in this range 5004 - 65535 - requires UPnP in your NAT router and/or firewall). Used for AUDIO and VIDEO. See Microsoft website for details.
5190 : UDP MSN Messenger (incoming)
6667 : TCP MSN Gaming Zone (incoming)
6891 : TCP MSN Messenger Filetransfer (incoming) - ports 6891 - 6900, one port per file transfer
6901 : TCP/UDP MSN Messenger Voice Telephony (incoming)
28800 : TCP MSN Gaming Zone (incoming) - ports 28800 to 29000
47624 : TCP MSN Gaming Zone DX (incoming)
*
These ports, except for the MSN Gaming Zone ones, used to be allowed in the firewall rules, but now these ports are not open, yet Messenger can still connect directly to the internet.
92grad
post Mar 1 2005, 08:32 PM

If I am not mistaken, some of the Messenger clients can tunnel through your legitimate connections such as email, web etc.

It is almost impossible to stop them, unless you have a deep-inspection firewall that can see the real traffic inside the tunnel.

Another solution is to come out with a security policy that prohibits the use of MSN Messenger, and then use Snort to detect MSN traffic.
wKkaY
post Mar 1 2005, 10:15 PM

QUOTE(robertngo @ Mar 1 2005, 04:09 PM)
How can messenger connect to the internet without going through the proxy?
*

tcpdump's your friend here..
ihsan
post Mar 1 2005, 10:25 PM

Why would you want to monitor MSN conversations? Issues with the colleagues or the boss? That would be so lame. I'd install a keylogger instead, more fun with them.

To elaborate further on wKkaY's post, in conjunction with tcpdump you can use tcpflow or flowgrep to reconstruct the TCP streams so that you'll get close to a coherent reading. On a busy network these tools can be very valuable in getting those killer lines of conversation you so desperately need.

If your motive is to block MSN or other bandwidth-hogging traffic, then you would need a different kind of solution.

debiankl
post Mar 1 2005, 11:05 PM



QUOTE(92grad @ Mar 1 2005, 08:32 PM)
If I am not mistaken, some of the Messenger clients can tunnel through your legitimate connections such as email, web etc.
*
Which means you cannot block port 80 if MSN uses HTTP tunneling, but you can configure squid's ACL to block MSN domains.
TSrobertngo
post Mar 2 2005, 08:20 AM



I don't want to block MSN traffic because this is useful for our company, but my boss wants to be able to monitor MSN so that employees do not spend their time chatting with their friends all day.
ihsan
post Mar 2 2005, 12:29 PM

Your boss should be doing something more beneficial than monitoring his employees' surfing habits. Impose a policy and use the monitoring to supplant the policy; your boss will spend less time micromanaging. With disciplinary threat and job security, the employees will think twice about overspending time on the internet.
TSrobertngo
post Mar 2 2005, 01:02 PM



Is there any way to know who they have been chatting with on MSN? I don't need to know what they are talking about, just the length of the conversation.

debiankl
post Mar 2 2005, 03:45 PM



QUOTE(robertngo @ Mar 2 2005, 01:02 PM)
Is there any way to know who they have been chatting with on MSN? I don't need to know what they are talking about, just the length of the conversation.
*
I can't remember any such tools being available yet, but this is an interesting report for management.

Otherwise, write a Perl or Python script to grep all packets going to the MSN domain along with the source IP address, and parse them into RRDtool, which outputs the results in graphical format.
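
Added example, not part of the original thread or any poster's code: one way to build the per-user report suggested above from a Squid native-format `access.log`, reporting only how long each client IP talked to MSN hosts (no message content, no contact names). The log lines, IP addresses, URL path and the `MSN_SUFFIXES` / `IDLE_GAP` names are constructed for illustration; the only real host name is the one quoted in this thread.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: suffix of the one MSN host named in the thread; extend from your own logs.
MSN_SUFFIXES = ("msgr.hotmail.com",)
IDLE_GAP = 300  # seconds of silence after which a new session is counted (assumed value)

# Constructed sample in Squid native format: end-time elapsed-ms client status bytes method URL ...
SAMPLE_LOG = """\
1109654400.000    200 10.0.0.21 TCP_MISS/200 512 POST http://baym-gw20.msgr.hotmail.com/gateway/gateway.dll - DIRECT/192.0.2.10 -
1109654460.000    200 10.0.0.21 TCP_MISS/200 498 POST http://baym-gw20.msgr.hotmail.com/gateway/gateway.dll - DIRECT/192.0.2.10 -
1109654520.000    200 10.0.0.21 TCP_MISS/200 530 POST http://baym-gw20.msgr.hotmail.com/gateway/gateway.dll - DIRECT/192.0.2.10 -
1109658000.000    200 10.0.0.21 TCP_MISS/200 505 POST http://baym-gw20.msgr.hotmail.com/gateway/gateway.dll - DIRECT/192.0.2.10 -
1109655300.000 900000 10.0.0.35 TCP_MISS/200 48210 CONNECT baym-gw20.msgr.hotmail.com:1863 - DIRECT/192.0.2.10 -
1109655310.000     95 10.0.0.35 TCP_MISS/200 1830 GET http://www.example.com/ - DIRECT/192.0.2.20 text/html
1109655320.000     80 10.0.0.44 TCP_MISS/200 900 GET http://msgr.hotmail.com.example.net/ - DIRECT/192.0.2.30 text/html
"""

def host_of(method, url):
    # CONNECT lines log "host:port"; other methods log a full URL.
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()

def is_msn(host):
    # Match on a label boundary so look-alike hosts are not counted.
    return any(host == s or host.endswith("." + s) for s in MSN_SUFFIXES)

def msn_usage(lines, idle_gap=IDLE_GAP):
    """Return {client_ip: (session_count, total_seconds)} for MSN traffic."""
    spans = defaultdict(list)
    for line in lines:
        f = line.split()
        try:
            end, elapsed_ms = float(f[0]), int(f[1])
            client, method, url = f[2], f[5], f[6]
        except (IndexError, ValueError):
            continue  # skip truncated or malformed lines
        if is_msn(host_of(method, url)):
            # Squid logs when the request ends, so the start is end minus elapsed.
            spans[client].append((end - elapsed_ms / 1000.0, end))
    report = {}
    for client, ivs in spans.items():
        ivs.sort()
        sessions = [list(ivs[0])]
        for start, end in ivs[1:]:
            if start - sessions[-1][1] <= idle_gap:   # same session: extend it
                sessions[-1][1] = max(sessions[-1][1], end)
            else:
                sessions.append([start, end])
        report[client] = (len(sessions), round(sum(e - s for s, e in sessions)))
    return report

if __name__ == "__main__":
    for ip, (n, secs) in sorted(msn_usage(SAMPLE_LOG.splitlines()).items()):
        print(f"{ip}: {n} session(s), {secs} s on MSN hosts")
```

The per-client totals can be fed to RRDtool or any other grapher; this only sees clients that actually go through the proxy, so direct connections have to be closed at the firewall first.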


rootlinux
post Mar 5 2005, 08:29 AM

You can try configuring a transparent proxy in your firewall...

With a transparent proxy, you can set up a deny ACL for the MSN server.

TSrobertngo
post Mar 5 2005, 08:54 AM



QUOTE(rootlinux @ Mar 5 2005, 08:29 AM)
You can try configuring a transparent proxy in your firewall...

With a transparent proxy, you can set up a deny ACL for the MSN server.
*
I already have a squid proxy on my firewall server; now I need to make sure that everyone can only use MSN through the proxy and that I have some way to monitor this traffic. Now the problem is that people can go directly to the MSN network; if 92grad is correct, this may be because MSN uses the email connection to bypass the proxy.

rootlinux
post Mar 5 2005, 09:36 AM

The MSN Messenger will try to connect to baym-gw20.msgr.hotmail.com via port 80 if port 1863 is blocked

baym-gw20.msgr.hotmail.com is one of the MSN servers, am I right?

