From vile@usmo.com Sat Jun 13 10:39:50 1998 Date: Tue, 2 Jun 1998 11:13:38 -0500 From: Anber Rybar Reply-To: icq-devel@tjsgroup.com To: icq-devel@tjsgroup.com Subject: [ICQdev] ICQ Message Protocol (TCP). This is what I got out of sniffing a TCP Message session. Sorry if this has already been done and/or is erroneous. I'm posting the summary, if you would like to see a commented sniff session let me know. CQ_MSG_HDR consists of six parts (u_long, u_short, u_short, u_short, u_long, u_short) Your UIN. Your ICQ Version (0x0002). C_SEND_MSG (0x07EE). Spacing Null (2 bytes). Your UIN. Static type of u_short (0x0001). ICQ_MSG consists of three parts: (u_short, char *): Size of Message+1 (type u_short) Message Null of type u_char. (typical to a string :) ) ICQ_MSG_FOOTER is nine parts: (u_long twice, u_short, u_char, u_short, u_short, u_char, u_char, u_long) Your IP twice. Your Port (u_short). Null (0x00). His Port (u_short). Static (0x0010). Dynamic Variable I don't really understand (type u_char). Static (0xFF). Static (0xFFFF). If you can help me out with the dynamic u_char i would be greatly appreciative :) ICQ_MSG_ACK is two parts (with subparts): ICQ_MSG_ACK_HDR consists of: Your uin. ICQ Version (0x0002) Command (0x07DA) NULL (0x0000) Your uin. 0x0001 twice. ICQ_MSG_ACK_FOOTER contains: Your IP Address x 2 (for v2). Your Port. His Port Null (type u_long). Ref Code (type u_char). 0xFF and 0xFFFF. I'm calling the dynamic u_char a reference code here because it contains the same code in the ACK as in the message, but it seems to change from message to message, might it be a checksum? -- [ vile@usmo.com | http://www.usmo.com/~vile | Ryan T. Barber ] [ "You have reached the edge of within, and it goes on forever." ] ===================================================== The "unoffical, not-sponsored-by-Mirabilis-one-bit" ICQ Clone Development List