1# Yahoo messenger - an instant messenger protocol - http://yahoo.com 2# Pattern attributes: good fast fast 3# Protocol groups: chat proprietary 4# Wiki: http://www.protocolinfo.org/wiki/Yahoo_Messenger 5# 6# Usually runs on port 5050 7# 8# This pattern has been tested and is believed to work well. 9 10yahoo 11# http://www.venkydude.com/articles/yahoo.htm says: 12# All Yahoo commands start with YMSG. 13# (Well... http://ethereal.com/faq.html#q5.32 suggests that YPNS and YHOO 14# are also possible, so let's allow those) 15# The next 7 bytes contain command (packet?) length and version information 16# which we won't currently try to match. 17# L means "YAHOO_SERVICE_VERIFY" according to Ethereal 18# W means "encryption challenge command" (YAHOO_SERVICE_AUTH) 19# T means "login command" (YAHOO_SERVICE_AUTHRESP) 20# (there are others, i.e. 0x01 "coming online", 0x02 "going offline", 21# 0x04 "changing status to available", 0x06 "user message", but W and T 22# should appear in the first few packets.) 23# 0xC080 is the standard argument separator, it should appear not long 24# after the "type of command" byte. 25 26^(ymsg|ypns|yhoo).?.?.?.?.?.?.?[lwt].*\xc0\x80 27