So I'll be using the SockSniffer scripts I prepared and wrote about earlier [1], [2].
$ tar xvzf SockSniffer.0.2.tar.gz
$ mkdir jail
$ cd jail
$ $HOME/SockSniffer.0.2/makejail.sh
$ sudo $HOME/SockSniffer.0.2/mountjail.sh
$ sudo chroot $PWD
$ su my_user_name
$ cd
$ gdlinux
Now we should have two Google Desktop icons in the taskbar.
In chrooted console:
$ cd .google/desktop
In another console:
$ rm a1_sock
$ mkdir socksniff_logs
$ cd socksniff_logs
$ $HOME/SockSniffer.0.2/socksniff $HOME/.google/desktop/a1_sock $HOME/jail$HOME/.google/desktop/a1_sock
Now use the Google Desktop for a while.
Close it.
Kill the socksniff process (e.g. using ^c).
In socksniff console:
$ $HOME/SockSniffer.0.2/sockmerge
Open $HOME/socksniff_logs/dumps/merge.pcap in wireshark.
That's it. Now we can analyze the traffic.
And here's an example dump.
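As an added example (not the SockSniffer code, whose internals the post does not show), here is a minimal version of what the socksniff step does, in Python: it binds the socket path the client will connect to, connects to the real daemon's socket, copies bytes both ways while recording them, and writes the recording as a pcap file using a private link type with a one-byte direction tag in front of each chunk. The socket names, the pcap frame layout and the echo server standing in for the daemon are assumptions made for the demo; the sample message is the ListenPort query from the dump discussed in the comments.

```python
import os, selectors, socket, struct, tempfile, threading

LINKTYPE_USER0 = 147            # private pcap link type; Wireshark can map it to a dissector
DIR_CLIENT, DIR_SERVER = 0, 1   # first byte of each pcap frame: which way the bytes flowed

# The ListenPort query from the dump on this page, used as the demo's sample traffic.
SAMPLE_REQUEST = bytes.fromhex(
    "2f2325be 03000000 21000000 00000000 00000000 00000000 "
    "01000000 07000000 5c436f6d6d6f6e 0a000000 4c697374656e506f7274 04000000")


def make_listener(path):
    """Bind and listen on a Unix socket path, replacing a stale socket file first."""
    if os.path.exists(path):
        os.unlink(path)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(1)
    return srv


def proxy_one_connection(listener, target_path, log):
    """Accept one client, connect to the real server, copy bytes both ways into log."""
    client, _ = listener.accept()
    listener.close()
    upstream = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    upstream.connect(target_path)
    peers = {client: (upstream, DIR_CLIENT), upstream: (client, DIR_SERVER)}
    sel = selectors.DefaultSelector()
    for s in peers:
        sel.register(s, selectors.EVENT_READ)
    open_sides = set(peers)
    while open_sides:                       # run until both sides have hung up
        for key, _ in sel.select():
            sock = key.fileobj
            other, direction = peers[sock]
            data = sock.recv(65536)
            if not data:                    # EOF: stop reading this side, pass the half-close on
                sel.unregister(sock)
                open_sides.discard(sock)
                try:
                    other.shutdown(socket.SHUT_WR)
                except OSError:
                    pass
                continue
            log.append((direction, data))   # record, then forward unchanged
            other.sendall(data)
    sel.close()
    client.close()
    upstream.close()


def to_pcap(log, t0=0):
    """pcap file: 24-byte global header, then a 16-byte record header + frame per chunk."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_USER0)]
    for i, (direction, data) in enumerate(log):
        frame = bytes([direction]) + data
        # constructed timestamps one second apart, so Wireshark keeps the capture order
        out.append(struct.pack("<IIII", t0 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def echo_server(listener):
    """Constructed stand-in for the real daemon: echoes until the client hangs up."""
    conn, _ = listener.accept()
    listener.close()
    while True:
        data = conn.recv(65536)
        if not data:
            break
        conn.sendall(data)
    conn.close()


def sniff_roundtrip(payload):
    """Run server, proxy and client in one process; return (log, pcap bytes, reply)."""
    with tempfile.TemporaryDirectory() as d:
        real_sock = os.path.join(d, "a1_sock.real")   # where the server really listens
        proxy_sock = os.path.join(d, "a1_sock")        # the path the client connects to
        log = []
        t_srv = threading.Thread(target=echo_server, args=(make_listener(real_sock),), daemon=True)
        t_prx = threading.Thread(target=proxy_one_connection,
                                 args=(make_listener(proxy_sock), real_sock, log), daemon=True)
        t_srv.start()
        t_prx.start()
        c = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        c.settimeout(5)
        c.connect(proxy_sock)
        c.sendall(payload)
        reply = c.recv(65536)
        c.close()
        t_prx.join(5)
        t_srv.join(5)
        return log, to_pcap(log), reply


if __name__ == "__main__":
    log, pcap, _ = sniff_roundtrip(SAMPLE_REQUEST)
    for direction, data in log:
        print("client -> server" if direction == DIR_CLIENT else "server -> client", data.hex())
    with open("merge.pcap", "wb") as f:
        f.write(pcap)
```

Wireshark opens the resulting file; with no dissector mapped to link type 147 in its DLT_USER preferences, each frame shows as raw data, which is all the hex-level analysis in the comments needs. The proxy handles one connection and then exits, so a daemon that accepts several clients needs the accept loop run per connection, as the real socksniff tool does for the whole session.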
3 comments:
Looks like boring usage statistics. What are you hoping to find?
Google Desktop API:
< quote >
Getting the Stored Query URL
The stored query URL has the first part of the URL that you need to perform any Google Desktop query. It looks something like the following:
http://127.0.0.1:4664/search&s=1ftR7c_hVZKYvuYS-RWnFHk91Z0?q=
How you get the stored query URL depends on whether your code is running on Windows or Mac OS X.
Windows
Get the query URL from the registry using the following value name:
HKEY_CURRENT_USER\Software\Google\Google Desktop\API\search_url
Mac OS X
Use CFPreferences to fetch the stored query URL from the user preferences domain com.google.Desktop.WebServer using the key search_url. For example:
CFStringRef val = CFPreferencesCopyValue(
    CFSTR("search_url"),
    CFSTR("com.google.Desktop.WebServer"),
    kCFPreferencesCurrentUser,
    kCFPreferencesAnyHost);
if (val) {
    // act on the value
    CFRelease(val);
}
< /quote >
Nothing like this for Linux so far.
Looking in the dump we have:
* Client *
0000  2f 23 25 be 03 00 00 00 21 00 00 00 00 00 00 00  /#%.....!.......
0010  00 00 00 00 00 00 00 00 01 00 00 00 07 00 00 00  ................
0020  5c 43 6f 6d 6d 6f 6e 0a 00 00 00 4c 69 73 74 65  \Common....Liste
0030  6e 50 6f 72 74 04 00 00 00                       nPort....
* Server *
0000  2f 23 25 be 06 00 00 00 0c 00 00 00 00 00 00 00  /#%.............
0010  00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00  ................
0020  5e 7b 00 00                                      ^{..
Key here is: 5e 7b => 94 123
123 + 94*256 = 24187 - and this was the port on which Google Desktop was listening.
Also there is:
* Client *
0000  2f 23 25 be 03 00 00 00 27 00 00 00 00 00 00 00  /#%.....'.......
0010  00 00 00 00 00 00 00 00 01 00 00 00 07 00 00 00  ................
0020  5c 43 6f 6d 6d 6f 6e 10 00 00 00 53 65 63 75 72  \Common....Secur
0030  69 74 79 54 6f 6b 65 6e 4b 65 79 08 00 00 00     ityTokenKey....
Which sounds promising as without the security token we cannot make custom queries. But I didn't have time to decode the response.
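As an added example (not from the post, the comments or Google), here is a parser for the framing visible in the three dumps above, with the bytes copied from those dumps. Only the magic and the length fields are certain: the payload length word (21, 0c, 27) matches the bytes that follow the 24-byte header exactly, and the strings are prefixed by a little-endian length. The other field names are guesses from the captured values and are labelled so in the code. Because the length words are little-endian while the comment reads the port bytes 5e 7b as 0x5e7b, the helper returns both readings of the reply value so they can be checked against netstat.

```python
import struct

MAGIC = bytes.fromhex("2f2325be")
# 24-byte header as observed: magic, message type (3 = request, 6 = reply in the dumps),
# payload length, then three words that are zero in every captured frame (purpose unknown).
HEADER = struct.Struct("<4sIIIII")

# The three frames from the dumps, copied byte for byte.
LISTEN_PORT_REQUEST = bytes.fromhex(
    "2f2325be 03000000 21000000 00000000 00000000 00000000 "
    "01000000 07000000 5c436f6d6d6f6e 0a000000 4c697374656e506f7274 04000000")
LISTEN_PORT_REPLY = bytes.fromhex(
    "2f2325be 06000000 0c000000 00000000 00000000 00000000 "
    "00000000 01000000 5e7b0000")
SECURITY_TOKEN_REQUEST = bytes.fromhex(
    "2f2325be 03000000 27000000 00000000 00000000 00000000 "
    "01000000 07000000 5c436f6d6d6f6e 10000000 5365637572697479546f6b656e4b6579 08000000")


def parse_frame(buf):
    """Cut one frame off the front of buf: (type, payload, rest), or None if incomplete."""
    if len(buf) < HEADER.size:
        return None
    magic, mtype, plen, _z0, _z1, _z2 = HEADER.unpack_from(buf)
    if magic != MAGIC:
        raise ValueError("bad magic %r" % bytes(buf[:4]))
    end = HEADER.size + plen
    if len(buf) < end:
        return None                     # payload not fully received yet
    return mtype, bytes(buf[HEADER.size:end]), bytes(buf[end:])


def parse_stream(buf):
    """Frames arrive back to back on the socket; return (complete frames, leftover bytes)."""
    frames = []
    while True:
        f = parse_frame(buf)
        if f is None:
            return frames, buf
        mtype, payload, buf = f
        frames.append((mtype, payload))


def read_string(payload, off):
    """Length-prefixed string: u32 length, then that many raw bytes, no terminator."""
    (n,) = struct.unpack_from("<I", payload, off)
    off += 4
    return payload[off:off + n].decode("ascii"), off + n


def parse_request(payload):
    """Layout seen in both type-3 frames; the names 'flag' and 'size' are guesses."""
    (flag,) = struct.unpack_from("<I", payload, 0)
    key, off = read_string(payload, 4)          # "\Common" in both captured requests
    name, off = read_string(payload, off)       # "ListenPort" / "SecurityTokenKey"
    (size,) = struct.unpack_from("<I", payload, off)   # 4 and 8: probably the expected value size
    return {"flag": flag, "key": key, "name": name, "size": size}


def parse_reply(payload):
    """Type-6 frame: two words (status? count? both guesses) and then the raw value."""
    status, count = struct.unpack_from("<II", payload, 0)
    return {"status": status, "count": count, "value": payload[8:]}


def port_readings(value):
    """Both ways to read the 4-byte ListenPort value; the comment reports the big-endian one."""
    return {"big_endian_u16": int.from_bytes(value[:2], "big"),      # 0x5e7b = 24187
            "little_endian_u32": struct.unpack("<I", value)[0]}      # 0x7b5e = 31582


if __name__ == "__main__":
    frames, rest = parse_stream(LISTEN_PORT_REQUEST + LISTEN_PORT_REPLY + SECURITY_TOKEN_REQUEST)
    for mtype, payload in frames:
        print(mtype, parse_request(payload) if mtype == 3 else parse_reply(payload))
```

The same parser applied to the reply of the SecurityTokenKey request (which the comment did not get to) would hand back an 8-byte value; whether it is the token itself or a key to look it up is not something the capture shows.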
What about the Linux key?