ICQ filter classifies OSCAR protocol used by ICQ/AIM clients.

Category: Protocol filter

Supported flags:


Object types:
OT_ICQ_LOGIN - outgoing OSCAR login request packet
OT_ICQ_REQUEST - outgoing OSCAR packet (FLAP)
OT_ICQ_RESPONSE - incoming OSCAR packet (FLAP)
OT_ICQ_CHAT_MESSAGE_OUTGOING - outgoing chat message
OT_ICQ_CHAT_MESSAGE_INCOMING - incoming chat message

Indicates object parts: no

Each indicated object contains a main stream ICQS_RAW with packet contents. The other streams are informational, i.e. ProtocolFilters ignores them when client application posts OT_ICQ_* objects to destination.

OT_ICQ_LOGIN object is indicated when ICQ client initiates a connection with server. The object contains two streams:
- ICQS_RAW - packet contents.
- ICQS_USER_UIN - ANSI string with user account UIN.

OT_ICQ_REQUEST and OT_ICQ_RESPONSE contain outgoing/incoming ICQ packets (FLAP structures) in ICQS_RAW stream. These objects are indicated for all unclassified ICQ requests/responses.

OT_ICQ_CHAT_MESSAGE_OUTGOING and OT_ICQ_CHAT_MESSAGE_INCOMING contain an outgoing/incoming chat message, sent or received via ICBM service. Each message object contains ICQS_RAW stream with packet contents and the following informational streams:
- ICQS_USER_UIN - ANSI string with user account UIN.
 -ICQS_CONTACT_UIN - ANSI string with UIN of remote contact.
- ICQS_TEXT_FORMAT - 4-byte integer that describes the format of ICQS_TEXT stream.
- ICQS_TEXT - Sequence of ANSI, UTF8 or Unicode characters, depending on ICQS_TEXT_FORMAT value (no zero byte/short at the end).

The following values are defined for ICQS_TEXT_FORMAT:
- ICQTF_ANSI - ICQS_TEXT contains a sequence of ANSI characters.
- ICQTF_UTF8 - ICQS_TEXT contains a sequence of UTF8 characters.
- ICQTF_UNICODE - ICQS_TEXT contains a sequence of Unicode characters.
- ICQTF_FILE_TRANSFER - ICQS_TEXT contains an informational ANSI string, describing incoming/outgoing file transfer request. According to OSCAR specification the clients send transfer requests via ICBM service, used for sending chat messages. The filter converts some information about file transfer to text format and saves the result to ICQS_TEXT stream. This text is formatted as list of <name>: <value> strings, delimited with \r\n sequences.

The following headers are added to ICQS_TEXT for file transfer requests:
File-Count - number of transmitted files.
Total-Bytes - total number of bytes in transmitted files.
File-Name - ANSI string with a file name. It is empty when File-Count is larger than 1, i.e. a client transmits multiple files.

Supported clients:

FT_ICQ supports filtering ICQ and clones that use OSCAR v7+ protocol. Some clients use own servers as proxies for communicating with ICQ (AOL) servers. For example Digsby connects to ICQ network via own server using port 443, and encrypts the transmitted data with SSL. To apply FT_ICQ filter in this case add to chain FT_SSL preprocessor before FT_ICQ. The latest versions of AIM also protect the data connections with SSL. To filter the encrypted connections the root certificate of ProtocolFilters must be imported to AIM storage with import_root_cert.

It makes sense to add FT_PROXY preprocessor first in chain, to allow filtering OSCAR communications via HTTPS and SOCKS proxies.

Note that users can upload files to remote servers, and simply send a link instead of using native OSCAR file transfer service. Some ICQ clients like QIP can do this automatically.


The official OSCAR protocol specification: http://dev.estage.aol.com/aim/oscar/
Third-party OSCAR specification: http://iserverd.khstu.ru/oscar/