FT_ICQ
ICQ filter classifies OSCAR protocol used by ICQ/AIM clients.
Category: Protocol filter
Supported flags:
FF_READ_ONLY_IN
FF_READ_ONLY_OUT
Object types:
OT_ICQ_LOGIN - outgoing OSCAR login request packet
OT_ICQ_REQUEST - outgoing OSCAR packet (FLAP)
OT_ICQ_RESPONSE - incoming OSCAR packet (FLAP)
OT_ICQ_CHAT_MESSAGE_OUTGOING - outgoing chat message
OT_ICQ_CHAT_MESSAGE_INCOMING - incoming chat message
Indicates object parts: no
Each indicated object contains a main stream ICQS_RAW with packet contents. The
other streams are informational, i.e. ProtocolFilters ignores them when client application
posts OT_ICQ_* objects to destination.
OT_ICQ_LOGIN object is indicated when ICQ client initiates a connection with server.
The object contains two streams:
- ICQS_RAW - packet contents.
- ICQS_USER_UIN - ANSI string with user account UIN.
OT_ICQ_REQUEST and OT_ICQ_RESPONSE contain outgoing/incoming ICQ packets (FLAP structures)
in ICQS_RAW stream. These objects are indicated for all unclassified ICQ requests/responses.
OT_ICQ_CHAT_MESSAGE_OUTGOING and OT_ICQ_CHAT_MESSAGE_INCOMING contain an outgoing/incoming
chat message, sent or received via ICBM service. Each message object contains ICQS_RAW
stream with packet contents and the following informational streams:
- ICQS_USER_UIN - ANSI string with user account UIN.
-ICQS_CONTACT_UIN - ANSI string with UIN of remote contact.
- ICQS_TEXT_FORMAT - 4-byte integer that describes the format of ICQS_TEXT stream.
- ICQS_TEXT - Sequence of ANSI, UTF8 or Unicode characters, depending on ICQS_TEXT_FORMAT
value (no zero byte/short at the end).
The following values are defined for ICQS_TEXT_FORMAT:
- ICQTF_ANSI - ICQS_TEXT contains a sequence of ANSI characters.
- ICQTF_UTF8 - ICQS_TEXT contains a sequence of UTF8 characters.
- ICQTF_UNICODE - ICQS_TEXT contains a sequence of Unicode characters.
- ICQTF_FILE_TRANSFER - ICQS_TEXT contains an informational ANSI string, describing
incoming/outgoing file transfer request. According to OSCAR specification the clients send transfer
requests via ICBM service, used for sending chat messages. The filter converts some
information about file transfer to text format and saves the result to ICQS_TEXT
stream. This text is formatted as list of <name>: <value> strings, delimited
with \r\n sequences.
The following headers are added to ICQS_TEXT for file transfer requests:
File-Count - number of transmitted files.
Total-Bytes - total number of bytes in transmitted files.
File-Name - ANSI string with a file name. It is empty when File-Count is larger
than 1, i.e. a client transmits multiple files.
Supported clients:
FT_ICQ supports filtering ICQ and clones that use OSCAR v7+ protocol. Some clients
use own servers as proxies for communicating with ICQ (AOL) servers. For example
Digsby connects to ICQ network via own server using port 443, and encrypts the transmitted
data with SSL. To apply FT_ICQ filter in this case add to chain FT_SSL preprocessor
before FT_ICQ. The latest versions of AIM also protect the data connections with
SSL. To filter the encrypted connections the root certificate of ProtocolFilters
must be imported to AIM storage with
import_root_cert.
It makes sense to add FT_PROXY preprocessor first in chain, to allow filtering OSCAR
communications via HTTPS and SOCKS proxies.
Note that users can upload files to remote servers, and simply send a link instead
of using native OSCAR file transfer service. Some ICQ clients like QIP can do this
automatically.
References:
The official OSCAR protocol specification:
http://dev.estage.aol.com/aim/oscar/
Third-party OSCAR specification:
http://iserverd.khstu.ru/oscar/