January 25th, 2009 Leave a comment Go to comments

IMSpector works by intercepting connections to IM servers, when those connections are to the “official” port number assigned to the protocol.

It is normally run on the routing machine in the network. This would typically be the Linux box shoved in the corner doing NATing onto an Internet connection. It wll run anywhere that a webproxy could be used to do transparent proxying including on an ethernet bridge.  Please note that the clients themselves do not have to be routed directly through the IMSpector host; they might alternativly be HTTP proxying through a webproxy such as Squid, situated behind the machine running IMSpector.  In this instance, the client would have to be making a HTTP CONNECT request through the proxy; if the IM session is encapsulated in GET requests then IMSpector will not see the IM session.

Using redirect trickery, it is also possible to combine the proxy server (be it HTTP or SOCKS) onto a single machine.

Finally, using IMSpector’s built-in HTTP CONNECT proxy, you can configure your client to proxy through IMSpector directly. This does not require any iptable redirects, and would work nicely if the IM client and IMSpector were running on the same host. Note that this only works with clients that use the CONNECT method to connect to the IM server. It will not work on clients that encapsulate the IM connetion through GET requests.  This unfortunately excludes the official Microsoft MSN client, and Yahoo! Messenger.  Multi-protocol clients (such as pidgin and Adium) generally proxy with HTTP CONNECT so will work fine in this setup.

In short, in all but exceptional circumstances the best and simplest deployment method is to install IMSpector onto your network’s router.  You are then guaranteed to capture all outgoing IM traffic.

System requirements are minimal, although with a large number of local users IMSpector will fork many copies of itself (a typical MSN connection can consist of a dozen or more concurrent connections).

Download the code, and untar. Currently there is no configure script, so you must configure the Makefile by hand (if needed) and run make. There are no dependancies beyond a working C++ compiler, unless you are planning to use a SQL logging plugin. Also, if you want to enable SSL interception, the OpenSSL libraries should also be present. Please note that GCC prior to v3 is known not to work due to its incomplete STL implementation. In the event that you wish to build the SQL logging plugins, you will also need the client libraries. The SQLite plugin requires the sqlite3 client libraries and headers to be installed.

The Makefile, trivial that it is, contains one variable, PREFIX that you can set to the target dir of the install. The default is /usr, which is probably okay for most people.

By default, IMSpector will link against OpenSSL and assume that the headers and libraries are under /usr. If you have an OpenSSL install in a non-standard location, or you do not requre SSL support, please modify the Makefile accordingly.

Note that if you chagne the PREFIX value (say to /usr/local) you will need to adjust the plugin_dir config option to tell IMSpector where to look for plugins.

To build IMSpector under BSD, follow the instructions in the Makefile.

sudo make install

If you require SSL support (for monitoring SSL IM sessions) then you will require a CA certificate. The Makefile includes commands for making a simple CA certificate that is valid for 1 year:

sudo make install-ca-cert

IMSpector is capable of setuid-ing to a non root user (indeed it has no requirement to run as root, or even be started as the root user), but the install target does not currently attempt to make a special user. Thus the default config will run as the whatever use started the program.

This will install the files as follows, assuming a PREFIX of /usr:

  • /usr/sbin/imspector – the imspector binary.
  • /usr/lib/ – a shared library that the main program and plugins share.
  • /usr/lib/imspector/* – the protocol plugins.
  • /usr/lib/imspector/* – the logging plugins.
  • /usr/lib/imspector/* – the filtering and content-manipulation plugins.
  • /usr/etc/imspector/imspector.conf – an example config file, good enough for quick playing.
  • /usr/etc/imspector/badwords.txt – an example list of swear words to block.
  • /usr/etc/imspector/acl.txt – an example of a trivial and useless ACL.
  • /usr/etc/imsepctor/servercert.pem – optional server ssl certificate.
  • /usr/etc/imspector/serverkey.pem – optional server ssl key.
  • /usr/etc/imsepctor/cacert.pem – optional ca ssl certificate.
  • /usr/etc/imspector/cakey.pem – optional ca ssl key.

Note that the plugins are loaded at runtime and can use config file entries. The plugins loaded will be logged to syslog.

After compiling and installing IMSpector, the following iptables rules are required to transparently proxy the various IM ports. This is required if you are using transparent proxying. You can of course choose which protocols you wish to proxy into IMSpector:

  • MSN: iptables -t nat -A PREROUTING -p tcp --destination-port 1863 -j REDIRECT --to-ports 16667
  • Jabber: iptables -t nat -A PREROUTING -p tcp --destination-port 5222 -j REDIRECT --to-ports 16667
  • Jabber over SSL: iptables -t nat -A PREROUTING -p tcp --destination-port 5223 -j REDIRECT --to-ports 16667
  • ICQ/AIM: iptables -t nat -A PREROUTING -p tcp --destination-port 5190 -j REDIRECT --to-ports 16667
  • Yahoo: iptables -t nat -A PREROUTING -p tcp --destination-port 5050 -j REDIRECT --to-ports 16667
  • IRC: iptables -t nat -A PREROUTING -p tcp --destination-port 6667 -j REDIRECT --to-ports 16667
  • Gadu-Gadu: iptables -t nat -A PREROUTING -p tcp --destination-port 8074 -j REDIRECT --to-ports 16667

If you are also running a webproxy, like Squid, or a SOCKS proxy, on the same machine which is operating as your network gateway, you can also redirect the outgoing Squid traffic into IMSpector:

  • MSN: iptables -t nat -A OUTPUT -p tcp --destination-port 1863 -m owner --uid-owner 100 -j REDIRECT --to-ports 16667
  • Jabber: iptables -t nat -A OUTPUT -p tcp --destination-port 5222 -m owner --uid-owner 100 -j REDIRECT --to-ports 16667
  • Jabber over SSL: iptables -t nat -A OUTPUT -p tcp --destination-port 5223 -m owner --uid-owner 100 -j REDIRECT --to-ports 16667
  • ICQ/AIM: iptables -t nat -A OUTPUT -p tcp --destination-port 5190 -m owner --uid-owner 100 -j REDIRECT --to-ports 16667
  • Yahoo: iptables -t nat -A OUTPUT -p tcp --destination-port 5050 -m owner --uid-owner 100 -j REDIRECT --to-ports 16667
  • IRC: iptables -t nat -A OUTPUT -p tcp --destination-port 6667 -m owner --uid-owner 100 -j REDIRECT --to-ports 16667
  • Gadu-Gadu: iptables -t nat -A OUTPUT -p tcp --destination-port 8074 -m owner --uid-owner 100 -j REDIRECT --to-ports 16667

Here, 100 is the User ID which the webproxy or SOCKS proxy is running as; replace it as appropriate to your system. This is needed to stop a cyclic loop whereby IMSpector’s outgoing packets to the IM servers are themselves fed into IMSpector.

These commands will obviously have to be run in your startup script.

For an inital test, run the program in debug mode:

imspector -d

Login to MSN on a machine behind the IMSpector box and you should see some debug output. Finally, send someone a message and it should be logged both on the console and into a logfile within the logging directory. Rerun the program without the -d switch to force it into the background.

Also included in the code archive (contrib directory) is a CGI, imspector.cgi. This CGI is a log viewer of IMSpector logs, written in perl. It has no dependancies other then a working perl installation and should be installed under a webserver’s cgi-bin directory. Before deployment, the script should be edited and the configuration variables (set at the top of the file) changed to match your installation. If you are feeling adventerous, the script can also be customised and the colours changed etc. Please note that this viewer can only view text file logs, and is not able to view logs stored in a database.

  1. notRly
    April 6th, 2009 at 13:42 | #1

    I’ve installed socks5 dante proxy and imspector under ubuntu linux.
    socks5 running on port 1080. Imspector is on 16667 and on 18080 for HTTP.

    ICQ is working nicely directly throught socks5.

    Then, I add:
    iptables -t nat -A PREROUTING -p tcp –destination-port 1080 -j REDIRECT –to-ports 16667
    iptables -t nat -A OUTPUT -p tcp –destination-port 1080 -m owner –uid-owner 0 -j REDIRECT –to-ports 16667

    And get the following error:
    imspector: Non-HTTP connection from:
    imspector: Client is connecting to:
    imspector: Error: Don’t know how to handle connection to
    imspector: Finished with child:

    I get the same error, when connecting directly to imspector on port 16667 as to SOCK5 proxy.

    When I use imspector as a HTTP proxy on 18080 and connect directly to it everything is working ok, but i need it working as socks5. What am I doing wrong? It seems to me something is wrong with iptables routing.

  2. notRly
    April 6th, 2009 at 13:43 | #2

    P.S. my imspector version is 0.8 and my icq client is connecting to on port 5190

  3. April 7th, 2009 at 17:27 | #3

    You are using the wrong destination port. The port that you want to put into IMSPector is the ICQ port (5190). So in your iptables rule, change –destination-port 1080 to –destination-port 5190. Think about it like this: IMSpector does not care what port your SOCKs server is listening on; it is interested only in the outgoing connectiont to the ICQ server that it will make via the tunnel to the client.

  4. notRly
    April 8th, 2009 at 14:03 | #4

    Thanks for your answer.

    I just don’t get how should my redirects work.
    I see it like:
    client ( via socks5:1080) -> socks5:1080 -> imspector:16667 ->

    In theory, I need a redirect for that:
    iptables -t nat -A OUTPUT -p tcp –destination-port 5190 -m owner –uid-owner 0 -j REDIRECT –to-ports 16667

    But in fact imspector get no data and client connects to icq server directly via socks5 proxy. So I need to make another redirect, but I don’t know which one. Could you help me with that?

  5. lel
    May 11th, 2009 at 08:50 | #5

    Hi, I’m having trouble installing in UBUNTU 8.10 32Bits, this gives me this error,

    This is the error that gives

    root@gateway:~/imspector-0.8# make
    g++ -Wall -O2 -fPIC -I/usr/include -DHAVE_SSL main.cpp -c
    In file included from main.cpp:10:
    imspector.h:40:25: error: openssl/ssl.h: No such file or directory
    imspector.h:41:25: error: openssl/bio.h: No such file or directory
    imspector.h:42:25: error: openssl/err.h: No such file or directory

  6. May 11th, 2009 at 18:08 | #6

    You need to install the openssl dev package. In ubuntu you can do this by doing:

    apt-get install libssl-dev

    IMSpector will hopefully build properly then.


  7. May 12th, 2009 at 20:44 | #7

    I’m doing a test on Ubuntu 9.0.4, I correindo IMSpector, but not as a result of this view, as I can see the result of IMSpector in UBUNTU 9.0.4

  8. May 12th, 2009 at 20:46 | #8

    How to access IMSpactor in ubuntu. I got it running, but I do not know how to choose the outcome,
    have a web console, where I can see the results, which I view the results of IMSpector under ubuntu 9.0.4

  9. lel
    May 13th, 2009 at 08:20 | #9

    How to start the imspector daemon.

  10. fingerslan
    June 4th, 2009 at 11:17 | #10

    I have several issues here.
    1. Nothing was logged in /var/log/imspector
    I have removed #log_typing_events=on and file_logging_dir=/var/log/imspector in imspector.conf.
    After installing imspector, I did not find imspector directory created under /var/log. So I created imspector directory.

    2. badwords were not blocked

    can you please help? Thanks alot.

  11. fingerslan
    June 4th, 2009 at 11:19 | #11

    Oh one more thing.
    Can you please tell me how do I know if my im sessions actually redirected to imspector (port 16667)?

    Thanks alot.

  12. June 4th, 2009 at 19:03 | #12

    You need to run imspector with the -d switch to track this down. It will show you if imspector is catching the outgoing requests.

  13. darthanubis
    June 10th, 2009 at 06:07 | #13

    imspector: Client is connecting to:
    imspector: Error: Don’t know how to handle connection to
    imspector: Finished with child:

    Having issues with my smoothwall express 3 improxy not even generating a log file? I got this input by running xchat through the privoxy proxy installed on the smoothie. I have the advanced web proxy running as well. It seems like my data is being directed to the correct port (16667) but no joy. The guys at the forums have not been able to help as of yet, and was hoping you could provide some insight?

    Thank you.

  14. darthanubis
    June 10th, 2009 at 14:55 | #14

    Changing my DNS servers resolved the issue.

  15. July 14th, 2009 at 14:52 | #15

    It sounds like you are not using IMSpector transparently? You should not configure the client to connect to the IMSpector 16667 port.

  16. Andrew
    September 21st, 2009 at 06:02 | #16

    Hellow all
    I want make actual version imspector on FreeBSD 6.2 and have a little compile problem with icqprotocolplugin.ccp:
    Compile process:
    c++ -O2 -fno-strict-aliasing -pipe main.cpp -c
    c++ -O2 -fno-strict-aliasing -pipe protocolplugin.cpp -c
    c++ -O2 -fno-strict-aliasing -pipe loggingplugin.cpp -c
    c++ -O2 -fno-strict-aliasing -pipe filterplugin.cpp -c
    c++ -O2 -fno-strict-aliasing -pipe responderplugin.cpp -c
    c++ -O2 -fno-strict-aliasing -pipe socket.cpp -c
    c++ -O2 -fno-strict-aliasing -pipe options.cpp -c
    c++ -O2 -fno-strict-aliasing -pipe tools.cpp -c
    c++ socket.o options.o tools.o -fPIC -shared -Wl,-soname, -o
    c++ main.o protocolplugin.o loggingplugin.o filterplugin.o responderplugin.o -o imspector -L/usr/bin/lib -lssl
    c++ -O2 -fno-strict-aliasing -pipe msnprotocolplugin.cpp -c
    c++ msnprotocolplugin.o -fPIC -shared -Wl,-soname, -o

    c++ -O2 -fno-strict-aliasing -pipe icqprotocolplugin.cpp -c
    icqprotocolplugin.cpp: In function `int getmessage(char**, char*, int, std::string&, int&, int&)’:
    icqprotocolplugin.cpp:676: error: invalid conversion from `char**’ to `const char**’
    *** Error code 1
    grep from icqprotocolplugin.cpp:

    #define GET_ARGS char **p, char *startp, int lengthp
    int getmessage(GET_ARGS, std::string &message, int &mestart, int &melength);

    It’s a not one problem with “make install” IMSpector on FreeBSD, but other problems are already solved.

    Thnx 4u support.

  17. September 22nd, 2009 at 15:35 | #17

    Change line 671 to “const char *inbuf = string;”. Should help. Or see if you can get gcc to not error on those “warnings”.

    What are the other issue you had to fix? Could you email me a diff?

  18. Andrew
    September 24th, 2009 at 07:37 | #18

    Good time 4u, Lawrence!
    I have written you the letter with the detailed description of my operations and I hope together with you to understand this problem.
    I mailed u on “lawrence aslak dot net”.

  19. Andrew
    October 7th, 2009 at 03:55 | #19

    I do not receive the answer from you on e-mail.
    Now, I stopped with:
    # imspector -d
    imspector: dlopen(): /usr/lib/imspector/ Undefined symbol “dl_iconv”
    I have iconv-2.0_3 is already installed and I used this 4 compile Imspector together

  20. October 7th, 2009 at 14:25 | #20

    Unfortunately I don’t know much about BSD, sorry…. Do you need ICQ/AIM? If not, just rm that plugin.

  21. tauri
    December 8th, 2009 at 05:11 | #21

    tauri :
    bad english, sorry
    for imspector 0.9, freeBSD 7.2 stable
    in Makefile
    $(CXX) icqprotocolplugin.o $(PLUGIN_FLAGS)
    $(CXX) icqprotocolplugin.o $(PLUGIN_FLAGS) -L$(PREFIX)/lib -liconv

  22. tauri
    December 9th, 2009 at 07:05 | #22
  23. ildoctorxli
    March 25th, 2010 at 15:40 | #23

    I had a problem when trying to run the command make from fedora 12

    g++ -Wall -O2 -fPIC -I/usr/include -DHAVE_SSL sslstate.cpp -c
    sslstate.cpp: In member function âbool SSLState::init(Options&, bool)â:
    sslstate.cpp:32: error: invalid conversion from âconst SSL_METHOD*â to âSSL_METHOD*â
    make: ** [sslstate.o] Erro 1

    What is this and have some solution?

  24. klif_leopard
    April 29th, 2010 at 05:56 | #24

    Hi all!
    I had a problem when trying to run the command make from fedora 12

    g++ -Wall -O2 -fPIC -I/usr/include -DHAVE_SSL sslstate.cpp -c
    sslstate.cpp: In member function ‘bool SSLState::init(Options&, bool)’:
    sslstate.cpp:54: ошибка: некорректное преобразование из ‘const SSL_METHOD*’ в ‘SSL_METHOD*’
    make: *** [sslstate.o] Ошибка 1

    What is this and have some solution? Version imspector-20100324.tar.gz

  25. senomoto
    August 17th, 2010 at 20:33 | #25

    My network has a firewall with NAT, I installed imspector and block any 443/tcp (https) connection on proxy rule.

    I had this symptom: msn messenger can log into MSN Network, he can receive messages anytime, but after 2 minutes of last received message, I cant send any message. After few hours debugging, the solution was: on my proxy rules, enable client access to the domains and using 443/tcp port.

  26. cassioseffrin
    September 20th, 2010 at 14:35 | #26

    Hello Klif Leopard,

    Where you donwloaded this file: imspector-20100324.tar.gz?

    Best Regards

  27. cassioseffrin
    September 20th, 2010 at 14:43 | #27

    Sorry Klif,

    Now I found in snapshots donwloads, I have this problem in Debian, I don’t know why, but it’s some problem with the build packages. I just reinstall debianm, the same version debian5 lenny and this problem dont’t occours again. I guess it’s a problem with a gcc library.


  28. cassioseffrin
    September 20th, 2010 at 14:54 | #28

    cassioseffrin :
    Sorry Klif,
    Now I found in snapshots donwloads, I have this problem in Debian, I don’t know why, but it’s some problem with the build packages. I just reinstall debian, the same version debian5 lenny and this problem dont’t occours again. I guess it’s a problem with a gcc library.

  29. cassioseffrin
    September 21st, 2010 at 13:55 | #29

    Hello Klif

    I had a similar problem with debian. The instalation of package libssl-dev solved the problem.

    apt-get install libssl-dev
    openssl/ssl.h, openssl/bio.h, openssl/err.h

    This package is reponsable for some needed files located in /usr/include/openssl/

    Please verify if you have similar package installed in your fedora12. Type in shell: rpm -qa |grep ssl and verify the results.


  1. February 21st, 2009 at 14:50 | #1
  2. March 4th, 2010 at 15:48 | #2
  3. April 29th, 2011 at 19:26 | #3
You must be logged in to post a comment.