Hi-Performance Protocol Identification Engine
Yahoo Instant Messenger

HiPPIE Name: yahooim
Protocol Category: Instant Messaging Protocols
Protocol Classification: Full

Yahoo Instant Messenger is the (bloated) offering of IM software from the internet conglomerate Yahoo. This messenger would be nearly impossible to classify by any port-based mechanism, as it decides to randomly connect to very standard ports (80, 23, 21, 53, etc.) on the servers if it is unable to open its common ports. However, based on inspection, it's actually very easy to classify. The first four bytes of almost every Yahoo Messenger packet will be:

    YMSG

Furthermore, it can be observed that the header portions of these packets tag a "data size" in the 8th and 9th (from 0) bytes of the TCP data section. This data size plus 20 will be equal to the size of the TCP data section, or in other words, this size plus 20 plus the size of the TCP header plus the size of the IP header will be the size specified in the IP header.

From these two observations, any Yahoo Messenger session can be very easily identified, and with high accuracy.
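The two observations above can be combined into a single payload check. The following is an added example, not HiPPIE's own code: the names `ymsg_classify` and `ymsg_verdict` are hypothetical, the sample payloads are constructed, and the data size is assumed to be stored big-endian (network byte order), which the text does not state.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define YMSG_HDR_LEN 20  /* the constant 20 from the text */

enum ymsg_verdict {
    YMSG_NO_MATCH = 0,    /* "YMSG" marker absent */
    YMSG_MAGIC_ONLY = 1,  /* marker present, size check fails (e.g. split segment) */
    YMSG_MATCH = 2        /* both observations hold */
};

/* Classify one TCP data section; IP and TCP headers are already stripped. */
enum ymsg_verdict ymsg_classify(const uint8_t *payload, size_t len)
{
    if (payload == NULL || len < 4 || memcmp(payload, "YMSG", 4) != 0)
        return YMSG_NO_MATCH;
    if (len < YMSG_HDR_LEN)
        return YMSG_MAGIC_ONLY;  /* too short to satisfy size + 20 == len */

    /* Data size in bytes 8 and 9 (0-indexed); big-endian is an assumption. */
    size_t data_size = ((size_t)payload[8] << 8) | payload[9];

    /* Second observation: data size + 20 equals the TCP data section size. */
    return (data_size + YMSG_HDR_LEN == len) ? YMSG_MATCH : YMSG_MAGIC_ONLY;
}

/* Constructed sample: 20-byte header declaring 5 data bytes, then 5 bytes. */
static const uint8_t sample_ok[25] = {
    'Y','M','S','G', 0,0,0,0, 0x00,0x05, 0,0, 0,0,0,0, 0,0,0,0,
    'h','e','l','l','o'
};
/* Constructed sample: ordinary HTTP, as seen on port 80. */
static const uint8_t sample_http[] = "GET / HTTP/1.1\r\nHost: example.test\r\n\r\n";

int main(void)
{
    printf("ymsg sample: %d\n", (int)ymsg_classify(sample_ok, sizeof sample_ok));
    printf("truncated:   %d\n", (int)ymsg_classify(sample_ok, sizeof sample_ok - 1));
    printf("http sample: %d\n", (int)ymsg_classify(sample_http, sizeof sample_http - 1));
    return 0;
}
```

Reporting `YMSG_MAGIC_ONLY` separately keeps the strict two-part match from the text while still surfacing payloads that carry the marker but fail the size check.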