napisani (Posted March 16, 2009)

I have been trying to learn Wireshark and how to use it. So what I did is I set up Wireshark to capture packets while I went on Facebook and chatted with my friends. My question is: is there a way to display a Facebook chat (instant message) in a list form? For example:

sent: hi
received: hey whats going on
sent: not much

If not, is there another tool that will help me analyze the packets in this manner?

Sincerely, napisani

Note: this capturing session was done strictly for learning purposes only. Nothing malicious!

dr0p (Posted March 16, 2009)

You'd have to write a custom script to parse the pcap file for Facebook chats.

napisani (Posted March 16, 2009)

Would running the pcap through tcpreplay and msgsnarf help?

Sparda (Posted March 16, 2009)

Something like this probably has a really easy to spot signature. You just have to find one of the packets that is part of the chat, then find something unique about it, at least for capturing sent messages. Capturing received messages might be a bit more difficult.

digip (Posted March 16, 2009)

I haven't used Facebook chat, but I imagine you could create your own filter, then capture only packets for Facebook chats. You can sort them after capture, or set the filter up before capturing, so it's the only packets it saves. Then you right click and follow TCP stream, save the output as plain text, and you don't have to parse anything, since Wireshark will do all this for you.

vector (Posted March 16, 2009)

> I have been trying to learn Wireshark and how to use it. So what I did is I set up Wireshark to capture packets while I went on Facebook and chatted with my friends. My question is: is there a way to display a Facebook chat (instant message) in a list form? For example:
>
> sent: hi
> received: hey whats going on
> sent: not much
>
> If not, is there another tool that will help me analyze the packets in this manner?
>
> Sincerely, napisani
>
> Note: this capturing session was done strictly for learning purposes only. Nothing malicious!

If you're on Windows I would recommend NetResident or CommView/CommView for WiFi. I use NetResident almost daily, and it will do exactly what you're wanting to do: reconstruct data packets on the fly in real time so you can view webmails on 80, chat sessions (Jabber/ICQ/AIM/Yahoo/IRC etc.), FTP sessions, HTTP/80/8080/443, MSN 1863, mail 25/110/143, and the list goes on. It can even decode and play back VoIP sessions. CommView will allow you to do most of the same but doesn't have the search/filtering options that NetResident has. You can customize search sets and have it alert you when it's captured your specific search targets, for example secure.myspace.login, if you want to cap someone's MySpace login and have it alert you.

Here's a screenshot of Yahoo chat session reconstruction.

PC646 (Posted March 19, 2009)

Did you see my posting on NetWitness's Investigator software? It's free and crazy powerful for recreating data packets. http://www.netwitness.com/products/investigator.aspx Or look on YouTube for some samples of it...

dimitar (Posted March 19, 2009)

Normally packets are fragmented (into the so-called frames) when they go through a network. When your computer receives the frames it reassembles them and then processes them. What you see in Wireshark are fragmented packets. First, filter by IP address, so that you only get fragments that are part of your chat. Then, if you want to see a whole packet, so you can make sense of it, right click on one fragment (that is part of your chat) then select "Follow TCP Stream".

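The following is an added example, not code from any poster in this thread: it reads a classic pcap, keeps Ethernet/IPv4/TCP segments that carry data, drops retransmitted segments, and labels each payload "sent" or "received" relative to a local IP, which is the list form asked for at the top of the thread. The function names, addresses, ports and plain-text payloads are constructed for illustration, and segments are assumed to arrive in order.

```python
import struct

def read_pcap(data):
    # Yield raw frames from a little-endian, microsecond-resolution pcap.
    if struct.unpack_from("<I", data, 0)[0] != 0xA1B2C3D4:
        raise ValueError("unsupported pcap magic")
    off = 24                                   # skip the global header
    while off + 16 <= len(data):
        caplen = struct.unpack_from("<I", data, off + 8)[0]
        yield data[off + 16: off + 16 + caplen]
        off += 16 + caplen

def tcp_segment(frame):
    # Return (src_ip, sport, dport, seq, payload) or None if not Ethernet/IPv4/TCP.
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    t = 14 + (frame[14] & 0x0F) * 4            # TCP header offset (IP options aware)
    if len(frame) < t + 20:
        return None
    total_len = struct.unpack_from("!H", frame, 16)[0]
    sport, dport, seq = struct.unpack_from("!HHI", frame, t)
    doff = (frame[t + 12] >> 4) * 4            # TCP header length
    src = ".".join(map(str, frame[26:30]))
    return src, sport, dport, seq, frame[t + doff: 14 + total_len]

def list_stream(pcap_bytes, local_ip):
    # One "sent:/received:" line per data segment, in capture order.
    seen, lines = set(), []
    for frame in read_pcap(pcap_bytes):
        seg = tcp_segment(frame)
        if seg is None or not seg[4] or seg[:4] in seen:
            continue                           # non-TCP, bare ACK, or retransmission
        seen.add(seg[:4])
        label = "sent" if seg[0] == local_ip else "received"
        lines.append(f"{label}: {seg[4].decode('latin-1')}")
    return lines

# --- constructed sample capture (not real traffic) ---
def make_frame(src, dst, sport, dport, seq, payload):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(src), bytes(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 0x50, 0x18, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def make_pcap(frames):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

C, S = (10, 0, 0, 5), (192, 0, 2, 10)          # hypothetical client and server
SAMPLE = make_pcap([
    make_frame(C, S, 50000, 80, 1, b"hi"),
    make_frame(C, S, 50000, 80, 1, b"hi"),     # retransmission, listed once
    make_frame(S, C, 80, 50000, 1, b"hey whats going on"),
    make_frame(C, S, 50000, 80, 3, b"not much"),
    make_frame(S, C, 80, 50000, 19, b""),      # bare ACK, no payload
])
```

Calling `list_stream(SAMPLE, "10.0.0.5")` returns the three-line conversation; when the session runs over SSL/TLS the same listing contains only ciphertext records.
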
blackball (Posted May 17, 2011)

If you're using Wireshark you may be able to filter by the host, which is likely chat.facebook.com. If anyone has recommendations on parsing the data passed from this URL I'd love to hear it, too.

digip (Posted May 17, 2011)

This thread is a bit old, but given recent advances by Facebook, I would hope they use SSL for chats and it can't be seen/or encrypted.