wireshark facebook question


napisani

I have been trying to learn Wireshark and how to use it.

So what I did is I set up Wireshark to capture packets while I went on Facebook and chatted with my friends.

My question is:

Is there a way to display a Facebook chat (instant message) in a list form?

For example:

sent: hi

received: hey whats going on

sent: not much

If not, is there another tool that will help me analyze the packets in this manner?

Sincerely,

napisani

Note:

This capturing session was done strictly for learning purposes only. Nothing malicious!

Something like this probably has a really easy to spot signature. You just have to find one of the packets that is part of the chat, then find something unique about it, at least for capturing sent messages. Capturing received messages might be a bit more difficult.

I haven't used a Facebook chat, but I imagine you could create your own filter, then capture only packets for Facebook chats. You can sort them after capture, or set the filter up before capturing, so it's the only packets it saves. Then you right click and follow TCP stream, save the output as plain text and you don't have to parse anything, since Wireshark will do all this for you.

If you're on Windows I would recommend NetResident or CommView/CommView for WiFi. I use NetResident almost daily, and it will do exactly what you're wanting to do: reconstruct data packets on the fly in real time so you can view webmails on 80, chat sessions (Jabber/ICQ/AIM/Yahoo/IRC etc.), FTP sessions, HTTP/80/8080/443, MSN 1863, mail 25/110/143, and the list goes on. It can even decode and play back VoIP sessions. CommView will allow you to do most of the same but doesn't have the search/filtering options that NetResident has. You can customize search sets and have it alert you when it's captured your specific search targets, for example secure.myspace.login, if you want to cap someone's MySpace login and have it alert you.

Here's a screenshot of Yahoo chat session reconstruction:

chatsniff.jpg

Normally packets are fragmented (into the so-called frames) when they go through a network. When your computer receives the frames it reassembles them and then processes them. What you see in Wireshark are fragmented packets.

First, filter by IP address, so that you only get fragments that are part of your chat.

Then, if you want to see a whole packet, so you can make sense of it, right click on one fragment (that is part of your chat) then select "Follow TCP Stream".

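The reassembly that "Follow TCP Stream" performs, sketched as an added example that is not part of any post in this thread: segments are put back in sequence order per sender, retransmitted bytes are dropped, and the result is printed in the sent/received list form asked for in the first post. The addresses, sequence numbers and the newline-delimited plaintext chat format are constructed for illustration, and sequence-number wraparound is ignored.

```python
from collections import defaultdict

CLIENT, SERVER = "192.0.2.10", "198.51.100.5"  # constructed documentation addresses
# Constructed capture: (source, TCP sequence number, payload) in arrival order,
# with one out-of-order segment and one retransmission.
SEGMENTS = [
    (CLIENT, 1000, b"hi\n"),
    (SERVER, 5009, b" going on\n"),   # arrives before the segment that precedes it
    (SERVER, 5000, b"hey whats"),
    (SERVER, 5000, b"hey whats"),     # retransmitted duplicate
    (CLIENT, 1003, b"not much\n"),
]
FIRST_SEQ = {CLIENT: 1000, SERVER: 5000}  # first data byte per sender (assumed known)


def follow_stream(segments, first_seq):
    """Yield (source, bytes) each time new in-order data becomes available."""
    expected = dict(first_seq)    # next sequence number wanted from each sender
    pending = defaultdict(dict)   # sender -> {seq: payload} waiting for a gap to fill
    for src, seq, data in segments:
        pending[src][seq] = data
        delivered = bytearray()
        while pending[src] and min(pending[src]) <= expected[src]:
            start = min(pending[src])
            chunk = pending[src].pop(start)
            skip = expected[src] - start      # bytes already delivered earlier
            if skip < len(chunk):
                delivered += chunk[skip:]
                expected[src] = start + len(chunk)
        if delivered:
            yield src, bytes(delivered)


def transcript(segments, client, first_seq):
    """Return 'sent:'/'received:' lines for a newline-delimited plaintext stream."""
    lines, partial = [], defaultdict(bytes)
    for src, data in follow_stream(segments, first_seq):
        direction = "sent" if src == client else "received"
        *complete, partial[direction] = (partial[direction] + data).split(b"\n")
        lines += [f"{direction}: {m.decode(errors='replace')}" for m in complete]
    return lines


if __name__ == "__main__":
    print("\n".join(transcript(SEGMENTS, CLIENT, FIRST_SEQ)))
```

When the session is carried over SSL/TLS, the same reassembly yields ciphertext rather than readable lines.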

  • 2 years later...

This thread is a bit old, but given recent advances by Facebook, I would hope they use SSL for chats and it can't be seen/or encrypted.
