wireshark facebook question

[napisani]

i have been trying to learn wireshark and how to use it.

so what i did is i set up wireshark to capture packets while i went on facebook and chatted with my friends.

my question is

is there a way to display a facebook chat (instant message) in a list form?

for example

sent: hi

received: hey whats going on

sent: not much

if not is there another tool that will help me analyze the packets in this manner

sincerely

napisani

note*

this capturing session was done strictly for learning purposes only. nothing malicious!

[dr0p]

You'd have to write a custom script to parse the pcap file for facebook chats.

[napisani]

would running the pcap though tcpreplay and msgsnarf help?

[Sparda]

Some thing like this probably has a relay easy to spot signature. You just have to find one of the packets that is part of the chat then find some thing unique about it, at least for capturing sent messages. Capturing received messages might be a bit more difficult.

[digip]

I havent used a face book chat, but I imagine you could create your own filter, then capture only packets for facebook chats. you can sort them after capture, or set the filter up before capturing, so its the only packets it saves. Then you right click and follow TCP stream, save the output as plain text and you don't have to parse anything, since wireshark will do all this for you.

[vector]

i have been trying to learn wireshark and how to use it.

so what i did is i set up wireshark to capture packets while i went on facebook and chatted with my friends.

my question is

is there a way to display a facebook chat (instant message) in a list form?

for example

sent: hi

received: hey whats going on

sent: not much

if not is there another tool that will help me analyze the packets in this manner

sincerely

napisani

note*

this capturing session was done strictly for learning purposes only. nothing malicious!

if youre on windows i would recommend netresident or commview/commview for wifi. i use netresident almost daily, and it will do exactly what you're wanting to do, reconstruct data packets on the fly in real time so you can view webmails on 80, chat sessions jabber/icq/aim/yahoo/irc etc, ftp sessions, http/80/8080/443, msn 1863, mail 25/110/143, and the list goes on. even decode and playback voip sessions. commview will allow you to do most of the same but dosnt have the search/filtering options that netresident has. you can customize search sets and have it alert you when its captured your specific search targets, for example secure.myspace.login, if you want to cap someones myspace login and have it alert you.

heres a screenshot of yahoo chat session reconstruction

[PC646]

Did you see my posting on Netwitness's Investigator software? Its free and crazy powerful for recreating data packets.

http://www.netwitness.com/products/investigator.aspx

Or look on youtube for some samples of it...

[dimitar]

Normally packets are fragmented (into the so called frames) when they go through a network. When your computer receives the frames it reassembles them and then processes them. What you see in Wireshark are fragmented packets.

First, filter by IP address, so that you only get fragments that are part of your chat.

Then, if you want to see a whole packet, so you can make sense of it, right click on one fragment (that is part of your chat) then select "Follow TCP Stream".

[blackball]

If you're using wireshark you may be able to filter by the host which is likely chat.facebook.com. If anyone has recommendations on parsing the data passed from this URL I'd love to hear it, too.

[digip]

This thread is a bit old, but given recent advances by Facebook, I would hope they use SSL for chats and it can't be seen/or encrypted.