This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Using Wireshark, how can you tell whether an instant-message Website has been accessed?

0

I have been working on how to find use of online messengers (e.g. imo.im, eBuddy) using Wireshark. I'm doing this, as I need to build SIEM (security information event management) use-cases which detect usage of online web messengers.

To do a little bit of research, I went on a few online web messengers and turned on Wireshark in the background. After a couple of minutes of browsing the online messenger sites, I stopped Wireshark and went straight on to analysis. At first, I found nothing special / unique which tells me (as a user) which online messaging service / protocol I used, as all these sites work on HTTP or HTTPS.

How, using Wireshark, can one tell that an IM website has been accessed?

asked 24 Jan '13, 12:07


lazerz
accept rate: 0%

converted 24 Jan '13, 18:03


Guy Harris ♦♦


2 Answers:

1

If you know the name of the site in question, you can filter on:

http.host contains imo.im || ssl.handshake.extensions_server_name contains imo.im

This will return either the clear-text HTTP command they sent to that page or, depending on the browser used by the client, the SSL Client Hello sent during SSL negotiation to the offending website.

answered 24 Jan '13, 18:56


Magnus Morte...
accept rate: 50%
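As an added illustration of the two signals that filter keys on (not part of the original answer): a short Python checker that pulls the HTTP Host header or the TLS ClientHello server_name (SNI) out of a raw payload and matches it against an assumed watchlist of IM domains, so the same logic can run in a SIEM parser over captured payloads. The watchlist, the sample requests and the ClientHello builder are constructed for the demo.

```python
"""Added example, not from the thread: flag payloads addressed to IM sites,
as the display filter above does, via the clear-text HTTP Host header or the
TLS ClientHello server_name (SNI). Watchlist and packets are constructed."""
import struct
IM_WATCHLIST = ("imo.im", "ebuddy.com")   # assumed IM domains to alert on

def http_host(payload: bytes):
    """Host header of a clear-text HTTP request, or None."""
    head = payload.partition(b"\r\n\r\n")[0]
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace")
    return None

def tls_sni(payload: bytes):
    """host_name from the SNI extension of a TLS ClientHello, or None."""
    # record hdr (5) + handshake hdr (4) + version (2) + random (32) = 43
    if len(payload) < 43 or payload[0] != 0x16 or payload[5] != 0x01:
        return None
    p = 44 + payload[43]                                 # skip session id
    p += 2 + struct.unpack("!H", payload[p:p + 2])[0]    # cipher suites
    p += 1 + payload[p]                                  # compression
    p, ext_end = p + 2, p + 2 + struct.unpack("!H", payload[p:p + 2])[0]
    while p + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", payload[p:p + 4])
        body = payload[p + 4:p + 4 + ext_len]
        if ext_type == 0 and len(body) >= 5:             # server_name
            name_len = struct.unpack("!H", body[3:5])[0]
            return body[5:5 + name_len].decode("ascii", "replace")
        p += 4 + ext_len
    return None

def matched_im_site(payload: bytes):
    """Watch-listed domain this payload is addressed to, or None."""
    host = http_host(payload) or tls_sni(payload)
    for dom in IM_WATCHLIST:
        if host and (host == dom or host.endswith("." + dom)):
            return dom
    return None

def build_client_hello(host: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello carrying only an SNI extension."""
    name = host.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = b"\x03\x03" + bytes(32) + b"\x00\x00\x02\xc0\x2f\x01\x00" + struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

In Wireshark 3.0 and later the SNI field is spelled tls.handshake.extensions_server_name; the ssl.* name in the answer is the pre-3.0 spelling.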

0

In general, there is no easy way to do that. To post a message on a Web site, almost any sort of mechanism can be used (posting forms, etc.). You'd have to figure out some patterns in the HTTP requests that suggest that the site is an IM site.

answered 24 Jan '13, 18:11


Guy Harris ♦♦
accept rate: 19%