This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.
1
1

Hi there. I'm having a bit of difficulty trying to decipher all the packet info on my machine and was looking for a way to detect the information more easily.

I'm looking to detect a successful Facebook login via Wireshark, as well as detecting if a user uses the chat feature. But I have no idea what all these packets are that are showing up. Is there a filtering option that can be set up just to detect Facebook information?

Cheers

asked 05 Jul '11, 04:01

jgraham95
16123
accept rate: 0%


Assuming the monitored Facebook chat users are not using IM-encryption clients, you can watch Facebook chat messages by applying this display filter: json contains message

Login is encrypted over SSL, so it would be difficult (if not impossible) for a display filter to detect whether a login is successful. You can, however, detect SSL Facebook traffic (which might be for login) using this display filter: tcp contains facebook and ssl

EDIT: Facebook supports Secure Browsing, which encrypts all Facebook traffic, including chat messages. They've also updated their chat protocol. See recent post.

answered 05 Jul '11, 22:43

helloworld
3.1k42041
accept rate: 28%

edited 22 Jan '12, 08:31

Thanks again. :)

(06 Jul '11, 07:44) jgraham95

The easiest way to follow Facebook chats is to use the search function. Use the search string 'subject":"","body":"' and search for the string in the packet bytes. As a result you see only the text which is displayed on the user's screen, no matter whether the transmission is encrypted or not.

answered 22 Jan '12, 01:30

Anon
84237
accept rate: 16%

1

As a result you see only the text which is displayed on the user's screen, no matter whether the transmission is encrypted or not.

That's incorrect. If one were easily able to read encrypted traffic simply by using search functions in Wireshark (or any other packet sniffer), that would defeat the purpose of encryption.

You can prove this to yourself by enabling "Secure Browsing" in Facebook (Account Settings > Security > Secure Browsing) and then trying your Wireshark filter on live chat traffic.

(22 Jan '12, 08:23) helloworld

The search described above shows the HTML packages that are displayed on the receiver's screen, not the encrypted message package. I myself use Facebook with Secure Browsing and can read my own messages in the captured traffic easily, even though they are encrypted in the relevant packages. Don't ask me why, but I tested it this way, and was astonished that I could read it anyway....

(25 Jan '12, 08:22) Anon

It should be obvious that your chat message(s) are not actually encrypted (in your particular case). To say that Facebook chats are readable in Wireshark despite it being encrypted is overgeneralizing.

I've confirmed that Secure Browsing still (as of today) encrypts my chat messages as well as other Facebook traffic. However, I did notice a small hiccup immediately after setting Secure Browsing from off to on: one of my chat messages came through in cleartext, but encryption took effect thereafter.

Rest assured, your chat messages are secure (except the first one sometimes ;).

(25 Jan '12, 17:05) helloworld
-3

I don't know

answered 16 Oct '11, 18:59

dyess002
0
accept rate: 0%

OK, so what would a Facebook packet look like?

(16 Oct '15, 11:31) Steve328
question asked: 05 Jul '11, 04:01

question was seen: 147,073 times

last updated: 16 Oct '15, 11:31