
Hi,

After some sniffing I can see profiles being viewed, photos being looked at, etc. I'm looking to see if I can tell whether a message is sent to a person. I searched for things containing "message" but got no returns.

Does anyone know what to filter on to see when I message someone?

asked 08 Nov '11, 12:30


poopftw


This display filter worked in July:

json contains message

but it looks like Facebook recently changed their protocol. Try this new display filter:

http.host==www.facebook.com && data-text-lines contains msg_text

The display filter explained:

  • http.host==www.facebook.com : show HTTP packets to/from www.facebook.com
  • data-text-lines contains msg_text : show packets with line-based text data that contains the string "msg_text", which is the name of the variable holding the text contents of the Facebook IM.

Using only the second predicate (similar to the working filter in July) may suffice, but it might catch some unwanted packets that coincidentally contain "msg_text".

EDIT: If your Facebook settings have Secure Browsing enabled, Wireshark can't see the contents of your outgoing IMs (but it can still detect the TLS packet). Even if you turn off Secure Browsing in Facebook, that only affects your own IMs. Your friend can still turn his Secure Browsing on, which protects his IMs from Wireshark.


answered 08 Nov '11, 16:18


helloworld

edited 09 Nov '11, 15:46

I tried this but unfortunately I couldn't get it to work.

I logged into Facebook, sent a couple of mates a message, then waited for responses etc. I loaded the log file into Wireshark but cannot see any msg_text - they may have clamped down now? I am, however, using https, which may disguise this?

(09 Nov '11, 05:11) poohbrains

(thanks for the detailed response btw)

(09 Nov '11, 05:11) poohbrains

https would definitely prevent you from reading the data.

(09 Nov '11, 05:35) zachad

True. https would encrypt your traffic. I updated my answer to cover Facebook's "Secure Browsing" setting.

(09 Nov '11, 15:48) helloworld

Thought so. I did a test following on from this by disabling secure browsing, and I could indeed see the messages.

To identify the TLS packets, what would I be searching for? Sorry for the newbie questions... I've only just started using Wireshark.

(10 Nov '11, 01:47) poohbrains

OK, I'm still lost on this one - anyone got any ideas?

I don't need to see the message; all I'm trying to do, for now, is to see whether a message is being sent. I followed these steps.

  1. new log
  2. logged into facebook.
  3. sent myself a message "test 12345"
  4. went to message box.
  5. read email.
  6. logged out.

I then looked through the entire log. The only thing I can kind of see is "contains message"; this allows me to see that the mailbox was accessed, but not who I sent the message to.

I tried to search on port 443, but I can't figure out how to look for the TLS messages. Any further ideas?

(13 Nov '11, 11:36) poopftw

Use ssl.record as a display filter to show TLS packets. For TLS from facebook.com, try this:

ssl.record and (ip.addr==69.171.0.0/16 or ip.addr==66.220.0.0/16)

(13 Nov '11, 12:21) helloworld

Maybe I'm being stupid, so... I searched for:

ssl.record && ip.addr==69.171.0.0/16 and ssl.record && ip.addr==69.220.0.0/16

Neither turned up any results.

Searching for either ip.addr==69.171.0.0/16 or ip.addr==69.220.0.0/16 does return results.

Searching for ssl.record alone returns no results. Is it correct for Facebook TLS after their recent security updates?

Thanks for taking the time to respond and help with this.

(13 Nov '11, 14:37) poopftw

By "search", I assume you mean you entered the display filter into the Display Filter textbox and clicked Apply. If you don't see results, it means you don't have TLS in your capture. Did you enable Facebook's "Secure Browsing"?

(13 Nov '11, 16:07) helloworld

Yeah, sorry, display filter.

Yep, I'm using secure browsing.

I managed to figure something out.

Filter on ip.src == my laptop IP && tcp contains c_user && tcp contains message

This showed me that I looked at messages, and looking for c_user would give me the person's message ID, which you can then paste into the URL bar to see who was messaged.

Which is a step..

Any reason why your ssl.record is showing nothing?

(14 Nov '11, 12:58) poopftw

Yes, there are a few possibilities:

1) The description for the Facebook "Secure Browsing" setting is: "Browse Facebook on a secure connection (https) when possible". This suggests that it can possibly send traffic in the clear. Perhaps your setup (browser, OS, etc) is such that it prevents traffic encryption. This seems unlikely, since you were using https on Facebook at one point.

2) You don't actually have "Secure Browsing" enabled even though you think you do.

(14 Nov '11, 16:08) helloworld

3) You're looking at an old packet capture instead of the one that samples your test case.

4) You accidentally set a capture filter that omits the packets you're expecting.

(14 Nov '11, 16:09) helloworld

If "Secure Browsing" were enabled for you (and working properly), the packets for Facebook IM/email would not be discernible in Wireshark; you'd only see a bunch of TLS packets, and they're easily identifiable: Wireshark's protocol column shows "TLSv1" instead of "HTTP". Note that the Facebook setting is immediate; there's no need to restart or logout/in. The fact that your display filter of "tcp contains message" is catching anything is an indication that Facebook is not actually using HTTPS.

(14 Nov '11, 16:11) helloworld

I should note that "Secure Browsing" indeed encrypts my traffic. When it's enabled, I only see TLS packets and no display filter can pick up my IMs/emails. I'm using Chrome 15 on OSX Lion 10.7.2, and I tested just a few minutes ago.

(14 Nov '11, 16:13) helloworld
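As an added example (not code from this thread), here is a small Python classifier that does by hand what the ssl.record filter and Wireshark's protocol column do in the comments above: it inspects the first bytes of a TCP payload and reports whether it is a TLS record (opaque to any "contains msg_text" filter) or cleartext HTTP. The sample payloads, including the /chat/send path, are constructed for the example and are not real captures.

```python
import struct

# TLS record-layer content types (RFC 5246, section 6.2.1)
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
# Record-layer version bytes: SSL 3.0 through TLS 1.2
TLS_VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1",
                (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
# TLSCiphertext.length may not exceed 2^14 + 2048 (RFC 5246, section 6.2.3)
TLS_MAX_RECORD = 16384 + 2048
HTTP_PREFIXES = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"HTTP/1.")


def classify_payload(payload: bytes) -> dict:
    """Report what Wireshark's protocol column would show for this payload.

    A TLS record is recognised by its 5-byte header (type, version, length),
    which is all a passive observer sees once "Secure Browsing" is on.
    """
    if len(payload) >= 5:
        ctype, major, minor, length = struct.unpack("!BBBH", payload[:5])
        version = TLS_VERSIONS.get((major, minor))
        if ctype in TLS_CONTENT_TYPES and version and length <= TLS_MAX_RECORD:
            return {"protocol": version,
                    "record_type": TLS_CONTENT_TYPES[ctype],
                    "contains_msg_text": False}
    if payload.startswith(HTTP_PREFIXES):
        # Cleartext HTTP: the body is visible, so a string match can hit
        return {"protocol": "HTTP",
                "contains_msg_text": b"msg_text" in payload}
    return {"protocol": "unknown", "contains_msg_text": False}


def count_readable_messages(payloads) -> int:
    """How many payloads the 'data-text-lines contains msg_text' filter would match."""
    return sum(1 for p in payloads if classify_payload(p)["contains_msg_text"])


# Constructed sample payloads (not real captures; the /chat/send path is made up)
CLEARTEXT_POST = (b"POST /chat/send HTTP/1.1\r\nHost: www.facebook.com\r\n"
                  b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                  b"msg_text=test+12345&to=12345")
TLS_APP_DATA = b"\x17\x03\x01\x00\x20" + bytes(32)  # application_data, TLSv1

if __name__ == "__main__":
    for name, p in (("cleartext", CLEARTEXT_POST), ("tls", TLS_APP_DATA)):
        print(name, classify_payload(p))
    print("readable:", count_readable_messages([CLEARTEXT_POST, TLS_APP_DATA]))
```

With Secure Browsing working, every Facebook payload classifies like TLS_APP_DATA and the readable count is zero, which is exactly why the msg_text filters in this thread stop matching.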

ip.addr == 192.168.1.xxx and http.host==www.facebook.com && data-text-lines contains user-generated-message

Replace the IP address with the one you want to follow, or omit it to scan all users' messages like this:

http.host==www.facebook.com && data-text-lines contains user-generated-message

As always, it will not work if secure browsing is enabled.


answered 22 Mar '12, 16:35


Scottoliolis

edited 22 Mar '12, 16:38

Actually I found out that somehow the relevant packets have been compressed for a few weeks, so the search function can no longer be used. Instead I use the filter string http && data-text-lines contains "subject" and then I only click on HTML packets with plain text; then in the lower tabs I choose the uncompressed view to see the chat messages. Works for other social networks like "Wer kennt wen" too.


answered 26 Mar '12, 05:09


Anon


last updated: 21 Jun '16, 07:01
