This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Read “WhatsApp” messages over wlan

0

How can I follow messages sent over a mobile phone with WhatsApp Messenger in a local wlan?

asked 22 Jan '12, 01:39

Anon's gravatar image

Anon
84237
accept rate: 16%

edited 22 Jan '12, 07:55

helloworld's gravatar image

helloworld
3.1k42041

2 Answers:

0

There is even an easier way to follow the conversations, if you use only the filter expression ssl contains F8:03:83:BD:AD you get the same result.

The structure of WhatsApp-messages looks like this:

Incoming WhatsAppMessage

00:[LENGTH]:{ #Header# F8:[LENGTH]:{ #CallingNumber# 5D:38:FA: FC:[LENGTH]:{ASCII}: #UserID# 8A:43: FC:[LENGTH]:{ASCII}: #MessageID# A2:1B:9D: FC:[LENGTH]:{ASCII}: } #Content# F8:[LENGTH]:{ #Name# F8:[LENGTH]:{ 65:BD:AE:61: FC:[LENGTH]:{ASCII}: } #Seperator ???# F8:[LENGTH]:{ 83:BD:AD: } #MessageText# F8:[LENGTH]:{ 16: FC:[LENGTH]:{ASCII}:
} #Date (optional)# F8:[LENGTH]:{ 25:BD:AB:38:8A:92: FC:[LENGTH]:{ ASCII: ### YYYY-MM-DD "T": ASCII: ### HH:MM:SS }
5A:66: } #Date (optional)# F8:[LENGTH]:{ BA:BD:4E:92: FC:[LENGTH]:{ ASCII: ### YYYYMMDD "T": ASCII: ### HH:MM:SS }
} } }

Outgoing WhatsAppMessage

00:[LENGTH]:{ #Header# F8:[LENGTH]:{ #CallingNumber# 5D:A2:1B:A0:FA: FC:[LENGTH]:{ASCII}: #UserID# 8A:43: FC:[LENGTH]:{ASCII}: } #Content# F8:[LENGTH]:{ #MessageText# F8:[LENGTH]:{ 16: FC:[LENGTH]:{ASCII}:
} #Seperator ???# F8:[LENGTH]:{ 83:BD:AD: } #EndOfMessage ???# F8:[LENGTH]:{ BA:BD:4F: F8:[LENGTH]:{ F8:[LENGTH]:{ 8C } }
} } }

answered 25 Mar '12, 09:08

Anon's gravatar image

Anon
84237
accept rate: 16%

edited 26 Mar '12, 05:00

Hello, above filter isn't working. Maybe due to my Wireshark configuration. I'm using a Mac (OS 10.7.3) in a wireless network (Netgear WNR2000 (WPA2)). Any suggestions on tutorials setting up Wireshark and configuring right filters for Whatsapp reading? Thanks, Stan

(23 May '12, 01:19) jojo

-2

Use the filter expression: --- (ssl contains f8:08:5d:a2 and ssl contains f8:02:16:fc) or (ssl contains f8:0a:5d and ssl contains bd:ae:61:fc) --- and you get only the relevant packets.

answered 22 Jan '12, 01:41

Anon's gravatar image

Anon
84237
accept rate: 16%

edited 22 Jan '12, 01:41