This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I recently downloaded Wireshark to monitor my son's internet activity, which has been suspicious lately. He has his Facebook Password saved to the computer, but not his e-mail's (I have a feeling they might be the same). Wireshark is recording packets, but when I log into his Facebook, all the Packet information is in Wireshark except for Username and Password when I go to "Follow TCP Stream." In fact, Username and Password are not appearing for any site after logging in. I even tried plugging an Ethernet cord directly into the computer from the modem after wireless did not work. Please help.

asked 10 Mar '12, 11:43

cats10's gravatar image

cats10
1111
accept rate: 0%


From an experiment I just did, logging out from Facebook and logging back in, it appears that the login process is - not surprisingly - done over SSL/TLS-encapsulated HTTP ("https"), but the process of browsing Facebook, at least, is done over regular HTTP (I never post to Facebook, so I don't know whether that's done with regular or SSL/TLS-encapsulated HTTP).

This means that the user name and password are probably sent over port 443 rather than port 80, so it's not in the same TCP stream as the rest of the Facebook traffic and thus won't show up in Follow TCP Stream.

In addition, it means that it's encrypted; Wireshark can decrypt SSL/TLS-encapsulated traffic, if enough information is supplied - see the Wireshark Wiki page on SSL - but that might require you to get some information from your son's computer. (It's encrypted to prevent people from doing exactly what you're trying to do - capture private information such as passwords. Your traffic to a Web site could, if not SSL/TLS-encapsulated, be sniffed, in principle, by, for example, somebody at your ISP.)

permanent link

answered 10 Mar '12, 17:03

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196
accept rate: 19%

Wireshark is a packet analyser not a network monitor. Having said that, it can be used to determine log on credentials for web sites, but only if those websites don't use any form of security when logging in. AFAIK Facebook has optional security enabled on a per-account basis. Email accounts, especially web based ones, usually have security enabled.

See this previous question and the answers regarding facebook logins: facebook logins

permanent link

answered 10 Mar '12, 12:12

grahamb's gravatar image

grahamb ♦
19.8k330206
accept rate: 22%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×549
×248
×26
×3

question asked: 10 Mar '12, 11:43

question was seen: 6,772 times

last updated: 10 Mar '12, 17:03

p​o​w​e​r​e​d by O​S​Q​A