LoveMyTool - Open Community for Network Management and Monitoring

Creating a "Facebook" filter

The reason why this is tough is because sites like Facebook often use several servers to provide content to users. We can't just filter on one ip address and be done with it. It can involve many different addresses, and usually changes per user.

First, capture traffic at your edge, and at least at the beginning of learning to do this, generate some Facebook traffic so you know you have some to find.

The simplest way to set a filter for Facebook users is to use the “tcp contains” filter. For example, after capturing the sample at the edge, type in:

After applying this filter, all Facebook traffic that contains the word “facebook” will be displayed. What is handy about this list is that all generators of traffic are easy to see. The traffic source will be shown under the Source address list. As for the destination, you’ll probably notice that many different servers are used when accessing Facebook. Also, notice that only the GET requests and HTTP POSTs are listed when setting a text filter like this. Remember that only those packets with the word “facebook” in them will be listed. This will be a small sample of all traffic to and from Facebook.

In order to set a filter for this complete Facebook transaction, we need to set a filter for all traffic to and from the listed servers. How can we do this? One way I like to do this (there are others, so list your way in the comments below this article) is to use the destination column to prepare a quick filter. Simply right-click the Facebook server IP, then select Prepare a Filter….   Then click Selected.

This will create a display filter with this server as a destination. Up in the filter definition window, change “ip.dst” to “ip.addr”. Instead of filtering on only traffic to this server, the filter will apply for traffic in both directions. Note – do not yet apply this filter, we are still building it.

Select the next Facebook server that is displayed in the destination column and right-click it. Select Prepare a filter, only this time, click  "or selected". This will add the server IP to the filter list. Again, change the “ip.dst” to “ip.addr” in the filter bar to create a conversation filter on this address, not a one way filter. Do this for every server in the list, or for just those with the majority of traffic. When you are done the filter will look something like this:

Next, hit the apply button, and this filter will be applied to the full trace. Now you will have all packets for all servers involved in the Facebook transaction. Now we can use the I/O graphs to look at how much traffic was generated, or other statistics on this traffic. It may seem tedious at first, but after you set a filter like this a few times, you’ll get quick at it. It’s a great one to learn with an application like Facebook, but you will use this filter for all kinds of different applications and services which are hosted from several sources.

That's how we can find who is using Facebook, and how much traffic they are generating with Wireshark.

Please comment below with other ways to go about filtering for this type of traffic!

Author Profile - Chris Greer is a Network Analyst for Packet Pioneer. Chris has many years of experience in analyzing and troubleshooting networks. He regularly assists companies in tracking down the source of network and application performance problems using a variety of protocol analysis and monitoring tools including Wireshark. When he isn’t hunting down problems at the packet level, he can be found teaching various analysis workshops at Interop and other industry trade shows. Chris also delivers training and develops technical content for several analysis vendors.