Recent statistics show that people spend over 700 billion minutes per month on Facebook. In some environments, people are using Facebook from work, and generate more traffic to Facebook servers than to their email and application servers combined! Not to say that this social networking site is a bad thing, but in many networking environments, over-use of sites like Facebook can impact the performance of business-critical applications, especially at remote offices with small WAN links.
It’s important to get an idea of who on the network are using Facebook and other sites like it, and how much traffic is being generated on a given day. Sure, in some places there are fancy tools monitoring all web usage, and with a click of a button we can find out what we are looking for. But at times we may need to find a user in the act. How can we do this with Wireshark and other tools? I’ll show you a couple of tricks that you can use to track down these users, as well as other types of no-no web traffic.
This really isn’t too hard with Wireshark. It simply involves setting a free string filter for the word “facebook”. So let’s look at how to do it.
Creating a "Facebook" filter
The reason why this is tough is because sites like Facebook often use several servers to provide content to users. We can't just filter on one ip address and be done with it. It can involve many different addresses, and usually changes per user.
First, capture traffic at your edge, and at least at the beginning of learning to do this, generate some Facebook traffic so you know you have some to find.
The simplest way to set a filter for Facebook users is to use the “tcp contains” filter. For example, after capturing the sample at the edge, type in:
After applying this filter, all Facebook traffic that contains the word “facebook” will be displayed. What is handy about this list is that all generators of traffic are easy to see. The traffic source will be shown under the Source address list. As for the destination, you’ll probably notice that many different servers are used when accessing Facebook. Also, notice that only the GET requests and HTTP POSTs are listed when setting a text filter like this. Remember that only those packets with the word “facebook” in them will be listed. This will be a small sample of all traffic to and from Facebook.
In order to set a filter for this complete Facebook transaction, we need to set a filter for all traffic to and from the listed servers. How can we do this? One way I like to do this (there are others, so list your way in the comments below this article) is to use the destination column to prepare a quick filter. Simply right-click the Facebook server IP, then select Prepare a Filter…. Then click Selected.
This will create a display filter with this server as a destination. Up in the filter definition window, change “ip.dst” to “ip.addr”. Instead of filtering on only traffic to this server, the filter will apply for traffic in both directions. Note – do not yet apply this filter, we are still building it.
Select the next Facebook server that is displayed in the destination column and right-click it. Select Prepare a filter, only this time, click "or selected". This will add the server IP to the filter list. Again, change the “ip.dst” to “ip.addr” in the filter bar to create a conversation filter on this address, not a one way filter. Do this for every server in the list, or for just those with the majority of traffic. When you are done the filter will look something like this:
Next, hit the apply button, and this filter will be applied to the full trace. Now you will have all packets for all servers involved in the Facebook transaction. Now we can use the I/O graphs to look at how much traffic was generated, or other statistics on this traffic. It may seem tedious at first, but after you set a filter like this a few times, you’ll get quick at it. It’s a great one to learn with an application like Facebook, but you will use this filter for all kinds of different applications and services which are hosted from several sources.
That's how we can find who is using Facebook, and how much traffic they are generating with Wireshark.
Please comment below with other ways to go about filtering for this type of traffic!
Continue reading other LoveMyTool posts by Chris Greer »
Author Profile - Chris Greer is a Network Analyst for Packet Pioneer. Chris has many years of experience in analyzing and troubleshooting networks. He regularly assists companies in tracking down the source of network and application performance problems using a variety of protocol analysis and monitoring tools including Wireshark. When he isn’t hunting down problems at the packet level, he can be found teaching various analysis workshops at Interop and other industry trade shows. Chris also delivers training and develops technical content for several analysis vendors.Chris can be contacted at chris (at) packetpioneer (dot) com.