This is our old Q&A Site. Please post any new questions and answers at

I suspect a keylogger on a client's PC, but cannot isolate it. My fear is that this keylogger transmits data outbound to an indeterminate location.

So I am seeking a tool which may allow me to look at any outbound activity, and then isolate destinations and take it from there.

Time is of the essence, so I only have a limited time to familiarize myself with a tool.

Will Wireshark address my needs? Thanks!

asked 29 Jan '11, 12:34

lastditch's gravatar image

accept rate: 0%

Yes, Wireshark can help but depending on the usage pattern of the PC it can be difficult to determine which traffic is harmless and which is malicious.

This is what I would do if I suspect a keylogger transmitting data:

  1. If you can, put Wireshark on a 2nd PC and use a Hub/SPAN Port to capture the suspicious PC's data. If you can't you might have to go with installing Wirehark on the actual client's PC which has some drawbacks but sometimes can't be helped.
  2. Start the client's PC and let Wireshark capture the data coming and going to it's network card
  3. Close as much programs that use the network as you can, so make sure that there is as little valid network traffic created as possible
  4. Open a text editor and start typing. Now if there's a keylogger it should at some point start to send out the captured data. You should see that as communications coming from the PC that have no other reason to be there. You can filter on that by using something like "ip.src==X.X.X.X" where X.X.X.X is the PC's IP address. This way you see everything that goes out. If there is something that you have no explanation for you can filter on this communication bidirectionaly, for example by using the "Follow TCP stream" filter (if it is in fact a TCP session). Then you need to determine what is happening and if this is in fact a keylogger.
  5. You may have to monitor the PC for a while because not all keyloggers send their data out right away. If you have a Wireshark on a 2nd PC you can try to shut down the suspicious PC and see if there is a transmission right before the keylogger is terminated.

BTW, if you suspect a keylogger you should also check the PC for physical dongles - nobody checks the back of the PC for PS/2 or USB keyloggers in hardware unless it's a notebook ;-)

permanent link

answered 30 Jan '11, 05:19

Jasper's gravatar image

Jasper ♦♦
accept rate: 18%

Well, it may. You'll have to be prepared to chew on some raw data packets, the keylogger most likely tries to conceal its communications. Still Wireshark should show them, and allows some higher level view on the connections. Take a stroll through the User's Guide to get an idea what's possible.

permanent link

answered 30 Jan '11, 05:09

Jaap's gravatar image

Jaap ♦
accept rate: 14%

What's type of protocol that keylog using to tranfer file outbound my PC? I used wireshark but couldn't find smtp or ftp protocol :(

permanent link

answered 02 Apr '16, 20:41

Tr%E1%BA%A7n%20Th%C3%A0nh%20%C4%90%E1%BB%A9c's gravatar image

Trần Thành Đức
accept rate: 0%

It is not a Wireshark question so I won't ask you to convert your "Answer" into a Question (which would be the right thing to do if it wasn't totally off-topic). As it is, the right thing according to site policy is to remove your non-Answer.

To the subject: if you would be creating a keylogger yourself, would you like it to be easily noticeable? That's the reason why any keylogger is not likely to use smtp or ftp but rather some encrypted proprietary protocol using tcp (or even udp) as transport layer.

(03 Apr '16, 07:43) sindy
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:


question asked: 29 Jan '11, 12:34

question was seen: 10,664 times

last updated: 03 Apr '16, 07:43

p​o​w​e​r​e​d by O​S​Q​A