This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How do I use Wireshark as a keylogger?

0

I'm very new to this software but because of some recent discoveries about our daughter's internet use, we are very suspicious. We would like to extend some freedom to her and have agreed on the "trust but monitor" tactic. Can someone point me in the right direction for learning how to use Wireshark as a keylogger?

asked 03 Jan '17, 18:03

djattracta's gravatar image

djattracta
6112
accept rate: 0%


2 Answers:

2

Wireshark can only act as a keylogger, in the sense of a program that monitors keystrokes, if the keyboard being used is a hardware keyboard that connects to a host over a network that Wireshark can sniff.

If the keyboard you're trying to monitor is a software keyboard on a smartphone or tablet, that won't work.

If it's a USB keyboard plugged into a personal computer, that'd work only if you could tap the USB connection, which can currently be done by Wireshark only by running it on the personal computer; that currently only works if the machine is running Linux or Windows. Furthermore, you may get a lot of USB traffic that's not relevant to the keyboard.

If it's a wireless Bluetooth keyboard, that'd work only if you could tap the Bluetooth connection, which would only work on Linux and only work if you ran Wireshark on the machine to which the keyboard is communicating, or if you could do Bluetooth passive sniffing, which could only be done with Ubertooth hardware.

So that's going to be difficult at best and impossible at worst.

If, however, you want to watch the network traffic to and from her machine, see Jaap's comment; you might be able to limit the traffic by finding out the MAC address of her machine, so you would only see that traffic. As for encryption, you would probably be able to decrypt traffic that's encrypted at the Wi-Fi level, by supplying the password for the network, IF you happen to capture the initial connection of her machine to the network. Capturing that would be tricky, though, if you didn't have the ability to turn the machine on and off.

If the machine is portable, such as a smartphone, tablet, or laptop, the only way you're going to be able to completely monitor its use would be by installing a program on the machine and having it run continuously, capturing traffic while it's running. That won't be possible on an Apple iPhone or iPad or iPod touch (Wireshark doesn't work on them, for various technical and Apple policy reasons, and neither do other sniffer programs). It might be possible on a laptop, but, in any case, you're going to need some way to grab the capture files from the machine.

And, in both that case and the other "capture network traffic" case, that won't be enough to decrypt encrypted Web traffic; there will probably be a lot of that, and it's tricky, at best, to decrypt.

So this isn't necessarily going to be easy to do with Wireshark, if it's doable at all. A lot of networking technologies (such as SSL/TLS, as used for encrypted Web traffic) were deliberately designed to make it hard to do what you want to do....

answered 04 Jan '17, 02:20

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196
accept rate: 19%

1

Don't go there. Wireshark is a network analyser, not the monitor tool you seek. You'll be swamped in other network traffic and most, if not all, data you seek will be encrypted on the network anyway, out of your reach.

answered 04 Jan '17, 00:38

Jaap's gravatar image

Jaap ♦
11.7k16101
accept rate: 14%