Hello tfeathers

and welcome to the world of Wireshark. Wireshark is a program to record and analyze network traffic. It is used by network professionals around the world to detect problems in their network.

Certainly Wireshark can detect information transmitted by malware or surveillance software. A successful capture operation might require some planning. Details vary depending on the feature set provided by the software:

  • The installation of Wireshark requires administrator privileges.
  • Certain malware families (and probably also surveillance software) will stop communicating while a program like Wireshark is running.
  • Information could be collected by any surveillance software over time and transmitted at irregular intervals. These transmissions are harder to detect in the usual "noise" of routine traffic.
  • To detect the network behavior of surveillance software I would record traffic at a choke point. This is pretty easy if you use enterprise-grade network equipment. The network capture playbook from the web site describes the process in depth.
  • Today many software products transmit telemetry data to the publisher. These transmissions have to be separated from any spyware / malware / surveillance tech.
  • I would expect that the communication is encrypted. If you can introduce a proxy server to the network you might be able to decrypt and re-encrypt the traffic in flight. This feature is called "TLS inspection".
  • It is possible that the surveillance software might offer some protection and check the reputation of a web site visited by the user. This functionality is part of virtually every reasonable anti-virus / anti-malware product. Of course, the vendor can gain a lot of insight into the user's behavior.

It might be more practical to use a local monitoring function like Process Monitor from to examine the behavior of the program. Again, this requires administrative rights.

As a last resort, if you are not bound by some license agreement (willing to bend it) you could reverse engineer the software.

Good luck
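
The following is an added example, not part of the original answer: a sketch of how a choke-point capture could be triaged for the two problems the bullets describe (transmissions at irregular intervals, and separating known telemetry from everything else). It assumes the capture was filtered to packets sent by the monitored host and exported with `tshark`; the sample rows, the allowlist entry and the `burst_gap` threshold are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample, in the shape produced by:
#   tshark -r capture.pcapng -T fields -e frame.time_epoch -e ip.dst \
#          -e tls.handshake.extensions_server_name -e frame.len
# Fields are tab-separated; the SNI is only present on the TLS Client Hello.
SAMPLE = """\
1700000000.0\t203.0.113.10\ttelemetry.vendor.example\t517
1700000000.2\t203.0.113.10\t\t1200
1700000300.0\t203.0.113.10\t\t1200
1700000600.0\t203.0.113.10\t\t1200
1700000050.0\t198.51.100.7\tupload.unknown.example\t517
1700000050.3\t198.51.100.7\t\t1400
1700000050.6\t198.51.100.7\t\t1400
1700004000.0\t198.51.100.7\t\t1400
1700004000.4\t198.51.100.7\t\t1400
1700011000.0\t198.51.100.7\t\t1400
"""

def triage(text, known_telemetry, burst_gap=60.0):
    """Summarise outbound traffic per destination, skipping allowlisted SNIs."""
    times, size, sni = defaultdict(list), defaultdict(int), {}
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 4 or not all((parts[0], parts[1], parts[3])):
            continue  # malformed row or non-IP frame (empty ip.dst)
        ts, dst, name, length = parts
        times[dst].append(float(ts))
        size[dst] += int(length)
        if name:
            sni[dst] = name  # remember the server name seen for this address
    report = []
    for dst, stamps in times.items():
        name = sni.get(dst, "")
        if name in known_telemetry:
            continue  # expected vendor telemetry, reviewed separately
        stamps.sort()
        # A new burst starts whenever the silence exceeds burst_gap seconds.
        starts = [stamps[0]] + [b for a, b in zip(stamps, stamps[1:])
                                if b - a > burst_gap]
        gaps = [round(b - a) for a, b in zip(starts, starts[1:])]
        report.append({"dst": dst, "sni": name, "bytes": size[dst],
                       "bursts": len(starts), "gaps_s": gaps})
    # Largest talkers first; few bursts with long, uneven gaps deserve a look.
    return sorted(report, key=lambda r: r["bytes"], reverse=True)

if __name__ == "__main__":
    for row in triage(SAMPLE, {"telemetry.vendor.example"}):
        print(row)
```

Destinations with no SNI are kept in the report with an empty name, since unnamed encrypted uploads are exactly what would need a closer look in Wireshark.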