1 | initial version |
There are so many ways in which a keylogger can exfiltrate data that it's impossible to give a specific answer. Any (meta-)data carrying protocol is a candidate, e.g., HTTP URL, HTTP header, IRC, SMTP, FTP, you name it. It would require detailed analysis of all communications to see if something cannot be identified as expected/valid traffic, something that may prove difficult in even normal networks.
On the other hand, it would be rather strange if a keylogger would cause keystrokes to be dropped, and thereby attracting attention to itself...