Can I use wireshark to track surveillance software

asked 2019-10-30 18:06:49 +0000

tfeathers

Hey folks,

I'm a journalist working on a story about digital surveillance software that schools are installing on students' laptops and tablets. A lot of this software is free, and I'm curious to find out if it's gathering student data and sharing it with third-party data brokers or advertisers. I'm completely new to Wireshark, but somebody suggested it might allow me to identify what information the surveillance software (should I install it on my computer) is capturing and who it's sharing the data with.

Is that possible, and does anybody have any suggestions about how to set up the filters to capture data on a specific program?

Thanks very much for any and all help!


1 Answer


answered 2019-11-02 19:26:02 +0000

Eddi

Hello tfeathers

and welcome to the world of Wireshark. Wireshark is a program to record and analyze network traffic. It is used by network professionals around the world to detect problems in their network.

Certainly Wireshark can detect information transmitted by malware or surveillance software. A successful capture operation might require some planning. Details vary depending on the feature set provided by the software.

  • The installation of Wireshark requires administrator privileges.
  • Certain malware families (and probably also surveillance software) will stop communicating while a program like Wireshark is running.
  • Information could be collected by any surveillance software over time and transmitted at irregular intervals. These transmissions are harder to detect in the usual "noise" of routine traffic.
  • To detect the network behavior of surveillance software I would record traffic at a choke point. This is pretty easy if you use enterprise-grade network equipment. The network capture playbook from the web site packet-foo.com describes the process in depth.
  • Today many software products transmit telemetry data to the publisher. These transmissions have to be separated from any spyware / malware / surveillance tech.
  • I would expect that the communication is encrypted. If you can introduce a proxy server to the network you might be able to decrypt and re-encrypt the traffic in flight. This feature is called "TLS inspection".
  • It is possible that the surveillance software might offer some protection and check the reputation of a web site visited by the user. This functionality is part of virtually every reasonable anti-virus / anti-malware product. Of course, the vendor can gain a lot of insight into the user's behavior.

It might be more practical to use a local monitoring function like Process Monitor from sysinternals.com to examine the behavior of the program. Again, this requires administrative rights.

As a last resort, if you are not bound by some license agreement (or are willing to bend it) you could reverse engineer the software.

Good luck

Eddi

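Eddi's points about separating the publisher's own telemetry from unexplained transmissions, and about data being sent at irregular intervals, can be turned into a small triage script. The following is an added example, not code from the original thread or from the Wireshark project; it assumes the TLS ClientHello records have been exported with tshark's `-T fields` option and that the analyst keeps an allowlist of hostnames already attributed to the vendor's telemetry. The sample export and hostnames are constructed.

```python
"""Triage TLS ClientHello records exported from a Wireshark/tshark capture.
Assumed export command (one record per line, tab-separated):
  tshark -r capture.pcapng -Y "tls.handshake.type == 1" -T fields \
     -e frame.time_epoch -e ip.dst -e tls.handshake.extensions_server_name
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample export (not a real capture); hostnames are placeholders.
SAMPLE_EXPORT = """\
1572458400.10\t203.0.113.10\ttelemetry.publisher.example
1572458460.12\t203.0.113.10\ttelemetry.publisher.example
1572458520.09\t203.0.113.10\ttelemetry.publisher.example
1572458580.11\t203.0.113.10\ttelemetry.publisher.example
1572458407.50\t198.51.100.7\tcollector.unknown-broker.example
1572459811.02\t198.51.100.7\tcollector.unknown-broker.example
1572459830.44\t198.51.100.7\tcollector.unknown-broker.example
1572459840.00\t198.51.100.7\tcollector.unknown-broker.example
1572464000.77\t198.51.100.7\tcollector.unknown-broker.example
1572458500.00\t192.0.2.44\t
"""
# Hostnames already attributed to the publisher's own telemetry (assumed
# allowlist; build it from vendor documentation, not from guesses).
KNOWN_TELEMETRY = {"telemetry.publisher.example"}

def parse_export(text):
    """Return {destination: [timestamps]} keyed by SNI, falling back to IP."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, sni = (line.split("\t") + ["", ""])[:3]  # pad missing fields
        flows[sni or ip].append(float(ts))
    return flows

def burstiness(timestamps):
    """Coefficient of variation of inter-arrival gaps; 0.0 means periodic."""
    ordered = sorted(timestamps)
    gaps = [b - a for a, b in zip(ordered, ordered[1:])]
    if len(gaps) < 2 or mean(gaps) == 0:
        return 0.0
    return pstdev(gaps) / mean(gaps)

def triage(text, known=KNOWN_TELEMETRY):
    """Classify each destination: known telemetry or unexplained, plus timing."""
    report = {}
    for dest, times in parse_export(text).items():
        report[dest] = {"connections": len(times), "known_telemetry": dest in known,
                        "irregular": burstiness(times) > 0.5}  # threshold assumed
    return report
```

Destinations without an SNI are kept under their IP address so they are not silently dropped; they deserve a closer look precisely because they bypass the hostname allowlist.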
