Ask Your Question

How to find file upload?

asked 2020-10-17 12:08:32 +0000

Jason Long gravatar image

Hello, Can I use Wireshark or Tshark to find the files that uploading from my Linux system?

Thank you.

edit retag flag offensive close merge delete


How are the files being uploaded? If they're being uploaded over an encrypted connection (https, ftps, sftp etc.) you won't be able to see them unless you have the decryption keys.

grahamb gravatar imagegrahamb ( 2020-10-17 13:54:56 +0000 )edit

I don't know. I want to find anything that uploading from my Linux box. For example, a Keylogger.

Jason Long gravatar imageJason Long ( 2020-10-17 15:56:30 +0000 )edit

Wireshark isn't really the tool for this, it's a packet analysis "microscope". You need some more specific malware tools.

grahamb gravatar imagegrahamb ( 2020-10-17 16:09:51 +0000 )edit

I saw in some videos that Malware analysis using Wireshark. Why Wireshark can't detect files uploading?

Jason Long gravatar imageJason Long ( 2020-10-17 16:49:35 +0000 )edit

When you have a specific case, using Wireshark to examine the details of that case is a good use for a microscope. General surveillance of your entire environment with a microscope isn't that useful.

Wireshark doesn't have a built-in malware "detector", you would have to investigate every bit of every byte of all the traffic yourself.

grahamb gravatar imagegrahamb ( 2020-10-18 16:51:46 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted

answered 2020-10-17 20:53:57 +0000

Jaap gravatar image

What Wireshark can do is look at network traffic, i.e., packets going into and out of your system. By analysing these packets it can try to reconstruct transport connections, using TCP and UDP, etc. In these transport connections it can try to look for protocols that are used for file transfer, e.g., (T)FTP, SMB or HTTP. In these transfer sessions it may be able to find the files being transferred.

Note the many tries and maybe's in this text. If all this was done in the clear everyone with access to the transport connection would be able to see these files too, something which is not desirable. Therefore encryption comes into play. The protocols for file transfer may be encapsulated in an encryption layer (TLS for instance), making analysis significantly harder.

In such cases other analysis, that of metadata, may become necessary. E.g., looking for connections to known C&C nodes. Or traffic unrelated to normal operating processes of the system. You see that we get far away from just trying to look at a file transfer. Sure, it may be the case it's in the clear, but as always, it depends on the specifics.

edit flag offensive delete link more


How can I do it?

Jason Long gravatar imageJason Long ( 2020-10-19 03:56:31 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2020-10-17 12:08:32 +0000

Seen: 5,732 times

Last updated: Oct 17 '20