How to find file upload?
Hello, can I use Wireshark or Tshark to find the files that are uploading from my Linux system?
Thank you.
What Wireshark can do is look at network traffic, i.e., packets going into and out of your system. By analysing these packets it can try to reconstruct transport connections, using TCP and UDP, etc. In these transport connections it can try to look for protocols that are used for file transfer, e.g., (T)FTP, SMB or HTTP. In these transfer sessions it may be able to find the files being transferred.
Note the many tries and maybes in this text. If all this was done in the clear, everyone with access to the transport connection would be able to see these files too, something which is not desirable. Therefore encryption comes into play. The protocols for file transfer may be encapsulated in an encryption layer (TLS for instance), making analysis significantly harder.
In such cases other analysis, that of metadata, may become necessary. E.g., looking for connections to known C&C nodes. Or traffic unrelated to normal operating processes of the system. You see that we get far away from just trying to look at a file transfer. Sure, it may be the case it's in the clear, but as always, it depends on the specifics.
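An added example (not part of the original thread) of the triage this answer describes: it reads the tab-separated output of an assumed tshark -T fields command, flags plaintext HTTP and FTP uploads leaving the host, reports TLS sessions whose contents are hidden, and totals outbound payload bytes per destination as the metadata view. The local address, the field list and the sample records are assumptions constructed for the example.

```python
"""Triage tshark -T fields output for likely uploads leaving this host.
Assumed invocation (not from the original thread); tab-separated, one packet per line:
  tshark -r capture.pcap -T fields -E separator=/t \
    -e ip.src -e ip.dst -e tcp.dstport -e tcp.len \
    -e http.request.method -e http.content_length \
    -e ftp.request.command -e ftp.request.arg \
    -e tls.handshake.extensions_server_name
"""
from collections import defaultdict
LOCAL = "10.0.0.5"  # constructed: address of the Linux host being examined
FIELDS = ["src", "dst", "dport", "tlen", "method", "clen", "ftpcmd", "ftparg", "sni"]

def parse(line):
    """Split one tshark field line into a record, padding missing trailing fields."""
    f = line.rstrip("\n").split("\t")
    return dict(zip(FIELDS, f + [""] * (len(FIELDS) - len(f))))

def classify(rec):
    """Verdict for one packet record, or None if nothing upload-like is visible."""
    if rec["src"] != LOCAL:
        return None  # inbound traffic is not an upload from this host
    if rec["method"] in ("POST", "PUT"):  # plaintext HTTP request body leaving the host
        return f"http upload to {rec['dst']} ({rec['clen'] or '?'} bytes)"
    if rec["ftpcmd"] in ("STOR", "APPE"):  # FTP commands that send a file to the server
        return f"ftp upload of {rec['ftparg']} to {rec['dst']}"
    if rec["sni"]:  # TLS ClientHello: only the server name is visible, not the payload
        return f"tls session to {rec['sni']} ({rec['dst']}): content not visible"
    return None

def triage(lines):
    return [v for v in (classify(parse(l)) for l in lines) if v]

def outbound_bytes(lines):
    """Metadata view: TCP payload bytes sent per (destination, port), any protocol."""
    totals = defaultdict(int)
    for line in lines:
        rec = parse(line)
        if rec["src"] == LOCAL and rec["tlen"].isdigit():
            totals[(rec["dst"], rec["dport"])] += int(rec["tlen"])
    return dict(totals)

SAMPLE = [  # constructed records in the field order of the command above
    "10.0.0.5\t192.0.2.10\t80\t512\tPOST\t480\t\t\t",
    "192.0.2.10\t10.0.0.5\t52310\t0\t\t\t\t\t",
    "10.0.0.5\t203.0.113.7\t21\t18\t\t\tSTOR\tkeys.log\t",
    "10.0.0.5\t198.51.100.9\t443\t517\t\t\t\t\tupdates.example.net",
    "10.0.0.5\t203.0.113.7\t21\t12\t\t\tRETR\treadme.txt\t",
    "10.0.0.5\t198.51.100.9\t443\t1460\t\t\t\t\t",
]
if __name__ == "__main__":
    print(*triage(SAMPLE), outbound_bytes(SAMPLE), sep="\n")
```

Only the first two verdicts show actual file contents; the TLS line and the byte totals are the kind of metadata-only evidence the answer falls back to once traffic is encrypted.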
Asked: 2020-10-17 12:08:32 +0000
Seen: 6,471 times
Last updated: Oct 17 '20
How are the files being uploaded? If they're being uploaded over an encrypted connection (https, ftps, sftp etc.) you won't be able to see them unless you have the decryption keys.
I don't know. I want to find anything that is uploading from my Linux box. For example, a keylogger.
Wireshark isn't really the tool for this, it's a packet analysis "microscope". You need some more specific malware tools.
I saw in some videos that malware analysis is done using Wireshark. Why can't Wireshark detect files uploading?
When you have a specific case, using Wireshark to examine the details of that case is a good use for a microscope. General surveillance of your entire environment with a microscope isn't that useful.
Wireshark doesn't have a built-in malware "detector", you would have to investigate every bit of every byte of all the traffic yourself.