Is there a tool to follow client key events in a VNC stream?

asked 2022-04-07 14:03:34 +0000

chiropteran

For an assignment I am analyzing a packet capture with the help of VNC. The goal is to find out what the client typed on their notepad during a remote Desktop session. The packets that contained 'client key event' as info revealed the message that the person typed, but I wrote it out by hand, step for step, packet for packet. Is there a tool in Wireshark that does this for you, for larger texts? There must be, right?

I apologize if this is a beginner question, I couldn't find the answer online.

1 Answer

answered 2022-04-08 16:00:56 +0000

Chuckc

updated 2022-04-08 16:07:50 +0000

tshark and CyberChef

(Since this is a homework assignment this is not a complete solution but should get you there.)
You already know the field you need. For future reference, a list of vnc fields is available on the Display Filter Reference, output of tshark -G fields or inside Wireshark - View->Internals->Supported Protocols.

tshark -r "capture filename" -T fields -e "the field you want" will print the key values.

But it will also print an empty line for every frame/packet that does not contain the field.
The tshark man page shows that a display filter can be added to the end of the command [ <filter> ].

tshark -r "capture filename" -T fields -e "the field you want" "the field you want"
will only print the key values for packets that contain the field.

It looks like vnc sends two packets for each key press. To trim the output, enhance the display filter by adding another field that indicates either the key being pressed or the key being released.

tshark -r "filename" -T fields -e "the field you want" '"the field you want" && "some other field"'
It helps to put ticks ' or quotes " around the display filter when it contains spaces.

The output will be a list of hex numbers. The tshark man page section -G [ <report type> ] (specifically Header Fields) shows the attributes for each field:

Field 6 base for display (for integer types); "parent bitfield width" for FT_BOOLEAN

~$ tshark -G fields | grep "the field you want"

F   Key  "fieldname"   FT_UINT32    vnc  BASE_HEX   0x0     "field description"

Reading hex for ASCII digits is pretty easy - 0x30-0x39 is digits 0-9. Adding in the alphabet and other keys gets a bit more complicated. It's easier to just copy the hex information to CyberChef and let it do the translation.

(For those that want to play along with the home game, a VNC sample capture is available in the wiki SampleCaptures or the wiki page for vnc)


Thank you very much Chuckc.

I technically already provided a sufficient answer for the assignment by doing it by hand (first year Computer Science student), but I'm going to give tshark a go at the pcap file, and if successful, use that method instead (as it is more efficient). I didn't know that there was a terminal-based Wireshark at all, until your answer.

Thank you for taking the time to answer my question.

chiropteran ( 2022-04-09 11:03:53 +0000 )

I tried:

tshark -r wonka.pcapng -T fields -e vnc.key 'vnc.key && vnc.key_down'
(wonka.pcapng being the name of the file)

I thought those two fields were the most probable candidates from the vnc fields list that you linked.

It doesn't seem to filter out the false key down events (still showing all vnc packet contents). The second issue is that some hex values don't correspond to the letters actually being typed. Random 'ff' values are being prepended here and there for <enter> and <shift> keys, and other letters seem off too. The contents of the message are:

can you see me // <backspace><backspace>

_ <backspace>

<return x 40>


but the hex translation from cyberchef using the output from the above command is :

...c...c...a...a...n...n... ... ...y...y...o...u...o... ...u... ...s...e...s...e...e...e... ... ...m...m ...(more)

chiropteran ( 2022-04-09 12:01:17 +0000 )

It can help to build the display filter in the Wireshark GUI.
The “Analyze” Menu (and also right-clicking a field in the Packet Details) have a menu pick to Apply as Column. Add the two fields you are using in the filter as columns and apply the display filter. This will show the duplicate keys and that the value for vnc.key_down toggles between 1 and 0. So the tshark display needs an extra piece to filter on packets where a specific value is set for vnc.key_down. Add a == "some value" to the end of the filter.

The extra keys not typed are part of the client/server communication and more specific to how vnc operates.

Chuckc ( 2022-04-09 15:13:39 +0000 )

Thanks for spelling it out for me! I got the result I was looking for.

chiropteran ( 2022-04-10 12:03:16 +0000 )
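
The translation step that the thread hands to CyberChef, as an added example that is not part of the original posts: the key value in an RFB (VNC) key event is an X11 keysym, so the "ff" values seen above are keys such as BackSpace (0xff08), Return (0xff0d) and Shift (0xffe1), and each key appears once for press and once for release. The sketch assumes tab-separated `vnc.key` and `vnc.key_down` columns from `tshark -T fields`; the function names and sample rows are constructed for illustration.

```python
# Added example: rebuild typed text from RFB KeyEvent keysyms exported by tshark.
# Assumed input: "vnc.key<TAB>vnc.key_down" per line (tshark -T fields with two
# -e options); the exact value formatting can differ between tshark versions.

# X11 keysyms 0xffXX are function/modifier keys, not printable characters.
SPECIAL = {
    0xFF08: "BackSpace", 0xFF09: "Tab", 0xFF0D: "Return", 0xFF1B: "Escape",
    0xFFE1: "Shift_L", 0xFFE2: "Shift_R", 0xFFE3: "Control_L",
    0xFFE4: "Control_R", 0xFFE5: "Caps_Lock", 0xFFE9: "Alt_L",
    0xFFEA: "Alt_R", 0xFFFF: "Delete",
}
MODIFIERS = {"Shift_L", "Shift_R", "Control_L", "Control_R", "Caps_Lock", "Alt_L", "Alt_R"}

def parse_events(text):
    """Yield (keysym, is_down) for each row that carries a key event."""
    for line in text.splitlines():
        cols = line.split("\t")
        if len(cols) != 2 or not cols[0].strip():
            continue  # frame without a key event, or malformed row
        yield int(cols[0], 16), cols[1].strip().lower() in ("1", "true")

def decode(text, apply_edits=True):
    """Return the text typed, using key-down events only."""
    out = []
    for keysym, is_down in parse_events(text):
        if not is_down:
            continue  # the matching key release repeats the same keysym
        name = SPECIAL.get(keysym)
        if name is None and 0x20 <= keysym <= 0xFF:
            out.append(chr(keysym))  # Latin-1 keysym == character code
        elif apply_edits and name == "Return":
            out.append("\n")
        elif apply_edits and name == "BackSpace":
            del out[-1:]  # remove the previous item, if there is one
        elif apply_edits and name in MODIFIERS:
            continue  # a shifted letter is sent as its own keysym
        else:
            out.append("<%s>" % (name or hex(keysym)))
    return "".join(out)

# Constructed sample rows (not taken from the capture discussed in the thread).
SAMPLE = "\n".join([
    "0x0000ffe1\t1", "0x00000048\t1", "0x00000048\t0", "0x0000ffe1\t0",
    "\t", "0x00000069\t1", "0x00000069\t0", "0x00000078\t1", "0x00000078\t0",
    "0x0000ff08\t1", "0x0000ff08\t0", "0x0000ff0d\t1", "0x0000ff0d\t0",
])

if __name__ == "__main__":
    print(repr(decode(SAMPLE)))
    print(decode(SAMPLE, apply_edits=False))
```

With `apply_edits=False` the special keys are kept as tags, which is the form to use when the assignment asks for the raw keystroke sequence rather than the resulting text.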


Asked: 2022-04-07 14:03:34 +0000

Seen: 133 times

Last updated: Apr 08