How to use Wireshark to view Synergy keyboard network activity

Monday, September 5, 2022
(updated 
)
Nick Bolton
Nick Bolton
Founder CEO & Interim-CTO of Symless (Synergy team)

Ever wondered how key presses and clipboard data look on the network when you run Synergy unencrypted without TLS/SSL enabled? If so, you're not the only one!

Key press network traffic from Synergy

Sometimes, network professionals will do this just for fun, like at DEFCON 22...

"For round seven of our recent Network Forensics Puzzle Contest at DEFCON 22, we captured some Synergy network traffic with a clue hidden inside (so stop reading if you have yet to solve that round!) Now we will explore in-depth the revealing data contained in the Synergy protocol." (Source: Tracking Keyboard and Mouse Activity)

Ok, so want to do this yourself?

Here are the steps you need to follow...

Step 1) Install a packet sniffer

There are many packet sniffers, but we'll use Wireshark, probably the most well known packet sniffing tool (aka. 'packet analyzer') used by security professionals, network software engineers, and anyone else that needs to take a peek into what's happening with network traffic.

Download, install and run Wireshark, to capture the network packets so that you can read them later.

There are two approaches, and both have the same outcome. Knowing both ways will give you a bit more insight into how you can use Wireshark if you haven't used it before.

Step 2) Get to sniffin'

Approach #1 (RTFM)

  1. Configure and start Synergy (ensure that TLS/SSL is disabled).
  2. Start capturing packets in Wireshark on your chosen adapter.
  3. Use Synergy to move your mouse to the other computer, and start typing.
  4. Check the Synergy page in the Wireshark docs for the field name that you want to filter on, e.g. synergy.keyreleased
  5. Go ahead and type or copy/paste that field name into the filter bar.
  6. Press enter to apply the filter.
Wireshark filter: synergy.keyreleased

Yeah, I know, I'm revealing my LAN IPs to the Internet. They're pretty generic LAN IPs, not specific to me, so not really a big deal.

Pro tip: You can also filter on specific keys, e.g. synergy.keyreleased.keyid == 103

Approach #2 (read the code)

  1. Configure and start Synergy (ensure that TLS/SSL is disabled).
  2. Start capturing packets in Wireshark on your chosen adapter.
  3. Use Synergy to move your mouse to the other computer, and start typing.
  4. Look up the protocol message code in the protocol_types.cpp file; for example, it's DKUP (for key up).
  5. Type into the filter bar: synergy.packet_type == "DKUP"
  6. Press enter to apply the filter.
Wireshark filter: synergy.packet_type == "DKUP"

Step 3) Understand your filtered capture

Once you have found your key up packets and applied the filter, you can step through each packet to use the "Key Id" to find each key ID. Do these numbers look familiar to you?

Hint: They're all between 97 and 122. If you guessed "Hey, those look like ASCII key codes!" then you'd be right.

If you head over to any ASCII code map, you can look up those numbers and translate them into letters. You can also take a look at key_types.h for any strange keys that aren't letters, numbers, symbols, etc.

A secret series of Synergy key presses captured using Wireshark

Bonus challenge

Can you decode the mystery key presses? Here's the sequence of numbers...

116 104 101 32 113 117 105 99 107 32 98 114 111 119 110 32 102 111 120 32 106 117 109 112 101 100 32 111 118 101 114 32 116 104 101 32 108 97 122 121 32 100 111 103

Hackerman: He's the most powerful hacker of all time

How do I enable TLS/SSL encryption?

Synergy has support for TLS encryption when you purchase the Ultimate edition or Pro edition (Pro upgrade only available to customers who purchased before July 8th 2022).

After upgrading, go to Edit, and click Preferences to ensure that the Enable TLS encryption checkbox is ticked, then click Save.

Enable TLS encryption in Preferences

FAQ for TLS/SSL

Where's the upgrade promo code?

Q: I got an email with a promo code to upgrade to Pro, but the links on this page don't apply the promo code.

A: We sent out a promo code for 50% off the upgrade price for Synergy Pro (we don't have a code for the new Ultimate edition, yet). Please use the link in your email to apply the Pro edition upgrade promo code. Please contact us if you need help.

What happens without TLS/SSL?

Q: I don't have Synergy Ultimate or Synergy Pro edition. Does that mean my Synergy install is not secure? Will hackers be able to get my data?

A: Your level of security depends on your LAN (local area network) connection. If you're using home Ethernet only, then it's unlikely that a malicious person will have gained access to your network (unless you share access to your Ethernet switch with people you don't fully trust). However, if you're using Wi-Fi, then it's relatively straightforward for someone to packet sniff your wireless communication, given enough skill. If you're using Wi-Fi, we recommend you use TLS/SSL encryption. If you're a business user, then you'll be on Synergy Business which comes with TLS/SSL as standard.

Why is TLS/SSL an upgrade?

Q: Why don't you just release TLS/SSL in the standard edition?

A: Not all customers need TLS/SSL in Synergy. As a business, we owe it to our customers to produce the best product possible. To do that, we need to pay developer salaries to improve Synergy. Charging extra for TLS/SSL allows to make better software.

Posted 
September 5, 2022
 by 
Nick Bolton
 (revised on 
)

Get started with Synergy

Learn about Synergy

If you have any further questions, please contact us.