All of these devices are now on your home network. Connected to the internet. Calling home. Day and night.
Do you know what is going on in your home network?I certainly did not. I wanted to find out. I wanted to learn, to play, to experiment. I did not want to spend a lot of money.
Still with me? Then let’s go exploring the shadow world of the IoT — Internet of Things.
Introducing my Home NetworkNow let me introduce my home network. Fairly average, I guess you’ll find a pretty similar setup in your home as well. It is amazing how many devices end up online, even if your fridge and TV are not “smart” yet.
|My Initial Home Network — Fairly Similar To Yours?|
If you want to analyze all Internet traffic you need to do it somewhere between cable/DSL modem and your local network.
Learning to love Linux (and hate Wifi routers)
I wanted to log all Internet traffic. I had a Raspberry Pi available, so I set up a firewall/proxy on the Raspberry Pi, but performance simply sucked. Okay for isolated analysis, but certainly not good enough for everyday usage.
Next step was to install Linux/OpenWRT on a cheap 40€ WifiRouter (TP-Link 3600). Worked pretty well, even managed to sniff network traffic with tshark. Transparent Proxy was a bit tricky, which did not work for HTTPS and performance was not acceptable.
Then I remembered Domain Name Services (DNS) — the tiny service that translates internet addresses (www.domain.com) to its IP address (127.0.0.1). Pretty much all Internet transactions require name resolution via DNS — and logging these is quite simple, without impacting network performance (I’ll describe how, further down).
Just one tiny problem: Network Address Translation (NAT)
All consumer grade Wifi routers have NAT built in — which makes it impossible to identify which of your devices are talking, because they all show up with the same IP address.
Additionally, most Wifi devices route all DNS-requests to your customitzed destination and do not tell the devices to go directly to the DNS server. Again, your own DNS server cannot separate the clients as they all use the router IP.
Learning to love real Wifi Access Points (AP)
Finally, ARStechnica motivated me to ditch my Wifi router for a real Wifi Access Point. Cost was a bit steep at first (200€ for a dual-band Ubiquitiy AP), but the features and performance rocked. Wireless performance is much much better — all over our house. Opening a guest network with access code a breeze. And I did not miss all these other useless features( USB storage on a Wifi router? DECT telephones when I already have a base station?).
|Home Network — with added Raspberry PI and new WiFi AP|
Besides improving my WiFi reception throughout the house, the new AP is not messing with my network traffic, allowing me to track and analyze each individual device, wired or wireless.
Learning to love Linux (and DNSMASQ)
Now, let’s get back to Internet traffic logging. As mentioned earlier, I want to log every internet interaction for every client on my home network.
|dnsmasq.log detailing every DNS query|
With DNSMASQ DHCP options I can select which devices send their DNS requests directly to the Internet (labelled "GREEN" network) or to my Raspberry Pi logger (labelled "RED" network). There is no need to change the settings manually on every device!
|Green and Red network settings provided via DHCP options|
And the winners are…
Through this journey I have learned a lot, spent a few evenings not watching TV and spent some money (hey, it’s always fun to play with new toys!).
What did I learn throughout this journey?
- Consumer grade equipment is for consumers.
(if you want more, you need to spend more...time)
- Linux and the Internet are truly powerful. And complex.
(Always compare tutorials…some of them are not correct).
- Network protocols are actually quite easy.
(Have fun exploring DHCP options!)
- Goofing around with a Raspberry PI is like grown-up LEGO
(assembly instructions on the Internet)
…advertising and content networks.
Now, who did you expect your devices to talk to? How are Facebook and Google making money? Come on….don’t be surprised.
Here is aggregated data from my home network over the last couple of days (I manually categorized the domains):
|DNS Queries by category|
Where to go from here?
Now that I have spent plenty of time on understanding my home network, what shall I do next?
- Block Advertising/Tracking networks
(just add the domains to /etc/hosts)
- Sniff & manipulate network traffic
(what data is actually sent?
replace all advertising with corn flower blue pictures?)
- Publish detailed technical step-by-step tutorial
(cut & paste from the linked articles)
Your feedback, questions and ideas are appreciated!