Sniffnet – monitor your Internet traffic (github.com)
pknerd 7 hours ago [-]
I'd like to collect something at the router level to learn how my kids are using the Internet.

Like I'd like to know the sites being visited on different devices.

Is there any such thing possible?

pbhjpbhj 6 hours ago [-]
Pihole will show you devices and the domains they access; it's not particularly designed towards that end, but it can.

You can sit down with them and have a look at their history?

I use Pihole to block nefarious sites (malware etc.) but also I use the OpenDNS (now Cisco) family friendly DNS addresses as nameservers. I can add domains if needed through the Pihole interface, or through the OpenDNS interface (former is easier).

It's not watertight, but I figure if they can work out how to workaround it then they're at a level where I should give more generic guidance. They get exposed to porn and what not on social media (which I don't block) and through friends at school and through their friends devices, or connecting to other networks I don't have control over. Easiest workaround imo is to fire up a browser that uses TOR.

Mind you we're a computer/consoles only in family rooms household and they don't get phones until they go to high school (11yo).

ElCapitanMarkla 5 hours ago [-]
It’s also handy for making a special rule which can be toggled to totally block YouTube on the kids iPad.
CommanderData 5 hours ago [-]
With DNS over HTTPS and others, this is becoming less possible. I think Chrome does this by default on some platforms.
hackerknew 6 hours ago [-]
Years ago, I set up https://mitmproxy.org on a Raspberry Pi and used it to get logs of every site that my kids would visit. I should be clear that monitoring/spying != parenting, but it definitely made me feel a little better to have some idea of what the kids are using the internet for.

From a technical perspective, it did exactly what you want. I had logs of full urls (not just domains). So, for example, I could view what they googled and when, if I wanted to anyway.

It did involve installing a certificate on the computer that they use, but there are how-to guides so setting everything up was simply a matter of following instructions.

The biggest drawback is that it noticeably slowed their internet. I imagine if I had run this on a more powerful computer it may have been better.

---

Note, for those suggesting PiHole, it is very good for getting logs of domains accessed, but not very informative. For example, you can tell that a computer accessed "youtube.com" at a certain time, but not what was actually viewed. That may be obvious to many of us, but just clarifying in case it is not obvious to the OP.

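The setup described above (mitmproxy on a Pi logging full URLs per device) as an added example, not the commenter's own script: a minimal mitmproxy addon that records the full URL and client IP of every request it decrypts, pulls the search terms out of a few search engines' query strings, and can roll the same data up to per-device domain counts to show what a DNS-only log would have given you. The `SEARCH_PARAMS` table, the log path and `fake_flow` are assumptions for illustration; the hook name `request`, `flow.request.pretty_url` and `flow.client_conn.peername` are the real mitmproxy addon API (7.x or newer). As the comments say, this only sees traffic from devices that trust the mitmproxy CA, and apps with pinned certificates will fail rather than be logged.

```python
"""Added example of a mitmproxy addon (not the original poster's setup).
Load with `mitmdump -s kidlog.py` (regular proxy) or `mitmdump -s kidlog.py --mode transparent`
behind a router that redirects ports 80/443 to this host. Devices must trust the mitmproxy CA;
apps with pinned certificates fail instead of being logged."""
from __future__ import annotations

import json
import time
from collections import Counter, defaultdict
from types import SimpleNamespace
from urllib.parse import parse_qs, urlsplit

# Hostname -> query-string parameter carrying the search terms (assumed table; extend as needed).
SEARCH_PARAMS = {
    "www.google.com": "q",
    "duckduckgo.com": "q",
    "www.bing.com": "q",
    "www.youtube.com": "search_query",
}


def search_query(url: str) -> str | None:
    """Return the search terms if `url` is a search on a known engine, else None."""
    parts = urlsplit(url)
    key = SEARCH_PARAMS.get(parts.hostname or "")
    if not key:
        return None
    values = parse_qs(parts.query).get(key)   # parse_qs also turns '+' into spaces
    return values[0] if values else None


def make_entry(client_ip: str, method: str, url: str, ts: float | None = None) -> dict:
    """One log record: the full URL (what a DNS log cannot give you) plus any search terms."""
    return {"ts": time.time() if ts is None else ts, "client": client_ip, "method": method,
            "host": urlsplit(url).hostname, "url": url, "query": search_query(url)}


class KidLog:
    def __init__(self, path: str | None = None):
        self.path = path                  # None keeps entries in memory only
        self.entries: list[dict] = []

    def request(self, flow) -> None:
        """mitmproxy hook, called for every HTTP request it decrypts."""
        entry = make_entry(flow.client_conn.peername[0], flow.request.method,
                           flow.request.pretty_url)
        self.entries.append(entry)
        if self.path:
            with open(self.path, "a", encoding="utf-8") as fh:
                fh.write(json.dumps(entry) + "\n")

    def per_client_hosts(self) -> dict[str, dict[str, int]]:
        """Domain-level rollup per device: roughly the view a DNS log such as Pi-hole gives."""
        rollup: dict[str, Counter] = defaultdict(Counter)
        for e in self.entries:
            rollup[e["client"]][e["host"]] += 1
        return {c: dict(h) for c, h in rollup.items()}


# What mitmproxy picks up when the script is loaded; the path is an assumption.
addons = [KidLog("/var/log/kidlog.jsonl")]


def fake_flow(client_ip: str, method: str, url: str) -> SimpleNamespace:
    """Stand-in for a mitmproxy HTTPFlow, only for running the example without mitmproxy."""
    return SimpleNamespace(client_conn=SimpleNamespace(peername=(client_ip, 51234)),
                           request=SimpleNamespace(method=method, pretty_url=url))


if __name__ == "__main__":
    log = KidLog()
    log.request(fake_flow("192.168.1.20", "GET", "https://www.google.com/search?q=minecraft+mods&hl=en"))
    log.request(fake_flow("192.168.1.20", "GET", "https://www.youtube.com/watch?v=dQw4w9WgXcQ"))
    print([e["query"] for e in log.entries])   # ['minecraft mods', None]
    print(log.per_client_hosts())
```

The rollup method is there to make the thread's point concrete: the same two requests collapse to `{"www.google.com": 1, "www.youtube.com": 1}` at domain level, which is all a resolver log can ever show.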
brianstrimp 5 hours ago [-]
> So, for example, I could view what they googled and when, if I wanted to anyway.

How old are your kids and do they know you are doing this? There surely is a difference between a 5- and a 15-year old. But if they are not at all aware they are constantly being watched like that, man that's some serious breach of trust. This full-on surveillance could damage your kids for life.

I'm so glad this kind of tech hardly existed when I was a kid 30 years ago.

chgs 5 hours ago [-]
The internet of 1995 is very different from the internet of today.
therein 5 hours ago [-]
This tech existed 30 years ago, just wasn't packaged up for easy deployment. As late as 2012 you could MITM people in your network, even without being the person managing the router. ARP poisoning and mitmproxy or just some intelligent reverse proxy, you could pick up the cookies, URLs, and POST data for all the requests in the network.
brianstrimp 5 hours ago [-]
Sure, a computer nerd dad could have somehow surveilled me dialling into some BBS with my 28.8 kbps modem, but the number of people in the world that actually did this to their kids can probably be counted on one hand, and they were all psychos.

MITM-ing https google searches with a custom root cert today, man, you don't want to leave your kids any privacy? Do you also have hidden cameras in their bedroom? That's roughly on the same level.

chgs 5 hours ago [-]
Yet people are fine about their employers doing it
groby_b 4 hours ago [-]
Because that's with awareness and consent? That's a significant difference.
StimDeck 5 hours ago [-]
For MITM like this you need to install certificates into the devices and it won’t work for apps with pinned certificates.
petee 3 hours ago [-]
I use Unbound as my local dns resolver, and it has an option to live dump unique names to a file (but not the ips that requested it.) It's easy to parse and you get a general idea what's passing through; the individual clients don't matter to me unless something looks like it's worth investigating, then use dnstop for specifics.

Edit: I forgot not all traffic will use the local resolver, so dnstop would be more accurate

INTPenis 7 hours ago [-]
OpenWRT has prometheus node exporter packages.

But in your case I think a PiHole would make sense, first of all you don't need to put it on the router, just point the router's default DNS to your pihole. But a pihole will give you a nice dashboard of all the DNS records resolved in your network. Which will give you a really good idea of what your kids are doing, since most of it is via DNS.

whilenot-dev 7 hours ago [-]
Can you install ntopng[0] on the router?

[0]: https://www.ntop.org/products/traffic-analysis/ntop/

uncharted9 7 hours ago [-]
I've used NextDNS. Pretty handy. Just change DNS settings on devices with your NextDNS profile specific resolver address and you can see the logs of all websites accessed from each device.
tau255 6 hours ago [-]
You can do that with pihole, if you set it up to keep the logs. Just adjust dhcp settings so your devices get its address as DNS server.
majormjr 7 hours ago [-]
If you have a switch with port mirroring you can send the traffic to another device and monitor using something like Suricata.
garyfirestorm 6 hours ago [-]
Adguard is much better in my experience compared to pihole.
dang 6 hours ago [-]
Related:

Sniffnet – Comfortably monitor your internet traffic (like Wireshark) - https://news.ycombinator.com/item?id=36728672 - July 2023 (60 comments)

Sniffnet: Open-source, cross platform application to monitor network traffic - https://news.ycombinator.com/item?id=35991811 - May 2023 (38 comments)

Comfortably monitor your network traffic in real-time with Sniffnet - https://news.ycombinator.com/item?id=33693185 - Nov 2022 (4 comments)

Sniffnet – A multithreaded, cross-platform network analyzer - https://news.ycombinator.com/item?id=33132169 - Oct 2022 (2 comments)

NelsonMinar 9 hours ago [-]
I'd love a tool like this built into my router. OpenWRT maybe.

Ubiquiti's routers have some monitoring tools like this but the reported data is completely wrong.

bazmattaz 6 hours ago [-]
I find it a shame that routers don’t have this information in their UIs already. They should be able to show all the IPs visited by each device on the network
mrnotcrazy 7 hours ago [-]
Can you expand on what’s wrong about it? I have some ubiquiti gear and I haven’t noticed anything wrong but I haven’t taken a close look.
petee 6 hours ago [-]
Ubiquiti stuff has always been flaky with metric accuracy, it's commonly mentioned on their forums, and I get the impression they never intended it to be super accurate, just a general overview.

My personal experience with a USG is that under real load it will deprioritize stats, so traffic speeds etc start getting dropped, though I guess that's better than losing network speed just to make a pretty graph

petersellers 2 hours ago [-]
The USG is pretty old at this point, so that's not too surprising. I wonder if their newer hardware suffers from the same issues.
petee 1 hours ago [-]
It's true it's aging but still works well for a small network. From what I gather in the forums, it might be due to the controller software not so much the specific hardware; the complaints still seem fairly steady.

For example the past year someone reported their printer used less than 30KB but was recorded as 1.6GB; another with a Cloud Gateway (not too old) reporting 17GB of traffic daily for a Kindle consuming less than 1MB

NelsonMinar 6 hours ago [-]
Here's an old post of mine about it. This was a year ago, maybe it's improved but given they were willing to ship this I am not optimistic.

https://nelsonslog.wordpress.com/2023/11/19/ubiquiti-routers...

hosteur 8 hours ago [-]
What makes this better than tcpdump/wireshark?
bdavbdav 7 hours ago [-]
Not quite so intense looking.
weystrom 3 hours ago [-]
Nice UI
cobertos 6 hours ago [-]
What's the point of monitoring your Internet traffic at the domain and IP level? If you want to stop sensitive data exfiltration, it doesn't matter the domain (malicioussomething.com vs google.com) but the data in the packets, which apps like this rarely track.

How do people deal with this dichotomy?

distracted_boy 6 hours ago [-]
Well if you are uploading GBs upon GBs, maybe even TBs to malicioussomething.com or google.com, you know something's up. That's the first indicator. Next is to track what processes are responsible for the connection and go from there.
echoangle 5 hours ago [-]
If you don’t care about the specific domain, you can just look at the upload bandwidth usage statistic.
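The two replies above (flag by upload volume first, then find the responsible process) as an added worked example, not code from the thread or from Sniffnet: it aggregates constructed per-flow byte counts by (source, destination), flags pairs by absolute upload or by an upload:download ratio that does not look like browsing, and then joins the hits against constructed `ss -tnp` output from the flagged host to name the owning process. The thresholds, the sample flows and the `ss` lines are all assumptions; the `users:(("name",pid=N,fd=M))` column format is what iproute2's `ss -p` really prints.

```python
"""Added example: detect exfiltration-sized uploads by volume, not by destination name,
then attribute the socket to a process on the sending host. Sample data is constructed."""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed per-flow accounting (not real captures): ts src dst bytes_out bytes_in.
# This is the shape you get from conntrack accounting, a NetFlow exporter or a per-host view.
FLOWS = """\
# ts          src            dst            bytes_out  bytes_in
1700000000  192.168.1.20   203.0.113.10        1200     48000
1700000005  192.168.1.20   203.0.113.10        2048     90000
1700000010  192.168.1.20   198.51.100.7   734003200     12000
1700000012  192.168.1.31   203.0.113.25        5800    120000
1700000020  192.168.1.31   192.0.2.99       4194304      1500
"""

MiB = 1 << 20


def parse_flows(text: str) -> list[tuple[int, str, str, int, int]]:
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, out, inn = line.split()
        flows.append((int(ts), src, dst, int(out), int(inn)))
    return flows


def upload_outliers(flows, min_bytes=100 * MiB, min_ratio=20.0, min_for_ratio=1 * MiB):
    """Flag (src, dst) pairs by what they sent, regardless of who the destination is.
    Two triggers: absolute upload volume, or an upload:download ratio that looks nothing
    like browsing (browsing pulls far more than it pushes). Thresholds are assumptions."""
    totals: dict[tuple[str, str], list[int]] = defaultdict(lambda: [0, 0])
    for _, src, dst, out, inn in flows:
        totals[(src, dst)][0] += out
        totals[(src, dst)][1] += inn
    hits = []
    for (src, dst), (out, inn) in totals.items():
        ratio = out / max(inn, 1)
        if out >= min_bytes or (ratio >= min_ratio and out >= min_for_ratio):
            hits.append({"src": src, "dst": dst, "bytes_out": out, "ratio": round(ratio, 1),
                         "reason": "volume" if out >= min_bytes else "ratio"})
    return sorted(hits, key=lambda h: -h["bytes_out"])


# Constructed `ss -tnp` output taken on the flagged host (run as root to see every user's PIDs).
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port    Peer Address:Port   Process
ESTAB  0      0      192.168.1.20:51234    198.51.100.7:443    users:(("rclone",pid=4242,fd=7))
ESTAB  0      0      192.168.1.20:51240    203.0.113.10:443    users:(("firefox",pid=3101,fd=88))
"""
SS_RE = re.compile(r'^ESTAB\s+\d+\s+\d+\s+(\S+):\d+\s+(\S+):\d+\s+users:\(\("([^"]+)",pid=(\d+)')


def owners_from_ss(text: str) -> dict[tuple[str, str], tuple[str, int]]:
    """(local_ip, peer_ip) -> (process name, pid). IPv6 peers appear as [addr]:port in ss
    output; the regex keeps the brackets, which is fine for a lookup key."""
    owners = {}
    for line in text.splitlines():
        m = SS_RE.match(line)
        if m:
            local, peer, name, pid = m.groups()
            owners[(local, peer)] = (name, int(pid))
    return owners


def explain(hits, owners):
    """Attach the owning process where the host-side socket table knows it."""
    out = []
    for h in hits:
        proc = owners.get((h["src"], h["dst"]))
        out.append({**h, "process": f"{proc[0]}[{proc[1]}]" if proc else None})
    return out


if __name__ == "__main__":
    hits = upload_outliers(parse_flows(FLOWS))
    for h in explain(hits, owners_from_ss(SS_OUTPUT)):
        print(h)   # 198.51.100.7 by volume (rclone[4242]); 192.0.2.99 by ratio (process unknown)
```

Note the two different reasons: the 700 MiB transfer trips the volume rule, while the 4 MiB push to 192.0.2.99 with almost nothing coming back trips the ratio rule, which is the pattern of a slow beacon rather than a bulk copy. The process join only works on the host itself (or from an agent on it); a capture at the router or a mirror port, which is where Sniffnet and Suricata sit in this thread, cannot see PIDs.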
wackget 8 hours ago [-]
I've always wondered: is there a tool which could selectively block internet traffic on a per-domain basis via a GUI interface like the uMatrix browser extension does for websites?

https://i.imgur.com/Ae4npRh.png

Obviously you can block hostnames quite easily via a hosts file, but it would be great if there was an easy-to-use GUI which could block stuff at the router level. If possible it could even inspect URIs to selectively block requests for certain file extensions etc.

bornfreddy 6 hours ago [-]
There is OpenSnitch [0] on Linux, but it is a bit clumsy to setup. I tried it once and didn't get far, but have it again on my todo list. Not aware of something else on Linux.

On Android there is NetGuard [1] which is awesome (not affiliated, just a happy customer).

[0] https://github.com/evilsocket/opensnitch

[1] https://netguard.me/

RMPR 3 hours ago [-]
My only gripe with Netguard is that it screws up roaming. With that enabled I couldn't access apps like my bank and various others when I was out of the country. Other than that, amazing piece of software.
Groxx 8 hours ago [-]
Somewhat, though various privacy enhancements have made / are making this harder and harder as time has gone on (which is generally good, because it also prevents your ISP / hotel from doing the same thing). Browsers are in a somewhat unique position, where they have detailed knowledge about every request they perform.

E.g. historically you could figure out IP <-> domain name pretty easily by simply watching DNS: cache the IP addresses for each domain as it's looked up, and do a reverse lookup when a request for that IP occurs. DNSSEC / DNS over HTTPS / etc hide that data, so it has to come from other sources (e.g. a remote lookup, bulk cached data, etc) or simply not be known at all.

You could also pull the data from the HTTPS handshake, which has Server Name Indication to support multiple domains behind a single IP address (e.g. hosted in a cloud), if that data exists (single-site static IPs may not have this). But Encrypted Client Hello hides this, so you're back to just IP addresses. (ECH is not very widespread yet AFAIK, but it's growing)

---

You can work around much of this if you have your router MITM your traffic, but that's kinda a pain to set up (as it should, it'd be very bad if someone else did it and you didn't notice), and essentially only works with "common" requests (e.g. https) which aren't using certificate pinning (a small number of mobile apps do this, outside that it's more rare AFAICT). You can just block all those of course, but it'll break some things.

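The two attribution paths in the comment above (learn IP to name from DNS answers as they go by, fall back to the TLS ClientHello's SNI when DNS is encrypted or missed) as an added worked example, not part of Groxx's comment or of Sniffnet: a small passive attributor that parses a DNS response (including 0xC0 compression pointers) into an IP to name cache, extracts `server_name` from a TLS ClientHello, and labels a flow with the best source it has. The packets it runs on are constructed in the block itself; `build_dns_response` and `build_client_hello` exist only to make it runnable offline. It also shows the failure modes the comment mentions: a hello without SNI (or, with ECH, one carrying only the provider's public name) falls back to the DNS cache, and a destination that never appeared in visible DNS stays an IP.

```python
"""Added example: passive IP -> hostname attribution from DNS answers and TLS SNI.
Sample packets are constructed here; nothing is read from the network."""
from __future__ import annotations

import ipaddress
import struct
from typing import Optional


# ---- DNS side: learn <answer IP> -> <question name> from responses ----

def _read_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode a DNS name at msg[off:], following compression pointers (0xC0xx).
    Returns (name, offset just past the name as it appeared at `off`)."""
    labels: list[str] = []
    end, jumped = off, False
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                           # pointer to an earlier name
            if not jumped:
                end = off + 2
            jumped = True
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        if ln == 0:
            if not jumped:
                end = off + 1
            return ".".join(labels), end
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln


def learn_from_dns_response(msg: bytes, cache: dict[str, str]) -> int:
    """Record ip -> question name for each A/AAAA answer; returns how many were learned."""
    _, flags, qdcount, ancount, _, _ = struct.unpack_from("!6H", msg, 0)
    if not flags & 0x8000:                              # QR=0: a query, nothing to learn
        return 0
    off, qname = 12, None
    for _ in range(qdcount):
        name, off = _read_name(msg, off)
        qname = qname or name                           # what the client actually asked for
        off += 4                                        # QTYPE, QCLASS
    learned = 0
    for _ in range(ancount):
        _, off = _read_name(msg, off)                   # owner name (may be a CNAME target)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:
            cache[str(ipaddress.IPv4Address(rdata))] = qname
            learned += 1
        elif rtype == 28 and rdlen == 16:
            cache[str(ipaddress.IPv6Address(rdata))] = qname
            learned += 1
    return learned


def _encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def build_dns_response(txid: int, qname: str, ips: list[str]) -> bytes:
    """Constructed response: one question, one A record per IP, owner names as a pointer
    to the question name at offset 12 (0xC00C), the way real resolvers compress them."""
    hdr = struct.pack("!6H", txid, 0x8180, 1, len(ips), 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)
    answers = b"".join(struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + ipaddress.IPv4Address(ip).packed
                       for ip in ips)
    return hdr + question + answers


# ---- TLS side: server_name from the ClientHello ----

def sni_from_client_hello(rec: bytes) -> Optional[str]:
    """Return server_name from a TLS record carrying a ClientHello, else None. With ECH the
    outer hello carries only the provider's public_name here, never the real site."""
    try:
        if rec[0] != 0x16 or rec[5] != 0x01:
            return None
        off = 5 + 4 + 2 + 32                                # record hdr, handshake hdr, version, random
        off += 1 + rec[off]                                 # session_id
        off += 2 + struct.unpack_from("!H", rec, off)[0]    # cipher_suites
        off += 1 + rec[off]                                 # compression_methods
        if off + 2 > len(rec):
            return None                                     # hello without extensions
        ext_end = off + 2 + struct.unpack_from("!H", rec, off)[0]
        off += 2
        while off + 4 <= ext_end:
            etype, elen = struct.unpack_from("!HH", rec, off)
            off += 4
            if etype == 0 and rec[off + 2] == 0:            # server_name, name_type host_name
                nlen = struct.unpack_from("!H", rec, off + 3)[0]
                return rec[off + 5:off + 5 + nlen].decode("ascii")
            off += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        pass                                                # truncated or malformed: treat as no SNI
    return None


def build_client_hello(sni: Optional[str]) -> bytes:
    """Constructed minimal TLS 1.3 ClientHello, with or without a server_name extension."""
    exts = b""
    if sni is not None:
        host = sni.encode("ascii")
        entry = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host
        exts += struct.pack("!HH", 0, len(entry)) + entry
    exts += struct.pack("!HH", 43, 3) + b"\x02\x03\x04"       # supported_versions: TLS 1.3
    body = (b"\x03\x03" + bytes(32) + b"\x00"                 # legacy_version, random, no session_id
            + struct.pack("!H", 2) + b"\x13\x01"              # cipher_suites: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                                     # compression_methods: null
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def attribute(dst_ip: str, client_hello: Optional[bytes], cache: dict[str, str]) -> tuple[str, str]:
    """Best available label for a flow: SNI, then the DNS cache, then the bare IP."""
    name = sni_from_client_hello(client_hello) if client_hello else None
    if name:
        return name, "sni"
    if dst_ip in cache:
        return cache[dst_ip], "dns"
    return dst_ip, "ip-only"


if __name__ == "__main__":
    cache: dict[str, str] = {}
    learn_from_dns_response(build_dns_response(0x1234, "www.example.com", ["203.0.113.10"]), cache)
    print(attribute("203.0.113.10", build_client_hello("www.example.com"), cache))   # ('www.example.com', 'sni')
    print(attribute("203.0.113.10", build_client_hello(None), cache))                # ('www.example.com', 'dns')
    print(attribute("198.51.100.7", None, cache))                                    # ('198.51.100.7', 'ip-only')
```

To run this against real traffic you would feed `learn_from_dns_response` the UDP/53 payloads and `sni_from_client_hello` the first TCP segment of each 443 flow from a pcap; the two builders are only there so the block runs stand-alone. The `ip-only` branch is exactly what a DoH-using browser with ECH leaves you with, which is the comment's point.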
fiddlerwoaroof 6 hours ago [-]
Is there a way to force SNI by blocking ECH requests?
Groxx 6 hours ago [-]
You'd be looking for a "TLS / ECH downgrade attack", and... while a brief googling isn't finding anything saying explicitly "yea" or "nah", it sounds like it should generally be prevented. E.g. https://wiki.mozilla.org/Security/Encrypted_Client_Hello mentions explicit bypasses are possible with enterprise proxies (which generally require client-side certificate authorities which are an explicit opt-in to allowing a third party to decrypt your traffic). And it's a TLS 1.3 extension, and TLS 1.3 -> 1.2 downgrades are intentionally prevented as part of 1.3's design...

... and even if it wasn't, ECH works by reading public keys from DNS, so the domain owner has claimed "you can send ECH" and it's pretty easy to know "therefore you shouldn't downgrade if you are capable, it's probably an attacker". Though unencrypted DNS renders this all a bit moot of course.

---

tl;dr, with the caveat that IANAWebSecuritySpecialist and I haven't found anything I'd call actually conclusive yet:

I believe "no". Unless you are setting up client-side CAs, at which point you can MITM everything so it hardly matters.

fiddlerwoaroof 2 hours ago [-]
Well, if you control DNS, couldn’t you just block the key records?
ignoramous 38 minutes ago [-]
Yes, ECH assumes a trusted & secure channel between the client and the resolver.

https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-22...

georgeck 8 hours ago [-]
Tools like https://pi-hole.net does this for the whole house. It comes with a default set of blocked domains and you can easily add to it. It acts as your local DNS for the network.
pbhjpbhj 6 hours ago [-]
Pihole is at domain level though, you'd have to MitM to get URIs.
EvanAnderson 8 hours ago [-]
An SSL intercepting proxy like Squid will do what you're looking for, insofar as the HTTP(S) protocol. Doing that at a gateway level, instead of on the client itself, loses visibility into process IDs or other client-local state.

The old Microsoft Proxy (and later their ISA Server product) used a proprietary encapsulation between the client and the proxy server that exposed client-local state to the proxy server to let you do "magical" stuff like filtering by process name or username at a gateway level. I wish there was a free software solution that did that.

pcl 8 hours ago [-]
For client-side management, Little Snitch does approximately this on macOS.
ck45 7 hours ago [-]
There’s also LuLu from Objective-See (https://objective-see.org/products/lulu.html), and for Linux, there’s OpenSnitch (https://github.com/evilsocket/opensnitch)
gclawes 5 hours ago [-]
Objective-See has great apps
axxto 7 hours ago [-]
For Windows, you can use SimpleWall, which uses Windows Filtering Platform underneath. The UI is nice, it's very efficient and works systemwide, deeply integrated with Windows' network stack. You can set domain/IP rules, but it's generally more oriented towards per-application basis blocking/allowing.
TheRizzler 7 hours ago [-]
If Windows, there is ZTDNS worth checking out: https://techcommunity.microsoft.com/blog/networkingblog/anno...

It melds Firewall and DNS to block.

rzzzt 7 hours ago [-]
Glasswire does both monitoring and filtering IIRC, but I haven't used it for quite a long time now.
dewey 8 hours ago [-]
Is it mostly about the "matrix" interface in this case? Otherwise seems like exactly what tools like https://www.obdev.at/products/littlesnitch/index.html etc. do.
radicality 8 hours ago [-]
Posted in another comment here, but if you use Opnsense, then the Zenarmor module can provide that. You can give it a list of domains, or also preselect from a bunch of existing filters / app filters (eg block Advertising / Social Media)
spondylosaurus 8 hours ago [-]
Isn't that basically what a Firewalla does?
cvalka 7 hours ago [-]
https://safing.io/ does what you're asking. There's no need to use their SPN service.
ycuser2 9 hours ago [-]
Is it possible to select a pcap stream (named pipe or so) as input? With that I could monitor my routers interfaces.

Or are there other possibilities to monitor router interfaces with Sniffnet?

Gshaheen 10 hours ago [-]
Looks really cool with a lot of information. Can someone who knows more than I detail out what the practical use cases of something like this would be?
Exuma 9 hours ago [-]
I used brew install... which of these do I choose? I chose en0 and i get permission error (Libcap error, cannot open BPF device)

I have apple silicon

edit: i just used sudo ;p

collinvandyck76 5 hours ago [-]
That's interesting. I used `cargo install` and I don't have to use `sudo` to capture any of the interfaces I tried.
29athrowaway 9 hours ago [-]
You may also want to look at the venerable EtherApe, that has been around for a while and is packaged for most distros

https://etherape.sourceforge.io/

Exuma 9 hours ago [-]
Also, which package did you use to build this UI in rust? this is absolutely incredible. I love the vibe of it...
jasode 9 hours ago [-]
https://iced.rs/

Also look for "use iced::" at the top of the source code file:

https://github.com/GyulyVGC/sniffnet/blob/main/src/gui/sniff...

robertoandred 9 hours ago [-]
Is there a way to see what applications are causing traffic?
Havoc 8 hours ago [-]
Tcpmon is closest I can think of. Doubt interface level capture would be able to attribute to apps
tinix 9 hours ago [-]
anyone have thoughts about this vs ntopng? any other alternatives?
bullfinch 8 hours ago [-]
is there a way to visualise networks (who talks to who) in a good way? i want source to be logs from my firewall.
xhkkffbf 9 hours ago [-]
I'm looking for something similar that will run on my router and track the entire house. Any suggestions?
yonatan8070 8 hours ago [-]
I think that's highly router dependent, but here's what I know.

Home Assistant can monitor some things via the UPnP/IGD integration [1]. If you're looking for something more advanced, you could look into SNMP Exporter [2] with a Prometheus + Grafana setup.

Another option is to set up a PiHole DNS server, which would both block ads for the local network, and give you DNS statistics on a per-device basis.

None of these can get to the level of granularity you can get with a pcap based tool like sniffnet, but they're a good start to network monitoring and should work with most home routers.

If you really want to go deep with your network monitoring, you could set up a more sophisticated setup using OPNSense/PFSense, but at that point I don't know what is and isn't possible as I have no experience with them.

[1] https://www.home-assistant.io/integrations/upnp/

[2] https://github.com/prometheus/snmp_exporter

radicality 8 hours ago [-]
I haven’t looked into Sniffnet much yet, but that probably depends what you run on your router. I use OPNsense, and the Zenarmor module does provide a whole bunch of useful info together with blocking capabilities. If you pay for a home-use license (I haven’t done this), can also get few more features like MitM with your own ssl certificate.
buildbot 6 hours ago [-]
If your router supports port mirroring, you could offload this to another computer and mirror the WAN (or all the LAN) ports to that computer?
nepthar 8 hours ago [-]
I'm also hoping for something like this! Bonus points if it had a "little snitch" type of operation where I could manually approve a matrix of (device x domain)
VTimofeenko 8 hours ago [-]
Depending on the router, you could log traffic from nftables to ulogd2 to some logging monitoring/shipping solution.
pknerd 7 hours ago [-]
Maybe some DNS thing that you put in your router settings so all the traffic will go via proxy instead of direct ISP