Sniffnet – monitor your Internet traffic (github.com)
dang 151 days ago [-]
Related:

Sniffnet – Comfortably monitor your internet traffic (like Wireshark) - https://news.ycombinator.com/item?id=36728672 - July 2023 (60 comments)

Sniffnet: Open-source, cross platform application to monitor network traffic - https://news.ycombinator.com/item?id=35991811 - May 2023 (38 comments)

Comfortably monitor your network traffic in real-time with Sniffnet - https://news.ycombinator.com/item?id=33693185 - Nov 2022 (4 comments)

Sniffnet – A multithreaded, cross-platform network analyzer - https://news.ycombinator.com/item?id=33132169 - Oct 2022 (2 comments)

pknerd 151 days ago [-]
I'd like to collect something at the router level to learn how my kids are using the Internet.

Like I'd like to know the sites being visited on different devices.

Is there any such thing possible?

pbhjpbhj 151 days ago [-]
Pihole will show you devices and the domains they access; it's not particularly designed towards that end, but it can.

You can sit down with them and have a look at their history?

I use Pihole to block nefarious sites (malware etc.) but also I use the OpenDNS (now Cisco) family friendly DNS addresses as nameservers. I can add domains if needed through the Pihole interface, or through the OpenDNS interface (former is easier).

It's not watertight, but I figure if they can work out how to workaround it then they're at a level where I should give more generic guidance. They get exposed to porn and what not on social media (which I don't block) and through friends at school and through their friends devices, or connecting to other networks I don't have control over. Easiest workaround imo is to fire up a browser that uses TOR.

Mind you we're a computer/consoles only in family rooms household and they don't get phones until they go to high school (11yo).

ElCapitanMarkla 151 days ago [-]
It’s also handy for making a special rule which can be toggled to totally block YouTube on the kids iPad.
CommanderData 151 days ago [-]
With DNS over HTTPS and others, this is becoming less possible. I think Chrome does this by default on some platforms.
hackerknew 151 days ago [-]
Years ago, I set up https://mitmproxy.org on a Raspberry Pi and used it to get logs of every site that my kids would visit. I should be clear that monitoring/spying != parenting, but it definitely made me feel a little better to have some idea of what the kids are using the internet for.

From a technical perspective, it did exactly what you want. I had logs of full urls (not just domains). So, for example, I could view what they googled and when, if I wanted to anyway.

It did involve installing a certificate on the computer that they use, but there are how-to guides so setting everything up was simply a matter of following instructions.

The biggest drawback is that it noticeably slowed their internet. I imagine if I had run this on a more powerful computer it may have been better.

---

Note, for those suggesting PiHole, it is very good for getting logs of domains accessed, but not very informative. For example, you can tell that a computer accessed "youtube.com" at a certain time, but not what was actually viewed. That may be obvious to many of us, but just clarifying in case it is not obvious to the OP.

AStonesThrow 151 days ago [-]
I am thankful that you take an interest in your children's activities.

From a very early age, we invited virtual strangers and machines into our home. Before my First Communion, my best friends were the Little Engine That Could, Dr. Seuss, Atari 2600, Mr. Rogers, and cassettes from K-TEL.

Typically parents may discuss with children what they saw on TV or read in a book, or how their school day went. Have introductions to friends and peers, get to know who we're hanging out with. Our parents seemed actively disinterested in our interior lives, and intent on doing their adult duties while we were unneeded.

It became readily apparent that, more than anyone else, strangers and machines were more interested in my activities and interests. There were no supportive or encouraging friendships for me in class or in the neighborhood.

And with human connection and relationships that broken, it was inevitable that we escaped into cyberspace and fantasies. In fact, I attribute my paranoia and fear/hatred of other humans to this. "Beat Me, Bore Me, But Never Ignore Me" was my motto.

We'd been adopted, and our parents were just in the lineup of caretakers for pets. We grew up to be excellent pets.

brianstrimp 151 days ago [-]
> So, for example, I could view what they googled and when, if I wanted to anyway.

How old are your kids and do they know you are doing this? There surely is a difference between a 5- and a 15-year old. But if they are not at all aware they are constantly being watched like that, man that's some serious breach of trust. This full-on surveillance could damage your kids for life.

I'm so glad this kind of tech hardly existed when I was a kid 30 years ago.

therein 151 days ago [-]
This tech existed 30 years ago, just wasn't packaged up for easy deployment. As late as 2012 you could MITM people in your network, even without being the person managing the router. ARP poisoning and mitmproxy or just some intelligent reverse proxy, you could pick up the cookies, URLs, and POST data for all the requests in the network.
brianstrimp 151 days ago [-]
Sure, a computer nerd dad could have somehow surveilled me dialling into some BBS with my 28.8 kbps modem, but the number of people in the world that actually did this to their kids can probably be counted on one hand, and they were all psychos.

MITM-ing https google searches with a custom root cert today, man, you don't want to leave your kids any privacy? Do you also have hidden cameras in their bedroom? That's roughly on the same level.

chgs 151 days ago [-]
Yet people are fine about their employers doing it
groby_b 151 days ago [-]
Because that's with awareness and consent? That's a significant difference.
hackeraccount 150 days ago [-]
This is 100% the difference.

That said I think the bar for telling people how to raise their kids is super super high.

chgs 151 days ago [-]
The internet of 1995 is very different from the internet of today.
hackeraccount 150 days ago [-]
I know where you're coming from but there's something that's a bit off for me.

The way I think about it is if I take my daughter to the park and let her run around. I have my eye on her of course and she knows that I have my eye on her.

I'd be less comfortable if I told her to go the park and have fun but then without her knowing went over to the park and watched over her.

If she was annoyed by this I couldn't blame her. I wouldn't really want to get in a situation where I'm worried she'll find out I'm surreptitiously spying on her.

If on the other hand it's the first scenario where everything is in the open and she's not happy with that - she's running away where I can't keep an eye on her - then we can talk about it and as the parent if worse comes to worst I can just say, OK no more going to the park because we can't come to a place where we're both happy.

At the end of the day though I don't want to be going to the park with my daughter. I want her to go by herself and not get up into shenanigans. The whole thing I'm doing is to raise her in a way that when she's on her own she's aware of what's bad/dangerous/stupid and doesn't do that.

Monitoring her (especially without her knowledge) is only tangentially related to the goal. And if I'm doing it on the sly how do I let her know? Say, daughter, if you were in a park and if some guy offered you candy, you'd say no, right? Further wouldn't that give away the game that I'd been spying on her?

StimDeck 151 days ago [-]
For MITM like this you need to install certificates into the devices and it won’t work for apps with pinned certificates.
INTPenis 151 days ago [-]
OpenWRT has prometheus node exporter packages.

But in your case I think a PiHole would make sense, first of all you don't need to put it on the router, just point the router's default DNS to your pihole. But a pihole will give you a nice dashboard of all the DNS records resolved in your network. Which will give you a really good idea of what your kids are doing, since most of it is via DNS.

whilenot-dev 151 days ago [-]
Can you install ntopng[0] on the router?

[0]: https://www.ntop.org/products/traffic-analysis/ntop/

uncharted9 151 days ago [-]
I've used NextDNS. Pretty handy. Just change DNS settings on devices with your NextDNS profile specific resolver address and you can see the logs of all websites accessed from each device.
petee 151 days ago [-]
I use Unbound as my local dns resolver, and it has an option to live dump unique names to a file (but not the ips that requested it.) It's easy to parse and you get a general idea what's passing through; the individual clients don't matter to me unless something looks like it's worth investigating, then use dnstop for specifics.

Edit: I forgot not all traffic will use the local resolver, so dnstop would be more accurate

twst23r 150 days ago [-]
maybe try to talk to them instead of trying to spy on them
pknerd 150 days ago [-]
Agreed and that's what I do. The purpose is not the content but the time they spend online
lormayna 151 days ago [-]
If you have a decent router, you can configure Netflow and send flows to a collector and then you can ingest in an ELK or similar platforms for further analysis. It requires a bit of work, but combined with DNS logs it's the best way to monitor the traffic
tau255 151 days ago [-]
You can do that with pihole, if you set it up to keep the logs. Just adjust dhcp settings so your devices get its address as DNS server.
majormjr 151 days ago [-]
If you have a switch with port mirroring you can send the traffic to another device and monitor using something like Suricata.
ranger_danger 151 days ago [-]
I just turn on netflow on my router and have it send the flows to another machine on the LAN that's running ntopng.
garyfirestorm 151 days ago [-]
Adguard is much better in my experience compared to pihole.
NelsonMinar 151 days ago [-]
I'd love a tool like this built into my router. OpenWRT maybe.

Ubiquiti's routers have some monitoring tools like this but the reported data is completely wrong.

bazmattaz 151 days ago [-]
I find it a shame that routers don’t have this information in their UIs already. They should be able to show all the IPs visited by each device on the network
mrnotcrazy 151 days ago [-]
Can you expand on what’s wrong about it? I have some ubiquiti gear and I haven’t noticed anything wrong but I haven’t taken a close look.
petee 151 days ago [-]
Ubiquiti stuff has always been flaky with metric accuracy, it's commonly mentioned on their forums, and I get the impression they never intended it to be super accurate, just a general overview.

My personal experience with a USG is that under real load it will deprioritize stats, so traffic speeds etc start getting dropped, though I guess that's better than losing network speed just to make a pretty graph

petersellers 151 days ago [-]
The USG is pretty old at this point, so that's not too surprising. I wonder if their newer hardware suffers from the same issues.
petee 151 days ago [-]
It's true it's aging but still works well for a small network. From what I gather in the forums, it might be due to the controller software not so much the specific hardware; the complaints still seem fairly steady.

For example the past year someone reported their printer used less than 30KB but was recorded as 1.6GB; another with a Cloud Gateway (not too old) reporting 17GB of traffic daily for a Kindle consuming less than 1MB

petee 142 days ago [-]
Edit: apparently Ubiquiti quietly EOL'd the USG, so no more security updates. Just bought a UCG Ultra, so far seems a decent replacement, I like that the little screen rotates when mounted upside down
NelsonMinar 150 days ago [-]
it's hard for me to understand how "pretty old" could excuse something as simple as not incrementing some 64 bit counters correctly.
NelsonMinar 151 days ago [-]
here's an old post of mine about it. this was a year ago, maybe it's improved but given they were willing to ship this I am not optimistic.

https://nelsonslog.wordpress.com/2023/11/19/ubiquiti-routers...

29athrowaway 151 days ago [-]
You may also want to look at the venerable EtherApe, that has been around for a while and is packaged for most distros

https://etherape.sourceforge.io/

cobertos 151 days ago [-]
What's the point of monitoring your Internet traffic at the domain and IP level? If you want to stop sensitive data exfiltration, it doesn't matter the domain (malicioussomething.com vs google.com) but the data in the packets, which apps like this rarely track.

How do people deal with this dichotomy?

distracted_boy 151 days ago [-]
Well if you are uploading GBs upon GBs, maybe even TBs to malicioussomething.com or google.com, you know something's up. That's the first indicator. Next is to track what processes are responsible for the connection and go from there.
cobertos 150 days ago [-]
I tried an app like this on my phone to see what sort of data I was leaking. I open Facebook and 5 vaguely Facebook domains and a few IPs are getting small amounts of data. Other apps phone home in ways I expect. Sometimes it'll go to a third party. There's not a lot of low hanging fruit sending GB or TB. If they're sending juicy stuff, they're not blatant about it.

But maybe I need to monitor at the network level and not device level. I just haven't found utility in these yet

distracted_boy 150 days ago [-]
I mean it depends on what you are looking for. If you are afraid that someone is exfiltrating large amounts of data to unknown destinations, then looking at amount of data being transferred is a good idea. But if someone hacks your phone or computer and the attacker is only looking for a PDF document, then the total size of the transfer will probably not help you. In this case, you want to monitor all destinations to make sure they are not malicious. But if you are really paranoid you need to be able to view all HTTPS traffic so you can verify that certain documents are not being exfiltrated.

In addition to the above, there are lots of tricks for identifying certain traffic based on the attributes and metadata of the connection.

echoangle 151 days ago [-]
If you don’t care about the specific domain, you can just look at the upload bandwidth usage statistic.
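The volume-based triage the last few comments describe (large or lopsided uploads to a destination as the first indicator, with the caveat that a single small document leaving the network will not trip it), as an added example that is not part of this thread or of Sniffnet. The flow records are constructed; the thresholds are illustrative and would be tuned per network:

```python
"""Egress-volume triage over flow records: sum bytes out and bytes in per
destination, then flag destinations that exceed an upload budget or that
receive far more than they send. Added example with constructed flows."""
from collections import defaultdict

# Constructed flow records: (client_ip, dst_ip, bytes_out, bytes_in)
FLOW_RECORDS = [
    ("10.0.0.5", "142.250.74.110", 2_000_000, 180_000_000),  # video streaming: mostly inbound
    ("10.0.0.5", "203.0.113.7", 40_000_000, 600_000),        # large upload to an unknown host
    ("10.0.0.8", "198.51.100.9", 3_000, 120_000),            # ordinary browsing
    ("10.0.0.8", "203.0.113.7", 9_000_000, 50_000),          # same sink, second client
]


def summarize(flows):
    """Per destination: (total bytes out, total bytes in) across all clients."""
    totals = defaultdict(lambda: [0, 0])
    for _client, dst, bytes_out, bytes_in in flows:
        totals[dst][0] += bytes_out
        totals[dst][1] += bytes_in
    return {dst: tuple(v) for dst, v in totals.items()}


def flag_exfil(summary, budget=25_000_000, ratio=10.0, min_bytes=1_000_000):
    """Flag destinations over the upload budget, or where uploads dwarf downloads.

    The ratio check only applies above min_bytes so that tiny request/response
    pairs (e.g. a DNS-over-HTTPS query) do not produce noise. A one-off
    transfer of a single small file stays below both thresholds by design:
    this catches bulk exfiltration, not targeted theft of one document."""
    flagged = {}
    for dst, (bytes_out, bytes_in) in summary.items():
        reasons = []
        if bytes_out > budget:
            reasons.append(f"upload {bytes_out} B exceeds budget {budget} B")
        if bytes_out >= min_bytes and bytes_out > ratio * max(bytes_in, 1):
            reasons.append(f"upload:download ratio {bytes_out / max(bytes_in, 1):.1f}")
        if reasons:
            flagged[dst] = reasons
    return flagged


if __name__ == "__main__":
    for dst, reasons in flag_exfil(summarize(FLOW_RECORDS)).items():
        print(dst, "->", "; ".join(reasons))
```

Run against the constructed records, the streaming host is left alone despite moving the most bytes (they flow inbound), while 203.0.113.7 is flagged on both counts because two clients together pushed 49 MB to it and got almost nothing back. Domains for the flagged IPs would come from the DNS or SNI attribution discussed elsewhere in the thread; the next step, as the comment says, is finding which process on the client owns the connection.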
hosteur 151 days ago [-]
What makes this better than tcpdump/wireshark?
bdavbdav 151 days ago [-]
Not quite so intense looking.
weystrom 151 days ago [-]
Nice UI
wackget 151 days ago [-]
I've always wondered: is there a tool which could selectively block internet traffic on a per-domain basis via a GUI interface like the uMatrix browser extension does for websites?

https://i.imgur.com/Ae4npRh.png

Obviously you can block hostnames quite easily via a hosts file, but it would be great if there was an easy-to-use GUI which could block stuff at the router level. If possible it could even inspect URIs to selectively block requests for certain file extensions etc.

bornfreddy 151 days ago [-]
There is OpenSnitch [0] on Linux, but it is a bit clumsy to set up. I tried it once and didn't get far, but have it again on my todo list. Not aware of something else on Linux.

On Android there is NetGuard [1] which is awesome (not affiliated, just a happy customer).

[0] https://github.com/evilsocket/opensnitch

[1] https://netguard.me/

RMPR 151 days ago [-]
My only gripe with Netguard is that it screws up roaming. With that enabled I couldn't access apps like my bank and various others when I was out of the country. Other than that, amazing piece of software.
g_p 151 days ago [-]
There's a couple of options in settings worth checking, as Netguard works for me when roaming just fine.

Under Settings > Defaults, make sure you don't have "block roaming" turned on.

Expand the rules for the apps giving you issues, and check "Block roaming" isn't ticked for them.

axxto 151 days ago [-]
For Windows, you can use SimpleWall, which uses Windows Filtering Platform underneath. The UI is nice, it's very efficient and works systemwide, deeply integrated with Windows' network stack. You can set domain/IP rules, but it's generally more oriented towards per-application basis blocking/allowing.
t0bia_s 151 days ago [-]
It also monitors traffic and shows established/blocked/waiting connections.
EvanAnderson 151 days ago [-]
An SSL intercepting proxy like Squid will do what you're looking for, insofar as the HTTP(S) protocol. Doing that at a gateway level, instead of on the client itself, loses visibility into process IDs or other client-local state.

The old Microsoft Proxy (and later their ISA Server product) used a proprietary encapsulation between the client and the proxy server that exposed client-local state to the proxy server to let you do "magical" stuff like filtering by process name or username at a gateway level. I wish there was a free software solution that did that.

Groxx 151 days ago [-]
Somewhat, though various privacy enhancements have made / are making this harder and harder as time has gone on (which is generally good, because it also prevents your ISP / hotel from doing the same thing). Browsers are in a somewhat unique position, where they have detailed knowledge about every request they perform.

E.g. historically you could figure out IP <-> domain name pretty easily by simply watching DNS: cache the IP addresses for each domain as it's looked up, and do a reverse lookup when a request for that IP occurs. DNSSEC / DNS over HTTPS / etc hide that data, so it has to come from other sources (e.g. a remote lookup, bulk cached data, etc) or simply not be known at all.

You could also pull the data from the HTTPS handshake, which has Server Name Indication to support multiple domains behind a single IP address (e.g. hosted in a cloud), if that data exists (single-site static IPs may not have this). But Encrypted Client Hello hides this, so you're back to just IP addresses. (ECH is not very widespread yet AFAIK, but it's growing)

---

You can work around much of this if you have your router MITM your traffic, but that's kinda a pain to set up (as it should, it'd be very bad if someone else did it and you didn't notice), and essentially only works with "common" requests (e.g. https) which aren't using certificate pinning (a small number of mobile apps do this, outside that it's more rare AFAICT). You can just block all those of course, but it'll break some things.
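The two passive techniques described above (a reverse map built by watching local DNS answers, and falling back to the Server Name Indication in the TLS ClientHello when the destination never appeared in DNS), together with the "combined with DNS logs" flow correlation suggested earlier in the thread, as an added example that is neither Sniffnet's code nor any commenter's. The log lines follow the dnsmasq/Pi-hole query-log format; the ClientHellos and flow records are constructed in the block, and the ECH extension codepoint is the draft's 0xfe0d:

```python
"""Attribute observed flows to hostnames in two stages: a reverse map built
from local DNS answers, then the SNI from the TLS ClientHello for flows whose
destination was never seen in DNS (e.g. the client uses DNS over HTTPS).
Added example, not Sniffnet code; all inputs below are constructed."""
import re
import struct
from collections import defaultdict

# Constructed lines in dnsmasq / Pi-hole query-log format.
DNS_LOG = """\
Mar  3 20:01:02 dnsmasq[812]: query[A] www.youtube.com from 192.168.1.23
Mar  3 20:01:02 dnsmasq[812]: reply www.youtube.com is 142.250.74.110
Mar  3 20:01:05 dnsmasq[812]: query[A] api.example.net from 192.168.1.40
Mar  3 20:01:05 dnsmasq[812]: reply api.example.net is 203.0.113.7
"""
REPLY_RE = re.compile(r"reply (\S+) is (\d+\.\d+\.\d+\.\d+)$")

SNI_EXT = 0x0000   # server_name (RFC 6066)
ECH_EXT = 0xFE0D   # encrypted_client_hello (draft-ietf-tls-esni)


def build_dns_cache(log_text):
    """Map each answered IP back to the name that was looked up."""
    cache = {}
    for line in log_text.splitlines():
        m = REPLY_RE.search(line)
        if m:
            cache[m.group(2)] = m.group(1)
    return cache


def parse_client_hello(record):
    """Return (sni, has_ech) from a TLS record carrying a ClientHello."""
    ctype, _ver, rlen = struct.unpack("!BHH", record[:5])
    hs = record[5:5 + rlen]
    if ctype != 22 or hs[0] != 1:
        raise ValueError("not a ClientHello record")
    p = 4 + 2 + 32                                  # handshake hdr, version, random
    p += 1 + hs[p]                                  # session_id
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]    # cipher_suites
    p += 1 + hs[p]                                  # compression_methods
    if p >= len(hs):
        return None, False                          # hello without extensions
    end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    sni, has_ech = None, False
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[p:p + 4])
        body = hs[p + 4:p + 4 + elen]
        p += 4 + elen
        if etype == SNI_EXT and len(body) >= 5 and body[2] == 0:  # name_type host_name
            nlen = struct.unpack("!H", body[3:5])[0]
            sni = body[5:5 + nlen].decode("ascii")
        elif etype == ECH_EXT:
            has_ech = True
    return sni, has_ech


def build_client_hello(hostname, ech=False):
    """Construct a minimal TLS 1.3-style ClientHello (sample input, not a capture)."""
    exts = b""
    if hostname:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name       # host_name entry
        lst = struct.pack("!H", len(entry)) + entry                  # server_name_list
        exts += struct.pack("!HH", SNI_EXT, len(lst)) + lst
    if ech:
        payload = b"\x00" * 8   # opaque stand-in; real ECH carries an encrypted inner hello
        exts += struct.pack("!HH", ECH_EXT, len(payload)) + payload
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"    # version, random, empty session_id
            + b"\x00\x02\x13\x01"                    # one suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                            # compression: null only
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def attribute_flows(flows, dns_cache):
    """flows: (client_ip, dst_ip, bytes_out, first_tls_record_or_None).
    Returns bytes out per (client, best-known name); bare IP when nothing better."""
    totals = defaultdict(int)
    for client, dst, nbytes, record in flows:
        name = dns_cache.get(dst)
        if name is None and record is not None:
            sni, ech = parse_client_hello(record)
            # Under ECH the visible SNI is the outer public name, not the real target.
            name = f"{sni} [outer name, ECH]" if (sni and ech) else sni
        totals[(client, name or dst)] += nbytes
    return dict(totals)


FLOW_RECORDS = [
    ("192.168.1.23", "142.250.74.110", 48_000_000, None),                          # answered by local DNS
    ("192.168.1.40", "203.0.113.7", 1_200, None),
    ("192.168.1.40", "198.51.100.9", 900, build_client_hello("cdn.example.org")),   # DoH client, no DNS seen
    ("192.168.1.23", "198.51.100.10", 500, build_client_hello("public.example", ech=True)),
]

if __name__ == "__main__":
    for (client, name), n in sorted(attribute_flows(FLOW_RECORDS, build_dns_cache(DNS_LOG)).items()):
        print(f"{client:15} {n:>10} B -> {name}")
```

The order matters: the DNS cache is tried first because it is free and covers every protocol, the SNI only helps for TLS flows whose first record was captured, and when the ECH extension is present the parser still returns a name, but only the outer public name, so the attribution is deliberately labelled rather than silently wrong. A real capture would also need to handle a ClientHello split across TCP segments and TLS records, which this sample omits.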

tptacek 151 days ago [-]
DNSSEC doesn't hide anything. It's a signing protocol, not an encrypting protocol. DNS over HTTPS does; it is unrelated to DNSSEC.
Groxx 150 days ago [-]
Yea, that would make it useless for this purpose. TIL / I probably forgot that it was just signing, thank you!
fiddlerwoaroof 151 days ago [-]
Is there a way to force SNI by blocking ECH requests?
Groxx 151 days ago [-]
You'd be looking for a "TLS / ECH downgrade attack", and... while a brief googling isn't finding anything saying explicitly "yea" or "nah", it sounds like it should generally be prevented. E.g. https://wiki.mozilla.org/Security/Encrypted_Client_Hello mentions explicit bypasses are possible with enterprise proxies (which generally require client-side certificate authorities which are an explicit opt-in to allowing a third party to decrypt your traffic). And it's a TLS 1.3 extension, and TLS 1.3 -> 1.2 downgrades are intentionally prevented as part of 1.3's design...

... and even if it wasn't, ECH works by reading public keys from DNS, so the domain owner has claimed "you can send ECH" and it's pretty easy to know "therefore you shouldn't downgrade if you are capable, it's probably an attacker". Though unencrypted DNS renders this all a bit moot of course.

---

tl;dr, with the caveat that IANAWebSecuritySpecialist and I haven't found anything I'd call actually conclusive yet:

I believe "no". Unless you are setting up client-side CAs, at which point you can MITM everything so it hardly matters.

fiddlerwoaroof 151 days ago [-]
Well, if you control DNS, couldn’t you just block the key records?
ignoramous 151 days ago [-]
Yes, ECH assumes a trusted & secure channel between the client and the resolver.

https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-22...

georgeck 151 days ago [-]
Tools like https://pi-hole.net do this for the whole house. It comes with a default set of blocked domains and you can easily add to it. It acts as your local DNS for the network.
pbhjpbhj 151 days ago [-]
Pihole is at domain level though, you'd have to MitM to get URIs.
pcl 151 days ago [-]
For client-side management, Little Snitch does approximately this on macOS.
ck45 151 days ago [-]
There’s also LuLu from Objective-See (https://objective-see.org/products/lulu.html), and for Linux, there’s OpenSnitch (https://github.com/evilsocket/opensnitch)
gclawes 151 days ago [-]
Objective-See has great apps
cvalka 151 days ago [-]
https://safing.io/ does what you're asking. There's no need to use their SPN service.
TheRizzler 151 days ago [-]
If Windows, there is ZTDNS worth checking out: https://techcommunity.microsoft.com/blog/networkingblog/anno...

It melds Firewall and DNS to block.

dewey 151 days ago [-]
Is it mostly about the "matrix" interface in this case? Otherwise seems like exactly what tools like https://www.obdev.at/products/littlesnitch/index.html etc. do.
rzzzt 151 days ago [-]
Glasswire does both monitoring and filtering IIRC, but I haven't used it for quite a long time now.
radicality 151 days ago [-]
Posted in another comment here, but if you use Opnsense, then the Zenarmor module can provide that. You can give it a list of domains, or also preselect from a bunch of existing filters / app filters (eg block Advertising / Social Media)
spondylosaurus 151 days ago [-]
Isn't that basically what a Firewalla does?
ycuser2 151 days ago [-]
Is it possible to select a pcap stream (named pipe or so) as input? With that I could monitor my routers interfaces.

Or are there other possibilities to monitor router interfaces with Sniffnet?

xhkkffbf 151 days ago [-]
I'm looking for something similar that will run on my router and track the entire house. Any suggestions?
yonatan8070 151 days ago [-]
I think that's highly router dependent, but here's what I know.

Home Assistant can monitor some things via the UPnP/IGD integration [1]. If you're looking for something more advanced, you could look into SNMP Exporter [2] with a Prometheus + Grafana setup.

Another option is to set up a PiHole DNS server, which would both block ads for the local network, and give you DNS statistics on a per-device basis.

None of these can get to the level of granularity you can get with a pcap based tool like sniffnet, but they're a good start to network monitoring and should work with most home routers.

If you really want to go deep with your network monitoring, you could set up something more sophisticated using OPNSense/PFSense, but at that point I don't know what is and isn't possible as I have no experience with them.

[1] https://www.home-assistant.io/integrations/upnp/ [2] https://github.com/prometheus/snmp_exporter

radicality 151 days ago [-]
I haven’t looked into Sniffnet much yet, but that probably depends what you run on your router. I use OPNsense, and the Zenarmor module does provide a whole bunch of useful info together with blocking capabilities. If you pay for a home-use license (I haven’t done this), can also get few more features like MitM with your own ssl certificate.
nepthar 151 days ago [-]
I'm also hoping for something like this! Bonus points if it had a "little snitch" type of operation where I could manually approve a matrix of (device x domain)
buildbot 151 days ago [-]
If your router supports port mirroring, you could offload this to another computer and mirror the WAN (or all the LAN) ports to that computer?
VTimofeenko 151 days ago [-]
Depending on the router, you could log traffic from nftables to ulogd2 to some logging monitoring/shipping solution.
pknerd 151 days ago [-]
Maybe some DNS thing that you put in your router settings so all the traffic will go via proxy instead of direct ISP
Gshaheen 151 days ago [-]
Looks really cool with a lot of information. Can someone who knows more than I detail out what the practical use cases of something like this would be?
Exuma 151 days ago [-]
I used brew install... which of these do I choose? I chose en0 and I get a permission error (Libcap error, cannot open BPF device)

I have Apple silicon

edit: I just used sudo ;p

collinvandyck76 151 days ago [-]
That's interesting. I used `cargo install` and I don't have to use `sudo` to capture any of the interfaces I tried.
bullfinch 151 days ago [-]
Is there a way to visualise networks (who talks to who) in a good way? I want the source to be logs from my firewall.
Exuma 151 days ago [-]
Also, which package did you use to build this UI in rust? this is absolutely incredible. I love the vibe of it...
jasode 151 days ago [-]
https://iced.rs/

Also look for "use iced::" at the top of the source code file:

https://github.com/GyulyVGC/sniffnet/blob/main/src/gui/sniff...

digitallis42 151 days ago [-]
This feels like the same project as ntop. I'm curious what drove this one.
tinix 151 days ago [-]
Anyone have thoughts about this vs ntopng? Any other alternatives?
robertoandred 151 days ago [-]
Is there a way to see what applications are causing traffic?
Havoc 151 days ago [-]
Tcpmon is closest I can think of. Doubt interface level capture would be able to attribute to apps
akimbostrawman 151 days ago [-]
ranger_danger 151 days ago [-]
In my experience it is very buggy/crashy and kills all TCP sockets any time it is stopped/started
akimbostrawman 151 days ago [-]
Complete opposite experience for me on archlinux. Consider reporting your problems to fix them for others too.