Sniffnet – monitor your Internet traffic
98 comments · February 2, 2025
pknerd
I'd like to collect something at the router level to learn how my kids are using the Internet.
Like I'd like to know the sites being visited on different devices.
Is there any such thing possible?
pbhjpbhj
Pihole will show you devices and the domains they access, it's not particularly designed towards that end, but it can.
You can sit down with them and have a look at their history?
I use Pihole to block nefarious sites (malware etc.) but also I use the OpenDNS (now Cisco) family friendly DNS addresses as nameservers. I can add domains if needed through the Pihole interface, or through the OpenDNS interface (former is easier).
It's not watertight, but I figure if they can work out how to work around it then they're at a level where I should give more generic guidance. They get exposed to porn and whatnot on social media (which I don't block) and through friends at school and through their friends' devices, or connecting to other networks I don't have control over. Easiest workaround imo is to fire up a browser that uses Tor.
Mind you, we're a computers/consoles only in family rooms household and they don't get phones until they go to high school (11yo).
ElCapitanMarkla
It’s also handy for making a special rule which can be toggled to totally block YouTube on the kids iPad.
CommanderData
With DNS over HTTPS and others, this is becoming less possible. I think Chrome does this by default on some platforms.
hackerknew
Years ago, I set up https://mitmproxy.org on a Raspberry Pi and used it to get logs of every site that my kids would visit. I should be clear that monitoring/spying != parenting, but it definitely made me feel a little better to have some idea of what the kids are using the internet for.
From a technical perspective, it did exactly what you want. I had logs of full urls (not just domains). So, for example, I could view what they googled and when, if I wanted to anyway.
It did involve installing a certificate on the computer that they use, but there are how-to guides so setting everything up was simply a matter of following instructions.
The biggest drawback is that it noticeably slowed their internet. I imagine if I had run this on a more powerful computer it may have been better.
---
Note, for those suggesting PiHole, it is very good for getting logs of domains accessed, but not very informative. For example, you can tell that a computer accessed "youtube.com" at a certain time, but not what was actually viewed. That may be obvious to many of us, but just clarifying in case it is not obvious to the OP.
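The mitmproxy setup hackerknew describes, as an added example that is not part of the thread or of mitmproxy's own code: an addon script that writes one JSON line per request with the client IP, method and URL. LOG_PATH is an assumed location. By default it strips the query string, which is where search terms, session tokens and OAuth codes live, and records only scheme, host and path; pass keep_query=True to keep full URLs as the comment did. Devices still need the mitmproxy CA installed and must be pointed at the proxy, and apps with pinned certificates will simply fail rather than be logged.

```python
"""Added example: mitmproxy addon that logs every request per client.

Load it with `mitmdump -s url_log.py` (or mitmproxy/mitmweb). Devices must
trust the mitmproxy CA and use the proxy; LOG_PATH is an assumed location.
"""
import datetime
import json
from urllib.parse import urlsplit, urlunsplit

LOG_PATH = "/var/log/mitm-urls.jsonl"   # assumption: adjust to taste


def redact_url(url, keep_query=False):
    """Keep scheme, host and path; drop the fragment, and the query unless asked to keep it.

    Query strings carry search terms, session tokens and OAuth codes. Host
    and path usually tell you which page was visited without storing those.
    """
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, p.path, p.query if keep_query else "", ""))


def make_entry(client_ip, method, url, epoch_seconds, keep_query=False):
    """One log record as a plain, JSON-serialisable dict."""
    when = datetime.datetime.fromtimestamp(epoch_seconds, tz=datetime.timezone.utc)
    return {
        "ts": when.isoformat(timespec="seconds"),
        "client": client_ip,
        "method": method,
        "url": redact_url(url, keep_query),
    }


class UrlLogger:
    """mitmproxy addon: `request` is called once per client request."""

    def __init__(self, path=LOG_PATH, keep_query=False):
        self.path = path
        self.keep_query = keep_query
        self._fh = None   # opened lazily so importing this module has no side effects

    def request(self, flow):
        client_ip = flow.client_conn.peername[0]          # (ip, port) tuple in mitmproxy 7+
        entry = make_entry(client_ip, flow.request.method, flow.request.pretty_url,
                           flow.request.timestamp_start, self.keep_query)
        if self._fh is None:
            self._fh = open(self.path, "a", encoding="utf-8")
        self._fh.write(json.dumps(entry) + "\n")
        self._fh.flush()


addons = [UrlLogger()]
```

One line per request in JSON makes per-device review a `grep '"client": "192.168.1.23"'` away, and because each device's IP appears in every record you can also see which machine, not just which site, without a second lookup. The slowdown the comment mentions comes from the proxy terminating and re-encrypting every TLS session, so the addon itself adds almost nothing; a file flush per request is the only extra cost here.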
AStonesThrow
I am thankful that you take an interest in your children's activities.
From a very early age, we invited virtual strangers and machines into our home. Before my First Communion, my best friends were the Little Engine That Could, Dr. Seuss, Atari 2600, Mr. Rogers, and cassettes from K-TEL.
Typically parents may discuss with children what they saw on TV or read in a book, or how their school day went. Have introductions to friends and peers, get to know who we're hanging out with. Our parents seemed actively disinterested in our interior lives, and intent on doing their adult duties while we were unneeded.
It became readily apparent that, more than anyone else, strangers and machines were more interested in my activities and interests. There were no supportive or encouraging friendships for me in class or in the neighborhood.
And with human connection and relationships that broken, it was inevitable that we escaped into cyberspace and fantasies. In fact, I attribute my paranoia and fear/hatred of other humans to this. "Beat Me, Bore Me, But Never Ignore Me" was my motto.
We'd been adopted, and our parents were just in the lineup of caretakers for pets. We grew up to be excellent pets.
brianstrimp
> So, for example, I could view what they googled and when, if I wanted to anyway.
How old are your kids and do they know you are doing this? There surely is a difference between a 5- and a 15-year old. But if they are not at all aware they are constantly being watched like that, man that's some serious breach of trust. This full-on surveillance could damage your kids for life.
I'm so glad this kind of tech hardly existed when I was a kid 30 years ago.
therein
This tech existed 30 years ago, just wasn't packaged up for easy deployment. As late as 2012 you could MITM people in your network, even without being the person managing the router. ARP poisoning and mitmproxy or just some intelligent reverse proxy, you could pick up the cookies, URLs, and POST data for all the requests in the network.
chgs
The internet of 1995 is very different from the internet of today.
hackeraccount
I know where you're coming from but there's something that's a bit off for me.
The way I think about it is if I take my daughter to the park and let her run around. I have my eye on her of course and she knows that I have my eye on her.
I'd be less comfortable if I told her to go the park and have fun but then without her knowing went over to the park and watched over her.
If she was annoyed by this I couldn't blame her. I wouldn't really want to get in a situation where I'm worried she'll find out I'm surreptitiously spying on her.
If on the other hand it's the first scenario where everything is in the open and she's not happy with that - she's running away where I can't keep an eye on her - then we can talk about it and as the parent if worst comes to worst I can just say, OK no more going to the park because we can't come to a place where we're both happy.
At the end of the day though I don't want to be going to the park with my daughter. I want her to go by herself and not get up to shenanigans. The whole thing I'm doing is to raise her in a way that when she's on her own she's aware of what's bad/dangerous/stupid and doesn't do that.
Monitoring her (especially without her knowledge) is only tangentially related to the goal. And if I'm doing it on the sly how do I let her know? Say, daughter, if you were in a park and if some guy offered you candy, you'd say no, right? Further wouldn't that give away the game that I'd been spying on her?
StimDeck
For MITM like this you need to install certificates into the devices and it won’t work for apps with pinned certificates.
INTPenis
OpenWRT has prometheus node exporter packages.
But in your case I think a PiHole would make sense, first of all you don't need to put it on the router, just point the router's default DNS to your pihole. But a pihole will give you a nice dashboard of all the DNS records resolved in your network. Which will give you a really good idea of what your kids are doing, since most of it is via DNS.
whilenot-dev
Can you install ntopng[0] on the router?
uncharted9
I've used NextDNS. Pretty handy. Just change DNS settings on devices with your NextDNS profile specific resolver address and you can see the logs of all websites accessed from each device.
petee
I use Unbound as my local DNS resolver, and it has an option to live dump unique names to a file (but not the IPs that requested it.) It's easy to parse and you get a general idea what's passing through; the individual clients don't matter to me unless something looks like it's worth investigating, then use dnstop for specifics.
Edit: I forgot not all traffic will use the local resolver, so dnstop would be more accurate
twst23r
maybe try to talk to them instead of trying to spy on them
pknerd
Agreed and that's what I do. The purpose is not the content but the time they spend online
lormayna
If you have a decent router, you can configure Netflow and send flows to a collector and then you can ingest in an ELK or similar platforms for further analysis. It requires a bit of work, but combined with DNS logs it's the best way to monitor the traffic
NelsonMinar
I'd love a tool like this built into my router. OpenWRT maybe.
Ubiquiti's routers have some monitoring tools like this but the reported data is completely wrong.
bazmattaz
I find it a shame that routers don’t have this information in their UIs already. They should be able to show all the IPs visited by each device on the network
mrnotcrazy
Can you expand on what’s wrong about it? I have some ubiquiti gear and I haven’t noticed anything wrong but I haven’t taken a close look.
petee
Ubiquiti stuff has always been flaky with metric accuracy, it's commonly mentioned on their forums, and I get the impression they never intended it to be super accurate, just a general overview.
My personal experience with a USG is that under real load it will deprioritize stats, so traffic speeds etc. start getting dropped, though I guess that's better than losing network speed just to make a pretty graph.
petersellers
The USG is pretty old at this point, so that's not too surprising. I wonder if their newer hardware suffers from the same issues.
NelsonMinar
here's an old post of mine about it. this was a year ago, maybe it's improved but given they were willing to ship this I am not optimistic.
https://nelsonslog.wordpress.com/2023/11/19/ubiquiti-routers...
29athrowaway
You may also want to look at the venerable EtherApe, that has been around for a while and is packaged for most distros
cobertos
What's the point of monitoring your Internet traffic at the domain and IP level? If you want to stop sensitive data exfiltration, it doesn't matter the domain (malicioussomething.com vs google.com) but the data in the packets, which apps like this rarely track.
How do people deal with this dichotomy?
distracted_boy
Well if you are uploading GBs upon GBs, maybe even TBs to malicioussomething.com or google.com, you know something's up. That's the first indicator. Next is to track what processes are responsible for the connection and go from there.
cobertos
I tried an app like this on my phone to see what sort of data I was leaking. I open Facebook and 5 vaguely Facebook domains and a few IPs are getting small amounts of data. Other apps phone home in ways I expect. Sometimes it'll go to a third party. There's not a lot of low hanging fruit sending GB or TB. If they're sending juicy stuff, they're not blatant about it.
But maybe I need to monitor at the network level and not device level. I just haven't found utility in these yet
distracted_boy
I mean it depends on what you are looking for. If you are afraid that someone is exfiltrating large amounts of data to unknown destinations, then looking at amount of data being transferred is a good idea. But if someone hacks your phone or computer and the attacker is only looking for a PDF document, then the total size of the transfer will probably not help you. In this case, you want to monitor all destinations to make sure they are not malicious. But if you are really paranoid you need to be able to view all HTTPS traffic so you can verify that certain documents are not being exfiltrated.
In addition to the above, there are lots of tricks for identifying certain traffic based on the attributes and metadata of the connection.
echoangle
If you don’t care about the specific domain, you can just look at the upload bandwidth usage statistic.
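Two suggestions in this thread fit together: lormayna's NetFlow-to-collector pipeline "combined with DNS logs", and the point just above that per-destination upload volume is the first exfiltration indicator you get without decrypting anything. The following is an added example, not code from the thread or from Sniffnet: a minimal NetFlow v5 decoder (the format is a fixed 24-byte header plus 48-byte records, so struct is all it needs), a passive-DNS map built from resolver log lines, and a ranking of outbound bytes per (client, destination) with the resolved name attached. The flows, the DNS lines and the 192.168.1.0/24 LAN range are constructed for the demo; the "reply NAME is IP" line shape is what dnsmasq/Pi-hole query logging emits.

```python
"""Added example: parse NetFlow v5 exports, attach DNS names, rank uploads.

Not from the thread or the Sniffnet project. NetFlow v5 is a fixed wire
format (24-byte header, then `count` 48-byte records, big-endian).
Sample flows and DNS log lines below are constructed, not captured.
"""
import ipaddress
import re
import socket
import struct
from collections import defaultdict

HEADER = struct.Struct("!HHIIIIBBH")                # version, count, uptime, secs, nsecs, seq, engine type/id, sampling
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # src, dst, nexthop, ifin, ifout, pkts, octets, first, last,
                                                   # sport, dport, pad, tcp_flags, proto, tos, src_as, dst_as, masks, pad


def parse_netflow_v5(packet):
    """Return a list of flow dicts from one NetFlow v5 export datagram."""
    if len(packet) < HEADER.size:
        raise ValueError("short NetFlow header")
    version, count = HEADER.unpack_from(packet, 0)[:2]
    if version != 5:
        raise ValueError(f"expected NetFlow v5, got version {version}")
    if len(packet) < HEADER.size + count * RECORD.size:
        raise ValueError("truncated NetFlow v5 packet")
    flows = []
    for i in range(count):
        r = RECORD.unpack_from(packet, HEADER.size + i * RECORD.size)
        flows.append({
            "src": socket.inet_ntoa(r[0]), "dst": socket.inet_ntoa(r[1]),
            "sport": r[9], "dport": r[10], "proto": r[13],
            "packets": r[5], "bytes": r[6],
        })
    return flows


def build_netflow_v5(flows):
    """Build a v5 datagram from (src, dst, sport, dport, proto, packets, bytes) tuples. Sample-data helper."""
    header = HEADER.pack(5, len(flows), 0, 0, 0, 0, 0, 0, 0)
    records = b"".join(
        RECORD.pack(socket.inet_aton(s), socket.inet_aton(d), b"\0\0\0\0",
                    0, 0, pk, by, 0, 0, sp, dp, 0, 0, pr, 0, 0, 0, 0, 0, 0)
        for s, d, sp, dp, pr, pk, by in flows)
    return header + records


DNS_ANSWER = re.compile(r"\b(?:reply|cached) (\S+) is (\d+\.\d+\.\d+\.\d+)")


def ip_to_names(dns_log_lines):
    """Map answered IPs back to the names that resolved to them (passive DNS from the resolver log)."""
    names = defaultdict(set)
    for line in dns_log_lines:
        m = DNS_ANSWER.search(line)
        if m:
            names[m.group(2)].add(m.group(1))
    return names


def upload_by_destination(flows, names, lan="192.168.1.0/24"):
    """Sum outbound bytes per (client, destination), largest first; unknown names stay empty so they stand out."""
    lan_net = ipaddress.ip_network(lan)
    totals = defaultdict(int)
    for f in flows:
        src, dst = ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"])
        if src in lan_net and dst not in lan_net:        # LAN -> Internet direction only
            totals[(f["src"], f["dst"])] += f["bytes"]
    return [{"client": c, "dst": d, "names": sorted(names.get(d, ())), "bytes": b}
            for (c, d), b in sorted(totals.items(), key=lambda kv: -kv[1])]


# Constructed sample data: one laptop, one phone, a few minutes of flows.
SAMPLE_FLOWS = [
    ("192.168.1.23", "142.250.74.78", 51234, 443, 6, 1800000, 2_500_000_000),  # big upload to a known name
    ("142.250.74.78", "192.168.1.23", 443, 51234, 6, 900000, 1_200_000_000),   # download direction, ignored
    ("192.168.1.23", "157.240.1.35", 51300, 443, 6, 40, 12_000),
    ("192.168.1.40", "203.0.113.9", 40000, 443, 6, 650000, 900_000_000),       # big upload, never resolved via our DNS
]
SAMPLE_DNS_LOG = [
    "Feb  2 12:00:01 dnsmasq[812]: reply youtube.com is 142.250.74.78",
    "Feb  2 12:00:07 dnsmasq[812]: cached www.facebook.com is 157.240.1.35",
]

if __name__ == "__main__":
    rows = upload_by_destination(parse_netflow_v5(build_netflow_v5(SAMPLE_FLOWS)), ip_to_names(SAMPLE_DNS_LOG))
    for r in rows:
        label = ",".join(r["names"]) or "UNKNOWN (no DNS answer seen)"
        print(f'{r["client"]:>14} -> {r["dst"]:<15} {r["bytes"]/1e9:7.2f} GB  {label}')
```

The two things worth noticing in the output are exactly the ones the thread argues about: a large upload to a destination that did resolve to a household name is probably a video upload or a backup, while a large upload to an address that never appeared in your resolver's log means the client found it some other way (hard-coded IP, DoH, another resolver), which is the case to chase with per-process tools on the device. Note that NetFlow counts octets per direction, so the download direction is dropped here on purpose.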
hosteur
What makes this better than tcpdump/wireshark?
bdavbdav
Not quite so intense looking.
weystrom
Nice UI
wackget
I've always wondered: is there a tool which could selectively block internet traffic on a per-domain basis via a GUI interface like the uMatrix browser extension does for websites?
https://i.imgur.com/Ae4npRh.png
Obviously you can block hostnames quite easily via a hosts file, but it would be great if there was an easy-to-use GUI which could block stuff at the router level. If possible it could even inspect URIs to selectively block requests for certain file extensions etc.
bornfreddy
There is OpenSnitch [0] on Linux, but it is a bit clumsy to set up. I tried it once and didn't get far, but have it again on my todo list. Not aware of something else on Linux.
On Android there is NetGuard [1] which is awesome (not affiliated, just a happy customer).
RMPR
My only gripe with Netguard is that it screws up roaming. With that enabled I couldn't access apps like my bank and various others when I was out of the country. Other than that, amazing piece of software.
g_p
There's a couple of options in settings worth checking, as Netguard works for me when roaming just fine.
Under Settings > Defaults, make sure you don't have "block roaming" turned on.
Expand the rules for the apps giving you issues, and check "Block roaming" isn't ticked for them.
axxto
For Windows, you can use SimpleWall, which uses Windows Filtering Platform underneath. The UI is nice, it's very efficient and works systemwide, deeply integrated with Windows' network stack. You can set domain/IP rules, but it's generally more oriented towards per-application basis blocking/allowing.
t0bia_s
It also monitors traffic and shows established/blocked/waiting connections.
EvanAnderson
An SSL intercepting proxy like Squid will do what you're looking for, insofar as the HTTP(S) protocol. Doing that at a gateway level, instead of on the client itself, loses visibility into process IDs or other client-local state.
The old Microsoft Proxy (and later their ISA Server product) used a proprietary encapsulation between the client and the proxy server that exposed client-local state to the proxy server to let you do "magical" stuff like filtering by process name or username at a gateway level. I wish there was a free software solution that did that.
Groxx
Somewhat, though various privacy enhancements have made / are making this harder and harder as time has gone on (which is generally good, because it also prevents your ISP / hotel from doing the same thing). Browsers are in a somewhat unique position, where they have detailed knowledge about every request they perform.
E.g. historically you could figure out IP <-> domain name pretty easily by simply watching DNS: cache the IP addresses for each domain as it's looked up, and do a reverse lookup when a request for that IP occurs. DNSSEC / DNS over HTTPS / etc hide that data, so it has to come from other sources (e.g. a remote lookup, bulk cached data, etc) or simply not be known at all.
You could also pull the data from the HTTPS handshake, which has Server Name Indication to support multiple domains behind a single IP address (e.g. hosted in a cloud), if that data exists (single-site static IPs may not have this). But Encrypted Client Hello hides this, so you're back to just IP addresses. (ECH is not very widespread yet AFAIK, but it's growing)
---
You can work around much of this if you have your router MITM your traffic, but that's kinda a pain to set up (as it should, it'd be very bad if someone else did it and you didn't notice), and essentially only works with "common" requests (e.g. https) which aren't using certificate pinning (a small number of mobile apps do this, outside that it's more rare AFAICT). You can just block all those of course, but it'll break some things.
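The SNI versus Encrypted Client Hello distinction Groxx describes, as an added example that is not from the thread or from any project: a parser for the TLS ClientHello that pulls the server_name extension out and flags the presence of encrypted_client_hello (extension type 0xfe0d, the draft-ietf-tls-esni codepoint current browsers send). With ECH the outer SNI carries only the provider's public name, so a passive observer learns the CDN, not the site. The ClientHello bytes are built by a helper for the demo, and cloudflare-ech.com is used as a sample public name; on a real capture you would feed the parser the first record of each TCP stream to port 443.

```python
"""Added example: extract SNI from a TLS ClientHello and detect ECH.

Not from the thread or any project. Record/handshake layout follows
RFC 8446 (TLS 1.3) and RFC 6066 (server_name); 0xfe0d is the ECH
extension codepoint from draft-ietf-tls-esni. Sample bytes are constructed.
"""
import struct
from typing import Optional

EXT_SERVER_NAME = 0x0000
EXT_ECH = 0xFE0D


def build_client_hello(server_name: Optional[str], ech: bool = False) -> bytes:
    """Construct a minimal ClientHello record (sample data, not a real capture)."""
    exts = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = struct.pack("!BH", 0, len(name)) + name          # name_type=host_name(0)
        sni = struct.pack("!H", len(entry)) + entry              # ServerNameList
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    if ech:
        payload = b"\x00" * 16   # opaque ECHClientHello; only its presence matters here
        exts += struct.pack("!HH", EXT_ECH, len(payload)) + payload
    body = (b"\x03\x03" + b"\x11" * 32            # legacy_version, random
            + b"\x00"                             # legacy_session_id: empty
            + struct.pack("!H", 2) + b"\x13\x01"  # one cipher suite (TLS_AES_128_GCM_SHA256)
            + b"\x01\x00"                         # one compression method (null)
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record: bytes) -> dict:
    """Return {'sni': str|None, 'ech': bool, 'extensions': [types]} for one handshake record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack_from("!H", record, 3)[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                       # skip legacy_version and random
    pos += 1 + body[pos]                               # session id
    pos += 2 + struct.unpack_from("!H", body, pos)[0]  # cipher suites
    pos += 1 + body[pos]                               # compression methods
    info = {"sni": None, "ech": False, "extensions": []}
    if pos + 2 > len(body):
        return info                                    # no extensions block at all (very old clients)
    ext_len = struct.unpack_from("!H", body, pos)[0]
    pos += 2
    end = min(pos + ext_len, len(body))
    while pos + 4 <= end:
        etype, elen = struct.unpack_from("!HH", body, pos)
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        info["extensions"].append(etype)
        if etype == EXT_SERVER_NAME and len(data) >= 5 and data[2] == 0:
            name_len = struct.unpack_from("!H", data, 3)[0]  # list_len(2) name_type(1) name_len(2) name
            info["sni"] = data[5:5 + name_len].decode("ascii", "replace")
        elif etype == EXT_ECH:
            info["ech"] = True
    return info


def observed_hostname(record: bytes) -> str:
    """What a passive observer on the wire can conclude from this ClientHello."""
    info = parse_client_hello(record)
    if info["ech"]:
        # The outer SNI is the provider's public name; the real name sits in the encrypted inner hello.
        return f"ech: outer SNI {info['sni']!r} is a public name, real hostname hidden"
    if info["sni"] is None:
        return "no SNI: only the destination IP is known"
    return info["sni"]


if __name__ == "__main__":
    for name, ech in [("www.example.com", False), ("cloudflare-ech.com", True), (None, False)]:
        print(observed_hostname(build_client_hello(name, ech)))
```

To try it on live traffic, capture only ClientHellos with the classic tcpdump filter `tcp port 443 and tcp[((tcp[12]&0xf0)>>2)]=0x16` and hand the TCP payload of each matching packet to parse_client_hello. The useful operational signal is the ratio of "ech" to plain-SNI results per client over time: once that climbs, domain-level dashboards built from SNI have stopped meaning much for that device, and the DNS log (if the device still uses your resolver) is the remaining source of names.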
tptacek
DNSSEC doesn't hide anything. It's a signing protocol, not an encrypting protocol. DNS over HTTPS does; it is unrelated to DNSSEC.
Groxx
Yea, that would make it useless for this purpose. TIL / I probably forgot that it was just signing, thank you!
fiddlerwoaroof
Is there a way to force SNI by blocking ECH requests?
Groxx
You'd be looking for a "TLS / ECH downgrade attack", and... while a brief googling isn't finding anything saying explicitly "yea" or "nah", it sounds like it should generally be prevented. E.g. https://wiki.mozilla.org/Security/Encrypted_Client_Hello mentions explicit bypasses are possible with enterprise proxies (which generally require client-side certificate authorities which are an explicit opt-in to allowing a third party to decrypt your traffic). And it's a TLS 1.3 extension, and TLS 1.3 -> 1.2 downgrades are intentionally prevented as part of 1.3's design...
... and even if it wasn't, ECH works by reading public keys from DNS, so the domain owner has claimed "you can send ECH" and it's pretty easy to know "therefore you shouldn't downgrade if you are capable, it's probably an attacker". Though unencrypted DNS renders this all a bit moot of course.
---
tl;dr, with the caveat that IANAWebSecuritySpecialist and I haven't found anything I'd call actually conclusive yet:
I believe "no". Unless you are setting up client-side CAs, at which point you can MITM everything so it hardly matters.
georgeck
Tools like https://pi-hole.net does this for the whole house. It comes with a default set of blocked domains and you can easily add to it. It acts as your local DNS for the network.
pbhjpbhj
Pihole is at domain level though, you'd have to MitM to get URIs.
pcl
For client-side management, Little Snitch does approximately this on macOS.
ck45
There’s also LuLu from Objective-See (https://objective-see.org/products/lulu.html), and for Linux, there’s OpenSnitch (https://github.com/evilsocket/opensnitch)
gclawes
Objective-See has great apps
cvalka
https://safing.io/ does what you're asking. There's no need to use their SPN service.
TheRizzler
If Windows, there is ZTDNS worth checking out: https://techcommunity.microsoft.com/blog/networkingblog/anno...
It melds Firewall and DNS to block.
ycuser2
Is it possible to select a pcap stream (named pipe or so) as input? With that I could monitor my routers interfaces.
Or are there other possibilities to monitor router interfaces with Sniffnet?
xhkkffbf
I'm looking for something similar that will run on my router and track the entire house. Any suggestions?
yonatan8070
I think that's highly router dependent, but here's what I know.
Home Assistant can monitor some things via the UPnP/IGD integration [1]. If you're looking for something more advanced, you could look into SNMP Exporter [2] with a Prometheus + Grafana setup.
Another option is to set up a PiHole DNS server, which would both block ads for the local network, and give you DNS statistics on a per-device basis.
None of these can get to the level of granularity you can get with a pcap based tool like sniffnet, but they're a good start to network monitoring and should work with most home routers.
If you really want to go deep with your network monitoring, you could set up a more sophisticated setup using OPNsense/pfSense, but at that point I don't know what is and isn't possible as I have no experience with them.
[1] https://www.home-assistant.io/integrations/upnp/ [2] https://github.com/prometheus/snmp_exporter
radicality
I haven’t looked into Sniffnet much yet, but that probably depends what you run on your router. I use OPNsense, and the Zenarmor module does provide a whole bunch of useful info together with blocking capabilities. If you pay for a home-use license (I haven’t done this), you can also get a few more features like MitM with your own SSL certificate.
nepthar
I'm also hoping for something like this! Bonus points if it had a "little snitch" type of operation where I could manually approve a matrix of (device x domain)
buildbot
If your router supports port mirroring, you could offload this to another computer and mirror the WAN (or all the LAN) ports to that computer?
VTimofeenko
Depending on the router, you could log traffic from nftables to ulogd2 to some logging monitoring/shipping solution.
pknerd
Maybe some DNS thing that you put in your router settings so all the traffic will go via a proxy instead of directly to the ISP
Gshaheen
Looks really cool with a lot of information. Can someone who knows more than I detail out what the practical use cases of something like this would be?
Exuma
I used brew install... which of these do I choose? I chose en0 and I get a permission error (libpcap error, cannot open BPF device)
I have apple silicon
edit: I just used sudo ;p
collinvandyck76
That's interesting. I used `cargo install` and I don't have to use `sudo` to capture any of the interfaces I tried.
Related:
Sniffnet – Comfortably monitor your internet traffic (like Wireshark) - https://news.ycombinator.com/item?id=36728672 - July 2023 (60 comments)
Sniffnet: Open-source, cross platform application to monitor network traffic - https://news.ycombinator.com/item?id=35991811 - May 2023 (38 comments)
Comfortably monitor your network traffic in real-time with Sniffnet - https://news.ycombinator.com/item?id=33693185 - Nov 2022 (4 comments)
Sniffnet – A multithreaded, cross-platform network analyzer - https://news.ycombinator.com/item?id=33132169 - Oct 2022 (2 comments)