Packet Sniffing

October 28, 2019
Understanding Networks

Prompt

Capture and analyze traffic on your home network while going about your usual network activities.

Present your results in summary form, using graphical analysis where appropriate.

  • How much of your network traffic is inbound? How much is outbound?
  • What portion of it is HTTP traffic?
  • How many devices are active on your network? What are their relative levels of activities?
  • What sites are the most common sources and destinations for your traffic?

Write a summary of your work and findings on your blog. We’ll compare notes in class.

My Methods

For this project, I used Wireshark to inspect the packets that were going across my home network that I share with my roommate.

I captured two sessions: the first session was a long one, over the span of about a day - from an evening to the afternoon of the next day. The second session was a few hours, during the evening of that next day. I captured a second session because my roommate was absent for most of the first, and I wanted to be able to compare the volume of our relative network usage in terms of packets.

For the purpose of this article, I will refer to these two different sessions as Session 1 and Session 2.

To analyze these sessions, I used Wireshark to export them as csv files (the first session's file was 2.42 GB! It took like forever to save it, I was worried Wireshark would crash and I would lose the session). I then wrote a script in Python to parse these, and analyze the most common sources, destinations, protocols, and network devices seen in every packet.

Link to Python Code

Inbound vs. Outbound traffic

In both sessions, I found it pretty surprising how close to 50:50 the split between incoming and outgoing packets was for my device.

The way I defined "inbound" traffic in my program was any packet where the source was not on my local network, and the destination was a device on my network.

Consequently, "outbound" traffic was any packet where the source was a device on my local network, and the destination was a device NOT on my network.

I think if I had defined these just in terms of traffic to/from my computer alone, the ratios wouldn't change too drastically, as my device is by far the most common source/destination, as seen later in this analysis.
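To make the inbound/outbound definition above concrete, here is an added example (my own illustration, not the post's linked script) that applies it to rows in Wireshark's default CSV export layout. It assumes a 192.168.1.0/24 home subnet and a constructed five-row sample, and goes one step beyond the post's two-way split by separating local-to-local and multicast/broadcast packets, which would otherwise be counted as outbound.

```python
import csv
import io
import ipaddress
from collections import Counter

# Constructed rows in Wireshark's default CSV export layout (not a real capture).
SAMPLE_CSV = """\
"No.","Time","Source","Destination","Protocol","Length","Info"
"1","0.000000","192.168.1.4","35.186.224.25","TLSv1.2","1294","Application Data"
"2","0.000412","35.186.224.25","192.168.1.4","TCP","66","443 > 51234 [ACK]"
"3","0.001000","192.168.1.1","224.0.0.251","MDNS","120","Standard query"
"4","0.002000","192.168.1.7","192.168.1.4","TCP","74","51000 > 445 [SYN]"
"5","0.003000","Netgear_aa:bb:cc","Broadcast","ARP","42","Who has 192.168.1.2?"
"""

LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed home subnet
BROADCAST = ipaddress.ip_address("255.255.255.255")


def classify(src, dst, local_net=LOCAL_NET):
    """Label a packet 'inbound', 'outbound', 'local', 'multicast' or 'other'.

    Inbound: destination on the home subnet, source elsewhere; outbound is the
    reverse. Multicast/broadcast destinations are split out because the router
    delivers them to every host. Non-IP addresses (MAC strings in ARP rows)
    land in 'other'.
    """
    try:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    except ValueError:
        return "other"
    if d.is_multicast or d == BROADCAST:
        return "multicast"
    src_local, dst_local = s in local_net, d in local_net
    if src_local and dst_local:
        return "local"
    return "inbound" if dst_local else "outbound" if src_local else "other"


def summarize(csv_text, local_net=LOCAL_NET):
    """Tally direction, protocol and local-device appearances over an export."""
    direction, protocols, devices = Counter(), Counter(), Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        direction[classify(row["Source"], row["Destination"], local_net)] += 1
        protocols[row["Protocol"]] += 1
        for addr in (row["Source"], row["Destination"]):
            try:
                if ipaddress.ip_address(addr) in local_net:
                    devices[addr] += 1
            except ValueError:
                pass  # not an IP address (MAC or name); skip
    return direction, protocols, devices
```

Running `summarize` over a real export gives the inbound/outbound, per-protocol and per-device counts the post charts in one pass.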

Inbound vs. Outbound traffic on Session 1

Inbound vs. Outbound traffic on Session 2

Traffic by protocol

I also kept track of which protocol each packet corresponded to. Here, I've listed every protocol the program ever saw in the given sessions. By far, TCP is the most frequent, followed by TLSv1.2, TLSv1.3 and UDP in both sessions (though in Session 2, UDP is the second highest).

Traffic by Protocol on Session 1

Traffic by Protocol on Session 2

Traffic by devices on my network

I also analyzed the number of times devices on my network were seen. My device is the highest, followed by several other devices. Further inspection with a tool called Herbivore led me to discover that the private IP addresses 192.168.1.1 and 192.168.1.2 both belonged to NETGEAR devices (the make of router I have), and 192.168.1.4 and 192.168.1.7 were other devices on my network. I didn't feel like bothering my roommate about what IP they were using, so I checked my phone's wifi settings and confirmed my phone's private IP was the one ending in "4".

The volume of packets that have to do with my machine doesn't surprise me, since Wireshark's job is to keep track of packets it sees through the Wifi card on my computer.

Traffic by Devices on Session 1

Traffic by Devices on Session 2

I was confused to see Herbivore tell me about two NETGEAR devices, but I understand them to be related to the fact that I have an Orbi, a NETGEAR device that lets us extend Wifi signal in our house. I don't actually know too much about how this works but I believe it's called "mesh routing".

I was also a little confused about why I see traffic that has to do with these other devices on the network, like my phone or my roommate's computer, if I am indeed looking at traffic that is picked up by my computer's wifi card.

A quick search brought me to this: https://superuser.com/questions/1276176/why-am-i-seeing-other-computers-traffic-on-wireshark. The traffic I'm seeing for these other devices is likely multicast packets, packets that are broadcast to every device from my router. These don't actually reflect those devices' own traffic from browsing, for example.

Sources and Destinations

Looking at the actual sources and destinations for these two sessions was not too surprising.

In Session 1, I spent a lot of time listening to music so I could DJ for the first time. This resulted in super long Spotify binges. I think this explains the breakdown of the sources:

20 Most Common Sources in Session 1

I think it also makes sense that outside destinations appear far less often than my computer does in Session 1. I mostly left my computer on in the background while I streamed music, occasionally navigating to new songs in Spotify - so in general I was receiving more packets than I was sending out.

One question I have is: what is the difference between protocols for streaming music versus video? I noticed that a lot of these Spotify related packets were TCP or TLS (Transport Layer Security) - but in class we said UDP was more common for video streaming services because the integrity of packets isn't as high of a priority. On the other hand, I saw that the packets related to Youtube were in UDP.

20 Most Common Destinations in Session 1

In Session 2, I casually browsed Facebook (see all the Facebook related URLs) while working on programming for this assignment (see img.realpython.net and www.afternerd.com further down).

20 Most Common Sources in Session 2

For Session 2, we see that my computer doesn't outnumber the other destinations as drastically in terms of frequency. I see that www.googleapis.com is pretty close in frequency -- but I'm not clear what exactly that means. I searched through the records to see what some of the googleapis packets were about:

My guess is that because I'm using Chrome, there are some extra Google services Chrome runs in the background. For example, safebrowsing.googleapis.com has to do with the Safe Browsing Google API, which gives us a warning if sites we visit are risky. My hypothesis is that I'm seeing a lot of this in the sources and destinations because I'm using Chrome.

20 Most Common Destinations in Session 2