From f4c8fb5577a473baa4da98daae71e7c248bd9b53 Mon Sep 17 00:00:00 2001
From: Steffen Möller
Date: Fri, 2 Jan 2015 21:50:46 +0100
Subject: [PATCH] Create inspect-network-traffic.rst

A general description on how to approach the network from gateways/routers/clients shall transport some understanding on why end-to-end cryptography is so important. General network security may improve, too, with individuals learning to see/understand pathologic states of the network earlier.
---
 docs/features/inspect-network-traffic.rst | 164 ++++++++++++++++++++++
 1 file changed, 164 insertions(+)
 create mode 100644 docs/features/inspect-network-traffic.rst

diff --git a/docs/features/inspect-network-traffic.rst b/docs/features/inspect-network-traffic.rst
new file mode 100644
index 00000000..007b4f8c
--- /dev/null
+++ b/docs/features/inspect-network-traffic.rst
@@ -0,0 +1,164 @@ +Network Traffic +=============== + +In general, Freifunk does not filter network traffic. Users are not monitored. +But - Freifunk admins and those placing a router on +their premises have complete access to the hardware and all data passing +it. For the sake of transparency it should be explained how available the +users' data are to our volunteers. +Regular Internet Service Providers have the very same or better tools at their +disposal and many bored and/or curious staff at their disposal. End-to-end +cryptography sends only unreadable data packages. + + +Gateways - ours, those of our anonymisers, or of ISPs +----------------------------------------------------- + +There are typically two or more gateways in a Freifunk network that collect traffic +from the WLAN routers and forward it to anonymisers, the gateway of other Freifunk communities, or +grant direct access to the Internet. A gateway is typically accessed via a regular +UNIX shell, and with so many different sites accessed by many individuals in +a network, any graphical separation of activities is difficult in the first place. + +*bandwith monitoring* + +A tool with decent tabular and ASCII presentations is bmon. 
It ships as a cognate Debian +package: + + # Interface RX Rate RX # TX Rate TX # + ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── + gw2 (source: local) + 0 bat0 36.83KiB 556 1.02MiB 762 + 1 lo 0.00B 0 0.00B 0 + 2 dummy 0.00B 0 493.00B 7 + 3 ffoh-mesh-vpn 63.36KiB 797 1.07MiB 1516 + 4 eth1 0.00B 0 0.00B 0 + 5 dummy0 0.00B 0 0.00B 0 + 6 eth0 1.15MiB 1563 1.26MiB 2434 + 7 mullvad 288.52KiB 219 10.46KiB 152 + + ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── + RX KiB + 374.80 ...................................................*........ + 312.33 .**................................................**....... + 249.87 ***................................................**....... + 187.40 ****...............................................**....... + 124.93 ****...*..........................................***....... + 62.47 ****:****::::::::::::::::::::::::::::::::::::::*::***::::::. [-0.01%] + 1 5 10 15 20 25 30 35 40 45 50 55 60 s + TX KiB + 30.64 ........*................................................... + 25.53 ........*..........................................*........ + 20.43 .......**.......................................*..**....... + 15.32 .*.....**.................*....................**..**....... + 10.21 .*.*.****..........*......*....................******....... + 5.11 *************:.::::**:*****:****:**:***:*:::***********:*::. 
[-0.01%] + 1 5 10 15 20 25 30 35 40 45 50 55 60 s + ────────────────────────────────────────┬────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── + RX TX │ RX TX + Bytes: 57.0 GiB 9.4 GiB│ Packets: 55655040 41097702 + Errors 0 0 │ Dropped 0 0 + FIFO Err 0 0 │ Frame Err 0 0 + Compressed 0 0 │ Multicast 0 0 + + +In the above setup, about 90% of the traffic directly go to the Internet while a +remaining 10% of non-whitelisted traffic is routed through an anonymising service. +One gets a graphical impression of the fluctuations in the internet traffic. If +there is a hickup in the network for some router, starting bmon on the respective +gateway usually is informative. + +*Forwarded connections* + +The tool netstat characterises the traffic to and from the server. But it gives no +further insight in what triggered a particular a particular forwarded connection. +The tool netstat-nat provides a respective resolution down to the IP address of the +client: + + # netstat-nat -Nx|head -10 + Proto NATed Address NAT-host Address Destination Address State + icmp 10.135.21.25 10.8.0.66 s2.linuxsolutions.at + tcp 10.135.11.209:35533 gw2.ostholstein.freifunk.net:35533 217.118.169.213:http ESTABLISHED + tcp 10.135.16.145:49413 10.8.0.66:49413 dub402-m.hotmail.com:https ESTABLISHED + tcp 10.135.16.145:49412 10.8.0.66:49412 bay405-m.hotmail.com:https ESTABLISHED + tcp 10.135.16.145:49153 10.8.0.66:49153 157.55.236.25:https ESTABLISHED + tcp 10.135.16.146:61529 gw2.ostholstein.freifunk.net:61529 17.130.16.4:https ESTABLISHED + tcp 10.135.16.17:55309 10.8.0.66:55309 kundenserver.de:http ESTABLISHED + tcp 10.135.16.177:53344 gw2.ostholstein.freifunk.net:53344 yts10.yql.vip.bf1.yahoo.com:http ESTABLISHED + tcp 10.135.16.199:61262 gw2.ostholstein.freifunk.net:61262 17.130.254.14:5223 ESTABLISHED + +The middle column identifies the gateway through which the connection is routed. 
The 10.8.0.66 is the anonymiser. +The IP address 217.118.169.213 looks dubious at a first sight. The tool 'whois' identifies it as RTL, a TV station. Netstat-nat +is available as a Debian package. + +*See packages* + +Every package passing the hardware can be inspected. There is a batctl feature *tcpdump* to quickly +investigate the headers of packages. + + # batctl tcpdump -n bat0|head -n 10 + 16:47:17.368968 IP 10.135.17.193.46028 > 158.85.58.105.443: TCP, flags [....A.], length 0 + 16:47:17.380180 IP 198.136.45.174.38513 > 10.135.19.51.51061: TCP, flags [....A.], length 0 + 16:47:17.386435 IP 54.230.130.71.80 > 10.135.21.14.33642: TCP, flags [...PA.], length 701 + 16:47:17.406464 IP 10.135.19.51.51061 > 198.136.45.174.38513: TCP, flags [...PA.], length 86 + 16:47:17.421005 ARP, Request who-has 10.135.22.111 tell 10.135.0.16 (ee:88:71:fa:40:cc), length 28 + 16:47:17.421103 ARP, Reply 10.135.22.111 is-at 40:f3:08:74:0d:69, length 28 + 16:47:17.430465 IP 212.11.63.254.80 > 10.135.21.14.56605: TCP, flags [....A.], length 416 + 16:47:17.430531 IP 212.11.63.254.80 > 10.135.21.14.56605: TCP, flags [...PA.], length 1145 + 16:47:17.430548 IP 212.11.63.254.80 > 10.135.21.14.56605: TCP, flags [....A.], length 1356 + 16:47:17.430561 IP 212.11.63.254.80 > 10.135.21.14.56605: TCP, flags [...PA.], length 104 + +The original tool provides about the same kind of output and is particularly prepared for the +use of filters, i.e. a logical expression to indicate the packages that should be selected for +display / the writing to a file. + +The tcpdump can be combined with a grep to learn about the activity of an individual +client (or a trojan on that client). 
+ + # tcpdump -i bat0 + tcpdump: verbose output suppressed, use -v or -vv for full protocol decode + listening on bat0, link-type EN10MB (Ethernet), capture size 65535 bytes + 16:50:59.604815 IP 10.135.20.80.52196 > 17.173.66.104.https: Flags [P.], seq 3365924598:3365925147, ack 1754814341, win 8192, length 549 + 16:50:59.608324 IP 10.135.20.211.57280 > ec2-50-16-207-102.compute-1.amazonaws.com.https: Flags [.], ack 1426811095, win 1234, options [nop,nop,TS val 18402430 ecr 36686067], length 0 + 16:50:59.608448 IP 10.135.20.80.52198 > 62.146.20.212.https: Flags [P.], seq 1451618102:1451618177, ack 2182802755, win 4096, options [nop,nop,TS val 537078044 ecr 523476758], length 75 + 16:50:59.610983 IP 10.135.20.80.52198 > 62.146.20.212.https: Flags [P.], seq 75:81, ack 1, win 4096, options [nop,nop,TS val 537078044 ecr 523476758], length 6 + 16:50:59.613335 IP 10.135.19.58.50816 > asa-glx-gsg004.gameloft.com.38513: Flags [.], ack 243153572, win 1455, options [nop,nop,TS val 8404145 ecr 71236049], length 0 + 16:50:59.614951 IP 10.135.20.80.52198 > 62.146.20.212.https: Flags [P.], seq 81:166, ack 1, win 4096, options [nop,nop,TS val 537078044 ecr 523476758], length 85 + 16:50:59.616287 IP 10.135.20.211.57280 > ec2-50-16-207-102.compute-1.amazonaws.com.https: Flags [.], ack 1357, win 1234, options [nop,nop,TS val 18402431 ecr 36686069], length 0 + 16:50:59.617139 IP ec2-50-16-207-102.compute-1.amazonaws.com.https > 10.135.20.211.57280: Flags [.], seq 1357:2713, ack 0, win 70, options [nop,nop,TS val 36686076 ecr 18402414], length 1356 + 16:50:59.617219 IP ec2-50-16-207-102.compute-1.amazonaws.com.https > 10.135.20.211.57280: Flags [.], seq 2713:4069, ack 0, win 70, options [nop,nop,TS val 36686076 ecr 18402414], length 1356 + +The 'port 80' below is an example for a filter - which is the non-encrypted web page transfer. +The data is read from a file that was created with tcpdump -w somefile before. The -X shows +the data transported with the page, i.e. 
the web page itself. + + # tcpdump -r somefile -X port 80 + 17:25:55.411142 IP lhr08s05-in-f3.1e100.net.http > 10.135.20.207.45588: Flags [P.], seq 1:1140, ack 168, win 341, options [nop,nop,TS val 1928209820 ecr 30724122], length 1139 + ... + 0x0380: 436f 6e6e 6563 7469 6f6e 3a20 636c 6f73 Connection:.clos + 0x0390: 650d 0a0d 0a3c 4854 4d4c 3e3c 4845 4144 e.....302.M + 0x03f0: 6f76 6564 3c2f 5449 544c 453e 3c2f 4845 oved.

30 + 0x0410: 3220 4d6f 7665 643c 2f48 313e 0a54 6865 2.Moved

.The + 0x0420: 2064 6f63 756d 656e 7420 6861 7320 6d6f .document.has.mo + ... + 0x0490: 3c2f 413e 2e0d 0a3c 2f42 4f44 593e 3c2f ..... + + +WLAN Routers +------------ + +to be written + +Clients +------- + +*WLAN sniffers* + +to be written
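Review bot: The indented sample outputs in this hunk (the bmon table after `It ships as a cognate Debian package:`, the `netstat-nat -Nx` listing after `client:`, and the three tcpdump captures) follow paragraphs that end in a single colon or in no colon at all, so reStructuredText renders them as block quotes rather than literal blocks, collapsing the whitespace and mangling the ASCII graph and the table columns; end each introducing paragraph with `::` (e.g. `It ships as a cognate Debian package::`) so Sphinx emits a literal block. On the substance: the introduction states that end-to-end cryptography `sends only unreadable data packages`, but the document's own examples show what an encrypted connection still reveals to whoever operates the gateway: the netstat-nat listing pairs `10.135.16.145:49413` with `dub402-m.hotmail.com:https ESTABLISHED`, and the tcpdump capture shows client address, destination, port and timing of HTTPS flows; a sentence saying that encryption protects content but not this metadata would make the transparency argument accurate rather than overstated. Related, since the page opens with `Users are not monitored`, the pasted outputs that tie client addresses to destination hosts and timestamps should be scrubbed or replaced by constructed values before the document is published. Wording: `bandwith` → `bandwidth`, `hickup` → `hiccup`, `what triggered a particular a particular forwarded connection` repeats two words, `package`/`packages` should read `packet`/`packets` throughout including the `*See packages*` heading, `about 90% of the traffic directly go` → `goes`, `at their disposal` occurs twice in one sentence, and `The original tool` should name tcpdump explicitly. Finally, the `WLAN Routers` and `Clients` sections contain only `to be written`; either leave them out of this commit or mark them clearly as placeholders so they are not rendered as finished documentation.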