
PaKon - Network monitoring (Parental Control)

PaKon is a tool for monitoring the activity of devices inside a local network. It collects and stores information about network activity and allows you to view and filter records.

Background

PaKon utilizes Suricata, an open-source Intrusion Detection System. Suricata does the hard work of analyzing raw network traffic and provides processed information (about flows, DNS requests and responses, HTTP and TLS details, etc.).

PaKon collects this data from Suricata, puts the different pieces of information together and stores them in an SQLite database. The primary data contains information about each individual network flow, including a human-readable name of the destination address. This hostname should correspond to the name of the host as the user perceives it. The name is obtained by monitoring the DNS queries/responses that precede the flow, or from some other application-level name (TLS SNI, TLS certificate CN or HTTP hostname).

Big service providers (e.g. Google, Youtube, Facebook and Twitter) use a number of different hosts and hostnames to serve their content, so PaKon has lists of domains to merge these: /usr/share/pakon-light/domains_replace/. For example, instead of storing the hostname “scontent.fprg2-1.fna.fbcdn.net”, PaKon simply stores “facebook.com”. This means that some detail is lost. On the other hand, this dramatically improves the readability of the output and reduces the amount of stored data, which is essential for a clear representation of network traffic.

The data is further reduced in order to store it longer. Most importantly, individual flows are aggregated. Aggregation simply means that instead of storing many flows to the same host, the flows are merged together for a given time frame. The total number of received and sent bytes is preserved, but some detail about the duration and start times of individual flows is lost. The records are kept for 4 weeks, but we plan to adjust this in the future.
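The two reductions described above (merging provider hostnames via a replace list, then aggregating flows per time window while preserving byte totals) can be illustrated with a small added example. This is illustrative code written for this page, not PaKon's own implementation: the replace entries, the 5-minute window, the aggregation key (source MAC, merged hostname, destination port, protocol) and the sample flows are all constructed assumptions.

```python
from collections import OrderedDict
from datetime import datetime, timedelta

# Constructed replace list in the spirit of /usr/share/pakon-light/domains_replace/:
# any hostname ending in one of these suffixes is stored under the short name.
# (Illustrative entries, not copied from PaKon's real lists.)
DOMAINS_REPLACE = {
    "facebook.com": "facebook.com",
    "fbcdn.net": "facebook.com",
    "google.com": "google.com",
    "1e100.net": "google.com",
    "youtube.com": "youtube.com",
    "googlevideo.com": "youtube.com",
}

EPOCH = datetime(1970, 1, 1)


def canonical_name(hostname):
    """Return the merged name for a hostname, trying the longest suffix first,
    or the hostname itself if no replace entry applies."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):          # "a.b.c" -> try "a.b.c", "b.c", "c"
        suffix = ".".join(labels[i:])
        if suffix in DOMAINS_REPLACE:
            return DOMAINS_REPLACE[suffix]
    return hostname


def aggregate_flows(flows, window=timedelta(minutes=5)):
    """Merge flows that share (src MAC, merged hostname, dst port, proto) and start
    in the same time window. Byte counts are summed; only the earliest start and
    the overall span survive, so per-flow duration detail is lost."""
    window_s = int(window.total_seconds())
    buckets = OrderedDict()
    for f in flows:
        offset = int((f["start"] - EPOCH).total_seconds())
        bucket = offset - offset % window_s          # floor the start to the window
        key = (bucket, f["mac"], canonical_name(f["hostname"]), f["port"], f["proto"])
        end = f["start"] + timedelta(seconds=f["dur"])
        rec = buckets.get(key)
        if rec is None:
            buckets[key] = {
                "start": f["start"], "end": end, "mac": f["mac"],
                "hostname": key[2], "port": f["port"], "proto": f["proto"],
                "sent": f["sent"], "recvd": f["recvd"], "flows": 1,
            }
        else:
            rec["start"] = min(rec["start"], f["start"])
            rec["end"] = max(rec["end"], end)
            rec["sent"] += f["sent"]
            rec["recvd"] += f["recvd"]
            rec["flows"] += 1
    result = []
    for rec in buckets.values():
        rec["dur"] = int((rec["end"] - rec["start"]).total_seconds())
        result.append(rec)
    return sorted(result, key=lambda r: (r["start"], r["mac"], r["hostname"]))


# Constructed sample flows (the MAC and the hostnames mirror the pakon-show example
# further down the page; byte counts are made up).
SAMPLE_FLOWS = [
    {"start": datetime(2017, 11, 23, 14, 0, 46), "dur": 240, "mac": "00:01:02:03:04:05",
     "hostname": "www.google.com", "port": "http", "proto": "http", "sent": 445, "recvd": 785},
    {"start": datetime(2017, 11, 23, 14, 0, 47), "dur": 10, "mac": "00:01:02:03:04:05",
     "hostname": "scontent.fprg2-1.fna.fbcdn.net", "port": "https", "proto": "tls",
     "sent": 2048, "recvd": 5120},
    {"start": datetime(2017, 11, 23, 14, 1, 30), "dur": 20, "mac": "00:01:02:03:04:05",
     "hostname": "static.xx.fbcdn.net", "port": "https", "proto": "tls", "sent": 1024, "recvd": 1024},
    {"start": datetime(2017, 11, 23, 14, 6, 10), "dur": 66, "mac": "00:01:02:03:04:05",
     "hostname": "www.facebook.com", "port": "https", "proto": "tls", "sent": 6144, "recvd": 3072},
]

if __name__ == "__main__":
    for r in aggregate_flows(SAMPLE_FLOWS):
        print(r["start"], f'{r["dur"]}s', r["mac"], r["hostname"], r["port"], r["proto"],
              r["sent"], r["recvd"], f'({r["flows"]} flows)')
```

Running it merges the two fbcdn.net flows into a single facebook.com record (bytes summed, duration stretched from the first start to the last end), while the facebook.com flow that starts in the next 5-minute window stays separate. That is exactly the trade-off the text describes: totals are preserved, per-flow timing is not.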

Usage

Installation in Foris

Go to the Foris configuration interface, which can be found by default at https://192.168.1.1. In the Updater tab, choose Pakon and press Save changes. After a while, reload the page and you'll see Pakon in the left menu.

You need to install it only once; after that you'll see it every time you open Foris.

You can see how it works in the demo of our administration interface Foris.

Installation in CLI

Connect to your router via SSH and run the following commands:

$ opkg update
$ opkg install pakon

This should perform all the steps needed to start collecting data: installing the package, starting Suricata (on the local and guest networks) and starting the monitoring daemons. It may take a while before enough data has been collected to be displayed.

Usage of CLI

The command for displaying PaKon data is called pakon-show. When you run the command,

$ pakon-show

it will produce an output similar to the following:

$ pakon-show
|datetime            | dur   | src MAC           | hostname        | dst port | proto | sent   | recvd |
|                    |       |                   |                 |          |       |        |       |
|2017-11-23 14:00:46 | 240s  | 00:01:02:03:04:05 | google.com      | http     | http  |   445B |   785B|
|2017-11-23 14:00:47 | 10s   | 00:01:02:03:04:05 | facebook.com    | https    | tls   |   2KiB |   5KiB|
|2017-11-23 14:00:47 | 155s  | 00:01:02:03:04:05 | whatsapp.com    | https    | tls   |   1KiB |   5KiB|
|2017-11-23 14:04:37 | 66s   | 00:01:02:03:04:05 | facebook.com    | https    | tls   |   6KiB |   3KiB|

The output gives the user an idea of the visited hosts, the times of the visits and the amount of data sent or received (in bytes).

Individual indicators:

  • datetime = date and time the hostname was accessed
  • dur = duration for which the given hostname was accessed
  • src MAC = source MAC address, i.e. the MAC address of the device that accessed the hostname
  • dst port = destination port (for well-known services this is shown as service name)
  • proto = application level protocol as detected by Suricata
  • sent = size of data sent
  • recvd = size of data received

There are several options for filtering the output. To see them, use the -h option:

$ pakon-show -h

You can filter the data by time, by MAC address and by hostname. You can also display results aggregated by domain instead of displaying timeline data.

Some domains are hidden in the output by default (for example advertisements, tracking, CDNs, OCSP responders and browser service domains), because they make the output hard to read. You can show all records using the --no-filter option. The lists of filtered domains are in /usr/share/pakon-light/domains_ignore/.
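As an added example (not part of pakon-show or the PaKon package), the following code parses the table that pakon-show prints and applies the same kinds of filters the text lists: a time range, a source MAC, a hostname substring, a default ignore list that a --no-filter-style switch disables, and a per-domain total instead of the timeline. The ignore entries, the size-unit table and the extra ads.example.net row in the sample are constructed for the demonstration.

```python
import re
from datetime import datetime

SIZE_UNITS = {"B": 1, "KiB": 1024, "MiB": 1024 ** 2, "GiB": 1024 ** 3}
SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)\s*(B|KiB|MiB|GiB)$")

# Constructed ignore list standing in for /usr/share/pakon-light/domains_ignore/:
# a hostname equal to, or ending in, one of these is hidden unless show_all is set.
DOMAINS_IGNORE = {"ads.example.net", "ocsp.example.org"}


def parse_size(text):
    """Turn a pakon-show size such as '445B' or '2KiB' into a byte count."""
    m = SIZE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(float(m.group(1)) * SIZE_UNITS[m.group(2)])


def _to_dt(value):
    """Accept a datetime or a 'YYYY-MM-DD HH:MM:SS' string for time filters."""
    if value is None or isinstance(value, datetime):
        return value
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def parse_pakon_show(text):
    """Parse the table printed by pakon-show into a list of record dicts.
    Prompt lines, the header row and the empty separator row are skipped."""
    records = []
    for line in text.splitlines():
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 8 or cells[0] in ("", "datetime"):
            continue
        records.append({
            "datetime": datetime.strptime(cells[0], "%Y-%m-%d %H:%M:%S"),
            "dur": int(cells[1].rstrip("s")),
            "mac": cells[2].lower(),
            "hostname": cells[3],
            "port": cells[4],
            "proto": cells[5],
            "sent": parse_size(cells[6]),
            "recvd": parse_size(cells[7]),
        })
    return records


def is_ignored(hostname):
    host = hostname.lower()
    return any(host == d or host.endswith("." + d) for d in DOMAINS_IGNORE)


def filter_records(records, mac=None, host=None, since=None, until=None, show_all=False):
    """Filter by source MAC, hostname substring and time range; hide ignored
    domains unless show_all is True (the equivalent of --no-filter)."""
    since, until = _to_dt(since), _to_dt(until)
    out = []
    for r in records:
        if mac and r["mac"] != mac.lower():
            continue
        if host and host.lower() not in r["hostname"].lower():
            continue
        if since and r["datetime"] < since:
            continue
        if until and r["datetime"] > until:
            continue
        if not show_all and is_ignored(r["hostname"]):
            continue
        out.append(r)
    return out


def totals_by_domain(records):
    """Aggregate by hostname into (sent, recvd) byte totals, most traffic first."""
    totals = {}
    for r in records:
        s, rv = totals.get(r["hostname"], (0, 0))
        totals[r["hostname"]] = (s + r["sent"], rv + r["recvd"])
    return dict(sorted(totals.items(), key=lambda kv: -(kv[1][0] + kv[1][1])))


# Constructed sample: the rows from the example output above plus one row for a
# hostname on the ignore list, to show the default filtering.
SAMPLE_OUTPUT = """\
$ pakon-show
|datetime            | dur   | src MAC           | hostname        | dst port | proto | sent   | recvd |
|                    |       |                   |                 |          |       |        |       |
|2017-11-23 14:00:46 | 240s  | 00:01:02:03:04:05 | google.com      | http     | http  |   445B |   785B|
|2017-11-23 14:00:47 | 10s   | 00:01:02:03:04:05 | facebook.com    | https    | tls   |   2KiB |   5KiB|
|2017-11-23 14:00:47 | 155s  | 00:01:02:03:04:05 | whatsapp.com    | https    | tls   |   1KiB |   5KiB|
|2017-11-23 14:02:00 | 5s    | 00:01:02:03:04:05 | ads.example.net | https    | tls   |   1KiB |  30KiB|
|2017-11-23 14:04:37 | 66s   | 00:01:02:03:04:05 | facebook.com    | https    | tls   |   6KiB |   3KiB|
"""

if __name__ == "__main__":
    visible = filter_records(parse_pakon_show(SAMPLE_OUTPUT))
    for name, (sent, recvd) in totals_by_domain(visible).items():
        print(f"{name:20} sent={sent:>7} recvd={recvd:>7}")
```

Note that sizes in the table are already rounded (2KiB, not an exact byte count), so totals computed from the printed output are approximate; the exact figures live in the SQLite database, not in the display.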

A few sidenotes

  • In some cases the application-level protocol is unknown and is shown as ?. This can happen in the case of a failed connection or an unrecognized protocol. In those cases you can still get some idea of the traffic from the destination port.
  • Web pages commonly include content from multiple domains, which means that visiting one web page results in many flows to different domains.
  • Web pages often include content from Google, Facebook, and other such sites. If you see Facebook in the PaKon output, it doesn't necessarily mean that you visited Facebook, you might have just visited a page that includes Facebook content.
  • The duration of a flow might be misleading: it is the duration of the connection (the time between opening the connection and closing it). That doesn't mean that the connection was active the whole time. We observed that browsers typically keep the connection open for a few minutes, even though only one HTTP request was made in the first few seconds.

FAQ

  • What is the difference between Majordomo and PaKon?

PaKon is better at recognizing the actual hostnames of the flows, which should correspond to the name perceived by the user. Majordomo just does a reverse lookup, whereas PaKon uses names from DNS and the application layer. Additionally, Majordomo aggregates data much more drastically and doesn't preserve time, so it's not possible to see a timeline of activity.

  • Where is the data stored?

The most recent data is stored in RAM and backed up in compressed form to persistent storage before a restart or every few hours. Data older than 24 hours is aggregated and moved to a persistent archive database.

  • Where does PaKon get the hostname?

PaKon monitors DNS answers and pairs names with IP addresses. When it later sees a flow to a paired IP address, it uses the name that the IP address was paired with.

Even if no DNS query was performed (e.g. when the name/IP mapping is hardcoded in the hosts file), Suricata is often able to determine the name from the application protocol, in the case of HTTP and TLS. HTTP sends the hostname in a header. TLS is encrypted, but when the connection is opened (during the TLS handshake), the client sends the name of the server (TLS SNI) and the server sends its certificate. These are both sent unencrypted, so Suricata can read them even though the data flow is encrypted afterwards.

In the case of other protocols, the detection relies on DNS names only. Also note that tunneling protocols (VPNs, SSH, proxies, Tor) can hide the activity entirely: you will only see the flow to the proxy/gateway and not the actual traffic underneath. There is nothing that can be done about that.
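The naming logic described in this answer (pair names with IPs from DNS answers seen before the flow, fall back to TLS SNI, certificate CN or HTTP Host, and end up with just an IP for tunnels and other unnamed traffic) is shown below as an added example. It is illustrative code for this page, not PaKon's implementation: the precedence order, the TTL handling, the flow/DNS record fields and the sample observations (addresses from RFC 5737 documentation ranges) are assumptions made for the demonstration.

```python
class NameResolver:
    """Pair names with IP addresses from observed DNS answers and choose a
    human-readable name for a flow.
    Precedence (an assumption of this example, not a PaKon specification):
      1. a DNS answer for the destination IP that was seen before the flow
         started and is still within its TTL,
      2. the TLS SNI, TLS certificate CN or HTTP Host that Suricata extracted
         from the flow itself,
      3. the bare destination IP when nothing better is known."""

    def __init__(self):
        # ip -> list of (seen_ts, expires_ts, name), in order of observation
        self._pairs = {}

    def add_dns_answer(self, ts, name, ip, ttl):
        self._pairs.setdefault(ip, []).append((ts, ts + ttl, name.lower().rstrip(".")))

    def _dns_name(self, ip, flow_start):
        best = None
        for seen, expires, name in self._pairs.get(ip, ()):
            if seen <= flow_start <= expires:
                best = name              # the latest qualifying answer wins
        return best

    def resolve(self, flow):
        """Return (name, source) so the reader can see where the name came from."""
        name = self._dns_name(flow["dst_ip"], flow["start"])
        if name:
            return name, "dns"
        for field in ("tls_sni", "tls_cn", "http_host"):
            if flow.get(field):
                return flow[field].lower().rstrip("."), field
        # A VPN, SSH or proxy flow typically ends here: only the gateway is
        # visible, and the destination port is the remaining hint.
        return flow["dst_ip"], "ip"


# Constructed observations; timestamps are seconds, addresses are documentation ranges.
DNS_ANSWERS = [
    (100, "www.example.com", "192.0.2.10", 300),
    (100, "cdn.example.net", "198.51.100.7", 60),
]
FLOWS = [
    {"start": 110, "dst_ip": "192.0.2.10", "dst_port": 443},                 # paired via DNS
    {"start": 110, "dst_ip": "203.0.113.5", "dst_port": 443,
     "tls_sni": "mail.example.org"},                                        # hosts-file entry, SNI only
    {"start": 120, "dst_ip": "203.0.113.9", "dst_port": 80,
     "http_host": "intranet.example"},                                      # plain HTTP Host header
    {"start": 130, "dst_ip": "203.0.113.22", "dst_port": 1194},              # VPN gateway: nothing to name it
    {"start": 90, "dst_ip": "192.0.2.10", "dst_port": 443},                  # started before the DNS answer
    {"start": 500, "dst_ip": "198.51.100.7", "dst_port": 443},               # DNS pairing expired (TTL 60)
]


def build_resolver(answers=DNS_ANSWERS):
    r = NameResolver()
    for ts, name, ip, ttl in answers:
        r.add_dns_answer(ts, name, ip, ttl)
    return r


def resolve_all(flows=FLOWS, answers=DNS_ANSWERS):
    r = build_resolver(answers)
    return [r.resolve(f) for f in flows]


if __name__ == "__main__":
    for flow, (name, source) in zip(FLOWS, resolve_all()):
        print(f'{flow["dst_ip"]:15} :{flow["dst_port"]:<5} -> {name:20} ({source})')
```

The last three sample flows are the cases the answer warns about: a flow whose DNS lookup PaKon never saw, a stale pairing, and a tunnel endpoint all collapse to a bare IP, which is why the destination port column is still worth reading.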

  • Is it possible to have client names instead of their MAC addresses?

Yes, but (for now) you need to do it in LuCI, the advanced administration interface of the router. If you didn't change the router IP, you can find it here: http://192.168.1.1/cgi-bin/luci/

Go to the Network → DHCP and DNS, scroll a little bit down and you should see DHCP Static Leases.

You don't have to set a proper static lease to see names in PaKon; just fill in the name and select the MAC address. If you also fill in the IP address, you create a static lease, meaning that the device will always get the same IP address.

  • Can I configure the list of monitored networks for PaKon?

Yes, you can change the list of monitored networks in the configuration file /etc/config/pakon. By default, the list includes two interfaces: br-lan and the guest wifi br-guest_turris. Add or edit the interfaces which you want to monitor and then restart these two services using the following commands:

/etc/init.d/suricata-pakon restart
/etc/init.d/pakon-monitor restart