PaKon is a tool for monitoring the activity of devices inside a local network. It collects and stores information about network activity and allows you to view and filter records.
For now (as of Turris OS version 3.9), PaKon has only a command line interface; a web interface is under development.
PaKon builds on Suricata, an open-source Intrusion Detection System. Suricata does the hard work of analyzing the raw network traffic and provides processed information (about flows, DNS requests and responses, HTTP and TLS details, etc.).
PaKon collects this data from Suricata, puts the different pieces of information together and stores them in an SQLite database. The primary data contains information about each individual network flow, including a human-readable name of the destination address. This hostname should correspond to the name of the host as the user actually perceives it. The name is obtained either by monitoring DNS queries and responses that preceded the flow, or from an application-level name (TLS SNI, TLS certificate CN or HTTP hostname).
Big service providers (e.g. Google, YouTube, Facebook and Twitter) use a number of different hosts and hostnames to serve their content, so PaKon keeps a list of domains used to merge these: /usr/share/pakon-light/domains_replace/. For example, instead of storing the hostname "scontent.fprg2-1.fna.fbcdn.net", PaKon simply stores "facebook.com". This means that some detail is lost. On the other hand, it dramatically improves the readability of the output and reduces the amount of stored data, which is essential for a clear representation of network traffic.
The data is further reduced in order to store it for longer. Most importantly, individual flows are aggregated. Aggregation simply means that instead of storing many flows to the same host, the flows are merged together for a given time frame. The total number of bytes sent and received is preserved, but some detail about the duration and start times of individual flows is lost. As released in 3.9, the records are kept for 4 weeks, but we plan to make this adjustable in the future.
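To make the two reduction steps above concrete, here is an added illustration (written for this page, not PaKon's own code) of a domain-merge list and of time-window aggregation. The DOMAIN_REPLACE map, the suffix-matching rule and the flow records are all constructed assumptions; the real lists under /usr/share/pakon-light/domains_replace/ may use a different format.

```python
from datetime import datetime, timezone

# Constructed stand-in for the domain-merge lists (assumption: a hostname that
# equals a key, or ends with "." + key, is replaced by the key's value).
DOMAIN_REPLACE = {
    "fbcdn.net": "facebook.com",
    "facebook.com": "facebook.com",
    "googlevideo.com": "youtube.com",
    "ytimg.com": "youtube.com",
    "google.com": "google.com",
}


def merge_hostname(hostname):
    """Collapse a CDN or service hostname to its well-known domain (suffix match)."""
    host = hostname.lower().rstrip(".")
    for suffix, replacement in DOMAIN_REPLACE.items():
        if host == suffix or host.endswith("." + suffix):
            return replacement
    return host


def fmt_bytes(n):
    """Render a byte count the way the pakon-show table does (445B, 2KiB, ...)."""
    for unit in ("B", "KiB", "MiB", "GiB"):
        if n < 1024 or unit == "GiB":
            return "{}{}".format(n, unit) if unit == "B" else "{:.0f}{}".format(n, unit)
        n /= 1024


# Constructed flow records:
# (start time, duration in s, src MAC, hostname, dst port, proto, bytes sent, bytes received)
FLOWS = [
    ("2017-11-23 14:00:46", 240, "00:01:02:03:04:05", "www.google.com", 80, "http", 445, 785),
    ("2017-11-23 14:00:47", 10, "00:01:02:03:04:05", "scontent.fprg2-1.fna.fbcdn.net", 443, "tls", 2048, 5120),
    ("2017-11-23 14:04:37", 66, "00:01:02:03:04:05", "edge-star-mini-shv-01-prg1.facebook.com", 443, "tls", 6144, 3072),
    ("2017-11-23 15:30:01", 5, "00:01:02:03:04:05", "r3---sn-2gb7sn7k.googlevideo.com", 443, "tls", 900, 60000),
]


def aggregate(flows, window_seconds=3600):
    """Merge flows with the same (MAC, merged hostname, port, proto) that start in
    the same time window. Byte totals are preserved; the individual start times
    and durations collapse into the window start and the latest end time seen."""
    buckets = {}
    for start, dur, mac, host, port, proto, sent, recvd in flows:
        # Times are treated as UTC so the window boundaries do not depend on the local zone.
        t = datetime.strptime(start, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        ts = int(t.timestamp())
        window = ts - ts % window_seconds
        key = (window, mac, merge_hostname(host), port, proto)
        bucket = buckets.setdefault(key, {
            "window": datetime.fromtimestamp(window, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
            "src_mac": mac, "hostname": key[2], "dst_port": port, "proto": proto,
            "flows": 0, "sent": 0, "recvd": 0, "last_end": ts + dur,
        })
        bucket["flows"] += 1
        bucket["sent"] += sent
        bucket["recvd"] += recvd
        bucket["last_end"] = max(bucket["last_end"], ts + dur)
    return [buckets[k] for k in sorted(buckets)]


if __name__ == "__main__":
    for row in aggregate(FLOWS):
        print("{window} | {src_mac} | {hostname} | {dst_port} | {proto} | {flows} flows | {s} | {r}".format(
            s=fmt_bytes(row["sent"]), r=fmt_bytes(row["recvd"]), **row))
```

With the constructed input, the two Facebook flows (one via an fbcdn.net edge, one via a facebook.com edge) land in the same 14:00 bucket and keep their combined 8 KiB in each direction, while the YouTube flow stays separate because it starts in the next hour.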
Connect to your router via SSH and run the following commands:
$ opkg update
$ opkg install pakon
This should perform all the steps needed to start collecting data: installing the package, starting Suricata (on the local and guest networks) and starting the monitoring daemons. It may take a while before the data is complete enough to be displayed.
The command for displaying PaKon data is called pakon-show. When you run the command, it will produce an output similar to the following:
$ pakon-show
| datetime            | dur  | src MAC           | hostname     | dst port | proto | sent | recvd |
|---------------------|------|-------------------|--------------|----------|-------|------|-------|
| 2017-11-23 14:00:46 | 240s | 00:01:02:03:04:05 | google.com   | http     | http  | 445B | 785B  |
| 2017-11-23 14:00:47 | 10s  | 00:01:02:03:04:05 | facebook.com | https    | tls   | 2KiB | 5KiB  |
| 2017-11-23 14:00:47 | 155s | 00:01:02:03:04:05 | whatsapp.com | https    | tls   | 1KiB | 5KiB  |
| 2017-11-23 14:04:37 | 66s  | 00:01:02:03:04:05 | facebook.com | https    | tls   | 6KiB | 3KiB  |
The output gives the user an idea of the visited hosts, the times of the visits and the amount of data sent and received in bytes.
There are several options for filtering the output. To see them, run:
$ pakon-show -h
You can filter the data by time, by MAC address and by hostname. You can also display results aggregated by domain instead of displaying timeline data.
Some domains are hidden in the output by default, for example advertisement, tracking, CDN, OCSP and browser service domains, because they make the output hard to read. You can show all records using the option --no-filter. The list of filtered domains is in
This can happen in the case of a failed connection or an unrecognized protocol. In those cases you can still get some idea about the flow from the destination port.
PaKon is better at recognizing the actual hostnames of flows, which should correspond to the name the user actually perceives. Majordomo just does a reverse lookup, whereas PaKon uses names from DNS and the application layer. Additionally, Majordomo aggregates data much more drastically and does not preserve time, so it is not possible to see a timeline of activity.
The most recent data is stored in the RAM and backed up in compressed form to persistent storage before restart or every few hours. Data older than 24 hours is aggregated and moved to a persistent archive database.
PaKon monitors DNS answers and pairs names with IP addresses. When it later sees a flow to a paired IP address, it uses the name that the IP address was paired with.
Even if no DNS query was performed (e.g. when the name/IP mapping is hardcoded in the hosts file), Suricata is often able to determine the name from the application protocol, in the case of HTTP and TLS. HTTP sends the hostname in its Host header. TLS is encrypted, but when the connection is opened (during the TLS handshake) the client sends the name of the server (TLS SNI) and the server sends its certificate. Both are sent unencrypted, so Suricata can read them even though the data flow is encrypted afterwards.
For other protocols, the detection relies on DNS names only. Also note that tunneling protocols (VPNs, SSH, proxies, Tor) can hide the activity entirely: you will only see the flow to the proxy or gateway, not the actual traffic underneath. There is nothing that can be done about that.
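The name attribution described in the three paragraphs above, as an added example that is not PaKon's or Suricata's code: DNS answers are paired with IP addresses first, and when a flow's destination was never named by DNS the TLS SNI, the certificate subject CN or the HTTP hostname is used instead; a flow nothing can name keeps only its destination port. The events are constructed and only loosely modelled on Suricata's EVE JSON records (the field names used here are an assumption), the addresses are TEST-NET ranges, and the priority order (DNS before application-layer names) is also an assumption.

```python
import json
import re

# Constructed sample events in EVE-like newline-delimited JSON (assumption: the
# "dns", "tls", "http" and "flow" records carry the fields used below).
EVE_LINES = "\n".join(json.dumps(e) for e in [
    {"event_type": "dns", "dns": {"type": "answer", "rrname": "www.google.com",
                                  "rrtype": "A", "rdata": "192.0.2.10"}},
    {"event_type": "http", "flow_id": 1, "dest_ip": "192.0.2.10", "dest_port": 80,
     "http": {"hostname": "www.google.com"}},
    {"event_type": "flow", "flow_id": 1, "src_ip": "10.0.0.2", "dest_ip": "192.0.2.10",
     "dest_port": 80, "proto": "TCP", "app_proto": "http",
     "flow": {"bytes_toserver": 445, "bytes_toclient": 785}},
    # No DNS answer was ever seen for this IP (e.g. a hosts-file entry): only the SNI names it.
    {"event_type": "tls", "flow_id": 2, "dest_ip": "198.51.100.5", "dest_port": 443,
     "tls": {"sni": "chat.example.net", "subject": "CN=chat.example.net"}},
    {"event_type": "flow", "flow_id": 2, "src_ip": "10.0.0.2", "dest_ip": "198.51.100.5",
     "dest_port": 443, "proto": "TCP", "app_proto": "tls",
     "flow": {"bytes_toserver": 2048, "bytes_toclient": 5120}},
    # No SNI either: the certificate subject CN is the last application-layer clue.
    {"event_type": "tls", "flow_id": 3, "dest_ip": "198.51.100.7", "dest_port": 443,
     "tls": {"subject": "C=CZ, O=Example, CN=mail.example.org"}},
    {"event_type": "flow", "flow_id": 3, "src_ip": "10.0.0.2", "dest_ip": "198.51.100.7",
     "dest_port": 443, "proto": "TCP", "app_proto": "tls",
     "flow": {"bytes_toserver": 900, "bytes_toclient": 4000}},
    # Unrecognised protocol and no DNS: nothing names it, only the destination port remains.
    {"event_type": "flow", "flow_id": 4, "src_ip": "10.0.0.2", "dest_ip": "203.0.113.9",
     "dest_port": 8443, "proto": "TCP", "app_proto": "failed",
     "flow": {"bytes_toserver": 120, "bytes_toclient": 0}},
])

SERVICE_NAMES = {80: "http", 443: "https", 53: "domain"}


def cert_cn(subject):
    """Pull the CN attribute out of a certificate subject string, or None."""
    m = re.search(r"(?:^|,\s*)CN=([^,]+)", subject or "")
    return m.group(1).strip() if m else None


def attribute_flows(lines):
    """Walk EVE-like events in order and return one record per flow with the best
    available hostname and where it came from (dns, sni, cert, http or None)."""
    ip_to_name = {}   # IP address -> most recent DNS name answered for it
    app_names = {}    # flow_id -> (name, source) learned from the application layer
    records = []
    for line in lines.splitlines():
        ev = json.loads(line)
        kind = ev["event_type"]
        if kind == "dns":
            d = ev["dns"]
            if d.get("type") == "answer" and d.get("rrtype") in ("A", "AAAA"):
                ip_to_name[d["rdata"]] = d["rrname"]
        elif kind == "tls":
            t = ev["tls"]
            if t.get("sni"):
                app_names[ev["flow_id"]] = (t["sni"], "sni")
            elif cert_cn(t.get("subject")):
                app_names[ev["flow_id"]] = (cert_cn(t["subject"]), "cert")
        elif kind == "http":
            app_names.setdefault(ev["flow_id"], (ev["http"]["hostname"], "http"))
        elif kind == "flow":
            name, source = None, None
            if ev["dest_ip"] in ip_to_name:            # DNS pairing wins when present
                name, source = ip_to_name[ev["dest_ip"]], "dns"
            elif ev["flow_id"] in app_names:           # otherwise SNI / cert CN / HTTP host
                name, source = app_names[ev["flow_id"]]
            port = ev["dest_port"]
            app = ev.get("app_proto")
            records.append({
                "dest_ip": ev["dest_ip"],
                "dst_port": SERVICE_NAMES.get(port, str(port)),
                "proto": app if app not in (None, "failed") else ev["proto"].lower(),
                "hostname": name,
                "source": source,
                "sent": ev["flow"]["bytes_toserver"],
                "recvd": ev["flow"]["bytes_toclient"],
            })
    return records


def render(rec):
    """One pakon-show style line; an unnamed host is shown as '?' next to its port."""
    return "{} | {} | {} | {}B | {}B".format(
        rec["hostname"] or "?", rec["dst_port"], rec["proto"], rec["sent"], rec["recvd"])


if __name__ == "__main__":
    for rec in attribute_flows(EVE_LINES):
        print(render(rec), "(source: {})".format(rec["source"]))
```

The fourth flow is the case the FAQ mentions: no name could be learned, so the line starts with "?" and the reader falls back on the port (8443) and the transport protocol to guess what it was.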
Yes, we are working on it. The CLI is meant to be a preview of the web interface.