This is a placeholder for the "iotsnoop.html" page. Progress points.


iotsnoop manual -
IOT gadgets are a major security source of concern. These are innocuous gadgets increasingly occupying the network in our houses
-light bulbs, thermostats, pool monitors, etc, etc. ALL of which are using
outdated code, which is rarely updatable. People tend to just add these gadgets to their home networks with no thot to security/privacy! Big Mistake!
You should at the very least! put these gadgets -largely wifi- on a separate "guest network" which
most home routers offer these days. This prevents compromised IOT gadgets from seeing/reaching your main network.

I have spawned a project off of imonitorg [referenced below]. I use a raspberry pi4 with its wifi run in APN mode which is intended for IOT gadget "guest" network.
Log your gadgets into this network. I then run scripting on the pi4 watching the IOT network. All the data is obtainable via a web server running on the pi4 on your local network,
plus an optional email you can receive using your own gmail account as a relay. This is NOT a cloud solution like most services these days. It is completely
self contained on the pi4 and your home network. I have no connection to the pi4, nor does anybody else -only you!
The scripts and info gathering is an ongoing project early 2024. This prokect will
probably extend years, like imonitorg as I learn the best techniques.

4-15-2024: Version 1.1 pulled. Version 1.2 coming EOM.
Per IOT host dns query form to allow deep dive into IOT queries
Setting of IOT dns server via dnsmasq. 9.9.9.9 is preferred/default
2GB packet capture limit works for 5-6 Mb/s average over the hour. Will work for single streaming svc OK.
4K streaming will overrun 2GB buffer in about 30min and terminate the capture/investigation. Amazon prime will do this. Need to test MIN, MED tshark environments.
3-26-2024: Version 1.1 image posted at sourceforge. There should be a version 1.2 by the end of April 2024. Always changes/improvements.
SDcard image is used for evaluation. The app is write intensive, and I will eventually have instructions/images for migration to USB/SSD devices
since the SDcards may not survive long term in this situation. A Quality SDcard like Sandisk ExtremePro is needed.
Successful testing for up to 2GB packet capture and analysis, representing about 6Mb/s [rcv+tmt] streams.
The capture is done hourly, by starting, stopping and examing packet captures and plotting and listing statistics.
Works successfully single streaming, youtube, foxnews etc streams, tho it should not be used in general for multiple streaming devices. Only the more
quiescent IOT devices.
I Will be evaluating capture filters to restrict to pkt headers, more data, higher rates, etc. Lots of things to investigate/improve.
Note this page for IOT stats collected [there is additional]. Zoom in to see!
]

3-9-2024: Lots of cleanup, iitialization work. Got iotsnoop running on mmcblkp0 [SD card], USB stick, and USB hard drive
Ready to create first img for download. This will not be a "beautiful" release, but it should function. I am using it on a 4GB pi4 with maybe 12 IOT
devices -no streaming TV!- up to 500,000 pkts/hr have been handled representing up to 2Mb/s rcv-tmt of IOT data.
I have an 8GB pi4 which I will be testing for increased IOT bandwidth.
But WHY would you want/let your IOT hog your bandwidth. The wifi APN is spec'd only for 802.11g -50Mbs.
The image is running on a 64GB SDcard, so the image will be created from that. Some funky booting, USB is enabled, but it traverses that.
You should consider transitioning a USB SSD drive. You can use "rpi-clone sda" e.g. to clone. More info coming.
Hope to have an iotsnoop image for testing in a week or so.!

3-2-2024: Lots of detail/initialization/anomaly work. Using 1GB/4GB pi4. Occasional oom-reaper events. Culling some memory hog services like pulseaudio.
Disabled display manager "lightdm" Renable via "systemctl start lightdm" followed by "startx" But beware, display manager gobbles resources.
BEWARE::!! The web page/plots will show NO info for hours/a day until stats are accumulated.
The "imonitorg" function is the same as the previous "imonitorg," the iotsnoop function runs hourly and analyzes collected packets and then plots/lists stats.
I will have updated screenshots/plots below in a few days -3/10 or 3/11
Really Neat! you can see all the IOT activity summarized! plots, hosts, dns requests. It even flags for 5X traffic events, etc. You can see the DNS
of the individual IOT devices. Now if I could do an API to check for malicious websites being accessed.
BEWARE::!! Most of the DNS requests are for CDN sites. amazon s3 servers, etc. etc. Much of this will not make sense.
I list DHCP leases, "off-network" attempts, non leased addresses, and error conditions, if e.g. tshark is having trouble running.
"Alerts" are inserted into the mail1 file, which you receive if you setup mail via gmail relay.
I have converted to the ring buffer "-b" instead of the "absolute" buffer "-B" option in tshark. "-B" causes oom events. Will need to investigate
but ring buffer works for much less memory used! 2GB max buffer is specified, which represents maybe 3 Mbs/ avg BW use over an hour.
2-17-2024: The main scripts are finished and undergoing review. Basic web page done. Four pages show the intent
Main page, showing the imonitorg header and the link to the performance plot. The iotsnoop plot is below.
The iotsnoop plot shows the six main stats. Tshark [wireshark] is run for one hour, and stats collected. Repeat:
1. Bits tmt+rcv on the IOT wlan0 interface, plotted hourly
2. Packets tmt+rcv on the IOT wlan0 interface, plotted hourly. Compare bits to packets to detect heavy activity
3. IP hostpairs encountered, plotted hourly
4. UDP packets tmt+rcv, LESS DNS,DHCP,NTP, plotted hourly
5. TCP sessions SYN-ACK packets counted, plotted hourly.
6. DNS query and respnses, plotted hourly
I am trying to create a plot outpkts/inpkts which would give a good indication of normal/abuse.....
Early results show I can easily ID IOT devices and their activity by watching the plot, and then going into the iotsnoop details,
which show the individual hosts and their activity over the past hour.
Comparing the six plots gives me some idea of what is going on. Total bits >> packet count indicates downloads.
Excessive UDP or DNS peaks would show questionable flooding/bot activity.
I will add a tcpdump script to monitor for TCP SYNs from the IOT to the main LAN, which would indicate malicious probing by an IOT.
Currently I do not distinguish tmt from rcv, but hope to delineate where appropriate.
Suggestions for other monitoring is welcome. I have all the packets recorded each hour [except for the stop/start of tshark] appearing on the wifi interface!

Main webpage page below, showing imonitorg main realtime plot link and the main iotsnoop plot, described above in the six points.


Main page below fold, showing imonitorg stats "host" activity, plus persistent hosts. See imonitorg for info

Main page below below fold showing Info and Links for configuration, mgmt, additional detailss


Details page [# on page] for iotsnoop, showing iotsnoop config/alerts/details, dns query archive, host and packet counts last hour, plus archive



"Iotsnoop" is a project based on "imonitorg" which you can see here:

Imonitorg/iotsnoop web reference -
"Imonitorg" is a performance monitoring application based on raspberry pi3B/3B+. An Oracle VirtualBox "ova" was also developed -running on Ubuntu. .
"Imonitorg is a set of bash scripts running on the pi3B/3B+/OracleVM which monitor Internet perf, providing stats and graphs.
It also collects a broad range of detail on the main [ethernet in the case of iotsnoop] network, including host/service detection.
See the imonitorg.com source for more information.
"Imonitorg" raspberry pi sits behind your network router as another LAN device in your home. You can use it either as ethernet [primary] or wifi connected.
Raspbperry pi 3B/3B+/Oracle VM images are provided at sourceforge.net.

Imonitorg/iotsnoop images
"Iotsnoop" is a second project which uses a raspberry pi4 32bit. It uses the base network performance monitor scripts from imonitorg.

Imonitorg generates a range of "ping" tests to test network performance toward the WAN. It can be connected wifi or ethernet to the home router.
However, "iotsnoop" expects to be connected via ethernet to your home router [not wifi]. It is NOT to be used as your main router connected to your cable modem, e.g.
It expects to operate like a LAN device behind your home router, but in this instance to serve as wifi APN for IOT gadgets.
It actually captures all the wifi APN traffic using tshark, and then inspects them for stats and packet details, plotting them and listing them as appropriate.
Currently iotsnoop operates in NAT mode like all routers/APNs. It simply routes APN IOT packets to your main router.
It is not recommended to put streaming devices like TVs on this APN, at least until further performance msmts are done. The wifi APN is purposly
limited to [does not advertise HT capabilities] 802.11g at 50 Mb/s. This is acceptable because no IOT gadget should be running that fast
stealing bandwidth from you, and it gives tshark and the pi4 the possibility of capturing all traffic on the APN.
Iotsnoop is specifically targeted to monitor all the "hidden" less obvious IOT gadgets in your home.
The wifi of the pi4 is put into APN mode with the SSID "iotsnoopg," which is meant to be used as a special "guest" IOT network, tho
you may still want a still separate guest networks for real GUESTs and their laptops/phones/etc.
"tshark ["terminal" wireshark]" is run on the wifi APN and packets are collected on an hourly basis from IOT devices.
Each hour, the tshark pcap file is interrogated for important statistics of the IOT network. These are then displayed/plotted on the main "iotsnoop" web page.
Like the imonitorg project, the pi4 runs a web server where all of this info is presented. The ability to send email via your gmail account [relaying]
is also provided, just like imonitorg.
As of this early date, six main statistics are collected for the plot as listed above. More will certainly be plotted as I discover different stats.

Here is a [very!] early plot, showing only a few entries. This plot will grow to 250 entries [10+ days] and roll.
The current "IOT" network here consists of a fedora, a windows laptop, a couple imonitorg oracle VMs [running on Ubuntu], a samsung phone, a kindle, a samsung tablet.
Various devices are added while monitoring the iotsnoop performance, trying to gauge/scale the collection and display of data.
IOT plot
This plot is meant to indicate gross "performance" of the IOT guest network. Deviations from average performance, shown by spikes can indicate abnormal activity.

Here is a logarithmic plot on Y. This might be better
Log IOT plot
It is planned to ID and alert! IOT devices exhibiting abnormal activity. This is yet to be quantified/identified/scripted.
This project is in the early stages in Mar 2024 and will be an evolving project. Early pi4 imagess are available at the previously referenced sourceforge page.
Bandwidth calculations wifi 802.11g configured on iface - 50Mb/s max, say 10Mb/s average rate
10Mb/s average rate gives 1MB/sec or 1000pkt/sec [1000 byte pkt]; 1MB/sec x 4000sec/hr is 4GB/hr
So at 25% capacity on wifi inface, 4GB memory would be needed to buffer packet for 1 hr.
So 1GB,2GB,4GB could not support avg rate on iface of 10Mb/s 8GB pi4 could support 10Mb/s; 1GB pi4 could support 1Mb/s rate
So memory buffer should be 1GB for tshark at 1Mb/s wifi avg rate..
pi4 has 1,2,4,8 GB memory spec'd
Ver 1.x of iotsnoop uses "-b" ringbuffer on tshark, with filesize set to 2GB [max for tshark]. Collection for 1 hour.
Update 4-10-2024: I am using a 4GB raspberry pi for most evaluation. This even includes a streaming service for stress.
Even a 1GB pi4 seems to function as long as you keep streaming devices off the APN.

iotsnoot pi4 is a good candidate to move the microSD card to a USB and boot usb. The "disk" activity in iotsnoop is probably 2x what the imonitorg performs.
Instructions for this is hoped to be added at a later date.