This application monitors network traffic to identify programs that are "phoning home" to check for updates etc. It aims to be very lightweight by using a BPF program in the kernel to track the network traffic, and then analysing it in a Java userspace program.
The base installation looks for traffic originating from the local machine. It is also possible to use the Phone Home Detector in hotspot mode where it will identify traffic originating from other machines and devices in your home. For this you need to run on a machine with a Wi-Fi NIC and a separate internet connection (probably wired ethernet).
The idea is to create a Wi-Fi hotspot sharing the internet connection from the other NIC. Then connect any machines or devices that you want to monitor to the hotspot. Phone Home Detector running in hotspot mode will monitor the traffic to identify patterns.
Currently, the Phone Home Detector is only packaged for Ubuntu 24.04. To install, first add the PPA and ensure it is updated:
Then install:
Note this can take a while as it has to install dependencies, notably Java and Clang. The Phone Home Detector will start running in the background as a systemd service. To query the results simply run:
To see more options run:
There is also a simple web interface available at http://localhost:9080/
Note that this requires Ubuntu Server 24.04 with the GUI installed using:
You can also use Ubuntu Workstation 24.04. However, on more than one occasion I have found that bpftool (which this project is dependent on) fails to work after an upgrade. Ubuntu Server is not set up with HWE so the kernel version is fixed.
Standard OS mechanisms are used to set up a hotspot:
- Settings -> Wi-Fi -> Turn On Wi-Fi Hotspot...
- Enter Network Name and Password
- Click Turn On
Then any machines or devices to be monitored need to be connected to the hotspot network. One method is to turn off the existing Wi-Fi network and set up the hotspot with the SSID and password of the existing network, allowing devices to connect to it without reconfiguration.
At this point Phone Home Detector needs to be reconfigured to run in hotspot mode. This is done by running the following command and following the instructions. Note that you will need to know the name of the Wi-Fi device that is being used for the hotspot if there is more than one.
The command line application or web interface can be used to view the results as before. Here is an example of the output.
The application works by looking at the data sent to each IP address in one-minute blocks. It then looks for patterns in the interval or size of data sent.
The data is captured by a BPF program in the kernel and analysed by a Java program in userspace. In workstation mode it captures outgoing traffic and in hotspot mode it captures incoming traffic on the specified NIC. In workstation mode it also runs an additional BPF program to attempt to identify the process responsible for the data.
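The one-minute-block analysis described above can be sketched as follows. This is an added example in Python, not the project's own Java code; the thresholds (`min_blocks`, `tolerance`), the record layout and the sample traffic are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

BLOCK_SECONDS = 60  # one-minute blocks, as the page describes

# Constructed sample: (unix_seconds, destination_ip, bytes_sent); documentation IP ranges.
SAMPLE = [
    (5, "203.0.113.10", 512), (307, "203.0.113.10", 256), (310, "203.0.113.10", 256),
    (604, "203.0.113.10", 520), (902, "203.0.113.10", 512), (1209, "203.0.113.10", 508),
    (10, "198.51.100.7", 1500), (70, "198.51.100.7", 90000), (75, "198.51.100.7", 40000),
    (400, "198.51.100.7", 300), (1000, "198.51.100.7", 120000),
    (130, "192.0.2.50", 256), (190, "192.0.2.50", 256),
    (670, "192.0.2.50", 256), (1800, "192.0.2.50", 256),
]

def bucket(records):
    """Sum bytes per destination per one-minute block."""
    blocks = defaultdict(lambda: defaultdict(int))
    for ts, dst, nbytes in records:
        blocks[dst][int(ts // BLOCK_SECONDS)] += nbytes
    return blocks

def is_regular(values, tolerance):
    """True when the coefficient of variation is within tolerance (assumed metric)."""
    m = mean(values)
    return m > 0 and pstdev(values) / m <= tolerance

def analyse(records, min_blocks=4, tolerance=0.2):
    """Return destinations whose active blocks repeat in interval and/or size."""
    findings = {}
    for dst, per_minute in bucket(records).items():
        minutes = sorted(per_minute)
        if len(minutes) < min_blocks:  # too few samples to call anything a pattern
            continue
        gaps = [b - a for a, b in zip(minutes, minutes[1:])]
        sizes = [per_minute[m] for m in minutes]
        # A gap of 1 everywhere is also what a continuous stream looks like, so
        # only gaps longer than one block count as an interval pattern here.
        periodic = mean(gaps) > 1 and is_regular(gaps, tolerance)
        interval = round(mean(gaps)) if periodic else None
        size = round(mean(sizes)) if is_regular(sizes, tolerance) else None
        if interval is not None or size is not None:
            findings[dst] = {"interval_min": interval, "size_bytes": size}
    return findings

if __name__ == "__main__":
    for dst, finding in analyse(SAMPLE).items():
        print(dst, finding)
```

In the sample, the first destination is reported for both interval and size, the second (bursty, irregular transfers) is not reported, and the third is reported for size only.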
- The main Phone Home Detector application runs as a systemd service.
- There is a command line application and a simple web application (also a systemd service) available to query the results.
- The interface between these and the service is via a Unix Domain Socket.
- When the service stops it saves the results in XML format which are reloaded when it starts.
The following distributions and kernel versions have been tested:
- Ubuntu 24.04
- No IPv6 support
Please see here
If you find this useful please star this repo



