IoT in the Home: Part 1 - Traffic Analysis Hardware & Tools

posted Oct 15, 2015, 2:58 PM by Tom Pedersen   [ updated Sep 7, 2017, 4:56 AM ]
Part 1 of a series [hopefully] of notes relating to managing traffic on modern home networks, a project inspired by the Internet of Things (IoT) and a growing number of Smart Devices in our home. Many of these devices converse on our internal network, others communicate with Cloud services; few offer details of their net-chatter. I'm simply curious to see who's talking to whom while learning a few network management tools and techniques.

Motivation/Objective

The number of devices on our home network has grown significantly in the past year or so as we continue to add network connected lights, switches, appliances and other smart devices to our world.  This Internet of Things (IoT) tends to blend private and public networks as smart devices are dropped inside of our firewalls - right next to the PCs and storage we chose to protect from the 'outside world'. Furthermore, we have little/no control of smart device communications and may even be asked to open ports/connections with external (public internet) services to facilitate their interactions with the cloud.

This initial article is focused on home network reconfiguration and tweaks performed to simplify network traffic analysis and security as our pile of smart devices grows. Hardware and software tools listed here will initially be used to add traffic monitoring capabilities, but are also expected to play a role in establishing a network architecture that will safely [securely] accommodate many more future smart devices.

Background 

Many home networks are now cobbled together behind equipment provided by Internet Service Providers (ISPs), generally your cable television or phone company. Internet 'Gateways' supplied by ISPs are typically consumer-grade Switch/Routers that simply provide internet connectivity for wired and wireless devices. It is a little tricky to monitor traffic on these switched networks because a switch forwards each packet only between the sending and receiving ports, so a third port never sees it. Furthermore, consumer-grade switches rarely provide network management or monitoring features that would allow us to 'tap in' to peek at network traffic, or to isolate traffic to prevent untrusted smart devices from intermingling with devices on our private LAN.

Commercial networks and data centers routinely deploy Managed Switches as part of their network design.  This class of switch provides a variety of configurable features to control/monitor traffic and tune network performance.  Managed switch features of particular interest for this project include port mirroring and network virtualization (VLAN).

Port Mirroring is a feature that allows you to configure a redirect or 'Mirror' port to facilitate network monitoring. A traffic analyzer connected to the mirror port sees a copy of every packet sent/received on the mirrored port. Virtual LAN (VLAN) capabilities allow you to configure logical sub-networks to improve performance or security by separating untrusted devices/traffic from the existing devices on our home network.

Hardware

I searched for economical network hardware that would satisfy my initial IoT network requirements and settled on the following (I'm sure there are MANY other alternatives):

Smart Switch: TP-LINK TL-SG108E 8-Port Gigabit Easy Smart Switch with 8 10/100/1000 Mbps RJ45 Ports, MTU/Port/Tag-Based VLAN, QoS and IGMP* - around $35 when I bought it on Amazon.com. Not a full-blown managed switch, but it does support port mirroring and VLANs. Seems to work fine, but you may need a Windows machine to configure/manage it.


http://dd-wrt.com
Wired/Wireless Switch/Router: DD-WRT is alternative open-source firmware suitable for a wide variety of consumer-grade routers. DD-WRT firmware includes many features found in commercial switches. I am repurposing an old Linksys WRT320N running DD-WRT to isolate/secure wired and wireless IoT devices and to learn more about their traffic.


Network Analyzer: My trusty old Acer Aspire One netbook, running Kali Linux (see below). Kali contains several hundred tools aimed at various information security tasks, including loads of traffic analysis tools. Kali also runs great on the AAO.


Software

My initial list of network analysis tools includes the following (likely to change as I learn):

https://www.kali.org/downloads/
Kali Linux is a Debian-based Linux distribution aimed at advanced Penetration Testing and Security Auditing. The Kali distribution contains MANY interesting open source tools and will save a lot of installation/configuration time.  Also runs fine via "live" USB drive.  Well documented.


https://www.wireshark.org/#download
Wireshark is a very popular network protocol analyzer (sniffer). It lets you see what's happening on your network at the packet or conversation level, and it is widely used and well documented. Wireshark is preinstalled on Kali Linux, but can also be downloaded here.
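Wireshark gives the conversation view interactively; for a quick "who's talking to whom" report from a capture taken on the switch's mirror port, a small script over tcpdump's text output does the same job from the command line. The following is an added example written for this article, not the author's code or any of the listed tools. It assumes the capture was made with `tcpdump -n -i eth0 -w iot.pcap` and converted to text with `tcpdump -n -r iot.pcap`, that 192.168.1.0/24 is the home LAN, and it uses constructed sample lines (the 203.0.113.0/24 and 198.51.100.0/24 addresses are RFC 5737 documentation ranges standing in for cloud hosts).

```python
"""Summarize who is talking to whom from `tcpdump -n` text output.

Added example for this article (not the author's code). Assumes traffic was
captured on the mirror port and that HOME_LAN below is our LAN.
"""
import ipaddress
import re
from collections import defaultdict

HOME_LAN = ipaddress.ip_network("192.168.1.0/24")  # assumption: our home LAN

# Other RFC 1918 / link-local space: private, but not our LAN (e.g. a second VLAN).
OTHER_PRIVATE = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

# Constructed sample lines in `tcpdump -n` text format (not a real capture).
SAMPLE_LINES = """\
12:00:01.000001 IP 192.168.1.20.49152 > 192.168.1.10.8080: Flags [S], seq 1, length 0
12:00:01.000002 IP 192.168.1.10.8080 > 192.168.1.20.49152: Flags [S.], seq 1, ack 2, length 0
12:00:02.000001 IP 192.168.1.21.51000 > 203.0.113.5.443: Flags [P.], seq 1:100, ack 1, length 99
12:00:02.000002 IP 192.168.1.21.5353 > 224.0.0.251.5353: UDP, length 80
12:00:03.000001 IP 192.168.1.22.33000 > 198.51.100.7.1883: Flags [P.], seq 1:50, ack 1, length 49
12:00:03.000002 IP 192.168.1.22.33000 > 198.51.100.7.1883: Flags [P.], seq 50:90, ack 1, length 40
"""

# Matches IPv4 TCP/UDP lines: "<ts> IP <src>.<sport> > <dst>.<dport>: ... length <n>"
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
    r".*\blength (?P<len>\d+)"
)


def classify(ip_str):
    """Where does a remote endpoint live, seen from our LAN?"""
    ip = ipaddress.ip_address(ip_str)
    if ip in HOME_LAN:
        return "lan"
    if ip.is_multicast or ip_str == "255.255.255.255":
        return "multicast"
    if any(ip in net for net in OTHER_PRIVATE):
        return "other-private"
    return "internet"


def parse_line(line):
    """Return (src, sport, dst, dport, payload_len) or None for lines we skip (ARP, IP6, ICMP...)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m["src"], int(m["sport"]), m["dst"], int(m["dport"]), int(m["len"])


def endpoints(src, sport, dst, dport):
    """Split a packet into (lan_device, (remote_ip, remote_port)); None if no side is on our LAN."""
    if ipaddress.ip_address(src) in HOME_LAN:
        return src, (dst, dport)
    if ipaddress.ip_address(dst) in HOME_LAN:
        return dst, (src, sport)
    return None


def summarize(text):
    """Aggregate packets and payload bytes per (lan_device, remote_ip, remote_port)."""
    convs = defaultdict(lambda: {"packets": 0, "bytes": 0, "scope": None})
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, sport, dst, dport, length = parsed
        ends = endpoints(src, sport, dst, dport)
        if ends is None:
            continue
        dev, (rip, rport) = ends
        entry = convs[(dev, rip, rport)]
        entry["packets"] += 1
        entry["bytes"] += length
        entry["scope"] = classify(rip)
    return dict(convs)


def internet_talkers(text):
    """Map each LAN device to the sorted list of (remote_ip, port) it exchanged with off-LAN."""
    talkers = defaultdict(set)
    for (dev, rip, rport), entry in summarize(text).items():
        if entry["scope"] == "internet":
            talkers[dev].add((rip, rport))
    return {dev: sorted(peers) for dev, peers in talkers.items()}


if __name__ == "__main__":
    for (dev, rip, rport), e in sorted(summarize(SAMPLE_LINES).items()):
        print(f"{dev:15} -> {rip:15}:{rport:<5} {e['scope']:13} {e['packets']:4} pkts {e['bytes']:6} B")
    print("Devices talking to the internet:", internet_talkers(SAMPLE_LINES))
```

LAN-to-LAN chatter shows up once per direction (each side is "the device" in its own row), which is what you want when deciding which smart devices really need to see each other before moving the rest onto their own VLAN. Only IPv4 TCP/UDP lines are counted; ARP, IPv6 and ICMP are skipped by the regex.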


http://www.ntop.org/get-started/download/
ntop is an open-source network traffic probe that shows network usage, similar to what the popular top Unix command does. Users navigate/interact via a web browser to monitor realtime network conversations and traffic. May now be included with Kali, but also downloadable here.


http://etherape.sourceforge.net/download.shtml
EtherApe is an open-source graphical network monitor for Unix modeled after etherman. It displays network activity graphically: hosts and links change in size with traffic, and protocols are color coded. Doesn't appear to be included with Kali, but looks interesting. Download via this page.

That's it for now - hope it is useful to others. Will try to document/post more as I learn.

---------------

* T. Pedersen Ventures is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to amazon.com.