How to Connect to Your Network and See Everything That Happens on It

Your home network, and everything connected to it, is like a vault. Behind your login lies a wealth of valuable information, from unencrypted files containing personal data to devices that can be hijacked and used for whatever purpose an attacker likes. In this post, we'll show you how to map your network, peek under the covers to see who is talking to what, and how to detect devices or processes that are hogging your bandwidth (or are unexpected guests on your network).

In short: you will learn to recognize the signs that something on your network has been compromised. We'll assume you are familiar with some networking basics, such as how to find the list of devices on your router and what a MAC address is. If not, head over to our Know Your Net Night School first to brush up.

Before we go any further, though, a word of warning: use these powers for good, and only run these tools and commands on hardware or networks that you own or control. Your IT department won't be happy if you port scan or sniff packets on the corporate network, and neither will everyone else at your local coffee shop.

Step one: map the network

Before you even touch your computer, write down what you think you know about your network. Start with a piece of paper and list all your connected devices. This includes things like smart TVs, smart speakers, laptops and computers, tablets and phones, or any other device that might be connected to your network. If it helps, draw a map of your house room by room, then write down each device and its location. You might be surprised at how many devices you have connected to the Internet at the same time.

Network administrators and engineers will recognize this step: it's the first step in getting to know any network you are not familiar with. Take an inventory of the devices on it, identify them, and then see whether reality matches what you expect. If (or when) it doesn't, you can quickly separate what you know from what you don't.

You might be tempted to just log into your router and look at its status page to see what's connected, but don't do that yet. If you can't identify everything on your network by its IP and MAC address, you just end up with a big list of things, one that may well include intruders or freeloaders. Take inventory first, then go digital.

Step two: probe your network to see who is on it

Once you have a physical map of your network and a list of all your trusted devices, it's time to dig in. Log into your router and check the list of connected devices. This will give you a basic list of names, IP addresses, and MAC addresses. Remember that the device list on your router may or may not show you everything. It should, but some routers only show you devices that got their IP address from the router (via DHCP). Either way, keep this list handy. It's a good start, but we need more information.

Download and Install Nmap

Next, we turn to our old friend Nmap. For those unfamiliar, Nmap is an open source, cross-platform network scanning tool that can detect devices on your network along with many details about those devices. You can see the operating system they are running, IP and MAC addresses, and even open ports and services. Download Nmap here, check out these installation guides to set it up, and follow these instructions to discover hosts on your home network.

The simplest option is to install and run Nmap from the command line (if you'd rather have a graphical interface, Zenmap usually comes bundled with the installer). Scan the IP range you use for your home network. This detected most of the active devices on my home network, with the exception of a few that I've put extra security on (although they too could be detected using some of the Nmap commands you can find in the link above).

Compare Nmap's list with your router's list

You should see the same thing on both lists, unless something you wrote down earlier is switched off. If you see something on your router's list that Nmap didn't find, try running Nmap directly against that IP address.
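The scan-and-compare step above, as an added example that is not code from the original article: it parses the normal output of an Nmap host-discovery scan (`nmap -sn`, run with root so MAC addresses are shown), compares it with the router's client table and with the inventory you wrote down in step one, and buckets each MAC by which lists it appears on. All hosts, MACs and the router table are constructed sample data.

```python
"""Reconcile an Nmap host-discovery scan with the router's client list and your
hand-written inventory (constructed sample data; added example, not the article's code)."""
import re

# Constructed sample of `sudo nmap -sn 192.168.1.0/24` normal output.
NMAP_OUTPUT = """\
Nmap scan report for 192.168.1.1
Host is up (0.0010s latency).
MAC Address: 00:11:22:33:44:01 (Example Router Co)
Nmap scan report for tv.lan (192.168.1.20)
Host is up (0.0450s latency).
MAC Address: 00:11:22:33:44:20 (Example TV Co)
Nmap scan report for 192.168.1.77
Host is up (0.0120s latency).
MAC Address: 00:11:22:33:44:77 (Unknown)
"""
# Constructed router DHCP/client table (mac -> ip); 192.168.1.30 is absent from the scan.
ROUTER_CLIENTS = {"00:11:22:33:44:20": "192.168.1.20",
                  "00:11:22:33:44:30": "192.168.1.30",
                  "00:11:22:33:44:77": "192.168.1.77"}
# MACs from the paper inventory in step one (constructed).
INVENTORY = {"00:11:22:33:44:01", "00:11:22:33:44:20", "00:11:22:33:44:30"}

HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d+\.\d+\.\d+\.\d+)\)?")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-F:]{17})", re.I)

def parse_nmap(text):
    """Return {mac: ip} for every host the scan reported with a MAC address."""
    hosts, ip = {}, None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            ip = m.group(1)
        elif (m := MAC_RE.match(line)) and ip:
            hosts[m.group(1).upper()] = ip
    return hosts

def reconcile(nmap_hosts, router_clients, inventory):
    """Bucket MACs by which lists they appear on; 'unknown' is what you investigate."""
    seen = set(nmap_hosts) | set(router_clients)
    return {
        "unknown": sorted(seen - inventory),                            # on the wire, not on paper
        "nmap_only": sorted(set(nmap_hosts) - set(router_clients)),     # router rarely lists itself
        "router_only": sorted(set(router_clients) - set(nmap_hosts)),   # off, or hiding from the scan
        "missing": sorted(inventory - seen),                            # on paper, not on the wire
    }

if __name__ == "__main__":
    for bucket, macs in reconcile(parse_nmap(NMAP_OUTPUT), ROUTER_CLIENTS, INVENTORY).items():
        print(f"{bucket}: {macs}")
```

Anything in the "router_only" bucket is the case the text describes: point Nmap directly at that IP before deciding it is simply switched off.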

Then look at the device information that Nmap finds. If a device claims to be an Apple TV, it probably shouldn't be running services like http. If something looks odd, probe it specifically for more information.

Nmap is extremely powerful, but not the easiest tool to use. If it's a bit intimidating, you have other options. Angry IP Scanner is another cross-platform utility with a clean, easy-to-use interface that will give you much of the same information. Wireless Network Watcher is a Windows utility that scans the wireless network you are connected to. Glasswire is another great option that will notify you when devices connect to or disconnect from your network.

Step three: sniff around and see who everyone is talking to

By now, you should have a list of devices you know and trust, as well as a list of devices actually connected to your network. If you're lucky, you're done here, and everything either matches or explains itself (for example, the TV that's currently off).

However, if you see any actors you don't recognize, services running that don't match the device (why is my Roku running postgresql?), or something else that seems wrong, it's time to sniff around a little. Packet sniffing, that is.

When two computers communicate on your network or over the Internet, they send each other bits of information called "packets." Together, these packets make up the complex streams of data behind the videos we watch or the documents we upload. Packet sniffing is the process of collecting and examining these bits of information to see where they are going and what they contain.

Install Wireshark

For this we need Wireshark. It's a cross-platform network monitoring tool that we used for a little packet analysis in our guide to sniffing out passwords and cookies. In this case, we will use it in a similar way, but our goal is not to capture anything specific, only to see what types of traffic are passing through the network.

To do this, you need to run Wireshark over Wi-Fi in "promiscuous mode". This means it doesn't just look at packets going to or from your computer; it picks up any packets it can see on your network. On many Wi-Fi adapters, though, promiscuous mode alone won't show other devices' traffic: that requires an adapter in monitor mode, and on a WPA2 network Wireshark can only decrypt other devices' frames if it has the network passphrase and captured their handshake.

Follow these steps to set up:

  • Download and install Wireshark.
  • Select your Wi-Fi adapter.
  • Click Capture > Options and, as you can see in the video above (courtesy of the folks at Hak5), enable the "promiscuous mode" capture option for this adapter.

Now you can start capturing packets. When you start capturing, you will get a lot of information. Fortunately, Wireshark anticipates this and makes filtering easier.

Since we just want to see what the suspicious actors are doing on your network, make sure the system in question is online. Go ahead and grab a few minutes of traffic. You can then filter this traffic based on the IP address of that device using Wireshark’s built-in filters.

This gives you a quick idea of who this IP is talking to and what information they are sending back and forth. You can right-click any of these packets to inspect it, follow the conversation between both parties, and filter the whole capture by IP address or conversation. Check out Wireshark's detailed filtering instructions for more information.

You may not know what you are looking at (yet), but that's where a little digging comes in.

Analyze suspicious activity

If you see the suspicious computer accessing a strange IP address, use the nslookup command (from the command prompt on Windows, or from the terminal on OS X or Linux) to get its hostname. This can tell you a lot about the location or the type of network your computer is talking to. Wireshark also shows you the ports in use, so look up the port number and see which applications use it.

If, for example, you have a computer connecting to a weirdly named host through ports commonly used for IRC or file transfers, you might have an attacker. On the other hand, if you find that the device connects to reputable services through ports commonly used for things like email or HTTP/HTTPS, you may have just found a tablet your roommate never told you about, or a neighbor stealing your Wi-Fi. Either way, you will have the data you need to figure it out.
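The filter-by-IP step and the port/hostname analysis above, as one added example that is not code from the original article: it takes a packet list (constructed here; in practice exported from Wireshark or tshark), keeps only packets involving the suspect device, aggregates who it talks to on which service ports, and flags peers that use the kinds of ports the text calls out or that have no hostname. The `HOSTNAMES` table stands in for nslookup so the example runs offline; all addresses are constructed.

```python
"""Summarize who a suspect device talks to, and on which ports, from a packet list
(constructed sample; added example, not the article's code)."""
from collections import defaultdict

# Constructed packet rows, the columns you'd export from Wireshark: (src_ip, dst_ip, proto, dst_port, bytes).
PACKETS = [
    ("192.168.1.77", "203.0.113.5", "tcp", 6667, 120),
    ("203.0.113.5", "192.168.1.77", "tcp", 51022, 300),
    ("192.168.1.77", "203.0.113.5", "tcp", 6667, 90),
    ("192.168.1.77", "198.51.100.10", "tcp", 443, 1500),
    ("192.168.1.20", "198.51.100.10", "tcp", 443, 800),   # another device: filtered out
    ("192.168.1.77", "192.168.1.1", "udp", 53, 70),
]
# Port labels the article mentions plus a few common ones; anything else is "unknown".
KNOWN_PORTS = {21: "ftp", 25: "smtp", 53: "dns", 80: "http", 443: "https",
               5432: "postgresql", 6667: "irc"}
# Services the article says deserve a closer look when an unfamiliar device uses them.
WORTH_A_LOOK = {"ftp", "irc", "unknown"}
# Stand-in for nslookup / socket.gethostbyaddr so the example runs offline (constructed).
HOSTNAMES = {"198.51.100.10": "mail.example.net", "192.168.1.1": "router.lan"}

def conversations(packets, suspect_ip, lookup=HOSTNAMES.get):
    """Like the Wireshark display filter `ip.addr == suspect_ip`, aggregated per peer.
    Returns {peer_ip: {"host": str|None, "bytes": int, "services": [labels]}}."""
    summary = defaultdict(lambda: {"bytes": 0, "services": set()})
    for src, dst, proto, dport, size in packets:
        if suspect_ip not in (src, dst):
            continue
        peer = dst if src == suspect_ip else src
        summary[peer]["bytes"] += size
        # Only the suspect's outbound destination port identifies the service;
        # replies carry the suspect's ephemeral port, which tells you nothing.
        if src == suspect_ip:
            summary[peer]["services"].add(f"{proto}/{dport} {KNOWN_PORTS.get(dport, 'unknown')}")
    return {peer: {"host": lookup(peer), "bytes": v["bytes"], "services": sorted(v["services"])}
            for peer, v in summary.items()}

def needs_attention(summary):
    """Peers reached over WORTH_A_LOOK services, or whose address has no hostname."""
    return sorted(peer for peer, v in summary.items()
                  if v["host"] is None or any(s.split()[-1] in WORTH_A_LOOK for s in v["services"]))

if __name__ == "__main__":
    report = conversations(PACKETS, "192.168.1.77")
    for peer, v in report.items():
        print(peer, v)
    print("look closer at:", needs_attention(report))
```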

Step four: play the long game and log your captures

Of course, not every bad actor on your network will be online and leeching while you happen to be looking for them. Up to this point, we've shown you how to check for connected devices, scan them to determine who they really are, and then analyze a little of their traffic to make sure it's all above board. But what if a suspicious computer does its dirty work at night while you sleep, or someone steals your Wi-Fi while you are at work all day and can't check?

Use network monitoring software

There are several ways to solve this problem. One option is to use a program like Glasswire, which we mentioned earlier. This software will alert you when someone connects to your network. When you wake up in the morning or come home from work, you can see what happened while you weren't looking.

Check your router log

Your next option is to use your router's logging capabilities. Your router's troubleshooting or security options usually have a tab dedicated to logging. How much you can log, and what information, depends on the router, but it can include incoming IP addresses, destination port numbers, outgoing IP addresses or URLs filtered for a device on your network, internal IP addresses and their MAC addresses, and which devices on your network asked the router for an IP address via DHCP (and, by extension, which didn't). It's pretty powerful, and the longer you leave the logs running, the more information you can capture.

Custom firmwares like DD-WRT and Tomato (both of which we showed you how to install) let you track and log your bandwidth and connected devices for as long as you like, and you can even dump this information to a text file that you can sift through later. Depending on how you set up your router, it might even email you this file regularly or save it to an external hard drive or NAS.

Either way, using your router’s often overlooked logging feature is a great way to see if, for example, after midnight and everyone’s gone to bed, your gaming PC suddenly starts crunching and sending out a lot of data, or you have a regular leech who likes to connect to your Wi-Fi and start downloading torrents outside of regular hours.
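The off-hours check described above, as an added example that is not code from the original article: it reads router log lines recording which internal MAC sent how many bytes where, keeps only entries during quiet hours, and reports any MAC that is not in your step-one inventory or that moved more than a threshold of data while everyone was asleep. The log format and all values are constructed; real DD-WRT or Tomato syslog lines differ, so `parse_line()` is the part to adapt.

```python
"""Spot off-hours activity in router logs (constructed log format and lines;
added example, not the article's code)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed lines: timestamp, internal MAC, destination ip:port, bytes sent.
LOG_LINES = """\
2019-10-03 01:30:00 conn mac=00:11:22:33:44:55 dst=203.0.113.40:443 bytes=80000000
2019-10-03 02:14:07 conn mac=00:11:22:33:44:20 dst=203.0.113.9:443 bytes=1200
2019-10-03 02:40:51 conn mac=00:11:22:33:44:77 dst=198.51.100.4:6881 bytes=90000000
2019-10-03 03:05:12 conn mac=00:11:22:33:44:77 dst=198.51.100.4:6881 bytes=120000000
2019-10-03 14:22:30 conn mac=00:11:22:33:44:20 dst=203.0.113.9:443 bytes=4000000
2019-10-03 15:10:00 conn mac=00:11:22:33:44:55 dst=203.0.113.9:443 bytes=300
"""
INVENTORY = {"00:11:22:33:44:20", "00:11:22:33:44:55"}   # MACs from step one (constructed)
QUIET_HOURS = range(0, 6)        # 00:00 to 05:59: nobody should be awake
BYTES_THRESHOLD = 50_000_000     # 50 MB during quiet hours is worth a look (assumed value)

LINE_RE = re.compile(r"^(\S+ \S+) conn mac=(\S+) dst=(\S+) bytes=(\d+)$")

def parse_line(line):
    """Return (timestamp, mac, dst, bytes) or None for lines that don't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(2).upper(), m.group(3), int(m.group(4))

def off_hours_report(lines, inventory, quiet_hours=QUIET_HOURS, threshold=BYTES_THRESHOLD):
    """{mac: {"bytes": n, "unknown": bool, "dsts": [...]}} for MACs active during quiet
    hours that are either not in the inventory or exceed the byte threshold."""
    totals = defaultdict(lambda: {"bytes": 0, "dsts": set()})
    for line in lines.splitlines():
        rec = parse_line(line)
        if rec is None or rec[0].hour not in quiet_hours:
            continue
        _, mac, dst, size = rec
        totals[mac]["bytes"] += size
        totals[mac]["dsts"].add(dst)
    report = {}
    for mac, info in totals.items():
        unknown = mac not in inventory
        if unknown or info["bytes"] >= threshold:
            report[mac] = {"bytes": info["bytes"], "unknown": unknown, "dsts": sorted(info["dsts"])}
    return report

if __name__ == "__main__":
    for mac, info in off_hours_report(LOG_LINES, INVENTORY).items():
        print(mac, info)
```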

Keep Wireshark Running

Your last option, and something of a nuclear option, is to simply let Wireshark capture for hours or days. This is not unusual; many network administrators do it when they are seriously analyzing strange network behavior. It's a great way to spot bad actors or chatty devices. However, it means leaving the computer on for a long time, constantly capturing packets and recording everything that passes through the network, and those captures can take up a lot of space. You can trim things down by filtering the capture by IP address or traffic type, but if you're not sure what you're looking for, even a capture of a few hours will leave you with a lot of data to sift through. Still, it will definitely tell you everything you need to know.

In all these cases, once you have enough data recorded, you will be able to find out who is using your network, when, and whether their device matches the network map you created earlier.

Step five: lock down your network

If you've followed along this far, you've identified the devices that should be able to connect to your home network and the ones that actually do, worked out the differences, and hopefully figured out whether there are any intruders, unexpected devices, or leeches hanging around. Now all you have to do is deal with them and, surprisingly, this is the easiest part.

Wi-Fi leeches will clear out as soon as you lock down your router. Before doing anything else, change the router's admin password and turn off WPS if it is on. If someone managed to log in directly to your router, you don't want to change everything else only for them to log back in and regain access. Make sure you use a good, strong password that is difficult to guess.

Next, check for firmware updates. If your leech used an exploit or vulnerability in your router's firmware, this will keep them out, provided the vulnerability has been patched, of course. Finally, make sure your wireless security mode is set to WPA2 (or WPA3, if your router and devices support it), because WPA and WEP are very easy to crack, and change your Wi-Fi password to another good, long password that can't be brute-forced. Then the only devices that should be able to reconnect are the ones you give the new password to.

This should take care of anyone leeching your Wi-Fi and doing their downloading on your network instead of their own. It will also help with the security of your wired network. If you can, you should also take a few additional steps to secure your wireless network, such as disabling remote administration or disabling UPnP.

For bad actors on your wired network, you have more work to do. If it is actually a physical device, it should have a direct connection to your router. Start tracing cables and talking to your roommates or family to see what's going on. In the worst case, you can always log into your router again and block that suspicious IP address completely. The owner of a set-top box or computer plugged into the network will come running pretty quickly when it stops working.

More worrying, however, are compromised computers. A desktop that has been hijacked and roped into a nightly bitcoin-mining botnet, for example, or a machine infected with malware that calls home and sends your personal information to an unknown destination, can be bad news.

Once you've narrowed your search down to specific computers, it's time to root out the problem on each machine. If you're really worried, take the security engineer's approach: once your machines have been owned, they can no longer be trusted. Wipe them, reinstall, and restore from backups. (You do have backups of your data, don't you?) Just make sure the backup itself is clean; you don't want to restore from an infected backup and start all over again.

If you're ready to roll up your sleeves, you can grab yourself a reliable antivirus utility and an on-demand anti-malware scanner (yes, you need both) and try to clean up the computer. If you notice traffic from a particular type of application, see whether it is malicious or just something someone installed that is behaving badly. Keep scanning until everything is clean, and keep checking traffic from this computer to make sure everything stays that way.

When it comes to network monitoring and security, we’ve only scratched the surface here. There are many dedicated tools and techniques that experts use to secure their networks, but these steps will work for you if you are the network administrator for your home and family.

Rooting out suspicious devices or leeches on your network can be a lengthy process that requires careful scrutiny and vigilance. However, we are not trying to stir up paranoia. Chances are you won't find anything out of the ordinary, and those slow downloads or awful Wi-Fi speeds are something else entirely. Still, it is good to know how to probe your network and what to do if you find something unfamiliar. Just remember to use your powers for good.

This story was originally published in October 2014 and updated with updated information and resources in October 2019.
