How to view layer 7 application running on Network

Hi,
I want to view what applications are running on my network, with client info. Is there any built-in package available for this?

thanks in advance :slight_smile:

Deep packet inspection? nDPI?


Maybe yes...
I just want to check which application is in use by which client connected to my router.

The best you can do is guess by ports in use or Deep Packet Inspection as noted by @eduperez.

Actually yes - full stop. A DPI device knowing a lot of patterns could see/copy/download all unencrypted traffic and its contents/payload (e.g. normal DNS requests, HTTP, SMTP, etc.). This is already resource intensive. It may even be able to tell you what encrypted application is in use (e.g. VPN).

If it's encrypted or unknown, then it's unknown, I assume you'd want to simply block it.†


†- So unless you're a "State Actor" and know of a more advanced method, that's it. Most other technologies require a man-in-the-middle device and a [recognized public certificate] company that will issue you a certificate for a wildcard in the DNS Root Zone - depicted as:

*.

The dot not being used in our normal use, for example:

www.example.com. :point_left:

observe the dot - the dot following the m is the root zone, having no name. The root zone is owned by ICANN and operated by the DNS Root Server System Advisory Committee.
(That is a valid cert - but in most countries, it would likely be a crime to issue it - or open such company to serious legal liability.)
(An example of an organization recording public serial numbers to observe differences is linked below.)
Therefore, I believe there is a plugin to mitigate such an attack while web browsing - by checking the SSL Observatory for a serial number match.

:warning: If you don't have the explicit permission of users, please be advised that doing any of this can be illegal in some circumstances - in some nations. Lastly, if the certificate is not based on PKI, it cannot be decrypted anyway.


See:


Maybe nlbwmon?

If you are just looking to see what Layer 7 applications your clients are using, you could use the nlbwmon client utility (nlbw) to query the daemon for current statistics.


~# nlbw -c show -g host,layer7 -o host,conn
         < Host (    MAC )      Layer7    < Conn.     Downld. (   Pkts. )      Upload (   Pkts. )
    10.10.1.115 (6e:dd:74)         SSH        12          0 B (       0 )        64 B (       1 )
    10.10.1.115 (6e:dd:74)  Google Cloud Messaging        45      9.50 KB (      51 )     3.20 KB (      54 )
    10.10.1.115 (6e:dd:74)        ICMP       310    351.35 KB (     263 )   533.03 KB (     399 )
    10.10.1.115 (6e:dd:74)       IMAPS     1.27 K   727.65 KB (   1.63 K)   114.41 KB (   1.39 K)
    10.10.1.115 (6e:dd:74)        HTTP     4.54 K     4.06 MB (   4.26 K)   755.97 KB (   5.39 K)
    10.10.1.115 (6e:dd:74)        QUIC     9.95 K    35.65 MB (  43.23 K)     3.80 MB (  20.41 K)
    10.10.1.115 (6e:dd:74)  Apple Push Service    22.11 K     1.96 MB (   6.60 K)     2.27 MB (   7.66 K)
    10.10.1.115 (6e:dd:74)       other    24.44 K    85.56 KB (     933 )   164.40 KB (   1.88 K)
    10.10.1.115 (6e:dd:74)       HTTPS    46.33 K   727.09 MB ( 300.50 K)    27.61 MB ( 194.18 K)


If you lower the requirements, softflowd may do the job. However, you will need a powerful device if there is no flow sampling. From the collected metadata it is likely possible to reconstruct the purpose of most flows.

The other option is to install a captive portal which will warn the users that their traffic will be collected and inspected, in order to reduce the chance of a GDPR infringement procedure and/or criminal prosecution, and then to capture/monitor a bigger portion of the traffic, like some API communications. Some companies are doing the proxy configuration with a certificate for all their devices - guess why...

:warning: It's advisable to check the local privacy/data collection regulations, before doing any of these.


nlbwmon does not show applications like what my client is using, i.e. WhatsApp, Facebook.

You need DPI for that.

A packet header only contains protocol and source/destination address/port. You can detect that computer A is connecting (presumably) through HTTPS with server B, but not much more (not even which browser or which page).

To obtain the information that you need, you have to look into the (encrypted) packets. And that is called DPI.

Edit: Also, bear in mind that DPI is based on heuristics; even after inspecting the contents of a packet, there is no fail-proof method to interpret the information.

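As an added example (not code from this thread, nor from nlbwmon, nDPI or netifyd), here is what the two cheap techniques discussed above actually yield without decrypting anything: a port-based guess, and a peek at the first client bytes of a TCP connection to pull the TLS server_name (SNI), which is sent in cleartext in TLS 1.2 and, unless Encrypted Client Hello is in use, in TLS 1.3 as well. The `PORT_GUESS` table, the sample flows and the ClientHello builder are all constructed for the demo; the parser only understands a plain TLS-over-TCP ClientHello.

```python
"""Classify per-client flows by port heuristics and the TLS SNI.

Added example: no decryption, no MITM certificate. Everything here is
constructed inline; nothing is captured from a real network.
"""
import struct

# Assumption: a tiny port table standing in for the hundreds of rules that
# real flow analysers carry. A port match is weak evidence, as the post says.
PORT_GUESS = {22: "SSH", 53: "DNS", 80: "HTTP", 443: "HTTPS", 993: "IMAPS"}


def tls_sni(payload):
    """Return the host_name from a TLS ClientHello, or None if absent/not TLS."""
    try:
        if len(payload) < 5 or payload[0] != 0x16:         # record type: handshake
            return None
        rec_len = struct.unpack("!H", payload[3:5])[0]
        hs = payload[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:                   # handshake type: client_hello
            return None
        pos = 4 + 2 + 32                                   # hs header, version, random
        pos += 1 + hs[pos]                                 # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0] # cipher_suites
        pos += 1 + hs[pos]                                 # compression_methods
        if pos + 2 > len(hs):
            return None                                    # hello carries no extensions
        ext_end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if ext_type == 0:                              # server_name extension
                # ServerNameList: list_len(2) name_type(1) name_len(2) host_name
                if hs[pos + 2] == 0:                       # name_type host_name
                    name_len = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
                    return hs[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                                        # truncated or malformed
    return None


def build_client_hello(host=None):
    """Constructed TLS 1.2 ClientHello for the demo (not a capture).

    With host=None the hello has no extensions at all, which exercises the
    'no SNI present' path of the parser.
    """
    body = (b"\x03\x03" + bytes(32)                 # client_version, random
            + b"\x00"                               # session_id length 0
            + struct.pack("!H", 2) + b"\xc0\x2f"    # one cipher suite
            + b"\x01\x00")                          # compression: null only
    if host is not None:
        name = host.encode("ascii")
        sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
        ext = struct.pack("!HH", 0, len(sni)) + sni
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def classify(flow):
    """Return (label, basis) for one flow: SNI when present, else a port guess."""
    sni = tls_sni(flow.get("first_bytes", b""))
    if sni:
        return sni, "sni"
    return PORT_GUESS.get(flow["dport"], "other"), "port"


# Constructed sample flows from one client (addresses are documentation ranges).
SAMPLE_FLOWS = [
    {"src": "10.10.1.115", "dst": "203.0.113.10", "dport": 443,
     "first_bytes": build_client_hello("www.example.com")},
    {"src": "10.10.1.115", "dst": "203.0.113.11", "dport": 443,
     "first_bytes": build_client_hello(None)},
    {"src": "10.10.1.115", "dst": "198.51.100.5", "dport": 22,
     "first_bytes": b"SSH-2.0-OpenSSH_9.0\r\n"},
    {"src": "10.10.1.115", "dst": "198.51.100.9", "dport": 8443,
     "first_bytes": b"\x00\x01garbage"},
]


def classify_all(flows):
    """Return [(src, label, basis), ...] for a list of flows."""
    return [(f["src"],) + classify(f) for f in flows]


if __name__ == "__main__":
    for src, label, basis in classify_all(SAMPLE_FLOWS):
        print(f"{src:15} {label:20} ({basis})")
```

The SNI tells you which site a client opened, not what it did there, and it is exactly the sort of heuristic the post warns about: a client can send a misleading SNI, domain fronting hides the real service behind a CDN name, and QUIC carries its ClientHello inside Initial packets protected with keys derived from the connection ID, so this parser sees nothing useful on UDP 443.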

Is there any built-in LuCI application available?

And one more thing: I want to execute Lua code on save button press using the JavaScript API.
Can you guide me how? I tried using fs.exec but it gives a permission error.

This is a relatively easy task and can be easily identified via the IPs, for example with NetFlow. The IPs for Facebook are mostly under AS32934 and AS63293. Most NetFlow analyzers should already have a rule for this.

However, if you are trying to identify or block a specific Google service or something cloud-based this way, it could be more difficult and you may need to violate the privacy further.


As far as I know, no.


No - see post above regarding encrypted traffic.

If you have questions about why you cannot see encrypted traffic or why most routers cannot run the DPI you're seeking, feel free to ask more questions or review the post above.

Please use one thread per issue - it's quite confusing - you noted the Lua issue here: “Access to command denied by ACL” error when trying to add ModemManager network interface on Raspberry Pi 4B - #6 by laiba

It's unclear if your question is related to seeing Layer 7 traffic - or you're describing another issue.


These are 2 different questions.

@lleachii I know about deep packet inspection tools like Wireshark, but I don't know how to link it with LuCI (display applications, i.e. Facebook is used by clients, on LuCI).
Do you know how to achieve this?

What?! :open_mouth:

Wireshark is not a DPI tool. (But I have seen it used as one package in a whole "DPI suite" of tools. In the demonstration, the presenter showed/located a VoIP call in Wireshark, used modules to pull the data, and played the audio from the recorded call - as I recall in VLC. At the time I saw this, the technology was new, expensive and not widely available to consumers. It was an entire system, not a router and it used a lot of CPUs.)

LuCI?

I honestly think you failed to review my post. Again:

You will not be able to "install a DPI tool into LuCI".

EDIT: Without DPI, it should already be possible to see that clients are connecting to a FB server - so I assume you mean decrypt the traffic and see the data. Such decryption is not possible under normal circumstances (:warning: and may be illegal).


Try this DPI agent:

opkg update
opkg install netifyd