National / World-Wide "Wireshark Day"

Addition: My idea would be that (and this doesn’t seem likely to ever happen) every computer on the planet would be equipped with Wireshark on Earth Day. It would be forcibly installed if possible and set to a small section of the screen, always visible, for the first half hour of network activity. My idea here is to make it clear to every computer user world-wide what exactly their computers are doing.

I think it would also be useful to then generate a capture file that displays 53, 80, 443 connections to make it more readable. Then it would resolve and list out all the websites that those connections represent in a massive list.

Just imagine how much people would begin to appreciate their internet connection and what is really going on after such a scenario. Of course this idea is just basically impossible, but I think it would be a great learning tool for everyone.

There is just way too much shit loading on anyone’s computer, at any given second of the day. It’s maddening. Knowing how much crap is going on, before you ever start a program manually. Pi-hole does get a SMALL LARGE amount of it (my network is PRISTINE at boot at least on my system), but even with that, you open up Wireshark and do a few “whois” commands on these IPs and see what it’s missing, and wow is it eye opening. I don’t think it quite gets it all.

EDIT: I turned off wireshark’s promiscuous mode, and pi-hole does seem to block absolutely E V E R Y T H I N G on my side of the network.

So if I REALLY wanted to, I would go to every single one of these IP addresses (and yes, Wireshark has IP resolution, but I don’t know much about it) and figure out exactly what my tablet is doing. Pi-Hole misses so much, I’m a bit disappointed.

Also, I have TWO virtual machines running now. Maybe user error, the first one is for pi-hole on top of Windows. I then made a second one, because I have no Earthly idea how the hell to use iptables, that’s another language for robots, not humans. So I have a VM of IPFire, just to redirect 8.8.8.8 and 8.8.4.4, but I don’t think it’s working, but I know it was earlier today, I saw it turn black and red on those.

But then I see all these other IP addresses, what are they, where do they go? Many of them are Amazon, and NONE OF THEM are listed in pi-hole. This is just ridiculous, and every human on this Planet should have easy, understandable tools, to immediately, and permanently block any and ALL unwanted connection for any reason under the sun.

So with this setup, my tablet will now receive no internet at all, and wireshark just shows some name related to the company that sells it. But it’s not going anywhere at all. I don’t have any firewall running on the tablet at the moment, so I know this is currently user-error.

I want to also make a thread of how to bypass an additional DNS server that it adds (8.8.8.8) against the user’s settings, and the only way to bypass is DNS-over-HTTP cloud services, as for some reason, local DNS in my firewall program, on the device itself, just fails. Stuff like this leads to electronic waste when it cannot be repurposed easily when a company no longer supports a product and couldn’t care less what a user does with it, but still won’t release any patch or update to allow user modification. This is greedy, lazy, and a waste of valuable tools to share information, and I hope things improve soon.
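The two things this post keeps circling back to, listing which hosts were contacted on 53/80/443 and spotting DNS that goes to 8.8.8.8 instead of the local resolver, can be scripted over a tshark field export. This is an added example, not code from the thread; it assumes the input is what `tshark -r capture.pcap -T fields -e ip.src -e ip.dst -e udp.dstport -e tcp.dstport` prints (tab-separated, empty field when absent), the sample lines are constructed, and 192.168.1.2 is a hypothetical Pi-hole address.

```python
"""Summarise a tshark field export: destinations per watched port, plus DNS
queries that went to a resolver other than the local one."""
from collections import Counter, defaultdict

# Constructed sample of tshark "-T fields" output: src, dst, udp.dstport, tcp.dstport.
# 203.0.113.x / 198.51.100.x are documentation ranges used as stand-in destinations.
SAMPLE = (
    "192.168.1.20\t192.168.1.2\t53\t\n"
    "192.168.1.20\t8.8.8.8\t53\t\n"          # device-added resolver bypassing Pi-hole
    "192.168.1.20\t8.8.4.4\t53\t\n"
    "192.168.1.20\t203.0.113.10\t\t443\n"
    "192.168.1.20\t203.0.113.10\t\t443\n"
    "192.168.1.20\t198.51.100.7\t\t80\n"
    "192.168.1.20\t192.168.1.2\t53\t\n"
    "192.168.1.20\t239.255.255.250\t1900\t\n"  # SSDP noise, not a watched port
)

LOCAL_RESOLVERS = {"192.168.1.2"}   # assumption: the Pi-hole's address
WATCHED_PORTS = {53, 80, 443}


def parse(text):
    """Return [(src, dst, dstport)] from tab-separated tshark field lines."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, udp_port, tcp_port = line.split("\t")
        if not (udp_port or tcp_port):   # non-TCP/UDP packet: skip
            continue
        rows.append((src, dst, int(udp_port or tcp_port)))
    return rows


def summarise(rows):
    """{port: Counter({dst: packets})} restricted to WATCHED_PORTS."""
    by_port = defaultdict(Counter)
    for _, dst, port in rows:
        if port in WATCHED_PORTS:
            by_port[port][dst] += 1
    return by_port


def dns_bypass(rows, allowed=LOCAL_RESOLVERS):
    """Set of DNS servers queried that are not the local resolver."""
    return {dst for _, dst, port in rows if port == 53 and dst not in allowed}


if __name__ == "__main__":
    rows = parse(SAMPLE)
    for port, hosts in sorted(summarise(rows).items()):
        print(f"port {port}: " + ", ".join(f"{d} x{n}" for d, n in hosts.most_common()))
    print("DNS sent past the local resolver:", sorted(dns_bypass(rows)))
```

Reverse-resolving the listed destinations (the “massive list of websites”) can be bolted on with `socket.gethostbyaddr`, but it needs network access, so it is left out of the offline example.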

Hmm, Pi-hole is not for blocking hostile IPs. All it does is filter DNS queries against the blocked domains list. It has no effect whatsoever on making connections to a specific IP. It does not block you from communicating with specific IP addresses. This is nothing but DNS filtration, not a firewall.

Well… how you plan your network and infrastructure is entirely up to you. :wink:
Personally, I can only say that you may be complicating your life a bit. :wink:

If the text-based firewall format is bothering you, you can install Gufw (+ufw) and it will give you a graphical interface which is rather simple and doesn’t include too many options, so it’s OK to start learning with.

There is also nothing wrong with virtual machines, but sometimes it would be nice to have something dedicated to this purpose. It especially simplifies the beginning of network learning and software, where VMs on the same PC can sometimes complicate things for novice users. :wink:

If you don’t like IPFire, you can always try pfSense and OPNsense… or OpenWrt with LuCI; here you will also find a firewall and the ability to watch active network connections. :wink:

Since you also use Windows, I can suggest using a firewall; I use Comodo Firewall (free). Imho it is a decent firewall and shouldn’t be too complicated for less experienced users. :wink:

Network traffic will almost always occur. Much depends on the device and the software that is on it. Many devices communicate with the external server for different purposes.

Operating systems, updates, various applications… The fact that you see some network traffic does not mean immediately that it is something wrong.
If you are using an Android tablet then I can recommend NoRoot Firewall. Thanks to this, you will gain application-level control for the network traffic that the tablet has. For non-root devices only, the firewall only works with TCP; UDP will still remain uncontrolled.

Amazon and many other suppliers offer various services including servers, cdn…

You’ve probably blocked something … try to get back to the point from which you started.

I understand that it is about an older wifi router?
Check if OpenWrt can be installed on it.


What really shocked me was how much UDP traffic was being spammed from all my computers. In the end I found it was some stupid Logitech or Corsair software that would integrate with Discord, and for whatever reason it was sending out near constant broadcast traffic.

It really is interesting to see where stuff is calling back to. I had an old Foscam IP camera which was constantly trying to hit an IP that is now the host of some random Chinese forum. God only knows what it was trying to send back.

On most of my VLANs I have a NAT rule to redirect all traffic on port 53 back to the firewall, so at least I can control the DNS that isn’t encrypted.

The old principle of the network administrator: always start the existence of the ecosystem with a complete blockade and only gradually grant access permits. :wink:
Another problem for some users is the disregard of the firewall, both central at the LAN-WAN border and on each OS for full control on the application layer. A particular disregard is growing among Linux users. :slight_smile:

I heard a million times “I have Linux on my desktop, I don’t need a firewall”. :wink:
Well… Imo you rather do need it, and sadly an application-level firewall is not popular in the Linux world. :confused:

I say this to anyone who wants to listen. Control network traffic per application on each operating system (device)! :wink:

Some device may have multiple applications that will use TCP 443 for HTTPS traffic, but that doesn’t mean all applications need to have it, and one rule that just allows tcp/443 is not enough here in 2022. :wink:

First, filtering at the application level per device and only (optionally) global filtering on a dedicated firewall. :slight_smile:

My devices fail to establish external communication if I did not anticipate it.
Nothing is allowed to run out into the world without my consent. If I can’t control something per device then I lock it centrally. :wink:

It is especially important in the case of IoT and other unusual devices, including cameras… especially cameras! :wink:

Same principle on a device that can be managed. For example Windows: just because the browser may be allowed TCP 443 traffic doesn’t mean that I allow it UDP or any other strange TCP ports.

Allow one thing and block everything, this is my principle.

At the same time, the fact that FF can use tcp443 does not mean that every other application has the right to do so, my applications do not have such a right. :wink:

But what do I know… :crazy_face:


Sounds like you might appreciate one of those application-based firewalls like ZoneAlarm, NetLimiter, GlassWire, or Little Snitch or LuLu on the Mac.

… or would maybe prefer the uMatrix browser extension to just not load third-party stuff except a couple of things of a particular type on sites you trust.

That must surely lower your WAF :slight_smile:

I tend to agree with your sentiment, but it’s not really practical for me to analyze internet traffic for every new app that my family wants to try.

Yes, in the wifi tablet settings, I can set one or two DNS entries. It adds 8.8.8.8, and on my firewall / DNS filter program (that got my post deleted so I can’t mention it, because apparently that’s promotion) the “dns” program on Android (I mean the default Android system DNS) tries to go there but it’s blocked.

The software I use just doesn’t seem to be able to bypass that setting, even though the DNS/firewall program seems designed to do exactly that.

So I allowed that IP, but redirected it, and it didn’t like that either.

It’s gotten to the point that I cannot download certain podcasts on the tablet anymore. I checked my cloud firewall and I don’t see the RSS URLs in the block list, but other podcasts download, not sure what’s going on there.

I decided to just download the podcast episode to my phone, and then Bluetooth it to my tablet; it’s that locked down.

If I could use adb without a data cable (don’t have one, believe it or not) I could probably have a chance at overriding that setting.

Family is family… :slight_smile:

In such cases, you can separate this part of the network and let them test what they want and let them control their network traffic on the device with the help of a firewall. :wink:

For example, Android and system applications as well as those installed. Imho, they don’t need to be online all the time. I block everything and only allow the selected app that must have access at the moment.

The next step is applications that can be online all the time, but for example to a limited extent.
For example, let’s say we want VLC to have access to the NAS but to nothing else. Having a firewall for Android, we quickly create rules for applications in the environment we want. Of course there are several other ways to do this, but this one is the least inconvenient. :wink:

Perhaps we have an application that is used to watch YouTube, and we allow tcp443 to Google cloud and block everything else.

Many infections and data leaks could be reduced to some extent if people would pay attention to network traffic and even basic rule hygiene and control. Of course, the firewall will not protect the device from infection or leakage, but it will limit the vector a little.

As a colleague here wrote above… suddenly he found traffic generated by the software.

Why did this software have access to the network in the first place? If there were per-OS, per-application control, the fact that the software was trying to establish a connection would be noticed immediately, you could decide right away what to do next, and such network traffic would never be initiated… fewer surprises.

The same applies to malware that has poor masking or uses unusual ports to communicate with its CC.

An ordinary person does not have time to analyze all network traffic 24/7 for this; the more we close the door, the easier it is to control the situation.

imho :slight_smile:


I can just use the Windows firewall to block any programs.