Check device network usage

Set up a system to monitor device network activity.

created: 2020-05-23 | topic: computer | tag: privacy,network | author: Jason Lenz


I enjoy electronic devices and all the capabilities and connectivity that come with them, however whenever I obtain a new network enabled device I usually have the following types of questions in the back of my mind:

For general users it’s almost impossible to know the answers to these questions. Most devices connect constantly to servers owned by large internet companies and many of these companies don’t exactly have the best track record for respecting privacy and being trustworthy with user data…

This page describes how to set up a customized router that can detect and record all wireless connections from a device. With this setup it’s possible to answer the first two questions above. The third one is frequently not possible since connections are often encrypted. With that said, addressing the first two questions goes a long way in determining how trustworthy a device is.

What’s needed

The remainder of these instructions are based on my experience with the following hardware, but these should be easily adapted to other combinations:

Prerequisite skills

For others interested in analyzing network traffic for a device you own, it’s helpful to have the following knowledge/background:

At some point maybe someone will create an easy way for general users to do a similar analysis, but for now it’s not trivial to set up. A router appliance with all the software pre-installed, and a web based user interface to view the analysis would be useful for general users, but for now it doesn’t exist (at least that I’ve found).

Router setup

This assumes you already have Openwrt (or LibreCMC) installed on your router of choice.

Record network activity

  1. Connect your test device to the access point you just created. In this case I connected my Kindle Paperwhite to the “check” access point and entered the password for access. Ensure that it is the only device connected to that access point. This will make your life easier when analyzing traffic later.

  2. Confirm that your test device is connected to the internet by using it to access a web page or browse a book store, etc.

  3. ssh into your router from your computer.

  4. Use tcpdump to start recording network activity on the interface identified earlier. Name the file as desired.

     # tcpdump -lnni wlan1-1 -w my-network-activity.bin
  5. After the desired period of time has elapsed hit Ctrl-C to stop tcpdump.

  6. Exit the ssh terminal on from your router and then copy the file over to your main computer.

     $ scp my-router-address:my-network-activity.bin .

Analyze network activty

Make sure wireshark is installed on your main computer if it isn’t already. Start it up and open up your network activity file (File -> Open). You will most likely have an overwhelming amount of network activty to sift through.

In my case analyzing the Kindle Paperwhite over a period of 114 seconds there were 280 unique network events (rows) displayed in wireshark.

The addresses will all be displayed in raw IP format, so one of my first steps was to turn on the option to resolve network addresses (View -> Name Resolution -> Resolve Network Addresses). Click on the Source or Destination columns at the top to sort on those and make note of all of the server addresses that were accessed. In my case, I found that the Kindle Paperwhite was accessing the following servers (sending and receiving):

This in itself is useful information and not unexpected. All of the servers are Amazon owned. It’s also interesting to note that I was not using the Kindle at all. I just booted it up and left it on the table during the 114 second capture period.

You can further try and inspect the raw data in the network packets to see if anything intelligible resides there. Click on a row or cycle through them using the up/down arrow keys and look at the bottom window. In my case it was mostly unreadable either due to being encrypted or stored in a proprietary format.

Another useful option within wireshark to consider includes the (Statistics -> Capture File Properties) menu option which will display high level information such as below:

Measurement Captured
Packets 280
Time span, s 114.836
Average pps 2.4
Average packet size, B 303
Bytes 84918
Average bytes/s 739
Average bits/s 5,915

Also the (Statistics -> I/O Graph) menu option is interesting to see as well. In my case most of the communication happened at boot up with a few sporadic network events happening later on.

This barely scratches the surface of what wireshark is capable of in terms of analysis. The user manual in the reference links below provides details on all the capabilities if you are interested in digging further.


This method proves very useful in answering the first two questions mentioned at the beginning (who is the device communicating with and how often). As expected it’s almost impossible to determine exactly what information is being sent, but regardless this is still a valuable method to have in the toolkit.



Other links