I was wondering if there is any way or installable package to monitor all outgoing connections? I could use ufw, but wondering if there are any other options.
The reason for this is that I like to at times connect a new device and monitor for 24 hr where such a device is trying to connect. I could use external ways to monitor, but it would be great if there was some way to log to a file. Doing ssh to the device to enable and disable is fine. But maybe there is a UI option to toggle?
Are you looking to track all outgoing traffic or just DNS connection requests? The latter is easier to set up long term via logging with dnscrypt-proxy but if you’re looking for the whole kit & caboodle, you’re looking for tcpdump & a storage device so you can save the resulting .pcap file for offline analysis in Wireshark if you didn’t want the ‘realtime’ dumping to your PC running Wireshark.
And in that case, you won’t be able to get the data of the connection, so it’s not really necessary to use tcpdump here. Most connections are encrypted. If you really need to catch all data you are looking for a proxy with man-in-the-middle TLS interception.
I am thinking about recording all IP addresses. I do not care about whether data is encrypted or not since that is not of interest. As I initially tried to indicate in my original post. Here is my use case.
As we all buy various gadgets on the internet, some might be shady. So what I like to do is connect new devices in the equation to my router which has internet access. For simplicity of my point, no other devices are connected to my router. Some new devices need to be configured first and some do not. For the device that needs configuration first.
Now, I leave everything alone for some duration of time (1 hour, 1 day, 1 week, etc.) and while everything is “idle” I like to see all the outgoing connections that new device will attempt to do. Checking for updates is fine, but maybe it is homing to send some data. The device might use an IP vs a URL, which would not hit DNS.
Capturing to a file all src and dest IP addresses (UDP and TCP, not just TCP) and the time when it was attempted is what I am looking for.
I can use tcpdump with the proper filter, but maybe there are other options easily accessible from the UI. Maybe write a “special” script that will show on the UI and you can just start it vs ssh to the unit.
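As an added illustration of the “capture src/dest, protocol and time to a file” idea above (this is example code, not from the poster or from any router package): a small script that post-processes the line output of an assumed capture such as `tcpdump -i br-lan -nn -tt -l 'host 192.168.1.50 and (tcp or udp)'` into a TSV of the first time the device under test contacted each destination and port. The interface name, the device address 192.168.1.50 and the sample packet lines are constructed for the example.

```python
import re
import time
from collections import OrderedDict

# Assumed capture command on the router (run over ssh), output redirected to a file:
#   tcpdump -i br-lan -nn -tt -l 'host 192.168.1.50 and (tcp or udp)' > /tmp/newdev.log
# -nn keeps raw IPs (devices that skip DNS still show up), -tt prints epoch
# timestamps, -l line-buffers so the file can be tailed while capturing.

# Packet lines as tcpdump -nn -tt prints them: "<epoch> IP <src>.<sport> > <dst>.<dport>: <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP6? (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): (?P<rest>.*)$"
)

# Constructed sample lines standing in for /tmp/newdev.log (not real captured traffic).
SAMPLE = """\
1700000000.101 IP 192.168.1.50.51234 > 93.184.216.34.443: Flags [S], seq 1, win 64240, length 0
1700000000.205 IP 93.184.216.34.443 > 192.168.1.50.51234: Flags [S.], seq 0, ack 2, win 65535, length 0
1700000001.300 IP 192.168.1.50.40000 > 198.51.100.7.123: NTPv4, Client, length 48
1700000002.400 IP 192.168.1.50.51235 > 93.184.216.34.443: Flags [S], seq 1, win 64240, length 0
1700000003.500 IP 192.168.1.50.40001 > 203.0.113.9.5683: UDP, length 21
"""

def parse_line(line):
    """Return (timestamp, proto, src, dst, dport) or None for lines that are not packets."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # tcpdump prints a TCP flags field for TCP segments; given the 'tcp or udp'
    # filter above, everything else is treated as UDP (assumption for this example).
    proto = "tcp" if "Flags [" in m.group("rest") else "udp"
    return float(m.group("ts")), proto, m.group("src"), m.group("dst"), int(m.group("dport"))

def first_contacts(lines, device_ip):
    """Map each (proto, dst, dport) the device reached out to -> epoch of the first attempt."""
    seen = OrderedDict()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, proto, src, dst, dport = rec
        if src != device_ip:  # outgoing only: drop replies and other hosts
            continue
        seen.setdefault((proto, dst, dport), ts)
    return seen

def report_lines(seen):
    """Render the contact table as TSV rows: UTC time, proto, dst, dport."""
    return ["%s\t%s\t%s\t%d" % (time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(ts)), p, d, port)
            for (p, d, port), ts in seen.items()]

if __name__ == "__main__":
    print("\n".join(report_lines(first_contacts(SAMPLE.splitlines(), "192.168.1.50"))))
```

Pointing the script at the real capture file and writing its output to another file gives the “which destinations, when” list the post asks for without keeping the full pcap.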
While I can’t help you w/ a GUI, I can tell you dnscrypt-proxy2 has the ability to log IPs & DNS in separate files. There’s also the option to set custom whitelists & blacklists accordingly, too… though my blacklists look longer than my white, of course.
Look for mentions of tsv (tab separated values, like csv) in the .toml conf file.
tmux & tail would be advisable if you wanted to watch the connections realtime but still be able to shut down your ssh session to keep the screen output active.
A question of understanding on my part: How does a list of contacted IPs and URLs tell you whether a device is “shady”? Especially in times of the big cloud providers, an IP is completely meaningless if you don’t also read the traffic.