Monitoring my phone's internet activity with DD-WRT and Perl

I’ve had a cracked phone screen for years, but recently as the glass started falling out, I decided it was time to upgrade. I bought a Samsung Galaxy S8, and was surprised to see “Unusual traffic from your computer network” messages when searching via Google. This peaked my curiosity, so I decided to monitor the phone’s Internet traffic to see who it was communicating with.

Router Setup

I run DD-WRT Linux on my home WiFi router. DD-WRT can run an Rflow service where it posts NetFlow traffic data to another computer on the network via UDP. I enabled the service, and configured it to post to my laptop’s IP address and the default port, 2055.

Monitoring

I installed ntop and setup a virtual interface pointing at the UDP socket, and lo! it quickly started displaying the NetFlow data. The problem was I couldn’t figure out how to filter out data that wasn’t from my phone (the various pcap filter expressions I tried did not work). Also it irked me to rely on a software program to do something as simple as parsing data from a UDP socket.

Luckily I speak chainsaw, and whipped up this script to do the job:

#!/usr/bin/env perl use IO::Socket::INET; use Data::Netflow; my $sock = IO::Socket::INET->new( LocalPort => 2055, Proto => 'udp' ); open my $logfile, '>>', 'galaxy-s8.log' or die $!; my ($sender, $datagram); while ($sender = $sock->recv($datagram, 0xFFFF)) { my ($sender_port, $sender_addr) = unpack_sockaddr_in($sender); $sender_addr = inet_ntoa($sender_addr); my ($headers, $records) = Data::Netflow::decode($datagram, 1) ; for my $r (@$records) { if ($r->{SrcAddr} eq '192.168.1.139' && $r->{DstAddr} ne '192.168.1.1') { printf $logfile "%s,%d,%d,%d,%d

", $r->{DstAddr}, $r->{DstPort}, $r->{Packets}, $r->{Octets}, time; } } }

The script opens a UDP socket on port 2055 and reads datagrams from it. It uses Data::Netflow to parse the datagrams from the socket. The decode function accepts a datagram and returns a hashref of header data, and an arrayref of NetFlow records. Each record is a hashref and strangely by default its keys are stringified numbers (“1” through “20”).

However if the second argument passed to decode is true, then the record hashrefs use field names instead of numbers. Each record contains data like the source and destination IP addresses and ports, the number of packets sent, total number of bytes in the packets and so on. If the record’s source IP address match my phone’s network address, the script prints the pertinent information to a logfile.

I disabled mobile data on my phone, and ran this script for 24 hours.

Results

I used Net::Whois::IP to lookup the organization for each IP address. Here’s the top ten Organizations by the number of packets sent:

Fastly (SKYCA-3) => 1243 OPENX TECHNOLOGIES, INC. (OPENX) => 989 Saferoute Incorporated (SAFER-1) => 553 Servers.com, Inc. (SERVE-105) => 13 Integral Ad Science, Inc. (ASML-5) => 36 Facebook => 724 Google LLC (GOOGL-2) => 794 Amazon.com, Inc. (AMAZO-4) => 2000 Search Guide Inc (SG-63) => 140 Chaos Computer Club e.V => 224

And by the number of bytes sent:

Amazon Technologies Inc. (AT-88-Z) => 1218193 Amazon.com, Inc. (AMAZO-48) => 9230 Google LLC (GOGL) => 40239218 VLAN927 => 2005 ADFORM-NET => 3041 ANS Communications, Inc (ANS) => 1880 Wal-Mart Stores, Inc. (WALMAR) => 1573 INAP-NYM-QUANTCAST-26423 => 4822 Web.com, Inc. (WEBCO-24) => 4232 CERFnet (CERF) => 361

It seems to me to be mostly web browsing / marketing data. The Chaos Computer Club entry is from using Orfox (a Tor browser). Although honestly, if something malicious was using AWS, I’m not sure how I could tell. Perhaps looking at the distribution and frequency of packets sent and correlating it with a journal of my phone activity might be a way to identify suspicious traffic.

In the meantime, Google has stopped warning me about unusual activity, and I haven’t cracked the screen yet, so I suppose I’ll keep using this phone for now.

References