I have been wondering what sort of traffic my house sends to the internet. I fancied building a little sniffer.

Hardware

I used a NUC with three Ethernet ports. One provides the normal connection; the other two are bridged together and plugged into the UDM and the Starlink bridge adaptor. You can then sniff the bridge.

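NixOS snippet:

  # Keep NetworkManager and DHCP away from the two bridge ports.
  networking.networkmanager.unmanaged = [ "enp2s0" "enp3s0" ];
  networking.interfaces."enp2s0".useDHCP = false;
  networking.interfaces."enp3s0".useDHCP = false;

  # br0 joins the two ports; capture on br0 to see the traffic passing between them.
  networking.bridges = {
    "br0" = {
      interfaces = [ "enp2s0" "enp3s0" ];
    };
  };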

Software

I wrote a program using gopacket. It

  • sniffs traffic over the bridge
  • aggregates by five tuple (TCP/UDP, source & dst IPs, source & dst ports)
  • provides a little HTML page with stats.
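
The five-tuple aggregation step, as an added sketch (not the program described above): it uses only the Go standard library and parses Ethernet II / IPv4 headers by hand rather than through gopacket. The names `FiveTuple`, `Stats`, `Parse`, `Aggregate` and `SampleDNS` are assumptions made for this example, and IPv6 and VLAN-tagged frames are skipped.

```go
package main

import (
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"net/netip"
)

// FiveTuple is one direction of a flow; Proto is the IP protocol number (6 TCP, 17 UDP).
type FiveTuple struct {
	Proto            byte
	Src, Dst         netip.Addr
	SrcPort, DstPort uint16
}
type Stats struct{ Packets, Bytes uint64 }

// Parse extracts the five tuple from an Ethernet II frame carrying IPv4 TCP or UDP.
func Parse(f []byte) (t FiveTuple, ok bool) {
	if len(f) < 34 || binary.BigEndian.Uint16(f[12:]) != 0x0800 || f[14]>>4 != 4 {
		return t, false // truncated, or not IPv4 (ARP, IPv6, VLAN-tagged)
	}
	ip, ihl := f[14:], int(f[14]&0x0f)*4 // IHL varies when IP options are present
	if ihl < 20 || len(ip) < ihl+4 || binary.BigEndian.Uint16(ip[6:])&0x1fff != 0 || (ip[9] != 6 && ip[9] != 17) {
		return t, false // malformed, non-first fragment (no ports), or not TCP/UDP
	}
	t.Src, _ = netip.AddrFromSlice(ip[12:16])
	t.Dst, _ = netip.AddrFromSlice(ip[16:20])
	t.Proto, t.SrcPort, t.DstPort = ip[9], binary.BigEndian.Uint16(ip[ihl:]), binary.BigEndian.Uint16(ip[ihl+2:])
	return t, true
}

// Aggregate sums packets and on-the-wire bytes per five tuple, skipping unparsable frames.
func Aggregate(frames [][]byte) map[FiveTuple]Stats {
	flows := map[FiveTuple]Stats{}
	for _, f := range frames {
		if t, ok := Parse(f); ok {
			flows[t] = Stats{flows[t].Packets + 1, flows[t].Bytes + uint64(len(f))}
		}
	}
	return flows
}

// SampleDNS is a constructed frame (zero MACs and checksums), not captured traffic.
var SampleDNS, _ = hex.DecodeString("000000000000" + "000000000000" + "0800" + // dst MAC, src MAC, EtherType IPv4
	"4500001c" + "00000000" + "40110000" + "c0a80114" + "c0a80101" + // IPv4: UDP, 192.168.1.20 -> 192.168.1.1
	"9c40" + "0035" + "0008" + "0000") // UDP: port 40000 -> 53, length 8

func main() { fmt.Println(Aggregate([][]byte{SampleDNS, SampleDNS, SampleDNS[:20]})) } // truncated frame is skipped
```

Because the key is directional, a request and its reply are counted as two separate flows.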

Observations

  • The starlinkmon I set up a few months ago is pretty chatty; it is the top talker when the network is idle.
  • Lots more things than I expected use UDP.