Majordomo

Majordomo is a tool which was developed to find out whether some smart devices (e.g. TVs) are sending data they shouldn't be.

The aim of Majordomo is to provide a tool which is capable of displaying a simple overview of the events in your local network.

Possible Use Cases

Majordomo logs all communication going through the router. So apart from monitoring device-to-server connections it can also have some other uses. It can serve as a simple parental monitoring tool, or you can use it to fairly distribute the expenses when you share your Internet connection with other users.

When you deploy this tool keep in mind that it might be considered a privacy violation. So be sure that all users are aware that Majordomo is running on your router.

Data Collection

Majordomo gathers information regarding which device connected to which Internet server and how much data was transferred. The data resemble standard netflow records but there are some significant differences:

The data are aggregated within the monitored period of time. When a device communicates with a particular server on a regular basis, the data will be represented as a single record in the monthly view.

Majordomo monitors only the communication between LAN and WAN. It doesn't collect any information regarding the traffic which takes place within your LAN, nor does it include the traffic generated directly by the router.

The MAC address is used to identify the device in your network. The IP address can't be used for this purpose because we assume that it is assigned dynamically.

Important Settings

The configuration of Majordomo can be found in Statistics / Majordomo / Settings tab.

It has several basic options which are quite important.

The most important options describe the database setup. All the data are stored in a directory marked as majordomo_db. The majordomo_db option describes the location of the database within the router's file system. Because the DB is expected to be accessed quite frequently it is stored in the /tmp directory. This directory is mapped into the router's RAM and it is not persistent. This means that you'll lose Majordomo's data when the router is rebooted. If you'd like to keep your data it is recommended to attach an external drive and store the DB there, or you might use existing network storage if it's present in your network.

There are limit options where you can set how many daily reports you want to keep before the data are aggregated to a monthly view. Note that when you set it to a higher value you might run out of free space quite easily.

Majordomo can also translate IP addresses to domain names (according to reverse DNS records) and MAC addresses to manufacturer names. IP translation is turned on by default and it uses the DNS server which is running on the router. The MAC address translation uses a local database.

DNS and MAC translations are cached to optimize the page loading time.

How to Read the Data

The connection is identified by:

  • source MAC address (can be translated to manufacturer's name)
  • target IP address (can be translated to a hostname)
  • target port
  • protocol

From a brief glance you can see which device communicated with which server and which service was probably used. The common services are:

  • 80/TCP (http)
  • 443/TCP (https)
  • 993/TCP (imaps - email client)
  • 123/UDP (ntp - time synchronization)

You can find a list of common ports and services e.g. on wikipedia (http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers).

Data which can be observed in the overview are:

  • number of packets
  • total size of transmitted data (including packet headers)
  • size of transmitted data (payload only, without headers)

The same data are available for download and upload.

Be sure to consider the type of device during the data analysis. E.g. a high download would be acceptable when your TV is displaying some video from the Internet. On the other hand it is suspicious when your TV has a high upload to the servers of its manufacturer.

Note that the TCP protocol (and some UDP services) works in a way that incoming packets are acknowledged by the receiving side, so a download always produces some upload. For example:

Downloading a 2 GB file using http (80/TCP) can generate the following traffic:

  • packet count (download): 888878
  • total size (download): 2.06 GB
  • data size (download): 2.00 GB
  • packet count (upload): 746777
  • total size (upload): 53.15 MB
  • data size (upload): 1.42 MB

From this report it is obvious that the transferred payload was 2 GB but the total size was 2.06 GB. The extra 0.06 GB is generated by packet headers (e.g. headers used for routing). It also shows that the total upload size was 53 MB, caused by the packet acknowledgments. Note that in TCP the acknowledgments are stored within the TCP headers, so the actual upload data size (without headers) is significantly lower.

Note that we downloaded a relatively small amount of data. When we download a larger amount of data, the upload sizes will naturally be larger too. So a higher upload doesn't mean that there is a problem when it is matched by an even higher download.
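As an added example (not Majordomo's own code; the record layout and the thresholds are assumptions), the daily-to-monthly aggregation from the Data Collection section and the upload-versus-download reading described above, applied to constructed records keyed by source MAC, target IP, target port and protocol:

```python
from collections import defaultdict

# Constructed sample daily records; the field layout is an assumption, not
# Majordomo's real on-disk format. Counters are per direction:
# download = server -> device, upload = device -> server (bytes or packets).
FIELDS = ("dl_pkts", "dl_total", "dl_data", "ul_pkts", "ul_total", "ul_data")
DAILY_RECORDS = [
    # day, source MAC, target IP, target port, protocol, then the six counters
    ("2015-03-01", "aa:bb:cc:00:00:01", "198.51.100.10", 80, "tcp",
     888878, 2_060_000_000, 2_000_000_000, 746777, 53_150_000, 1_420_000),
    ("2015-03-02", "aa:bb:cc:00:00:01", "198.51.100.10", 80, "tcp",
     1000, 1_500_000, 1_400_000, 800, 60_000, 2_000),
    ("2015-03-01", "aa:bb:cc:00:00:01", "203.0.113.7", 443, "tcp",
     500, 60_000, 40_000, 20000, 24_000_000, 22_000_000),
    ("2015-03-02", "aa:bb:cc:00:00:02", "203.0.113.9", 123, "udp",
     10, 900, 480, 10, 900, 480),
]

def aggregate_monthly(records):
    """Collapse daily records into one record per connection key
    (source MAC, target IP, target port, protocol), summing all counters."""
    monthly = defaultdict(lambda: dict.fromkeys(FIELDS, 0))
    for (_day, mac, ip, port, proto, *counters) in records:
        entry = monthly[(mac, ip, port, proto)]
        for name, value in zip(FIELDS, counters):
            entry[name] += value
    return dict(monthly)

def header_overhead(entry):
    """Bytes spent on packet headers (total size minus payload), per direction."""
    return (entry["dl_total"] - entry["dl_data"], entry["ul_total"] - entry["ul_data"])

def flag_suspicious(monthly, min_upload=1_000_000):
    """Return connection keys where the device sent more payload than it received.
    Comparing payload (data size) instead of total size ignores TCP ACKs, which
    live in headers, so the ACK stream of a large download is not flagged."""
    flagged = []
    for key, entry in monthly.items():
        if entry["ul_data"] >= min_upload and entry["ul_data"] > entry["dl_data"]:
            flagged.append(key)
    return flagged

if __name__ == "__main__":
    monthly = aggregate_monthly(DAILY_RECORDS)
    for key in flag_suspicious(monthly):
        mac, ip, port, proto = key
        print(f"{mac} -> {ip}:{port}/{proto}: uploaded {monthly[key]['ul_data']} "
              f"bytes of payload, more than it downloaded")
```

With the constructed records, the 2 GB http download is left alone (its 1.4 MB of upload payload is far below the download) while the 443/TCP connection that uploads 22 MB against a 40 kB download is flagged for a closer look.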

How to Deal with a Suspicious Device

Majordomo only detects a problem. To fix it you need to perform some action. It might be more practical to introduce a firewall rule on the router than completely disconnecting the TV.