How do mobile phone companies detect if you are sharing your 3G/4G internet connection?

I just spoke with a phone company in Denmark that offers "Free 3G/4G" on the phone, but they have a limitation if you create a hotspot and share the connection; this limitation is 50GB.
How do they detect if your mobile device is sharing the connection? Do they intercept some special headers that the computer/other phones send over the connection?

MAC addresses are used at a lower layer than IP and relate to each hop or leg of an end to end communication so they don't really help with this issue.
Detecting tethered devices is quite a complicated task and there are special solutions to do exactly this. They tend to look at multiple things to try to determine if other devices are using the mobile's connection, even if the devices are spoofing or manipulating headers etc.
Examples of things a solution will look at:
- number of simultaneous sessions
- HTTP user-agent headers
- device type
- device screen size
- TCP Timestamp
- TCP Source Port
- TCP Sequence Number
- Application-based correlation to TCP flows
- Node-pair correlation to TCP flows
See here for an example solution and more details of the above (this is just one example solution):
https://www.sandvine.com/downloads/general/sandvine-technology-showcases/policy-control-for-connected-and-tethered-devices.pdf
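Two of the signals listed above, TCP timestamps and HTTP user-agent headers, can be combined as in the following added example (not part of the original answer and not taken from the linked product). The packet records are constructed, and the 1000 Hz timestamp tick rate and the tolerance are assumptions; hosts behind one NAT each keep their own TSval clock, so more than one clock on a single subscriber address is a tethering signal.

```python
from collections import namedtuple

# Constructed sample for one subscriber IP: capture time (s), TCP TSval, HTTP User-Agent.
Pkt = namedtuple("Pkt", "t tsval ua")
SAMPLE = [
    Pkt(0.0, 1_000_000, "Mozilla/5.0 (Linux; Android 13; Pixel 7) Mobile"),
    Pkt(0.5, 1_000_500, None),
    Pkt(1.0, 88_200_100, "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"),
    Pkt(1.5, 1_001_500, None),
    Pkt(2.0, 88_201_100, None),
    Pkt(3.0, 1_003_000, "Mozilla/5.0 (Linux; Android 13; Pixel 7) Mobile"),
]

# Substring -> OS family; checked in order because Android UAs also contain "Linux".
UA_FAMILIES = [("Android", "android"), ("iPhone", "ios"), ("Windows NT", "windows"),
               ("Macintosh", "macos"), ("Linux", "linux")]
DESKTOP = {"windows", "macos", "linux"}


def count_ts_clocks(pkts, hz=1000, tolerance=50):
    """Count independent TSval clocks. hz and tolerance are assumed values."""
    clocks = []  # each entry: (time, tsval) of the last packet assigned to that clock
    for p in sorted(pkts, key=lambda p: p.t):
        for i, (t0, ts0) in enumerate(clocks):
            # A packet fits a clock if its TSval matches that clock advanced by elapsed time.
            if abs(p.tsval - (ts0 + (p.t - t0) * hz)) <= tolerance:
                clocks[i] = (p.t, p.tsval)
                break
        else:
            clocks.append((p.t, p.tsval))
    return len(clocks)


def ua_families(pkts):
    """Map each User-Agent seen to a coarse OS family."""
    seen = set()
    for p in pkts:
        if p.ua:
            seen.add(next((fam for key, fam in UA_FAMILIES if key in p.ua), "other"))
    return seen


def tether_signals(pkts):
    """Combine both signals; a stack that randomizes TSval per connection inflates ts_clocks."""
    clocks, fams = count_ts_clocks(pkts), ua_families(pkts)
    return {"ts_clocks": clocks, "ua_families": fams,
            "suspect": clocks > 1 or bool(fams & DESKTOP)}
```

Neither signal is proof on its own, which is why the answer describes solutions that correlate several of them.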

We put the question to Three, which not too surprisingly declined to
answer. However, if you think about it logically, it should be fairly
simple to detect tethering. Every device with a network connection
(including Wi-Fi) has a unique hardware identifier called a MAC
address. Assuming that the operator can trace the final destination of
the data packets, it should be able to determine that the final MAC
doesn't match your phone's.
source
Although the post is about UK operators, it should apply in Denmark.

Related

CREG, CGREG, CEREG AT commands

I have to control a modem Cinterion ELS61 with a host application. Can anyone tell me in simple words which is the real difference among at+creg?, at+cgreg? and at+cereg? commands?
I know that cgreg is related to 2G and 3G radio access technology and cereg with 4G/LTE one, but the actual differences are not so clear and neither the relation with the creg command results.
It follows an example from a real case:
AT+CREG?
+CREG: 2,5,"38AD","02531900",7
OK
AT+CGREG?
+CGREG: 2,4
OK
AT+CEREG?
+CEREG: 2,5,"2AF2","02531900",7
OK
What is the difference among the answers to +creg and +cereg? Aren't they quite the same? And by the way, what does it mean that the same cell (02531900) has 2 different location area codes (i.e. 38AD and 2AF2)?
Thanks for the attention
All the +C*REG commands, as you probably know, query the status of the registration to some network.
The first step is the following categorization:
- +CREG, which queries the registration to the circuit switched network.
  It is basically the GSM "classic" network, on which voice/data calls and SMSs are based
- +C*REG commands, which query the registration to the packet networks.
  They are the networks on which the packet data traffic is based. The network allowing the access to internet, to be clear.
+C*REG commands are technology specific commands:
- +CGREG queries the registration to GPRS network
- +CEREG queries the registration to LTE data packet network, and in some cases is mandatory also to perform tasks that were usually based on GSM: voice calls (if VoLTE, Voice Over LTE, is supported) or to send SMSs (IMS protocol).
  LTE technology, basically, moves almost everything on packet traffic
The reason why different commands are available (even in the same cellular module) is that different registration processes are required for each sub-network.
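A parser for the three read-command responses quoted in the question, as an added example (not code from the original posts or from the modem vendor). The field layout and the status and access-technology codes follow 3GPP TS 27.007, where the area field of +CEREG is a tracking area code (tac) rather than a location area code; the function and dictionary names are hypothetical.

```python
import re

# Command -> (network domain as described in the answer, name of the area-code field).
DOMAIN = {"CREG": ("circuit-switched", "lac"),
          "CGREG": ("GPRS packet", "lac"),
          "CEREG": ("LTE packet", "tac")}
STAT = {0: "not registered, not searching", 1: "registered, home network",
        2: "not registered, searching", 3: "registration denied",
        4: "unknown", 5: "registered, roaming"}
ACT = {0: "GSM", 2: "UTRAN", 3: "GSM w/EGPRS", 4: "UTRAN w/HSDPA",
       5: "UTRAN w/HSUPA", 6: "UTRAN w/HSDPA and HSUPA", 7: "E-UTRAN"}
_LINE = re.compile(r"^\+(CREG|CGREG|CEREG):\s*(.+)$")


def parse_reg(line):
    """Parse a read-command response: +CxREG: <n>,<stat>[,<area>,<ci>[,<AcT>]]."""
    m = _LINE.match(line.strip())
    if not m:
        raise ValueError("not a +CREG/+CGREG/+CEREG response: %r" % line)
    cmd = m.group(1)
    fields = [f.strip().strip('"') for f in m.group(2).split(",")]
    if len(fields) < 2:
        raise ValueError("missing <stat> field: %r" % line)
    domain, area_name = DOMAIN[cmd]
    stat = int(fields[1])
    out = {"command": cmd, "domain": domain, "n": int(fields[0]), "stat": stat,
           "status": STAT.get(stat, "other"), "registered": stat in (1, 5)}
    if len(fields) >= 4:          # location fields are present only when n=2 and known
        out[area_name] = int(fields[2], 16)
        out["cell_id"] = int(fields[3], 16)
    if len(fields) >= 5:
        out["act"] = ACT.get(int(fields[4]), "other")
    return out


# The three responses from the question above.
SESSION = ['+CREG: 2,5,"38AD","02531900",7', "+CGREG: 2,4",
           '+CEREG: 2,5,"2AF2","02531900",7']

if __name__ == "__main__":
    for resp in SESSION:
        print(parse_reg(resp))
```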

Synchronize sqlite files without a public IP

I'm trying to come up with a way to sync a sqlite database between two computers.
If this were on a machine with a public IP this would not be difficult but I'm trying to find a way to make this work for ANY two devices, and most computers don't have a static IP.
What are some of the ways I can tackle this problem?
Assuming you just need to find the peer's IP address...
1. Broadcast a UDP packet onto the LAN, if the machines are on the same LAN segment. You can also try using admin scoped multicast, but mileage will vary according to the network setup and gear in use.
2. If trying to find two machines across the internet (assuming you can solve the NAT address translation issue), you need to bounce off a node that will hold info for you. E.g. write a packet to dweet.io or sparkfun or other website that will hold store and forward data. You can also read twitter feeds etc, basically you need a known reference point for both to talk to. Look into how malware creates command and control networks for some ideas. Or search for rendezvous servers and protocols.
3. If the address range is small, probe all possible addresses. But be careful as you might trigger anti virus or ISP action
4. If wanting more browser based, look at webrtc, not quite what you are after but some of the techniques for discovery might be interesting.
5. If you have access, you can play with your DNS records. Essentially this is a variation of (2).
There are more options too, but they get more special purpose or become a bit too stealthy for general use. Also see how mesh networks are formed.

How to distinguish between different type of packets in the same HTTPS traffic?

There's something that bothers me: I'd like to distinguish between a packet coming from Youtube and a packet coming from Wikipedia: they both travel on HTTPS and they both come from the port 443.
Since they travel on HTTPS, their payload is not understandable and I can't do a full Deep Packet Inspection: I can only look at Ethernet, IP and TCP struct headers. I may look at the IP address source of both packets and see where they actually come from, but to know if they are from Youtube or Wikipedia I should already know the IP addresses of these two sites.
What I'm trying to figure out is a way to tell from a streaming over HTTP (like Youtube does) and a simple HTML transport (Wikipedia) without investigating the payload.
Edit 1: in a Wireshark session started during a reproducing video I got tons of packets. Maybe I should start looking at the timeout between packets coming from the same address.
If you are just interested in following the data stream in Wireshark you can use the TCP stream index, filter would be something like tcp.stream == 12
The stream index starts at zero with the first stream that Wireshark encounters and increments for each new stream (persistent connection).
So two different streams between the same IPs would have two different numbers. For example a video stream might be 12 and an audio stream, between the same IP addresses, might be 13.
If you started the capture before the stream was initiated you'll be able to see the original traffic setting up the SSL connection (much of this is in clear text)
You may consider looking at the server certificate. It will tell you whether it's youtube (google) or facebook.
That would give you an idea whether SSL connection is to youtube, which one is to facebook.
You can try looking at the TCP header options, but generally the traffic is encrypted for a reason... so that it wouldn't be seen by man-in-the-middle. If it were possible, it would be, by definition, a poor encryption standard. Since you have the capture and all the information known to the user agent, you are not "in-the-middle". But you will need to use the user agent info to do the decryption before you can really see inside the stream.
this link: Reverse ip, find domain names on ip address
indicates several methods.
Suggest running nslookup on the IP from within a C program.
And remembering that address/ip values can be nested within the data of the packet, it may (probably will) take some investigation of the packet data to get to the originator of the packet
Well, you have encountered a dilemma. How to get the info users are interchanging with their servers when they have explicitly encrypted the information to get anonymity. The quick response is you can't. But only if you can penetrate on the SSL connection you'll get more information.
Even the SSL certificate interchanged between server and client will be of no help, as it only identifies the server (and not the virtual host you'll try behind this connection), and more than one SSL server (with the feature known as HTTP virtual host) several servers can be listening for connections on the same port of the same address.
SSL parameters are negotiated just after connection, and virtual server is normally selected with the Host http header field of the request (see RFC-2616) but these occur after the SSL negotiation has been finished, so you don't have access to them.
The only thing you can do for sure is to try to identify connections for youtube by the amounts and connection patterns this kind of traffic exhibits.

Establish direct peer-to-peer Wi-Fi communication between laptops

TL;DR available at the bottom
I've been trying to figure out a way to get two laptops (both running Ubuntu) to be able to pass basic messages back and forth without the need for them to be connected via a wireless network, either by an AP or ad-hoc. I want to reiterate here that ad-hoc networking is not what I'm looking for, I've seen many similar questions here with that as the answer.
I guess what I'm asking is: how do I achieve this? All I really need is for one computer to be able to send a packet, and then for another to pick it up via a packet sniffer of some kind.
Currently: I have both laptops in monitor mode (via a mon0 interface created from aircrack-ng's airmon-ng) so that they can sniff nearby traffic (with Wireshark, tcpdump, tcpdump.org's sample libpcap code, and opening a raw socket and just printing out all the packets. I tried each just because I thought one could be doing something differently/leaving something out). I also have a very basic program that consists of opening a raw socket to send crafted ethernet frames out to the air, but I can't get my two machines to see the other's packets. The sniffer running on each machine can only see the packets going out of that machine (in addition to nearby beacons/control traffic from wifi in the area).
Some things to note that might be important are:
- the packets I'm sending out appear in Wireshark (only on the sending machine) as malformed 802.11 packets (probably because I'm just filling them with junk data for now). I was under the impression that my other laptop would also see them as malformed packets, but it gets nothing
- the sockets I'm using are from a call to socket(PF_PACKET,SOCK_RAW,ETH_P_ALL). Raw sockets are something I just recently was aware of, so I could be misunderstanding how they work, but my impression is that I can craft a layer 2 packet by hand and ship it straight out to the wire/air.
If you're curious as to why I want to do something like this, it's part curiosity, part research for a project I'm working on. I want to streamline / automate the process of setting up an ad-hoc network, and what I'm trying to do here is for the laptops to do a small exchange to figure out the specifics of the adhoc network they are about to create and then make/join that network automatically, instead of either one person explicitly setting up the network OR having both people pre-decide the name, etc of the network and have both computers constantly trying to connect to that specific one.
I'm more interested if I'm going about this process in the right way rather than if my code works or not, if someone thinks me posting my (very basic, taken from another post on Stack Overflow) raw socket code will help, I can.
Edit: I am more than happy to post a complete set of code with instructions if I can get this working. I couldn't find much helpful info on this topic on the internet, and I'd love to put it up for future people trying to do the same thing.
TL;DR I want to send out a packet from one laptop and pick it up on another via a packet sniffer of some sort. No wifi network or ad-hoc network involved. Something akin to spoofing an AP's beacon frame (or similar) for the purpose of sending small amounts of data.
Edit 2: After some thought, perhaps what I'm looking for is some kind of raw 802.11 use? Having direct control of the wifi radio? Is such a thing possible?
I found out I was able to send packets out through my monitor mode interface as long as I had correct 802.11 with radiotap headers. I think the problem I was originally experiencing (not being able to sniff the packets) was because they were malformed and thus not actually getting sent out.
I was able to accomplish this by adapting the example code found here, courtesy of someone named Evan Jones, except I did not need to use an Atheros based card or Madwifi drivers, everything worked fine with the mon0 interface created with aircrack-ng.
I am certain that Apple Mac do this. Apple call it 'bonjour'. There may well be a proper IETF spec for it. This is an Article on Bonjour this is Wikipedia on an open component of bonjour which might help get you moving.

wireless networks c program

I would like to create a wireless network from a laptop. If laptops come within range, I would like it to send them a welcome message and send them a goodbye message when they leave the wifi range. Is it possible to do this in C?
Please help me out with this.
It is possible, but it is a very complex task and I don't think that programming language choice is the first thing to look into.
As a start, you can read up on Wikipedia on Wireless ad-hoc networks.
How should your messages be received and displayed on the remote side? If you want to use some existing protocol over TCP/IP, or create your own (deploying custom applications on the remote machines), you will need to mess with networks and this is not always possible as one machine can be a part of only one network. So the machines need to be not connected to anything and somehow allow you to connect to them, it involves changing network settings on all those machines (for example, setting them to join the ad-hoc network with predefined name).
If all machines automatically join the existing network, this question has nothing to do with wireless (physical layer) but with Avahi, Netbios or whatever other services allowing you to get notifications and/or enumerate devices in the network.
