Network monitoring/extraction?

Posted: Sat Sep 26, 2015 2:45 pm
by xs10tlist

I'm asking for assistance on a specific question regarding Little Snitch functionality. I work from home using our wireless router/modem system using internet provided by Cox (major cable provider in our area). I have some indications that my husband might be intercepting some of my emails, but I have not confronted him on this yet. He is a website developer and so has many applications on his computer that I'm not familiar with. One is Little Snitch and I have done a little homework on this.

My question: can someone use Little Snitch to capture particular emails going out on the wireless network, with the capability of not only capturing them but reading them?

Again, just gathering information before confronting the issue head-on. I'm just hoping I'm wrong.


Re: Network monitoring/extraction?

Posted: Sat Sep 26, 2015 3:59 pm
by GrandOldBoy
Whoah! Heavy issue here! :)

I don't want to step on anyone's toes, or be the cause of a domestic dispute; so what I provide here is for informational purposes only.

Since you asked specifically regarding the abilities of Little Snitch, if a LS user opens the LS Network Monitor, he or she will see a list of incoming and outgoing data on the local network, such as your wi-fi network.

By right-clicking a domain name or IP address that is listed to the right of a particular app -- say, the Mail app for example -- he will see an option to capture the data packets for that particular app.

Once the Little Snitch user determines that he or she has saved enough data packets, he can then terminate the capture, and a ".pcap" file will be saved in his or her "Downloads" folder.

The ".pcap" file can be opened and read with such apps as WireShark and Cocoa Packet Analyzer.

Thus, if a person is skilled and knows what they are doing, yes, they can read email that is flowing through a local network in this fashion.

In fact, that is precisely what the U.S. government's formerly named "Carnivore" packet sniffer does as well. They pressure ISPs and the like into attaching the Carnivore packet sniffer system to their networks, in order to sniff the data traffic of anyone they please, sometimes without the necessary authority or legal warrants to do so. Thank you, Patriot Act, 9/11, George W. Bush, etc. :(

Please note, however, that there are other ways to sniff data packets, even without using Little Snitch.

As I already mentioned, WireShark and Cocoa Packet Analyzer are two tools which are widely used by IT folks to analyze and troubleshoot their networks.

However, someone on your local wi-fi network doesn't necessarily have to use Little Snitch, WireShark, Cocoa Packet Analyzer, etc., in order to see what you are typing in your emails.

For example, someone can clandestinely install and enable Apple Remote Desktop, Timbuktu, or similar program on your computer, without you even knowing about it. By doing so, depending on the settings, they can not only see everything that you do on your computer, but if they set it up properly, they can even control your computer.

Furthermore, if someone on your local network knows your account name and admin password, they can connect to your machine, and do quite a bit, as if they are you.

For example, they can go to the Mail app support folder in your user library, copy the mboxes to their own machine, and then read all incoming and outgoing mail, if they have the right tools. You don't have to be a very advanced Mac user to do this.

The simple truth of the matter is that despite what a lot of people continue to erroneously believe, there is very little, if any, privacy on the Internet. A persistent and skilled hacker, government agency, husband, wife, boyfriend, girlfriend, curious person, etc., can eventually access what they want, if they persevere, across the Internet, or on a local LAN, such as your wi-fi network.

If large conglomerates, government agencies, universities, credit card companies, online businesses, etc., are not immune to being hacked, and their data stolen, isn't it kind of foolish to believe that us little guys on the bottom somehow remain immune?

In light of this, figuring out how to read someone else's email is really small potatoes by comparison.

But is YOUR husband doing this? Obviously, you better have some solid, clear proof before you go accusing him.

Regardless, it looks to me like you two really need to sit down and have a serious talk, because there is obviously a trust issue here.

Let me conclude by stating that I am not very knowledgeable in this area, so my information may not be 100% accurate, but I do believe that it is close to accurate.

I am sure that the Objective Development team, and other more experienced Little Snitch users here can correct anything mistaken which I may have stated, and add to it, if they so choose.

Re: Network monitoring/extraction?

Posted: Sat Sep 26, 2015 4:25 pm
by xs10tlist
Thanks, Grand. Yes, we have some trust issues apparently. One thing I can say is that he cannot (or wouldn't) access my computer because it's provided by a university and I have it passcoded. I don't believe he knows the passcode, and I change it regularly. So any interference would only be through his computer and what he can do as someone who knows how to access our wireless network's information.

I'm assuming from your post that as long as he has the software installed on his computer, he doesn't even have to be here when I'm using my computer to get that info. Rather, it's stored and he just "extracts" it off of Little Snitch, and/or some other program as you described. In other words, the data doesn't have to be occurring in real time. Correct?

Re: Network monitoring/extraction?

Posted: Sat Sep 26, 2015 5:33 pm
by GrandOldBoy
To clarify, as far as I know, apps such as Little Snitch, WireShark and Cocoa Packet Analyzer can only capture LIVE data streams.

In other words, I don't believe that those programs can capture static data that is ALREADY stored on your machine.

In short, for example, for him to capture your incoming and outgoing email messages, you would have to have Mail app launched, and you would have to actively -- in real time -- be sending and receiving email messages across your wi-fi network, while he has the capture function of Little Snitch -- or some other similar program -- enabled.

Of course, if you leave the Mail app running all the time, and have it set to poll your email server(s) on a regularly scheduled basis -- say every 15 minutes, every half hour, every hour, etc. -- even while you are away from home, then as long as that same Internet connection is open between your machine/Mail app and the remote mail server(s), I suppose that theoretically-speaking, he could start a data stream capture before he leaves for the day, and just leave his machine running until he comes home.

I imagine though that doing so would result in a fairly large ".pcap" file, although I don't recall if the data is immediately written to the file, or if it is saved in a buffer, until the user manually saves the data to his hard drive. If it is the latter, then I would think that there would be a limitation regarding the maximum size of the buffer, and that only so much data could be collected in the buffer. Maybe it all depends on how much memory the machine has. Or maybe Little Snitch itself has a buffer limitation. Or perhaps Mac OS X has a buffer limitation.

I honestly don't know the answer to these questions. Again, someone more knowledgeable than I -- such as the Objective Development team, or other more experienced users here -- could probably give you more concrete answers.

Personally, I never use Little Snitch's capture capability. Neither do I use WireShark, Cocoa Packet Analyzer, or any similar app. Like many users, I use Little Snitch primarily to protect my own privacy. After all, I have a lot of sensitive, personal data on this machine, such as family photos and movies, financial records, software registrations and serial numbers, etc. It is information which belongs on this machine, and nowhere else. Thus, Little Snitch prevents unscrupulous, questionable people, companies, agencies and organizations from surreptitiously mining my personal data, and sending it to some remote server, who knows where, where it may be sold, traded, or used for who knows what.

While some people like to claim that only software pirates use Little Snitch, this accusation is utterly bogus. In my view, anyone who does not take concrete steps to protect their own privacy on their own machine is both foolish, and living dangerously.

Anyway, that is my two cents worth regarding the issue. :)

Re: Network monitoring/extraction?

Posted: Sat Sep 26, 2015 5:58 pm
by RLD
LittleSnitch cannot capture anything unless you are accessing the internet through his computer. He can only capture what goes through his computer.

Re: Network monitoring/extraction?

Posted: Sat Sep 26, 2015 6:09 pm
by GrandOldBoy
RLD, are you certain of this?

It makes me wonder then why the feature is called "Network Monitor". To me, that clearly suggests network-wide monitoring. However, I admit that I could be wrong.

It would be good if we could get a clear answer from the Objective Development team.

Even if that is the case, as I explained to the OP, there are still other ways -- besides Little Snitch -- in which the woman's hubby could access her email messages.

One method I neglected to mention was the subtle installation of a keylogger.

While SIP protects the overall system, I wonder what other security measures Apple may have introduced in recent years which would protect this woman from her current fears.

Re: Network monitoring/extraction?

Posted: Sat Sep 26, 2015 6:57 pm
by GrandOldBoy
Here is an interesting confirmation regarding continuous packet capturing, which I just came upon while web surfing.

According to Google Web Analytics Manager, Chris Le, Little Snitch's network sniffer ". . . will continue to capture the next time the process starts up."

In other words, if my understanding is correct, let's say that process happens to be the Mail app. If the Mail app is shut down, and then started up again later, if Little Snitch's capture function is still in operation, it will just keep on capturing whatever new data is sent or received by Mail app.

You can read his full article -- it is short -- here: ... k-sniffer/

Regarding the question of whether or not Little Snitch's network sniffer can capture data packets from other computers that are on the same network -- i.e., ethernet or wi-fi -- while I am still not 100% certain of this, I do find it interesting that in the Network Monitor window, if you click on the first icon in the top left corner of the window, there is an option which says "Show local network".

I am not sure of what this means, and I cannot test it, because while I previously had multiple computers on my LAN, as well as a printer, I no longer do.

I am going to continue to research this issue, because I would really like to know.

However, overall, I think I have basically answered this woman's central question regarding her suspicions concerning her husband.

Think about it. The guy runs his own wi-fi network. He also runs his own web server. If you ask me, even if he doesn't or can't use Little Snitch to capture and read email messages from his wife's computer, I suspect that if he really wants to, he does possess the knowledge to do it some other way -- perhaps in one of the other ways that I mentioned -- and his wife may never even know about it. He could even crack her password without her realizing it.

Please note that I am NOT saying that he has done this. I obviously don't know, because I don't know the guy. However, based on the little that she has told us about him, I do suspect that he possesses the knowledge to spy on her in some way. Only she can determine if he really has.

What do the rest of you think?

Re: Network monitoring/extraction?

Posted: Sun Sep 27, 2015 12:24 am
by RLD
GrandOldBoy wrote: RLD, are you certain of this?

Yep, I'm pretty certain of this. Remember she stated she was using the router, not a pass-through via the Mac computer. Now if their router accepts the snmp protocol, and if he had installed snmp on his Mac through MacPorts, Cask, or Fink, then he could read the packets passing through the router, and if I remember correctly WireShark could also translate those packets after being received by snmp.

It would really be much easier to install a keylogger or some other malware to read what's going on, or maybe even guessing/stealing (via malware) what she might use for a password and read her mail/msgs on her laptop.

Re: Network monitoring/extraction?

Posted: Tue Sep 29, 2015 12:16 pm
by doffactory
Tough situation. However, I do not think that if he is tech savvy, he needs LittleSnitch for monitoring the activities you do. One can always set up all the monitoring in the router itself. One of the many examples can be a simple proxy server on the router, through which all the connections go out of your house. But there are also other possibilities. Instead of explaining all these, I would rather focus on how to mitigate the issue: you mentioned you use a university laptop. I suppose your university may also provide a VPN connection too (for reaching databases, etc.). Use a VPN connection. Make sure your emails (and other "sensitive" data) are downloaded after the VPN connection has been established. Check whether you have the IP of the university, and make a DNS-leak test. If all is good, you are connected through VPN and you can download your emails without allowing anybody to sniff (except the university). Other than this, the only option is to strictly use SSL, I am afraid.

Re: Network monitoring/extraction?

Posted: Mon Oct 12, 2015 10:48 pm
by bugmenot
Note that capturing e-mail traffic, as described above, hardly ever works nowadays because most mail providers secure mail communications with SSL.

You can check this in your mail program -> settings -> accounts:
If it uses port 110 / 143 / 25 your communication with the mailserver is probably not secure.
If it uses ports 465 / 587 / 993 your communication with the mailserver is probably secure (and can't be captured in the local network.)

Anyways, if I wanted to read my wife's e-mail, I'd probably just find out what her password is. Probably easier.
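As an added example (not code from the thread or from Little Snitch), this ties together GrandOldBoy's point that a saved ".pcap" can be opened and read, and bugmenot's port rule: it parses a small pcap file, picks out mail segments, and reports from the content whether they are readable plaintext or TLS records. The capture is constructed inline (one SMTP send on port 25, one IMAPS session on port 993), so a reader can verify on their own capture that mail really is leaving the machine encrypted.

```python
import string
import struct

# Ports named in bugmenot's post: plaintext mail protocols vs their TLS-wrapped variants
PLAINTEXT_PORTS = {25: "SMTP", 110: "POP3", 143: "IMAP"}
TLS_PORTS = {465: "SMTPS", 587: "Submission", 993: "IMAPS"}

def build_frame(sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame; checksums are left zero (parsers ignore them)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([192, 168, 1, 10]), bytes([203, 0, 113, 5])) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip          # zero MACs, EtherType IPv4

def build_pcap(frames):
    """Wrap frames in a classic libpcap file: magic 0xa1b2c3d4, LINKTYPE_ETHERNET (1)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def tcp_payloads(pcap):
    """Yield (src_port, dst_port, payload) for each IPv4/TCP frame in a little-endian pcap."""
    off = 24                                         # skip the global header
    while off + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack("<IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                 # need IPv4 carrying TCP
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        yield sport, dport, tcp[(tcp[12] >> 4) * 4:]

def classify(payload):
    """Decide from content, not just the port, whether a segment is readable."""
    if payload[:1] in (b"\x16", b"\x17") and payload[1:2] == b"\x03":
        return "tls"                                 # TLS handshake or application record
    if all(chr(b) in string.printable for b in payload):
        return "plaintext"                           # anyone holding the .pcap can read it
    return "binary"

def audit_mail_traffic(pcap):
    """Return (service, port, verdict) for every non-empty mail segment in the capture."""
    findings = []
    for sport, dport, data in tcp_payloads(pcap):
        for port in (dport, sport):
            if port in PLAINTEXT_PORTS or port in TLS_PORTS:
                service = PLAINTEXT_PORTS.get(port) or TLS_PORTS[port]
                if data:
                    findings.append((service, port, classify(data)))
                break
    return findings

def sample_capture():
    """Constructed capture: one unencrypted SMTP send and one IMAPS (TLS) session."""
    smtp = b"MAIL FROM:<alice@example.com>\r\nDATA\r\nSubject: dinner\r\n\r\nhome at 7\r\n.\r\n"
    tls = b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x03" + bytes(range(32))
    return build_pcap([build_frame(52000, 25, smtp), build_frame(52001, 993, tls)])

if __name__ == "__main__":
    for service, port, verdict in audit_mail_traffic(sample_capture()):
        print(f"{service:<10} port {port:<4} {verdict}")
```

Point the same function at a real capture (`audit_mail_traffic(open("capture.pcap", "rb").read())`) and any "plaintext" verdict is an account whose settings should be switched to the SSL ports listed above.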

Re: Network monitoring/extraction?

Posted: Thu Oct 15, 2015 11:35 pm
by Medic427
There are no trust issues, just the real probability of something happening. One good example is a case where two young women put a laptop in their bathroom, and these were Windows machines. Someone who turned out to be the landlord was able to use spyware to turn on the laptop camera and videotape these girls. This person wound up with a jail sentence, but if you are a young woman or young girl please understand that almost all phones with built-in cameras and laptop cameras will allow this to happen.

Android just had the Stagefright breach, please google it, and we all remember how Jennifer Lawrence and others forgot to uncheck "back up my photos". This is the problem: people think that everything is unlikely to be hacked, but honestly it is a real possibility. This depends of course on the other party's gain vs. loss relative to the risk of getting caught. Then again, if you are sixteen years old and know how to use wireshark really well, then according to some accounts I have read online, they do it because it is fun.

I honestly believe that there is a serious flaw though in our national security, because they are collecting data on everyone but solve nothing. A good example is here where I live on Long Island: there is one operating serial killer. You can triangulate people via cell phones, and if they are really sloppy they will use GPS and leave it on. Then the other thing: if it is a fairly new car, there are a lot of models that can be disabled right from the GPS and satellite connection, in addition to a device that does this function specifically, and unless you feel like tearing the whole car apart you will probably not find it. Reason? This is not their first dance nor bar bbq. This technology is right in your car if you own a GM OnStar vehicle as well. In fact, if you own a GM OnStar-equipped vehicle and you are behind on payments, they will disable the car.

This is why when news stories came out that people were hacking cars with Bluetooth I first thought hmmm........ When did you put two and two together? If most vehicles that had OnStar had this ability, it was only a matter of time before someone was stupid enough to tie in all the technology to Bluetooth, but why they did so that it controls brakes and steering is absolutely DumbKoff in the BMW, VW, Audi case. Just blanket ALL American-made cars have this feature. In addition there is a small accident chip recorder that most newer cars, well actually for a long time, has been in every single car. This was put there because when the police investigate a fatal accident this is like a black box, but for your car. Then you could say I was doing 20 mph when they know from that your collision actually happened at 50 mph. None of this matters, because this was a process that began a long time ago and has only intensified to the maximum.

Oh yes, in the United States for cell phones there is StingRay now. The only people that drive and ride encrypted are federal agencies, that I know of, in the United States; an example is the Secret Service. I know that because at one time I was obsessed with being in law enforcement on the state level and then moving to the federal, but that is all overweigh for an old bastard like me now. I have absolutely gone off the tracks, but then again, in explaining how much tech there is, my people who kill other people are still out there?

Re: Network monitoring/extraction?

Posted: Thu Oct 15, 2015 11:47 pm
by Medic427
One final thing: if you want to keep something secret, do not use technology. It just is the case. If you lock down your network, then there are always other ways. Tempest, if you have one of those CRT monitors, etc... So the KGB are the smartest people there are. They went back to using typewriters. That is the answer: if you really are concerned, get a typewriter like the KGB and type any letters to your loved ones or whoever else and hand deliver it. That is the only way from your hands to their hands.

If you used to work for a defense contractor or had loved ones who did, then to fix it make a burn can, and only burning, not shredding, will make sure that secret goes nowhere. Then again, I never saw that again since I was a child. It seemed to work well for them though in the 60s cold war. Then finally, we are screwing ourselves with all this technology, do not get me wrong. I love every single new gadget that is released, but no one remembers something called an Electro Magnetic Pulse. If your car is not EMP shielded, then your electric car OR your regular car will not work at all with all this technology. The more tech, the more possible system failures you can have.

If you want the full deal on how bad things are security-wise, google Steve Gibson and check out his podcasts from his show on TWiT.tv online. He seems like an amazing guy and a wonderful person. The best thing though is he knows pretty much a ton of things on the latest security breaches and issues.

Love to you all and peace,