Background

I had been listening to the Darknet Diaries security podcast, specifically the Superbox / ep 172 episode.

The security researcher, D3ada55, mentioned her dad had bought a whole load of cheap streaming devices from Walmart, and she discovered they were sending vast quantities of data to China (odd, since they were installed in North America!). Clearly something weird was going on. The rest of the episode was interesting and informative as usual.

During this, I had a thought: say I had a compromised device on my network. How would I know? Hmmmmm.

So I grabbed Claude Code and built a solution!

Basic Functionality

  • Gather details of network connections to the internet.
  • Store and digest them.
  • Alert me if something looks bad ASAP.
  • Daily updates of changes to the network access profile.
  • Charts with some simple dimensional breakdowns (gotta have charts).
  • Keep current with threats over time.

Implementation

Gathering Network Data

Here is a quick diagram of my network infrastructure:

Like many networks, all traffic to the internet flows through a single gateway, making it an obvious data gathering point.

My gateway is made by MikroTik, whose gear includes more professional-grade features.

So, I enabled IPFIX (NetFlow-style) flow export on the gateway. This means the details of each traffic flow are relayed to my house server. The volume is relatively low, as it is just the flow metadata (addresses, ports, protocol, byte and packet counts), not the contents of every single packet.

Third Party Data

The system downloads the following data sources on a daily basis:

  • Spamhaus DROP list - IPs known to be used by professional spam or cybercrime operators, maintained by Spamhaus.
  • FireHOL level1 - bad-IP blocklist maintained by FireHOL.
  • Feodo Tracker - list of botnet command and control server IPs maintained by Feodo Tracker. Note, this list is currently empty due to successful takedowns of these botnets.
  • ipsum l5 - aggregation of suspicious/malicious IP address lists maintained by Stamparm ipsum.
  • Tor exit nodes - list of Tor exit nodes maintained by the Tor project itself. More details on including this shortly.
  • MaxMind free GeoIP location data - this allows the system to resolve IPs to country and network (ASN).

Processes

On my house server, there are various processes running in a single Docker container:

  • goflow2 - provided by the netsampler/goflow2 package - receives the flow data from the gateway and saves it to disk in JSON format.
  • flow-analyzer - digests the received data every minute and checks for any obvious connections to threat systems.
  • daily-summary - sends a daily email of changes in the network profile.
  • web-server - a tiny web server allowing interactive exploration of the data.
  • ti-updater - keeps the third-party data sets up to date.

Local Data Storage

I use a combination of SQLite and JSON files stored on local disk. I was actively trying to avoid a database server like Postgres to keep the size down.

Output

Web GUI

This is what the web GUI looks like:

You can see the volume of data grouped by network or country over various time periods. You can also drill into an individual local device.

Even though there are no reported threats, I quickly check this display every few days, looking to see if the traffic profile has changed in a suspicious manner.

Daily Network Profile Email

This is what one of my daily profile change emails looks like:

Subject: [house-net] daily summary: 0 TI hit(s), 18 new ASN(s), 0 new country code(s)

window:  2026-07-01T06:00:00+00:00 -> 2026-07-02T06:00:00+00:00
totals:  0 TI hit(s) across 0 unique destination(s), 18 new ASN(s), 0 new country code(s) across 7 device(s)

172.18.1.15
  new ASNs:
    AS30103       Zoom Video Communications, Inc    e.g. 159.124.21.182

172.18.1.23
  new ASNs:
    AS7941        Internet Archive                  e.g. 207.241.225.195
    AS42697       Netic A/S                         e.g. 77.243.51.122
    AS399784      Internet Archive Canada           e.g. 204.62.248.204

172.18.1.24
  new ASNs:
    AS47474       Virtual1 Limited                  e.g. 193.115.242.165
    AS198554      8X8 UK Limited                    e.g. 109.70.58.81
    
[snip]

Urgent threat detection email

There is also a second email which tells me of any TI hits as soon as they’re detected (within a minute). Here’s a manually generated example:

Subject: [house-net] LOW: 172.18.1.7 -> 11.22.33.44 | tor-exit

timestamp:    2026-07-03T10:34:33.690726+00:00
kind:         ti-match
severity:     low
source:       172.18.1.7
destination:  11.22.33.44 (address-removed-for-privacy) :9001/TCP
geoip:        DE / AS197540 (netcup GmbH)
bytes/pkts:   0.2 KB / 4
matched:      tor-exit
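As an added illustration (not the project's own code), here is a minimal version of the flow-analyzer check described above: it parses goflow2-style JSON flow records, matches each destination against CIDR-aware threat feeds in the plain-text shapes the Spamhaus DROP and Tor exit lists use, and emits ti-match records carrying the fields shown in the alert email. The feed contents, the flow records, the goflow2 field names and the per-feed severity mapping are all constructed assumptions.

```python
import ipaddress
import json
from datetime import datetime, timezone

# Constructed feeds in the shapes the real lists use: Spamhaus DROP is "CIDR ; comment",
# the Tor exit list is one bare IP per line. Neither is real feed content.
FEEDS_RAW = {
    "spamhaus-drop": "; constructed sample\n198.51.100.0/24 ; SBL-TEST\n",
    "tor-exit": "# constructed sample\n11.22.33.44\n",
}
SEVERITY = {"tor-exit": "low"}  # assumed mapping; any other feed is treated as high
# Constructed goflow2-style JSON lines (field names assumed to follow goflow2's JSON output).
SAMPLE_FLOWS = """\
{"time_received_ns": 1783074873690726000, "src_addr": "172.18.1.7", "dst_addr": "11.22.33.44", "dst_port": 9001, "proto": "TCP", "bytes": 220, "packets": 4}
{"time_received_ns": 1783074874000000000, "src_addr": "172.18.1.15", "dst_addr": "159.124.21.182", "dst_port": 443, "proto": "TCP", "bytes": 9000, "packets": 30}
{"time_received_ns": 1783074875000000000, "src_addr": "172.18.1.23", "dst_addr": "198.51.100.77", "dst_port": 80, "proto": "TCP", "bytes": 1200, "packets": 8}
"""

def load_feeds(raw):
    """Parse each feed into ip_network objects; bare IPs become /32 (or /128) networks."""
    feeds = {}
    for name, text in raw.items():
        entries = (line.split(";")[0].split("#")[0].strip() for line in text.splitlines())
        feeds[name] = [ipaddress.ip_network(e, strict=False) for e in entries if e]
    return feeds

def match_feeds(ip, feeds):
    """Names of every feed whose CIDR or host entries contain ip."""
    addr = ipaddress.ip_address(ip)
    return [name for name, nets in feeds.items() if any(addr in n for n in nets)]

def analyze(flow_lines, feeds):
    """Digest goflow2 JSON lines, emitting one ti-match alert per flagged destination."""
    alerts = []
    for line in filter(str.strip, flow_lines.splitlines()):
        flow = json.loads(line)
        hits = match_feeds(flow["dst_addr"], feeds)
        if not hits:
            continue
        ts = datetime.fromtimestamp(flow["time_received_ns"] / 1e9, tz=timezone.utc)
        alerts.append({
            "timestamp": ts.isoformat(),
            "kind": "ti-match",
            "severity": "high" if any(SEVERITY.get(h, "high") == "high" for h in hits) else "low",
            "source": flow["src_addr"],
            "destination": f'{flow["dst_addr"]}:{flow["dst_port"]}/{flow["proto"]}',
            "bytes_pkts": f'{flow["bytes"] / 1024:.1f} KB / {flow["packets"]}',
            "matched": hits,
        })
    return alerts
```

Running `analyze(SAMPLE_FLOWS, load_feeds(FEEDS_RAW))` flags the Tor exit flow as low and the DROP-listed flow as high, while the third flow passes clean.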

Tor Threat detection testing

Tor, or The Onion Router, is a privacy-focused, decentralised virtual network. It is very important for some, but it is also used by attackers to disguise their tracks.

In order to test the system, I made a connection to a known Tor exit node. The system alerted me within a minute. As I do not use Tor on my network, this would be an obvious indication something was up.

Code

The code is on my GitHub.

Conclusion

This will definitely not catch everything.

I do like having some visibility of what my network is doing on a normal basis.

And charts, mmm charts!