GrapheneOS Default Network Connections

The testing methodology was practically the same as our LineageOS test.

Testing methodology.

  • A Computer was used as a Hotspot running both Network Miner 2.8 and Wireshark to log all network request
  • Pixel 5 was installed with the latest version of GrapheneOS (August 2023)
  • Setup was completed without connecting to WiFi or a cellular network
  • There was no SIM card in while installing, setting up, or testing
  • After setup was complete, WiFi was connected to the computer running the Hotspot
  • After a base line was logged, we turned on GPS

Screenshot of Wireshark with DNS filter.

  • connectivitycheck.grapheneos.network
  • time.grapheneos.org
  • apps.grapheneos.org
  • releases.grapheneos.org

Total bandwidth sent and received for each IP

Some of the IP’s are used for different services. For instance the apps and releases sub domains use the same IP address.

  • connectivitycheck.grapheneos.network and time.grapheneos.org – 25.794 KiB
  • apps.grapheneos.org and releases.grapheneos.org – 39.468 KiB
  • Total – 65.262 KiB

Turning on GPS

After turning on the GPS toggle, there was a DNS query for

qualcomm.psds.grapheneos.org

This will download the files needed to speed up the GPS speed and accuracy. You can turn this off in the Settings -> Location -> Predicted Satellite Data Service (PSDS)

You can also enable/disable the Secure User Plan Location (SUPL)

You can read more about PSDS and SUPL on the GrapheneOS website https://grapheneos.org/faq#other-connections

LineageOS Default Network Connections

This was a fairly simple test to see what network connections a fresh LineageOS install on a Google Pixel 5 makes. During the initial setup, GPS was disabled. After we set it up and got a base line, we turned GPS on to see what DNS requests it made.

Testing methodology.

  • A Computer was used as a Hotspot running both Network Miner 2.8 and Wireshark to log all network request
  • Pixel 5 was installed with the latest version of LineageOS 20 (August 2023)
  • Setup was completed without connecting to WiFi or a cellular network
  • There was no SIM card in while installing, setting up, or testing
  • After setup was complete, WiFi was connected to the computer running the Hotspot
  • After a base line was logged, we turned on GPS
  • GApps were not installed.

Fresh Install Network Requests

After setup was complete, we connected the Pixel 5 to the PC running NetworkMiner and Wireshark. It immediately made a handful of requests to the following 5 domain names

  1. www.google.com
  2. connectivitycheck.gstatic.com
  3. time.android.com
  4. g.co
  5. firebaseinstallations.googleapis.com

connectivitycheck.gstatic.com is used to detect if the current network has internet and also to detect if there is a captive portal that you need to log into.

time.android.com would be to check the time and make sure it is correct.

Not sure what the extra 3 are used for. It is possible that firebaseinstallations.googleapis.com is used for the Android System Intelligence, or some other app that comes by default on LineageOS.

The following NetworkMiner screenshot shows all the IP addresses that were returned for the DNS queries. Note that a DNS query can return multiple IP addresses for a domain name, and then the device only use one of those IP addresses to transmit traffic.

A couple of normal network broadcast, multicast, and gateway addresses are blurred out as they are normal for devices on a local network.

Here is a Wireshark screenshot for all the DNS requests.

Total bandwidth sent and received for each IP

Using Wireshark, we were able to get a total amount of data sent and received for each of the domains.

  1. www.google.com – 12.976 KiB
  2. connectivitycheck.gstatic.com – 1.497 KiB
  3. time.android.com 270 bytes
  4. g.co – 21.883 KiB,
  5. firebaseinstallations.googleapis.com – 16.225 KiB
  6. Total for Pixel 5 – 52.851 KiB

Turning on GPS

Turning on GPS immediately led to a connection to xtrapath5.xboxprod.izatcloud.net.

The four lines are just different IP’s for the same domain.

From the Location settings, we can toggle on or off the “Use assisted GPS”.

The settings say the following about Assisted GPS “Download satellite assistance data from the internet which can greatly improve the GPS startup performance. For emergency calls, assisted GPS is always allowed”

Essentially, it will download some files that help your phone find satellites faster which will get you a faster GPS lock. Without it, it can take awhile to find your position.

During the initial setup (First screenshot below), you can toggle on/off Assisted GPS. By default, Android System Intelligence and the Browser are allowed to use Location.

Hopefully that is a helpful overview of the default LineageOS network connections and what some of them are used for.

Wireshark – Please turn off promiscuous mode for this device

Recently received the following error while trying to do a packet capture on windows.

There are two solutions to this problem

  1. Disable promiscuous mode for the adapter
  2. Update Npcap

Disable Promiscuous mode

“Please turn off promiscuous mode for this device”

You can turn on promiscuous mode by going to Capture -> Options

Uncheck promiscuous

And click Start

Update Npcap

If you need promiscuous mode on, then look at installing a newer version of Npcap

https://npcap.com/dist/

Restart Wireshark, and Start a capture.

https://ask.wireshark.org/question/30138/please-turn-off-promiscuous-mode-for-this-device/

Wireshark Filtering

Filter to show DHCP packets

You can find detailed info here. https://wiki.wireshark.org/DHCP

But you should be able to filter out the DHCP request with either

dhcp

or

bootp
Filter DHCP request

Filter by IP Address

ip.addr == 192.168.1.1

Filter by Mac Address

eth.dst == 01:00:5e:7f:ff:fa

Better way to Filter

Wireshark has a robust set of options for filtering items.

From the Packet Details pane you can select any piece of information you want to filter, right click -> Apply As Filter -> Selected

You can also copy it and then past it in the filter bar. Right click -> Copy -> As Filter

Copy As Filter

How to stream Mikrotik Packet Sniffer to Wireshark

Setup Packet Sniffer on Mikrotik

Go to Tools -> Packet Sniffer

Mikrotik Packet Sniffer Settings

Configure the Streaming options. Set the Server IP address to the computer you are running Wireshark on

Configure IP address to stream to.

Configure the Filter settings. Unless you want to stream everything from the router to your computer.

Set filter options

Configure Wireshark

Make sure the TZSP is enabled in the “Enabled Protocols” Window. Either by going to “Analyze -> Enabled Protocols” or “Ctrl + Shift + E”

Enable TZSP protocol

Run Wireshark.

Wireshark

Helpful links

https://wiki.mikrotik.com/wiki/Ethereal/Wireshark