I know there are two IP addresses: the public IP address, which is given by the Wi-Fi router and is the same for all the devices connected to it and is the IP address visible to websites; and the private IP address, which is the IP address assigned to every device connected to the Wi-Fi and is used by the Wi-Fi router for sending the exact packets to the exact device.
I am also aware that the ISP and websites can see and log what you do online, which is associated with your public IP address.
But does that happen with private IP addresses also? Can the ISP of the Wi-Fi router see and keep a log about exactly which packets from which website are being sent to which exact device connected to the Wi-Fi and then associate it with the private IP address of that device?
(I know that Wi-Fi routers can be used to log and associate the web activities with the private IP addresses, if that feature is enabled by the administrator. I am not talking about that. I am asking if the same thing can be done by the ISP of the Wi-Fi router.)
47 Answers
But does that happen with private IPs also? I mean, like, the ISP of the wifi router sees and keeps a log about exactly which packets from which website are being sent to which exact device connected to the wifi and then associating it with the private IP of that device?
Generally no. As you said, the private IP addresses are assigned to devices by the wifi router, and this happens outside the "ISP network" boundary. By the time a packet from your device reaches the ISP, the packet's header contains only the public source IP address, not the private one.
(However, keep in mind that if the router itself was provided by the ISP and is still remotely managed by the ISP, then the ISP can remotely configure the router to log every connection and forward the log entries to the ISP.)
The simple answer is "not in most cases" - however the total answer is a lot more nuanced.
In the common case where a router is doing NAT, and where the ISP has no login to the router and there are standard protocols in use like HTTP/HTTPS, the ISP can't see the IP address of the individual devices behind the router. A small number of protocols provide this information in an unencrypted form that can be recovered by the ISP. This information can also be leaked by, for example, email headers within email sent through an on-site mail server, or even more rarely by an on site proxy server adding an X-Forwarded-For header for HTTP communication.
It is sometimes possible to trick browsers into revealing this information by intercepting the content. Using HTTPS makes this a lot harder. It's also likely that information about machines behind an IP address can be inferred based on the source ports and other "fingerprinting" information available to an ISP or person tapping into that data. This won't reveal an IP address, but could identify individual machines in the network using the shared IP address - and this can be done regardless of HTTP/HTTPS.
All this assumes the router is doing NAT. This is not a safe assumption. For example, if the router has IPv6 enabled, then NAT is not typically used, and the individual device can be seen directly. It is entirely practical (and not uncommon) to have both IPv4 behind NAT and IPv6 available on a router - and IPv6 can be set up without any user configuration or DHCP. Some sites (Google properties for a start) will use IPv6 if it's available, even while other sites are using IPv4.
I also observe your statement about ISP logging is an approximation of the truth, but is incorrect in nuance. Most ISPs would not log packets to websites, they would log packets between IP addresses, and very often there is a 1:many or many:many relationship between IP addresses and websites (e.g. YouTube and Google have a many:many relationship, and most websites are on shared hosting). It's not shouted from the rooftops, but most governments install equipment at ISPs and siphon off data (there are standardized protocols for this, and IMHO it's a scandal that it's not well known and publicised in ISPs' T&Cs). I expect that this government equipment is capable of getting the name of the websites visited and the public IP address of the visitor - even if the data is encrypted (as the domain name is not encrypted by HTTPS in most cases - due to the shared hosting and IPv4 limitations mentioned above).
If the ISP maintains the router and assigns the WAN IP address, they can see everything you can, including DHCP details. So they know you have 30 devices connected, and that two of these are routers again. They might also be interested in you having to disable their Wi-Fi and running access points. Otherwise they can "tune" your Wi-Fi remotely based upon logs. They can survey your MAC addresses to find smart speakers or high end handsets and tailor marketing campaigns accordingly.
Less so if the router is not carrying their firmware.
There are scenarios where packets with private network addresses can make their way out, although they're not your addresses.
Say I set up some server on my home network, which is 172.16.51.0/24. I give the server the static address of 172.16.51.5. I set up a script or something on my laptop to periodically try to access it, using the IP address.
If I take my laptop over to your network and let the script try to access the server, it's still trying to access 172.16.51.5, even though that's (probably) not in your network. Because my laptop sees that the destination is in another network (and it doesn't already know a 'better' route), it sends the packets to the default gateway, which is your router.
Your router is now receiving packets with a destination of 172.16.51.5, which is just "somewhere else" as far as it's concerned. It then forwards the packets on to its default gateway (your ISP), while rewriting the source address to be your WAN address.
Notice that your private address space choice wasn't leaked, but someone else's was.
Some routers block these packets by default, but some don't. I've seen this at work when people bring in personal devices, and the devices 'remember' the IP of a printer, network share, or something else on their home network. Our router/firewall (which is from Palo Alto Networks) doesn't block these by default.
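The forwarding decision described in this answer, modelled as an added example (my code, not the answerer's): a visiting laptop keeps sending to the 172.16.51.5 it remembers from home, your router sees an off-link destination, rewrites only the source to your WAN address and hands the packet upstream. The LAN, WAN address and gateway are constructed values, and the egress filter at the end is the check a router would need to stop the leak. It also shows a packet for a public destination passing the same filter, so the filter only affects the private-destination case.

```python
"""Toy home-router forwarding: does someone else's private destination leak
upstream, and what an egress (bogon) filter changes. All addresses constructed."""
import ipaddress

MY_LAN = ipaddress.ip_network("192.168.0.0/24")   # "your" network (constructed)
MY_GW = "192.168.0.1"                             # your router's LAN address
MY_WAN = "203.0.113.7"                            # your public address (constructed)
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def laptop_next_hop(dst, local_lan, default_gw):
    """Host routing: on-link destinations go direct, everything else to the gateway."""
    return dst if ipaddress.ip_address(dst) in local_lan else default_gw


def router_forward(src, dst, filter_private_destinations=False):
    """Return the packet as it appears on the WAN side, or None if dropped.

    NAT rewrites only the source; the destination is forwarded unchanged,
    which is exactly how a foreign 172.16.x.x address ends up at the ISP.
    """
    dst_ip = ipaddress.ip_address(dst)
    if dst_ip in MY_LAN:
        return ("lan", src, dst)            # delivered locally, never leaves
    if filter_private_destinations and any(dst_ip in n for n in RFC1918):
        return None                         # egress filter: RFC 1918 destination dropped
    return ("wan", MY_WAN, dst)             # source rewritten, private dst leaks upstream


def simulate(visitor_target="172.16.51.5", filtered=False):
    """A visiting laptop (constructed 192.168.0.42 on your LAN) tries its home server."""
    hop = laptop_next_hop(visitor_target, MY_LAN, MY_GW)
    return {"laptop_sends_to": hop,
            "seen_by_isp": router_forward("192.168.0.42", visitor_target, filtered)}


if __name__ == "__main__":
    print("no filter :", simulate())
    print("with filter:", simulate(filtered=True))
```

Without the filter the ISP-side packet reads `("wan", "203.0.113.7", "172.16.51.5")`: your address space is intact, the visitor's is what leaked. With the filter enabled the packet is dropped before it leaves, while traffic to public destinations is untouched.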
You're getting a lot of great answers, but I thought I'd chime in with an analogy:
Suppose you're back in the office. You've written a letter to a client in another state, but you didn't write your information on the letter. You hand the letter to the receptionist, and tell her you expect a response from them.
The receptionist then opens the letter and writes a note on her desk: "Happy at office number XYZ is expecting a reply from Company X." The receptionist also got a nameless letter to company X from your colleague, so they might also note a few key things to separate your reply from company X from your coworker's reply from company X.
The receptionist puts your letter in an envelope with only your company's mailing address, the name of the recipient, and the mailing address of company X. When the receptionist receives a reply to your letter, the reply may not necessarily have your name, but the receptionist has enough information to correctly infer that the reply should go to you.
On the Internet, the receptionist is your router. It's giving your device an "office number" (read: private IP address). No other computer outside your network knows (or cares) what this private IP address is. To the outside world, you share an IP address with every other computer on your network. (This address is called a public IP address.) When your computer sends data and expects a reply from a server, the router knows about this and forwards the reply to your computer. This process is called Network Address Translation (NAT).
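The receptionist's notebook from this analogy and the header rewrite from the first answer, as one added example (my code, not either answerer's): a minimal port-based NAT table. Two LAN devices open connections to the same server; on the WAN side both carry the one public address, told apart only by the translated source port, and a reply to that port is mapped back to the right device. It goes one step beyond the answers to cover the IPv6 point raised elsewhere on the page: an IPv6 packet is passed through untranslated, so the device's own address is what the ISP sees. All addresses are constructed (TEST-NET and documentation ranges).

```python
"""Toy NAT (masquerade) table: what a device sends vs. what the ISP sees."""
import ipaddress
from dataclasses import dataclass, replace

PUBLIC_IP = "203.0.113.7"   # constructed WAN address assigned by the ISP


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Nat:
    """The receptionist's notebook: who is waiting for a reply from whom."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}     # (private src, sport, dst, dport) -> translated port
        self.reverse = {}   # translated port -> (private src, sport)

    def outbound(self, pkt):
        """Rewrite a LAN packet as it crosses to the ISP side."""
        if ipaddress.ip_address(pkt.src).version == 6:
            return pkt      # no NAT for IPv6: the device's global address goes out as-is
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.table:
            self.table[key] = self.next_port
            self.reverse[self.next_port] = (pkt.src, pkt.sport)
            self.next_port += 1
        return replace(pkt, src=self.public_ip, sport=self.table[key])

    def inbound(self, pkt):
        """Map a reply from the Internet back to the device that asked for it."""
        if ipaddress.ip_address(pkt.dst).version == 6:
            return pkt
        if pkt.dport not in self.reverse:
            return None     # nobody is waiting for this: unsolicited, dropped
        priv_ip, priv_port = self.reverse[pkt.dport]
        return replace(pkt, dst=priv_ip, dport=priv_port)


def isp_view(nat, lan_packets):
    """Distinct source addresses an upstream observer sees for a batch of LAN packets."""
    return sorted({nat.outbound(p).src for p in lan_packets})


if __name__ == "__main__":
    nat = Nat(PUBLIC_IP)
    a = Packet("192.168.1.10", 51000, "198.51.100.5", 443)
    b = Packet("192.168.1.11", 51000, "198.51.100.5", 443)
    v6 = Packet("2001:db8::10", 51000, "2001:db8:ffff::1", 443)
    for p in (a, b, v6):
        print("LAN side:", p, "\nWAN side:", nat.outbound(p), "\n")
    print("ISP sees sources:", isp_view(nat, [a, b, v6]))
```

Note that the two IPv4 flows collide on the same private source port (51000), which is exactly why the table keys on the whole 4-tuple and hands out a fresh public port per entry. The IPv6 source in the final line is the one address the ISP really can attribute to a single device.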
Surprisingly, there are a couple of ways your ISP (or even somebody like Stack Exchange) could collect information of this sort in IPv4.
They could use passive OS fingerprinting (see p0f) to distinguish machines. This involves things like examining the usage and ordering of the TCP options in the SYN and normal packets of your connection. This will not distinguish between multiple machines running the same (or sufficiently similar) TCP stacks, unless they are deliberately configured differently.
They could get some information by artificially decreasing the TTL on your incoming packets and seeing if they get a time exceeded message, no message, or data received (as indicated by it being ACKed). This will let one discover the presence of interior routers, and the number of hops. This might get you the IP addresses of interior routers, depending on if the NAT adjusts them. Similarly, the NAT implementation might not deal properly with the packet header embedded in the ICMP error message (though this is probably done properly by most NAT implementations).
I suggest emailing yourself and checking the mail's full header ('see email source' option or something common).
Here is mine:
Received: from 3x.3x.1x.7x.nat.umts.dynamic.t-mobile.pl (HELO kabina2) (mynick@mymailserver@[3x.3x.1x.7x])
As you can see, I am behind the NAT, my inner IP is 3x.3x.1x.7x and my laptop name is kabina2. So nothing is secret.
An email was sent from localhost running my portal written in Django.
If I send an email using external post services (in this case from wp.pl to poczta.fm) this part of the header looks like this:
from mx2.wp.pl (mx2.wp.pl [212.77.101.7]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by fmx23.pf.interia.pl (Postfix) with ESMTPS for <>; Sun, 7 Nov 2021 13:54:21 +0100 (CET) Received (wp-smtpd smtp.wp.pl 17571 invoked from network); 7 Nov 2021 13:54:19 +0100
In this case there are only mail daemons' IPs visible. But you should remember that all switches, routers, etc. create their own connection tables and nothing is really private in this world.
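The self-check this answer recommends, as an added example (my code, not the answerer's): a small parser for Received: headers that pulls out the name the sending machine announced (the HELO), the bracketed addresses the receiving server recorded, and whether any of them fall in an RFC 1918 range. The two sample headers are constructed to mirror the answer's two cases, a home machine behind NAT and a hosted relay, using documentation addresses; run it on headers copied from your own "show source" view to see what your mail path reveals.

```python
"""Extract what Received: headers reveal about the sending machine.
Sample headers below are constructed (documentation addresses), not real mail."""
import ipaddress
import re

SAMPLE_HEADERS = [
    # Case 1: mail submitted directly from a laptop behind NAT (constructed)
    "Received: from 10.0.0.23 (HELO my-laptop) (me@mail.example.net@[10.0.0.23]) "
    "by mail.example.net with SMTP; Sun, 7 Nov 2021 13:54:19 +0100",
    # Case 2: mail handed between two providers' relays (constructed)
    "Received: from mx2.example.org (mx2.example.org [198.51.100.7]) "
    "by mx.example.net (Postfix) with ESMTPS; Sun, 7 Nov 2021 13:54:21 +0100 (CET)",
]

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Bracketed literal recorded by the receiver: [1.2.3.4] or [IPv6:2001:db8::1]
IP_RE = re.compile(r"\[(?:IPv6:)?(\d{1,3}(?:\.\d{1,3}){3}|[0-9a-fA-F:]+)\]")
HELO_RE = re.compile(r"\(HELO ([^)\s]+)\)")
FROM_RE = re.compile(r"^Received:\s+from\s+(\S+)")


def parse_received(header):
    """Return the announced name, HELO name, recorded IPs and an RFC 1918 flag."""
    m = FROM_RE.match(header)
    helo = HELO_RE.search(header)
    ips = []
    for raw in IP_RE.findall(header):
        try:
            ips.append(ipaddress.ip_address(raw))
        except ValueError:
            continue            # bracketed text that is not an address
    return {
        "announced_host": m.group(1) if m else None,
        "helo_name": helo.group(1) if helo else None,
        "ips": [str(ip) for ip in ips],
        "leaks_private": any(ip in n for ip in ips for n in RFC1918),
    }


def audit(headers):
    """Parse a list of Received: lines, outermost first."""
    return [parse_received(h) for h in headers]


if __name__ == "__main__":
    for result in audit(SAMPLE_HEADERS):
        print(result)
```

The first record exposes both the laptop's hostname and its LAN address because the laptop spoke SMTP to the server itself; the second shows only relay addresses, matching the answer's observation about provider-to-provider mail. The RFC 1918 check is deliberate rather than Python's `is_private`, which also flags the documentation ranges used here.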