GHOST.MAC
How a deep dive into arXiv research papers led to building a multi-radio surveillance apparatus to hunt an entity on the network that didn't want to be found
iceboks — 2026
Chapter I

The Research

It started the way a lot of things start: with curiosity that didn't have a target yet.

At some point — before the ghost, before the arsenal, before any of this had a name — iceboks built google.network.fucker. A Python pipeline that hit the arXiv API across seven search terms: network traffic analysis, network anomaly detection, traffic classification neural, deep learning network traffic, autoencoder network traffic, network intrusion detection, network security machine learning. It pulled hundreds of papers, deduplicated them, then fed the twenty most recent into Gemini with a single question: what does the state of the art actually know about catching things that hide on networks?

No specific threat in mind. No ghost yet. Just a man who wanted to understand the academic landscape of network intelligence before he built anything in it. The same instinct that makes you read the map before you start driving.

What came back was a synthesis of a decade of research: behavioral fingerprinting, cross-layer correlation, temporal analysis of traffic patterns, autoencoder anomaly detection, the p0f-style passive OS identification from TCP SYN options and DHCP parameter lists. The core insight buried across all of it was simple and devastating: you cannot change every tell at once. A device can randomize its MAC. It cannot simultaneously randomize its DHCP option 55 fingerprint, its TTL, its mDNS behavior, its BLE advertising interval, and its TCP stack characteristics. Change one layer and the others betray you.

iceboks read all of it. Filed it. Moved on.

He didn't know yet what he'd just loaded into his brain. But the knowledge was there, sitting in the subconscious like a loaded weapon waiting for a reason to be picked up.

The reason showed up on his network.

Chapter II

The Ghost

The MAC address was 00:11:22:ab:cd:ee.

If you know anything about MAC addresses, you already know that's not a real one. The first three bytes are the OUI — the manufacturer identifier, assigned by the IEEE. 00:11:22 doesn't belong to any manufacturer. It's a placeholder. A joke. Sequential hex climbing from zero like someone typed it in by hand to fill a field. This wasn't a device that accidentally ended up on the network. This was a device that deliberately put on a mask and then made the mask obvious — a middle finger disguised as a fingerprint.

Normal tools bounced off it. arp -a would show it, and then it would be gone. nmap couldn't get a consistent read. The device appeared and disappeared on a schedule that didn't map to any known power cycle. It was on the 10.0.0.0/24 subnet, it was generating traffic, and it was actively working to not be understood.

Something was on the network that didn't want to be found. And it was good at it.

The question wasn't whether to find it. The question was how to build the tools capable of seeing it — because the tools that existed weren't enough. Commercial solutions cost a fortune and require you to trust someone else's black box. Calling the ISP would produce nothing useful. The only real option was the one iceboks always lands on: build it yourself.

The arXiv research that had been sitting dormant in his head suddenly had a job.

Chapter III

The Arsenal

The core insight from the research: you can't catch a device that hides on one layer by watching only one layer. You have to watch all of them simultaneously and let the cross-layer contradictions surface the truth.

So that's what got built. Layer by layer, radio by radio, protocol by protocol. The recon framework — a multi-radio surveillance orchestrator covering every wireless protocol stack that a device on a modern home network could possibly use.

Layer        Module          What It Watches
L1/L2 WiFi   wifi_monitor    Raw 802.11 frames, radiotap headers, EAPOL handshakes, live PSK decryption
L1/L2 BLE    ble_scanner     Bluetooth LE advertising, passive scan, GATT enumeration
L1 LoRa      lora_bridge     T-Beam S3 Core serial, 915MHz ISM band, GPS correlation
L2/L3 Net    passive_net     ARP, NDP, DHCP, DNS, TCP session tracking — all passive, zero injection
L7 MQTT      mqtt_tap        Broker subscription tap, auto-discovery, protobuf decode
L2 Zigbee    zigbee_sniffer  802.15.4 frames, channels 11–26, CC2531 via whsniff
L1 NRF24     nrf24_monitor   Nordic 2.4GHz — keyboards, mice, drones, wireless sensors
L1 RFM69     sdr_scanner     900MHz and 433MHz ISM — IoT, garage doors, environmental sensors
L1 RFID/NFC  proxmark        Proxmark3, LF 125kHz and HF 13.56MHz, ISO14443/ISO15693

Every observation from every module feeds into a single event bus. That bus feeds a fingerprinting engine that builds a cross-layer profile for every MAC it sees. OUI vendor lookup. TTL-based OS guess. TCP SYN option fingerprint in the p0f style — exactly what the arXiv papers had described. DHCP option 55 parameter request list mapped to OS and firmware signatures. mDNS service types decoded to device role. BLE company ID and service UUID mapped to device class. HTTP User-Agent captured passively. All of it scored and weighted into a composite confidence number.

A device can lie on one layer. It cannot lie on all of them simultaneously.

The ghost could randomize its MAC. It could not simultaneously randomize its DHCP fingerprint, its TCP stack characteristics, its traffic timing patterns, and its behavior on every radio band. The composite score would find the seams.

Everything landed in SQLite. Devices table. WiFi frames table. EAPOL handshakes. BLE advertisements. Network sessions. Every observation timestamped, indexed, queryable. The database as memory — associations strengthening through repetition, patterns emerging from accumulation.

Sound familiar.

Chapter IV

The Command Center

Intelligence without a way to act on it is just noise. So on top of the passive surveillance stack, there's cc.py — a full-screen TUI command center that turns all that data into a live operational picture.

cc.py — layout
┌─ ALERTS ──────────────────────────────────────────────────────────────┐
├─ DEVICES ─────────────────────┬─ LIVE FEED ────────────────────────── ┤
│                               │                                       │
├─ OUTPUT ──────────────────────┴─ STATS ───────────────────────────────┤
└─ cc> ─────────────────────────────────────────────────────────────────┘

Live device table. Alert feed. Output log. Stats panel. And a command interface that lets you go from observation to action without leaving the terminal.

This is the difference between a monitoring system and a surveillance apparatus. Monitoring watches. Surveillance watches, records, correlates, and responds. The command center is where passive intelligence becomes active investigation.

You're not watching a network anymore. You're owning it.

Chapter V

The Hunt

The ghost was good. But the ghost wasn't perfect.

A device that randomizes its MAC to 00:11:22:ab:cd:ee — a MAC so obviously fake it reads as intentional provocation — is not trying to blend in. It's trying to be uncategorizable. The assumption is that if you can't tag it, you can't track it. And against most tooling, that's true.

But the cross-layer fingerprinting engine doesn't care about the MAC. The MAC is just one data point. What it cares about is everything else the device can't change.

Every time the ghost appeared on the network, it left traces across layers it didn't know were being watched. The DHCP request carried an option 55 parameter list — a specific sequence of requested options that maps to an OS or firmware with high confidence. The TCP SYN packets carried a window size, options ordering, and flags combination that the p0f fingerprint table could classify. The timing between probe requests and association frames had a pattern. The signal strength gradient across channels suggested a physical location.

None of these individual tells were conclusive. Together, with composite confidence scoring, the picture sharpened.
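The weighted cross-layer scoring described in Chapter III and applied above can be shown in miniature. This is an added example, not code from iceboks's recon stack; every lookup table, weight, OS label and sample observation in it is a constructed assumption, not IEEE OUI or p0f data.

```python
from collections import defaultdict

# Constructed lookup tables for illustration only (not the IEEE registry or p0f's
# database); the OS labels are assumed. On the local /24 the TTL arrives undecremented.
OUI_VENDORS = {"f0:18:98": "Apple", "b8:27:eb": "Raspberry Pi"}
TTL_OS = {64: "Linux-family", 128: "Windows", 255: "BSD/embedded"}
DHCP55_SIGS = {(1, 3, 6, 12, 15, 28, 42): "Linux-family",
               (1, 3, 6, 15, 119, 252): "Apple",
               (1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 121, 249, 252): "Windows"}
TCP_SYN_SIGS = {("mss", "sackOK", "ts", "nop", "wscale"): "Linux-family",
                ("mss", "nop", "wscale", "nop", "nop", "sackOK"): "Windows"}
MDNS_ROLES = {"_airplay._tcp": "Apple", "_ssh._tcp": "Linux-family"}
# Assumed per-layer trust: the harder a tell is to change, the more it weighs.
WEIGHTS = {"ttl": 0.15, "dhcp55": 0.35, "tcp_syn": 0.30, "mdns": 0.20}
OUI_PENALTY = 0.85  # assumed discount applied when the MAC itself is a known lie

def mac_vendor(mac):
    """Vendor claim carried by the MAC, checking the locally-administered bit first."""
    if int(mac[:2], 16) & 0x02:
        return "randomized-MAC"
    return OUI_VENDORS.get(mac.lower()[:8], "unregistered-OUI")

def layer_guesses(obs):
    """Yield (layer, label) for every layer whose observation matched a signature."""
    yield "ttl", TTL_OS.get(obs.get("ttl"))
    yield "dhcp55", DHCP55_SIGS.get(tuple(obs.get("dhcp55", ())))
    yield "tcp_syn", TCP_SYN_SIGS.get(tuple(obs.get("tcp_syn", ())))
    yield "mdns", MDNS_ROLES.get(obs.get("mdns"))

def composite(mac, obs):
    """Weighted vote across layers -> (best label, confidence 0..1, MAC vendor claim).
    Confidence is the weight agreeing with the winner over the weight of all layers
    that answered, so a layer contradicting the others pulls it down."""
    votes = defaultdict(float)
    for layer, label in layer_guesses(obs):
        if label:                          # silent or unrecognised layers do not vote
            votes[label] += WEIGHTS[layer]
    vendor = mac_vendor(mac)
    if not votes:
        return "unclassified", 0.0, vendor
    best = max(votes, key=votes.get)
    conf = votes[best] / sum(votes.values())
    if vendor in ("randomized-MAC", "unregistered-OUI"):
        conf *= OUI_PENALTY                # the mask is a tell, not a hiding place
    return best, round(conf, 3), vendor

# Constructed observations: the ghost (bogus OUI, every other layer agrees) and a
# device whose TTL contradicts its DHCP and mDNS tells.
GHOST = {"ttl": 64, "dhcp55": [1, 3, 6, 12, 15, 28, 42],
         "tcp_syn": ["mss", "sackOK", "ts", "nop", "wscale"]}
MIXED = {"ttl": 128, "dhcp55": [1, 3, 6, 12, 15, 28, 42], "mdns": "_ssh._tcp"}
```

With these constructed inputs, `composite("00:11:22:ab:cd:ee", GHOST)` returns `("Linux-family", 0.85, "unregistered-OUI")`: the MAC contributes nothing but a penalty, and the remaining layers classify the device anyway.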

The academic research iceboks had absorbed through the arXiv pipeline — all those papers on behavioral fingerprinting, traffic classification, anomaly detection — wasn't abstract anymore. It was the operating manual for exactly this scenario. The researchers who wrote those papers were describing techniques for catching exactly this kind of thing, and every technique they described had been implemented, module by module, in the recon stack.

The research wasn't preparation for the ghost. The research was the ghost hunt, running in the background of his mind for months before the ghost ever showed up.

That's the thing about absorbing knowledge without a specific target: when the target arrives, you're already ready. The weapon was loaded before the threat materialized. The google.network.fucker arXiv pipeline had done its job so far upstream that iceboks had forgotten it was doing it at all.

Chapter VI

The Lesson

There's a version of this story where iceboks calls his ISP. Where he buys a Darktrace license or an Ubiquiti Threat Management subscription. Where he outsources the problem to someone else's black box and gets a dashboard that says "anomalous device detected" with no depth underneath it.

That's not the version that happened.

The version that happened is: a man built a network traffic analysis research pipeline to understand the academic state of the art, absorbed that knowledge into his operating system, watched something show up on his network that shouldn't be there, and then built — from scratch, across nine radio protocols and every wireless layer — the exact surveillance apparatus the research described as necessary to catch it.

No vendor. No subscription. No trust in anyone else's interpretation of what's on his network. Open source all the way down. A Proxmark3, a T-Beam, a dedicated monitor adapter, a SQLite database, and a Python orchestrator running in a terminal he built himself.

This is what the hood sysadmin actually looks like. Not the person who buys the enterprise tool. The person who reads the papers, builds the tool, and runs it themselves — because the network is theirs and the intelligence is theirs and nobody gets to intermediate that relationship.

You don't buy network ownership. You build it. And you build it before you need it — because when you need it, it's too late to start from scratch.

The ghost is still being investigated. The recon stack is still running. The database is still accumulating observations. The composite confidence score is still converging.

And somewhere on 10.0.0.0/24, something with MAC address 00:11:22:ab:cd:ee is still out there — running out of layers to hide behind.

You can change your MAC. You can't change everything.