RawBox Visualisation framework: How to break traffic patterns with Nym mixnet


Hi,

I’m Oleksandr and I represent the RawBox Squad.

When I first came across Nym Network, I was hooked by the fact that Nym’s main trick is to counter traffic analysis with modern AI. At that point (summer 2023), Nym was showing how it worked in general, and I even used Nym Connect to try out the first prototype. But at that point, it wasn’t clear to me exactly what the threat was, what it looked like, and how Nym mixnet helped counteract network traffic analysis.
The very next summer, in 2024, after RawBox joined the Nym Squad League, I decided to figure out what traffic looked like normally and with the mixnet enabled. And for the first time I demonstrated how NGN works using the example of a YouTube stream during the KEC & NYM Meetup.
https://www.youtube.com/live/J28eaj5fdqo?si=9cGgCk2Ow7kQwjg2&t=8884

Traffic analysis and application segmentation by modern next-gen firewalls was obvious, and mixnet operation made such analysis extremely difficult.

Based on these experiments, we agreed with Sudo in advance that this project would be supported and that RawBox could extend the traffic visualisation framework to real-world use cases and apps like blockchain explorers, Tor Browser traffic, wallet traffic, Bitcoin full node peer-to-peer block sync, VPN, and finally the mixnet.

Thus, I’m sharing my findings with you on how you can use open-source tools to continue your own research.

Below, you will find the agenda with the links to the video screencasts:

1. Clear net

1.1. Intro to the patterns
1.2. Software as a root cause of traffic patterns
1.3. Traffic analysis of Bitcoin blockchain explorer
1.3.1. Traffic filters
1.3.2. Sniffnet traffic overview
1.3.3. Firefox Developer Tools: Network
1.3.4. Wireshark I/O Graphs
1.3.5. Wireshark: metadata universe
1.3.6. Associating user with tx/wallet/amount/whatever
https://drive.proton.me/urls/1FM6RYMJ0G#Du3cwiPdOnPR
1.4. Traffic analysis of bitcoin transaction in Sparrow Wallet
1.4.1. Transaction selection in Wireshark I/O Graphs
1.4.2. Single bitcoin transaction. Zoom in. Crop
1.4.3. Repeating 3 times and extracting the pattern
1.4.4. Merge: Associating user’s location/IP with transaction
https://drive.proton.me/urls/SRQF57TFW0#P2zh8Abx5FKc
https://drive.proton.me/urls/NHT38GDG4C#plJY10GLuzYl
https://drive.proton.me/urls/RC36T2BZ80#LPjn7PVW1zYc
https://drive.proton.me/urls/SVG4NBH1Y8#XozeEGCSQtFE

1.5. Traffic analysis of Bitcoin Core full node
1.5.1. Syncing a few hundred bitcoin blocks (batch sync)
1.5.2. Traffic filter of one peer
1.5.3. Regular sync with selected peer
https://drive.proton.me/urls/TB34SA79PR#JdJajItsCw19

2. Tor Traffic analysis

2.1. Tor idle traffic (dummy?)
2.2. Duckduckgo: Tor standard traffic view
2.3. Duckduckgo: Tor .onion traffic view
2.4. Wireshark I/O Graphs: Tor doesn’t fix the issue with patterns
https://drive.proton.me/urls/P2SNDWZY6G#YruIBYnX1V8J

3. VPN (NymVPN Wireguard or ProtonVPN. Your choice)

3.1. Traffic analysis of Bitcoin blockchain explorer
3.2. Traffic analysis of bitcoin transaction in Sparrow Wallet
3.3. Traffic analysis of Bitcoin Core full node
https://drive.proton.me/urls/DBMXP802ZG#o9kBHt3Bsz5Q

4. Nym mixnet

4.1. Idle clear net traffic (in parallel: sniffnet & wireshark)
4.2. The moment of switching the mixnet mode ON
4.3. BTC explorer traffic
4.4. Sparrow wallet (failed due to a connection error).
For some reason the app couldn’t connect to mempool.space

4.5. Bitcoin Node sync. Download via the NymVPN. Keep syncing in mixnet mode
4.6. Experiments with disabling the mixnet, enabling 4K HDR video, and comparing its pattern with the web traffic and mixnet.
4.7. Dotted visualisation of the noise
https://drive.proton.me/urls/FB2XG1KJ20#afIFZIldw7Hj

5. Simple packet time and size pattern in excel sheet

Here I’d like to export the captured metadata of a bitcoin transaction to a .csv file and then plot it in another view, focusing on the timing and packet size.
https://drive.proton.me/urls/RC36T2BZ80#LPjn7PVW1zYc

In the same way, for the mixnet mode you may try to plot by yourself a statistical distribution of the packet delays and their size. I suggest you check for a flat discrete probability distribution.

Finally, section 5 should confirm that no pattern can be extracted by AI (ML) algorithms from “flat” noise traffic in mixnet mode.

6. The full data pack may be found here

https://drive.proton.me/urls/GWN5KB35R4#6Apg6Ytfwu2z

7. Bonus track: The sound of the network

Here you will find python scripts “as is” to filter the traffic and listen to your network.
The algorithm is simple:

  • capture the traffic stream with tshark
  • get the timing and packet size
  • play a sound for a few hundred milliseconds when a new packet arrives
  • sound tone (frequency) = packet size (frame length)

Examples:
https://youtu.be/bWkeg1MRsnM
https://youtu.be/ZfdWX2bS2e4
https://drive.proton.me/urls/NJ6A33114R#Ppln2QLjCWed

As a result of this small research I’d like to share my findings:

Finding 1:
The patterns are hardcoded in the software. Apps just follow the algorithm with predictable behaviour, no matter whether it is a browser app or a compiled one. When the algorithm touches the network, the app’s pattern can be detected.

Finding 2:
Now, the apps simply can’t change their behaviour on the fly (except for undefined behaviour bugs haha :rofl:). Thus, today the only way to get unpredictable (untrackable) behaviour at the app level is the integration of Nym directly into the app code (where it can be applied: tx, msg, emails, etc).

Finding 3: Looks like the mixnet packets have a normal probability distribution. Sometimes I saw outliers in the traffic that may be classified as anomalies to detect traffic patterns. Nym may try to experiment with making a “flat” traffic distribution?

Finding 4: Nym mixnet breaks the patterns

3 Likes
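As an added example (not one of the RawBox scripts), the Python below turns tshark field output into the timing/size columns of section 5 and the per-packet tones of section 7: one short tone per packet, with the pitch set by the frame length. The sample capture lines, the frame-length bounds and the frequency range are constructed assumptions.

```python
import math
import struct
import wave

# Constructed sample of `tshark -T fields -e frame.time_relative -e frame.len` output
SAMPLE_TSHARK = """\
0.000000\t66
0.003120\t1514
0.003450\t1514
0.004100\t66
0.250000\t590
"""

MIN_LEN, MAX_LEN = 60, 1514     # assumed Ethernet frame-length bounds
MIN_HZ, MAX_HZ = 200.0, 2000.0  # assumed audible range to map frame length onto

def parse_tshark(text):
    """Return [(time_s, frame_len)] from tab-separated tshark field output."""
    packets = []
    for line in text.splitlines():
        if line.strip():
            t, n = line.split("\t")
            packets.append((float(t), int(n)))
    return packets

def len_to_hz(frame_len):
    """Linear map: bigger frame -> higher pitch, clamped to the frame bounds."""
    clamped = max(MIN_LEN, min(MAX_LEN, frame_len))
    return MIN_HZ + (clamped - MIN_LEN) / (MAX_LEN - MIN_LEN) * (MAX_HZ - MIN_HZ)

def inter_arrival_ms(packets):
    """Delays between consecutive packets: the timing column of section 5."""
    return [(b[0] - a[0]) * 1000.0 for a, b in zip(packets, packets[1:])]

def write_tones(packets, path, ms_per_packet=100, rate=8000):
    """Write one sine tone per packet to a 16-bit mono WAV; return sample count."""
    n = int(rate * ms_per_packet / 1000)   # samples per tone
    frames = bytearray()
    for _, frame_len in packets:
        hz = len_to_hz(frame_len)
        for i in range(n):
            frames += struct.pack("<h", int(12000 * math.sin(2 * math.pi * hz * i / rate)))
    with wave.open(path, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(rate)
        w.writeframes(bytes(frames))
    return len(packets) * n
```

Feed it a real capture with `tshark -i <iface> -T fields -e frame.time_relative -e frame.len`, then compare the `inter_arrival_ms` histogram for clear-net and mixnet captures.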

You or someone should do a test on i2p, monero and torrenting, and those on i2p possibly, since it has a fair share of darknet traffic and offers at least a bit of traffic analysis protection.

Thank you for pointing that out. I will do this later and share the results.

1 Like