Carnivore FAQ (Frequently Asked Questions)
This document provides some answers (or sometimes just guesses) to common questions
posted about Carnivore.
Version 3, October 6, 2001
Author: Robert Graham
"They that give up essential liberty to obtain a little temporary safety deserve neither liberty
nor safety." -- Benjamin Franklin, 1759
1. What is Carnivore?
Carnivore helps the FBI conduct wiretaps on Internet connections.
The Red Pill: Carnivore is an FBI assistance program that helps ISPs overcome technical difficulties when complying with court orders. The FBI is not allowed to put Carnivore on the network unless the ISP claims it cannot (or will not) comply with the court order. The Internet is not run by the government, so the FBI can only place Carnivore boxes on the Internet with permission from an ISP (which rarely gives permission without a court order).
The Blue Pill: Carnivore is a sophisticated new wiretapping/eavesdropping program
that scans people's e-mail. There is a widespread
The FBI's story: "Carnivore is a computer-based system that is designed to allow the FBI, in cooperation with an Internet Service Provider (ISP), to comply with court orders requiring the collection of certain information about emails or other electronic communications to or from a specific user targeted in an investigation."
The FBI explains the origin of the codename: "Carnivore chews all the data on the
network, but it only actually eats the information authorized by a court order."
1.1. What is the Internet?
Studies have shown that more than half of the population believes that the Internet is
run by the United States government.
It isn't. There is no central control over the Internet.
Instead, the Internet is simply a collection of networks all connected together. There is no centralized point on the Internet where all the traffic can be monitored. When you connect to a website, your traffic goes through several Internet "carriers" known as
If the FBI wants to eavesdrop on some network traffic, it has to go to the ISP that carries that traffic and ask politely. The ISP will refuse unless the FBI has a court order forcing them to comply.
1.2. What does Carnivore intercept?
Carnivore is used in two ways: as a "content-wiretap" and a "trap-and-trace/pen-register". It is most often used in the second mode.
A telephone "content wiretap" is where law enforcement eavesdrops on the suspect's telephone calls, recording the oral communications on tape. Carnivore can do similar things for Internet communication:
- capture all e-mail messages to and from a specific user's account
- capture all the network traffic to and from a specific user or IP address
A less invasive style of wiretapping is the telephone "trap-and-trace," where police track the caller IDs of all inbound telephone calls. For example, if your child has been kidnapped, the FBI will put a trap-and-trace on your phone in hopes of discovering the telephone number of the kidnappers when they call you for ransom. There is a similar feature known as a "pen-register" that tracks all outbound telephone numbers dialed. If you are a suspected drug dealer, the FBI might perform a virtual stake-out where they put a trap-and-trace plus pen-register on your phone in order to discover everyone you call, and everyone who calls you. Similar functionality for the Internet consists of:
- capture all the e-mail headers (including e-mail addresses) going to and from an e-mail account, but not the actual contents (or Subject: line)
- list all the servers (web servers, FTP servers) that the suspect accesses, but don't capture the content of this communication
- track everyone who accesses a specific web page or FTP file
- track all web pages or FTP files that a suspect accesses
You'll notice that the trap-and-trace/pen-register functionality is mostly a subset of the content-wiretap interception. This is because the legal standards are more relaxed. A full content-wiretap can only be authorized by a federal district court judge, and only in cases of clear probable cause when certain crimes have been committed. The purpose of a full content-wiretap is to gather evidence to use during prosecution. In contrast, a pen-register can be authorized by lower judges. It is often used during the course of a criminal investigation in order to find out background information. This information is not considered "hard evidence" and may not stand up in court. Instead, it is often simply part of the background investigation.
Therefore, if the FBI suspects you of a crime for which you are using e-mail, they will do their best to get a court order to grab the full contents. If they cannot do that, they will back off and try to get a court order for all the e-mail addresses of people you correspond with (for example).
1.3. How does Carnivore intercept Internet communication?
Carnivore acts like a "packet sniffer". All Internet traffic is broken down into bundles
called "packets". Carnivore eavesdrops on these packets watching them go by, then
saves a copy of the packets it is interested in.
It is important to note that Carnivore is a passive wiretap. It does not interfere with communication. Some news reports falsely claim that Carnivore interposes itself into the stream, first grabbing data, then passing it along. Likewise, there are reports of Carnivore causing problems at ISPs. This is not due to Carnivore interfering with network communications, but deployment issues.
1.4. How often is Carnivore used?
The FBI claims that Carnivore has been used roughly 25 times leading up to August,
The FBI claims that they used Carnivore only 10% of the time for such court orders:
most of the time the ISP complies with the court order using their own facilities.
The FBI claims that the majority of cases have been for counter terrorism, though they
also mention hacking and drug trafficking.
The FBI claims that the majority of uses have been the "pen-register" mode of tracking
"From:" and "To:" headers, not in full capture of e-mails.
1.5. What does the Carnivore box consist of?
Each Carnivore box is likely to be slightly different. The FBI claims that the standard configuration looks something like:
- A COTS (Commercial Off The Shelf) Windows NT (or Windows 2000) box with 128 megabytes of RAM, a Pentium III, 4-18 gigabytes of disk space, and a 2G Jaz drive where evidence is written to.
- The software is written in C++.
- The box has no TCP/IP stack (so it cannot get hacked into from the net).
- A hardware authentication device is used to control access to the box (preventing ISP personnel from accessing the device without leaving visible signs of
- What they call a "network isolation device", which is probably a Shomiti or NetOptics tap. This prevents the box from transmitting even if a hacker were able to break in somehow.
- COTS "communications software", whatever that means. My guess is that this means that Carnivore is written as C++ plugins to the EtherPeek program.
- Some units are rumored to have dial-in modem ports, but it seems that the standard procedure is to have an FBI agent come in daily to exchange the Jaz disk for a fresh one.
2. What is the controversy surrounding Carnivore?
People are worried about the privacy implications of Carnivore. There are three main
- How (exactly) Carnivore works, and whether there are bugs that lead to privacy
- How Carnivore can be misused by law enforcement.
- The privacy debate of wiretaps in general, and the changing rules of the Internet in particular.
2.1. Does Carnivore contravene the Fourth Amendment?
The Fourth Amendment states:
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
Carnivore requires a warrant to be issued given "probable cause" clearly specifying who the suspect is (e.g. email address), what lines will be tapped, and what kind of information is being seized (e.g. emails). Furthermore, wiretaps like Carnivore are usually held to a higher standard. A warrant for the contents of your e-mail can only be issued by a Federal District judge or higher, whereas normal search warrants can be authorized by any judge.
For paranoids: At least for now, the government considers tapping your e-mail a serious thing and curtails most of the FBI's ability to read it. The NSA may be coordinating with the Brits to monitor your e-mail (such as in the rumored Echelon project), but the FBI probably isn't.
2.2. Does Carnivore suck up mail from unintended targets?
There is a huge controversy over this issue because the FBI refuses to disclose how Carnivore works (see below). It is technically possible to write a system in a robust manner that won't capture data from innocent people. However, industry practice has been to take short-cuts in sniffing devices. If the FBI follows industry practice, then there are several cases whereby they may capture unintended data a small percentage of the time.
A spokesman from the EFF has made the claim on national TV that it would be impossible for Carnivore to focus on a single person without capturing data from everybody else. The EFF claim was that even experts in AI (Artificial Intelligence) would not be able to build such a system. Like many people, the spokesman was thinking of the program from the wrong perspective. While the content of e-mail messages would be impossible to scan, the "envelopes" of messages are highly "structured" and easy to scan. For example, your own e-mail program clearly shows the "From:" and "To:" fields from the e-mail envelope; Carnivore grabs these in exactly the same manner.
Note that according to U.S. law, a judge would not grant a court order unless the FBI
was able to demonstrate that Carnivore "minimizes" the data collected.
2.3. Does Carnivore do content-searching, such as sniffing e-mails that contain the word "plutonium"?
No. Carnivore does not "search" Internet traffic; it instead "decodes" the traffic looking
for addresses, and collects only the data that matches the addresses it is looking for.
There is more to it than that. Content-searching would be illegal. A judge would never give a court order that would allow content-searching. The FBI may have other systems for illegally searching content. They may also illegally deploy their content-searching system along with Carnivore when they have a court order. However, since "Carnivore" is the name of the system that complies with court orders, then by definition, Carnivore does not do content-searching.
Note, however, that Carnivore does have the built-in capability to do content searches. This content-searching system was designed for the legal purpose of gathering web-based e-mail, but it could be subverted to search for any pattern. In other words, while it wasn't designed for content-searching, and the FBI does not intend to use Carnivore for content-searching, it does have the built-in ability to do this. When asked if Carnivore could do content-searches, the FBI lied to the public and said "no".
2.4. Is Carnivore a network of black-boxes deployed throughout the Internet? Is Carnivore an unrestrained wiretap of the entire Internet?
No. This type of widespread monitoring is not allowed by law.
To install a Carnivore box, the FBI must have a court order specifying exactly what is to be monitored (e.g. email contents), for exactly whom monitoring will take place (e.g. email address), and is limited in how long the box may be in place. Furthermore, the ISP does not have to accept a Carnivore box if they can satisfy the search warrant using their own means. Carnivore is only used when the ISP cannot satisfy the search
As of August 2000, the FBI had roughly only 20 Carnivore boxes. These boxes are stored in Quantico, Virginia. They are only used in specific cases under court order. The courts do not allow any one box to be in place for more than a month or two. Furthermore, these boxes are rarely placed on ISP backbones, but usually close to the servers they are designed to monitor.
For paranoids: This is not a satisfactory answer for paranoids who believe that government does not follow its own laws, so let me phrase it another way: if the government is doing widespread monitoring (such as the rumored Echelon program), it isn't doing it with Carnivore. Carnivore is not made for widespread monitoring, and is instead designed for only "surgical" wiretaps. Carnivore is widely publicized and many ISP engineers have direct experience with Carnivore (and know where the boxes are placed); Echelon is much more secretive. In other words, the government may have black-boxes deployed throughout the network, but they aren't Carnivore black-boxes.
2.5. Will Carnivore corrupt e-mails or otherwise misrepresent them?
This is what makes Carnivore different from other e-mail monitoring products. There
are numerous products that can monitor e-mails in a manner similar to Carnivore (I
wrote one back in 1991), but they have the problem that they may incorrectly capture
the e-mail messages. Fragments of e-mail can be lost, or fragments from other e-mails
could accidentally be inserted.
This is why the FBI insisted that they use Carnivore instead of these other products.
An e-mail message captured by Carnivore will not hold up in court unless the FBI can
prove that the message was captured without corruption.
In order to accomplish this goal, Carnivore works as a raw packet sniffer. Unlike other e-mail monitoring products, it does not capture the messages, but instead captures the raw Internet traffic that was used to transfer the e-mail. This Internet traffic contains "checksums" and "sequence numbers". A checksum makes sure that traffic hasn't been corrupted, and a sequence number means that you can prove that you captured the entire message without any fragments from other e-mail messages. It doesn't prevent corruption, but clearly points out any corruption that may have occurred. If there are no bad checksums or missing sequence numbers, then you can prove in a court of law that no corruption has taken place.
2.6. Is Carnivore permanently located at the ISP?
It is unlikely to be in place for more than a month. There are strict government regulations on the use of wiretaps. The most demanding requirement is that they must be renewed every 30 days. This means that 30 days after getting the first court order, the FBI must go back to the judge and ask for an extension. This applies to all wiretaps. About half of all wiretaps do not get extensions.
The FBI claims that the longest a Carnivore unit has been in place was 45 days.
2.7. Why doesn't the FBI release source code?
The FBI makes the following justifications as to why they don't release source code:
- They say that hackers will find ways around it.
- They claim that part of the code is commercially licensed (i.e. they are contractually forbidden from releasing it).
- Title 18 section 2512 of the United States Code prohibits possession/distribution of devices designed to surreptitiously eavesdrop on other
Industry experts don't believe these arguments:
- Hackers already know how to find ways around Carnivore (e.g. PGP, anonymous remailers, anonymizing services, etc.). Experts think the real reason is that the code has not gone through a security audit and that hackers can easily attack Carnivore and bring it down. Experts believe that the only way to harden code against hacker attacks is to open it up to peer review.
- The fact that key portions are licensed from commercial vendors rather than created by the FBI demonstrates that the FBI does not know how to create such code in the first place. This hints at severe weaknesses within the program that can lead to privacy violations (such as using the same short-cuts prevalent in network sniffers).
- Sniffers and network monitoring products are pervasive throughout the industry. Carnivore is less capable than many programs people already have installed on their desktops. Carnivore would indeed be a useful e-mail backup tool.
The FBI makes the statement in their RFP: "The Department recognizes that the Carnivore system is subject to certain inherent design limitations that preclude its use in certain situations. Those limitations will be identified to the Contractor [reviewing the system], but for obvious reasons will not be made public." Experts don't understand what obvious reasons the FBI could be talking about.
2.8. Is the FBI forthcoming on basic details?
No (experts think not).
The FBI claims that it has been forthcoming on basic details of the program. Many experts disagree, blaming the FBI for creating an environment of fear and mistrust.
Even though it won't disclose the source code to Carnivore, it could disclose a lot more about it. For example, the FBI could run Carnivore in a test lab through all permutations (e-mail content, e-mail headers, IP packets, RADIUS logon, etc.) and disclose the evidence gathered along with original tracefiles. This would clearly demonstrate the capabilities of Carnivore without exposing the advanced details that they want to
2.9. Can email be forged, introducing false evidence?
Yes, easily (you can do this yourself). You can simply reconfigure your own email system to use somebody else's email address. This won't allow you to read their email, but will certainly allow you to impersonate them when sending email out.
Another common problem is through the use of "Trojan Horses". This would allow a hacker to not only forge an email, but to make it come from that person's IP address as well. Currently, this fools the FBI as well as courts. For example, Fred Modolvski was convicted of posting a fraudulent press release from his machine; he claims that a hacker broke into his machine and sent the message. Currently, no defendant has yet successfully used this "hacker defense"; it would be quite easy for hackers to
3. What laws allow Carnivore?
1968 Title III of the Omnibus Crime Control and Safe Streets Act
Commonly known simply as "Title III"; this law makes wiretapping legal.
1986 ECPA (Electronic Communications Privacy Act)
Commonly pronounced Ecpa (ek-pah). This law was designed to clarify how existing
wiretap laws apply to cyberspace, but at the same time sets boundaries on how much
the government can invade our on-line privacy.
1986 Computer Fraud and Abuse Act
Makes breaking into federal computers and trafficking in stolen passwords felonies.
Requires telephone "carriers" (including ISPs) to help with investigations. A court order
usually comes in two parts: one authorizing the FBI to sniff, the other obligating the
ISP to help out. Because of this law, all digital telephony equipment now contains
"wiretap" ports for telephone wiretapping.
1998 roving wiretap
Allows the FBI to tap lots of people's communication as long as it only keeps records of the suspect's communications. In other words, Carnivore can be placed on a backbone that listens to thousands of people's e-mails as long as it only remembers e-mails for the specific suspect.
3.1. What are "pen-registers" and "trap-and-traces"?
A pen-register is a device the FBI might put on your phone line in order to record every telephone number you dial. A trap-and-trace is a different kind of device that records the caller-ID of everyone who dials you. Remember the movies when the suspect calls in, and the FBI says "keep him on the line" so they can trace him? That is a trap-and-trace.
These two items are frequently used as a sort of electronic "stake-out". Because they only reveal the numbers called, the date/time, and potentially the length of the call, they aren't as intrusive into privacy as a full wiretap. Therefore, the legal standards necessary to obtain a court order for them are significantly reduced.
Judges will grant pen-register court orders for investigations. According to the FBI, Carnivore is used more often for pen-register style monitoring for investigation purposes. However, in order to monitor the full contents of e-mail messages, law enforcement needs to show the judge compelling evidence that you have committed the crime. In other words, the investigation phase is over; they are now looking for proof in order to convict.
3.2. What is a "court order"?
FBI agents must go to a judge and get them to authorize use of Carnivore. The court
- who the suspect is
- account information (i.e. the exact e-mail address)
- what crime they are suspected of
- what is going to be tapped (i.e. which wire, etc.)
The judge then authorizes the search warrant. At the same time, the judge will create
a court order demanding that the ISP comply with the FBI.
Full content-wiretaps may only be used for certain felonies (e.g. terrorism, drug trafficking, kidnapping). They may only be issued by a Federal District Judge, not any old judge. They may only be granted to FBI agents. They may only be used to gather hard evidence, not for background reconnaissance.
3.3. I thought computer records are regarded as "hearsay"?
They can be in many circumstances, but not always.
According to the Federal Rules of Evidence, business records (including computer
records) are considered "hearsay" (and not admissible in court) because there is no
firsthand proof that they are accurate, reliable, or trustworthy. There are exceptions to
this rule when you can demonstrate accuracy, reliability, and trustworthiness.
For example, the FBI cannot simply capture a single e-mail and claim it as evidence. Instead, Carnivore must be running all the time (for a week, month, etc.). All of the e-mails captured during that time must be maintained. The FBI cannot simply take one e-mail from this set and use it as evidence; they must instead present to the court all e-mails captured during this time. If one e-mail says "let's bomb the World Trade Center", but the next e-mail says "I was only joking", then the FBI must present both to the defense team. Defense lawyers will themselves study the records in order to find ex-
Second, the captured data must be "authenticated" according to rule 901 of the Federal Rules of Evidence. The FBI agents that put Carnivore into the ISP and lock it down will need to document everything they did. The FBI does not simply give Carnivore to an ISP engineer and have them install it, because the ISP engineer is not necessarily a qualified witness. In cases where the ISP gathers the information without Carnivore, they must carefully document what they do.
Third, Carnivore must meet the "best evidence" rule. ISPs are usually able to create
copies of e-mail directly from their servers. These copies have a higher integrity than
e-mails sniffed from the wire (Carnivore might miss a packet, and therefore leave a
gaping hole in the e-mail). Therefore, the FBI can only use Carnivore when the ISP is
not willing or is unable to copy the e-mail from their servers.
3.4. What is "chain of possession"?
As part of the Rules of Evidence, all evidence must be "sealed" in a tamper-proof manner. Carnivore uses a Jaz drive for this. As soon as the Jaz disk is removed from the machine, it is immediately sealed in a bag, and the outside is marked with who (the FBI agent) sealed it and the date/time. From then on, anybody who opens that seal must likewise sign the form and clearly document what they did with the evidence. The evidence must not be altered (except in certain cases).
This is one of the reasons that the FBI cannot put a TCP/IP stack on the box. They cannot risk the defense team using this as an excuse as to why the evidence might be
3.5. What is "minimization"?
The laws state that the FBI must be very careful to minimize how much it inadvertently eavesdrops on. Agents must be very careful to monitor only the information authorized by the court order, and nothing more. For example, if they are wiretapping the telephone of the father of a family, then if a kid dials out, they must immediately turn off the recording machines. For telephones, this requires an FBI agent who constantly listens on the line monitoring for such things.
This means that the FBI is not allowed to listen for any emails containing the word "plutonium", because it would inadvertently capture messages from innocent people. Instead, they must prove to a judge that they can tap into only the traffic for the specific suspect; i.e. they must give the judge the exact e-mail address they are going to
FBI agents are very paranoid about this. If extra stuff leaks into their recordings, they
must carefully discard it. Also, if a lot of stuff has leaked in, then the defense attorneys
will "move to suppress" the evidence claiming proper procedure was not followed.
Remember, the FBI has to prove a legitimate reason to the judge in order to get a
court order, but also must be careful when they get the evidence that it won't be
thrown out of court. This is especially important because full content-wiretaps are only
obtained in order to get hard evidence that will indeed be used in court.
Note that full content-wiretaps have been used in this discussion; pen-register style wiretaps are a little more lenient because they do not record the full contents of a conversation, only the parties doing the conversing.
3.6. What prevents Carnivore from being used illegally?
The exclusionary rule. This principle in U.S. law states that evidence seized by police
in violation of constitutional protection from unreasonable search and seizure may not
be used against a criminal defendant at trial.
There are some problems with this rule. The first is that exceptions are allowed when evidence is obtained in "good faith" with a search warrant that is later ruled invalid. This means if FBI agents can convince a judge to grant an invalid search warrant, the evidence is still admissible in court. This is a problem because there are subtle privacy issues here that confuse even technologists (and judges are notoriously computer illiterate).
For example, a "pen-register" wiretap should only be able to grab the equivalent of call-records, such as the timestamp when the e-mail was sent, the size of the e-mail, and the from/to e-mail addresses. Most technologists would therefore claim that Carnivore should restrict itself to the SMTP "envelope". However, the FBI designed Carnivore to dig deeper into the e-mail headers, grabbing much more information. The FBI is clearly willing to overstep their bounds hoping that they can justify their excessive monitoring under such provisions as the "good faith" provision.
The second problem with the exclusionary rule is that it only applies to cases where the FBI intends to present evidence at trial. In the aftermath of the 9/11/2001 terrorist attacks, the FBI deployed Carnivore widely in order to tap into e-mails. They had no intention of using the information in trial, so they had no restraints on abuses.
4. What are the in-depth technical details of Carnivore?
4.1. Is Carnivore a sophisticated new technology?
Carnivore is often portrayed in the press as something extremely technologically sophisticated and clever. It isn't. It is technologically behind exis.
For example, one news article claims that when the FBI unveiled Carnivore, it "astonished industry specialists". It didn't. There are numerous products on the market significantly more advanced than Carnivore.
The author of this FAQ wrote an e-mail sniffing program identical to Carnivore 9 years ago. Carnivore has a couple of things that are unique to it (capturing e-mail packets rather than messages, RADIUS monitoring), but these aren't necessarily sophisticated. The author of this FAQ wrote "Altivore" that is an exact duplicate of Carnivore in
4.2. IP sniffing
Reportedly, the FBI has used Carnivore in a mode they call "Omnivore": capturing all the traffic to/from the specified IP address. (Remember, a court order has to specify exactly who is being monitored; the FBI is outlawed from monitoring everybody.) Reportedly, they used the AG Group's EtherPeek for this purpose. This is one of only a few packet sniffers that can accept an IP address as a capture filter, then write in real time (with no lost packets) directly to the disk.
There are numerous products that can fulfill these types of requirements. The easiest is the freeware program known as TCPDUMP, which is available for both Windows and UNIX. If the court order specifies a full capture for the IP address of 192.0.2.189, the command would simply be:
tcpdump -w tracefile.tcp host 192.0.2.189
You can even build your own Carnivore. The popular personal firewall from ISS (Internet Security Systems) called "BlackICE Defender" has a feature called "Packet Logging". It will monitor all traffic to and from your own machine and save it directly to disk just like Carnivore. You can use this feature if you think you are under attack (though there are limits to its admissibility in court). The popular freeware utility known as "Ethereal" can then be used to display the contents of this data.
IP sniffing may also be done in a pen-register mode. Many packet sniffers could be used for this capability. The desired IP address would be specified in a "capture filter", then the "slice/snap" length would be set to 54 bytes (14 bytes of Ethernet header, 20 of IP header and 20 of TCP header). This would capture all the TCP/IP "headers", but not the content. The raw data would be saved live to a file. Again, using TCPDUMP as an example (the -s option must come before the filter expression):
tcpdump -s 54 -w tracefile.tcp host 192.0.2.189
However, I suspect that this is overstepping the bounds of the law, collecting more information than the warrant allows. In order to align it more closely with a traditional pen-register, it would need to capture a lot less information. It would monitor the wire and create a record that looks like the following:
- IP address of initiator
- IP address of the receiver
- Time when conversation started
- Duration of conversation
This would require more complex programming within the system.
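The record layout just described, worked through on constructed packets, as an added example that is not Carnivore's own code: the initiator is whoever sent the bare SYN, the conversation ends at the first FIN or RST, and packets not involving the suspect's address (the 192.0.2.189 placeholder from the text) are dropped without being logged.

```python
"""Added example, not Carnivore's code: pen-register style records
(initiator IP, receiver IP, start time, duration) built from packets on the
wire. All packets below are constructed; no payload is ever retained."""
from dataclasses import dataclass

SUSPECT = "192.0.2.189"   # address named in the hypothetical court order


@dataclass(frozen=True)
class Packet:
    ts: float      # capture time, seconds since the epoch
    src: str
    dst: str
    sport: int
    dport: int
    flags: str     # TCP flags present: S=SYN, A=ACK, F=FIN, R=RST


def pen_register(packets, suspect):
    """Return one (initiator, receiver, start, duration) tuple per TCP
    conversation involving `suspect`. Duration is None for a conversation
    still open when the capture ended. Packets that do not involve the
    suspect are discarded unrecorded (the minimization requirement)."""
    open_conv = {}
    records = []
    for p in sorted(packets, key=lambda p: p.ts):
        if suspect not in (p.src, p.dst):
            continue
        # the same key for both directions of one conversation
        key = frozenset({(p.src, p.sport), (p.dst, p.dport)})
        if "S" in p.flags and "A" not in p.flags:        # bare SYN: new conversation
            open_conv[key] = (p.src, p.dst, p.ts)
        elif key in open_conv and ("F" in p.flags or "R" in p.flags):
            initiator, receiver, start = open_conv.pop(key)
            records.append((initiator, receiver, start, round(p.ts - start, 3)))
    for initiator, receiver, start in open_conv.values():
        records.append((initiator, receiver, start, None))
    return records


# Constructed traffic: two closed conversations of the suspect, one unrelated
# conversation between third parties, and one conversation left open.
SAMPLE_PACKETS = [
    Packet(100.00, SUSPECT, "203.0.113.10", 40000, 80, "S"),
    Packet(100.05, "203.0.113.10", SUSPECT, 80, 40000, "SA"),
    Packet(100.10, SUSPECT, "203.0.113.10", 40000, 80, "A"),
    Packet(100.20, "198.51.100.7", "198.51.100.8", 5000, 80, "S"),   # not the suspect
    Packet(130.50, SUSPECT, "203.0.113.10", 40000, 80, "FA"),
    Packet(200.00, "203.0.113.20", SUSPECT, 51000, 22, "S"),        # inbound to suspect
    Packet(200.05, SUSPECT, "203.0.113.20", 22, 51000, "SA"),
    Packet(260.00, "203.0.113.20", SUSPECT, 51000, 22, "R"),
    Packet(300.00, SUSPECT, "203.0.113.10", 40001, 25, "S"),        # never closed
]

if __name__ == "__main__":
    for rec in pen_register(SAMPLE_PACKETS, SUSPECT):
        print(rec)
```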
4.3. RADIUS and DHCP triggering
In the case of dial-up connections, the suspect has no fixed IP address. Therefore, Carnivore has to sniff the RADIUS logon/authentication packets in order to discover the IP address in use. This is probably the only feature unique to Carnivore: the ability to track dialup users.
However, ISPs can still comply with court ordered wiretaps of dial-up users without Carnivore. They can often hard-code configuration information within their authentication systems that reserves a special IP address for the suspect's account. At this point, the tcpdump described above can be used in order to sniff the suspect's traffic.
The same sort of issue applies to DHCP. Whereas RADIUS is often used to assign IP addresses for dial-up users, DHCP is used for high-speed users (cable-modems, DSL, company networks).
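The RADIUS triggering described above, as an added example that is not Carnivore's code. The packet layout is from RFC 2865 (Code, Identifier, Length, Authenticator, then Type/Length/Value attributes): the NAS's Access-Request carries User-Name (type 1), and the server's Access-Accept, matched by Identifier, carries Framed-IP-Address (type 8). All packets are constructed, the NAS and server addresses are placeholders, and the authenticator is zeroed, which a real server would never do.

```python
"""Added example, not Carnivore's code: learning a dial-up suspect's IP address
from sniffed RADIUS logon traffic by correlating Access-Request and
Access-Accept packets (RFC 2865). All packets here are constructed."""
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, FRAMED_IP_ADDRESS = 1, 8


def build_radius(code, ident, attrs):
    """Serialize a RADIUS packet (constructed test data only)."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    authenticator = bytes(16)          # zeroed; a real one is MD5/random
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_radius(pkt):
    """Return (code, identifier, [(type, value), ...]); reject malformed input."""
    if len(pkt) < 20:
        raise ValueError("truncated RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("length field does not match packet")
    attrs, off = [], 20
    while off < length:
        if off + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = pkt[off], pkt[off + 1]
        if alen < 2 or off + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, pkt[off + 2:off + alen]))
        off += alen
    return code, ident, attrs


class RadiusTrigger:
    """Tracks Access-Requests by (NAS address, Identifier) and reports the
    Framed-IP-Address handed to the suspect's account on Access-Accept."""

    def __init__(self, suspect_user):
        self.suspect_user = suspect_user
        self.pending = {}   # (nas_ip, identifier) -> user name

    def feed(self, src_ip, dst_ip, payload):
        """Feed one sniffed UDP payload; returns the suspect's IP once learned."""
        code, ident, attrs = parse_radius(payload)
        a = dict(attrs)
        if code == ACCESS_REQUEST and USER_NAME in a:
            self.pending[(src_ip, ident)] = a[USER_NAME].decode("utf-8", "replace")
        elif code == ACCESS_ACCEPT:
            user = self.pending.pop((dst_ip, ident), None)   # reply goes to the NAS
            if user == self.suspect_user and FRAMED_IP_ADDRESS in a:
                return socket.inet_ntoa(a[FRAMED_IP_ADDRESS])
        return None


def demo():
    """Two logons on a constructed NAS/server pair; only the suspect's triggers."""
    nas, server = "192.0.2.1", "192.0.2.2"   # placeholder addresses
    trig = RadiusTrigger("suspect")
    ip4 = socket.inet_aton
    return [
        trig.feed(nas, server, build_radius(ACCESS_REQUEST, 7, [(USER_NAME, b"alice")])),
        trig.feed(server, nas, build_radius(ACCESS_ACCEPT, 7, [(FRAMED_IP_ADDRESS, ip4("10.0.0.5"))])),
        trig.feed(nas, server, build_radius(ACCESS_REQUEST, 8, [(USER_NAME, b"suspect")])),
        trig.feed(server, nas, build_radius(ACCESS_ACCEPT, 8, [(FRAMED_IP_ADDRESS, ip4("10.0.0.9"))])),
    ]


if __name__ == "__main__":
    print(demo())   # [None, None, None, '10.0.0.9']
```

The address returned by the trigger is what would then be fed into the tcpdump host filter shown earlier.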
4.4. How does Carnivore sniff e-mail messages?
The SMTP protocol (the system for exchanging e-mail) looks something like the following:
<-- 220 mx.altivore.com SMTP server.
>>> HELO mx.example.com
<-- 250 mx.altivore.com Hello [192.0.2.183], pleased to meet you
>>> MAIL FROM: <email@example.com>
<-- 250 <firstname.lastname@example.org> … Sender ok
>>> RCPT TO: <email@example.com>
<-- 250 <firstname.lastname@example.org>
<-- 354 Start mail input; end with <CRLF>.<CRLF>
<-- 250 Queued mail for delivery
<-- 221 mx.altivore.com closing connection
What you are seeing here is an exchange of data between two mail exchangers. One exchanger contacts the other in order to forward e-mail to it. Carnivore listens in on them surreptitiously. They start with a few greetings, and then get down to business. The exchanger that initiated the connection first transmits the "envelope" containing the MAIL FROM and RCPT TO fields, and then sends the "message". The message is terminated by a blank line containing a single dot.
The message itself contains "headers" and a "body". These aren't shown in the diagram. One of the big questions about Carnivore is whether it tracks just the SMTP "envelope", or whether it looks within the RFC822 "body". The following is a sample e-mail message that would be transferred over this connection:
From: "Alice Cooper"
To: "Bob D Graham"
Date: Thu, 7 Sep 2000 15:51:24 -0700
X-Priority: 3 (Normal)
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600
How is the plutonium shipment coming? I need it by Friday.
The logic is quite simple. If the court order specifies the suspect's e-mail account as
"email@example.com", then Carnivore triggers when it sees that address in the SMTP
envelope, and starts capturing the e-mail message until it sees the end. Some court
orders might limit this to only the headers rather than the content. In this case,
Carnivore has to stop capturing at the first blank line. Furthermore, Carnivore has to
remove the "Subject:" header because that is also considered "content" by the courts.
There are several products on the market that can capture e-mails in a similar fashion.
One of the important differences with Carnivore is that it doesn't record the e-mail
messages themselves, but instead captures the raw packets that carry the e-mails. In
this fashion, it has a solid history of checksums and TCP sequence numbers that
clearly show missing fragments or inadvertently captured fragments. This is extremely
important in order to validate the authenticity of the data.
A pen-register mode can also be used. The MAIL FROM and RCPT TO addresses
can be logged to a file whenever either of them matches the suspect's address. The
log entry would look like:
MAIL FROM address
RCPT TO address
Email message length
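The trigger-and-capture logic described in this section, as an added example in Python (not the FBI's code, and not code from this FAQ's author); the SMTP session, addresses, headers and message it runs over are constructed for the example.

```python
"""Added example (not FBI code): the SMTP filtering logic of section 4.4.
Trigger when the court-ordered address appears in the SMTP envelope, then
record the full message, only the headers (stop at the first blank line and
drop Subject:, which the courts treat as content), or a pen-register entry
(envelope addresses and message length). All addresses are constructed."""
import re
from dataclasses import dataclass, field

ADDR_RE = re.compile(r"<([^>]+)>")


@dataclass
class Envelope:
    mail_from: str = ""
    rcpt_to: list = field(default_factory=list)
    lines: list = field(default_factory=list)  # message lines between DATA and "."
    length: int = 0                             # message bytes as sent on the wire


def parse_session(session_lines):
    """Walk the client side of one SMTP session and collect envelope + message."""
    env, in_data = Envelope(), False
    for line in session_lines:
        if in_data:
            if line == ".":                     # lone dot terminates the message
                in_data = False
            else:
                env.lines.append(line)
                env.length += len(line) + 2     # count the CRLF on the wire
        elif line.upper().startswith("MAIL FROM:"):
            env.mail_from = ADDR_RE.search(line).group(1).lower()
        elif line.upper().startswith("RCPT TO:"):
            env.rcpt_to.append(ADDR_RE.search(line).group(1).lower())
        elif line.upper() == "DATA":
            in_data = True
    return env


def carnivore_filter(session_lines, target, mode="full"):
    """mode is 'pen', 'headers' or 'full' (anything else is treated as full).
    Returns None when the target address is absent from the envelope."""
    env, target = parse_session(session_lines), target.lower()
    if target != env.mail_from and target not in env.rcpt_to:
        return None                             # not covered by the court order
    record = {"mail_from": env.mail_from, "rcpt_to": env.rcpt_to}
    if mode == "pen":
        record["length"] = env.length
    elif mode == "headers":
        headers = []
        for line in env.lines:
            if line == "":                      # first blank line ends the headers
                break
            if not line.lower().startswith("subject:"):
                headers.append(line)            # Subject: is content, so dropped
        record["headers"] = headers
    else:
        record["message"] = env.lines
    return record


# Constructed client side of an exchange like the one shown above.
SESSION = [
    "HELO mx.example.com",
    "MAIL FROM: <alice@example.com>",
    "RCPT TO: <bob@example.org>",
    "DATA",
    'From: "Alice Cooper" <alice@example.com>',
    'To: "Bob D Graham" <bob@example.org>',
    "Subject: shipment",
    "Date: Thu, 7 Sep 2000 15:51:24 -0700",
    "",
    "How is the plutonium shipment coming? I need it by Friday.",
    ".",
    "QUIT",
]

if __name__ == "__main__":
    for mode in ("pen", "headers", "full"):
        print(mode, carnivore_filter(SESSION, "bob@example.org", mode))
    print("no match:", carnivore_filter(SESSION, "carol@example.net"))
```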
4.5. HTTP and FTP
In the sample scenarios described by the FBI, they describe cases where they want to
track all the websites accessed by the suspect. The way they do that is to filter for any
packet from the suspect to port 80 (meaning HTTP), and record the IP address. This
may be complicated by having to parse RADIUS, as described above.
4.6. HTTP, FTP, and NNTP
One of the claims I've read in the news is that Carnivore does something with HTTP
more than monitoring IP addresses of the sites. I think the news reporters were
confused, but there are some things the FBI could do with sniffing technology.
One technique would be to do a "trap-and-trace" on a webpage. For example, the FBI
could put a sniffing device next to the server hosting this webpage, then monitor
everyone who accesses just this one page on the site. Similar techniques could be used
for monitoring users of certain FTP files.
NNTP (Usenet news) can be a little more interesting. The FBI can do trap-and-trace on
specific newsgroups. Web-pages are actually fairly well controlled (little bad stuff) and
innocent people often find themselves unintentionally at web-pages due to search
engines. However, Usenet is less regulated and there are areas frequented by persistent
cybercriminals. The various hacking newsgroups come to mind.
There are rumors that Carnivore was used to capture IRC traffic. I'm not quite sure
what that means – if the FBI wanted to tune into IRC chatrooms, they could simply use
any number of programs that simply log onto the chatrooms and record all the
contents. Indeed, the FBI probably records the full contents of the most popular hacker
IRC chatrooms. The reason is that this isn't "wiretapping" -- it is simply recording data
that is publicly visible. You don't need to be at the ISP to do this, but can monitor
chatrooms from anywhere on the net.
Note that IRC supports generic handles rather than fixed account names. People can
(and often do) masquerade as others. When the FBI monitors IRC, they want to track
it back to the IP address that originated the content.
4.8. Does Carnivore drop packets?
This is a frequent question for sniffers like Carnivore: what are the traffic-rates they
can handle before they get overloaded and start "dropping" traffic?
The sniffing component within Carnivore is well known in the industry to drop packets
at fairly low traffic rates. However, Carnivore is frequently used in a "surgical" manner.
It is placed on the "edge" of the Internet (where traffic levels are low) rather than on
the "core" (where traffic levels are high). If monitoring e-mail, it can be placed next to
the e-mail server sniffing only its traffic. This greatly reduces the traffic load that it taps.
Note that the author of this FAQ has built a sniffing system that can handle a full
gigabit of traffic, which makes it at least 20 times faster than Carnivore.
4.9. Is Carnivore based upon Etherpeek?
EtherPeek was certainly used originally for investigative work by the FBI. It probably is
what the FBI called "Omnivore". They would obtain court orders for all traffic to/from an
IP address and save it directly to evidence files. EtherPeek supports this feature well
whereas other commercial sniffers don't do this as well.
However, the FBI found EtherPeek too limiting, and created their own product based
upon the sniffing subsystem created by PCAUSA (http://www.pcausa.com).
5. How can I defend myself against Carnivore?
5.1. Forge E-mail sender
Remember that Carnivore needs to match your e-mail address against the From and
To fields it sees in the e-mail envelope.
Therefore, one easy solution is to lie. When sending e-mail, simply change your name.
Since Carnivore will never see your e-mail address go across the wire, it cannot
capture the e-mail nor record the fact that it was even sent.
This is different for every e-mail system, so it will require some effort on your part to
learn how this can be done. There are a number of problems here. For example, the
recipient won't be able to hit the "reply" button in order to respond to your e-mail. You
might be able to correctly use the "Reply-To" field in order to fix this (Carnivore likely
doesn't monitor the Reply-To field).
Remember that this only prevents Carnivore from seeing your outgoing e-mail; it
doesn't hide incoming e-mail from detection. If you want to hide that, you need to use
something like an anonymous remailer (as described below).
5.2. E-mail Encryption
The easiest way to defend yourself against people eavesdropping on you is to
"encrypt" your e-mail.
There are many encryption products available that will encrypt your e-mail. All of them
are strong enough to prevent law enforcement from decrypting your e-mail – when
used properly. This is the key point to remember: the chief reason that law
enforcement is able to decrypt a suspect's data is because the software wasn't used
correctly. Unless you are willing to learn about how to use products correctly and pay
attention to the encryption process, it is unlikely that you can use encryption
successfully to defend yourself.
Even if you use encryption properly, there are still methods that law enforcement can
use to defeat it. The easiest way is when law-enforcement forces the suspect to reveal
his or her keys. It is currently the law in the United Kingdom that citizens must reveal
their encryption keys to law enforcement whenever they ask. Even in the United
States, citizens must reveal their keys when required by a court order. (I.e. in some
countries, you must reveal your keys to the police, in others, you must reveal your
keys to the court).
In the year 2000, the FBI secretly entered the office of Nicodemo Scarfo (a suspected
Mafioso) and installed a "key logger" (logged all keystrokes typed by Scarfo). This
allowed the FBI to capture his passwords, which then enabled them to decrypt his e-mail.
5.3. Anonymous Remailers
A popular tool among "cypherpunks" is a system known as an "anonymous remailer".
This is a system that forwards e-mail traffic in such a way as to make it untraceable by
The most effective remailers use encryption. An e-mail message will be encrypted
multiple times. It is sent to the first remailer, which decrypts the message once in order
to discover the name of the next remailer along its path. The remainder of the
message is still encrypted so that only the next hop can decrypt it.
The e-mail travels from hop to hop until it reaches its destination, who then decrypts it
the last time in order to recover the original message.
This process defeats not only full-content wiretaps but also pen-register style wiretaps.
A Carnivore system located near the sender can only discover that the suspect is
sending e-mail to a remailer, but cannot discover who the destination is. Likewise, a
Carnivore wiretap located at the recipient can only discover that a message was
received from a remailer, but not who originally sent the e-mail.
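The hop-by-hop layering just described, as an added Python example rather than code from any real remailer: it assumes a toy SHA-256 counter-mode keystream in place of real encryption (so it runs offline; it is not a secure cipher) and constructed remailer names, keys and message, and it also returns the (from, to) pairs a pen-register at each link could see.

```python
"""Added example (not any real remailer's code) of the layered encryption
described in 5.3. A SHA-256 counter-mode keystream stands in for a real
cipher so the example runs offline; it is NOT a secure construction.
Remailer names, keys and the message are constructed."""
import hashlib
import json


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with SHA-256(key || counter) blocks."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def build_onion(keys, route, dest, message):
    """Sender wraps the message once per hop, innermost layer first, so each
    remailer can strip only its own layer and learn only the next hop."""
    blob = keystream_xor(keys[dest], message)         # readable by dest only
    hops = route + [dest]
    for hop, nxt in reversed(list(zip(route, hops[1:]))):
        layer = json.dumps({"next": nxt, "payload": blob.hex()}).encode()
        blob = keystream_xor(keys[hop], layer)
    return route[0], blob


def remailer_peel(key, blob):
    """One hop removes one layer; it sees only the next address."""
    layer = json.loads(keystream_xor(key, blob))
    return layer["next"], bytes.fromhex(layer["payload"])


def deliver(keys, remailers, first_hop, blob):
    """Forward the blob hop by hop. Returns the recipient, the recovered
    plaintext and the (from, to) pairs a pen-register at each link could log."""
    links, hop = [("sender", first_hop)], first_hop
    while hop in remailers:
        nxt, blob = remailer_peel(keys[hop], blob)
        links.append((hop, nxt))
        hop = nxt
    return hop, keystream_xor(keys[hop], blob), links


# Constructed chain: three remailers and the final recipient, each with a key.
ROUTE = ["r1.example", "r2.example", "r3.example"]
DEST = "bob@example.org"
KEYS = {n: hashlib.sha256(("demo-key:" + n).encode()).digest()
        for n in ROUTE + [DEST]}


def demo(message=b"meet at noon"):
    first_hop, blob = build_onion(KEYS, ROUTE, DEST, message)
    return deliver(KEYS, set(ROUTE), first_hop, blob)


if __name__ == "__main__":
    recipient, plaintext, links = demo()
    print(recipient, plaintext)
    for src, dst in links:                # what a sniffer on each link sees
        print(f"{src} -> {dst}")
```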
5.4. Attack Carnivore
There are likely many weaknesses in Carnivore that can be attacked directly.
For example, if you suspect that the FBI might be monitoring your e-mail, you might
configure your system to send out an unending stream of e-mail. This attack would be
designed to fill up Carnivore's storage mechanism. There are a number of random
content generators on the Internet that can craft e-mails that seem somewhat
meaningful, but which really aren't. This would force FBI agents to examine each and
every e-mail by hand in order to make sure it wasn't a real e-mail.
When Carnivore is using RADIUS or DHCP to track a person's IP address, then there
is a good chance the end-user can forge such packets that convince Carnivore to
Remember that Carnivore can be used to monitor Internet traffic other than e-mail.
Besides e-mail, one common use is to monitor web traffic: which websites you visit, as
well as tracking which people might be accessing a particular website.
There are a number of companies that offer services to make your web surfing
anonymous. They allow you to establish an SSL connection to their proxies, preventing
anybody from monitoring which websites you are visiting (other than the fact that you are
accessing the anonymization service). Likewise, if you are accessing a website being
monitored by Carnivore, it can only detect that the inbound connection is coming from
the anonymization service, but not who that person is.
One supplier of such services, Zero Knowledge Systems, discontinued their
anonymization service in October 2001.
SSL provides encrypted communications that prevents sniffers from watching what
you send to a server, or what the server sends in response. You probably use this
protocol when conducting e-commerce transactions (such as buying something on the
Internet with your credit-card).
SSL not only hides your credit-card from people sniffing the wire, but also hides the
transactions from Carnivore. Law enforcement will be able to record (in pen-register
style monitoring) that you are accessing the website, but will not be able to detect what
you did on the website.
Note that SSL only works when the website supports it. More and more websites are
beginning to support this protocol for generic surfing. The reason that many don't is
because it requires an investment in expensive hardware to handle all the encryption.
Also note that SSL only works when the user is paying attention to the details. SSL
has a system of "mutual authentication" that verifies the server you are talking to is,
indeed, who it claims to be. If it isn't, then the browser will provide a warning. Many
users don't pay attention to the warnings. This means that somebody could set up a
server in the middle that reroutes your traffic through it. This would allow somebody
like the FBI to decrypt your traffic, record it, then re-encrypt it. Therefore, you must pay
attention to SSL warnings that indicate this sort of thing is going on.
5.7. Choose a better ISP (e.g. Earthlink)
The ISP "Earthlink" has a long track record of refusing Carnivore. They sued the FBI
over this issue. In the wake of the September 11, 2001 terrorist attacks, the FBI widely
deployed Carnivore. The ISP "AOL" submitted to Carnivore deployments, but
"Earthlink" refused and carried out the court orders itself. (AOL is the largest consumer ISP,
Earthlink is second or third). This means that if you are concerned about privacy, then
you should consider an ISP such as Earthlink (or others that have a published Carni-
vore policy). This doesn't stop the fulfillment of the court order, but it does prevent the
FBI from overstepping their privilege.
6. What was the RFP of August 24, 2000?
On August 24, 2000, the FBI issued a "Request For Proposal" for "experts" to come in
to evaluate Carnivore. Many experts have shied away from this because of the
handcuffs placed on them, feeling that the FBI is just looking for a rubber stamp to alleviate
the public's fears rather than submitting their system to a full review.
"Questions that have been raised include concern that the FBI's temporary use
of the Carnivore system could interfere with the proper functioning of an ISP's
network; concern that the system might, when used properly, provide
investigators with more information than is authorized by a given court order; and
concern that even if the system functions appropriately when properly used, its
capabilities give rise to a risk of misuse, leading to improper invasions of privacy."
What this means is that:
Bungling on the FBI's part caused problems for a major ISP (Earthlink), who is
now suing to keep Carnivore off their networks. The government wants to prove
that under proper usage, Carnivore won't cause such problems in the future.
People are worried that Carnivore will capture more information than allowed by
the court order. For example, a spokesman for EFF says that even experts in AI
would not be able to figure out how to make Carnivore work properly. The FBI
wants to prove their case in face of this criticism.
People are worried that the "powerful" capabilities can be misused in order to
Some academics refuse to participate. They believe that the FBI is simply trying to allay
the public's fears without addressing the real concerns. The RFP gives strict limitations
on how the product is to be evaluated, and has full control over what the evaluator is
allowed to publish as results. Therefore, the FBI can certainly create a "technical
evaluation" that gives Carnivore a clean bill of health while still failing to address any of the
7. How does Carnivore relate to…?
People often compare Carnivore to other things. This section lists some of the more
7.1. How does Carnivore compare to Britain's Regulatory Investigative Powers (RIP) bill?
RIP will mandate black-boxes permanently located at all ISPs, unlike Carnivore, where
boxes have to be brought on site for each investigation and removed when the
investigation is done.
Like Carnivore, a court order is needed.
7.2. How does Carnivore compare to Russia's SORM?
SORM requires ISPs to forward all traffic to the FSB (formerly KGB).
The FSB does not need a warrant and can use the information for whatever reason it
wants. Russia is also outlawing encryption (unless key recovery is used).
(SORM is a Russian acronym for System of Ensuring Investigative Activity).
7.3. How does Carnivore compare to Japan's laws?
The law, passed August 13 of 1999, allowed law enforcement to wiretap telephone,
fax, and Internet communications. It is modeled on the United States' 1994 CALEA
law, though it specifically singles out crimes involving drugs, guns, illegal immigration,
and murders committed by groups (i.e. organized crime and cults).
There is a Japanese law that requires all ISPs to make available pen-register style log
of all Internet communications that their law enforcement can subpoena at any time.
In Japan, the police are not allowed to wiretap lawyers, doctors, and religious leaders
(though cults do not count as religions – the wiretap laws are designed partially to deal
with incidents like the sarin gas attacks by the Aum Shinrikyo cult).
Article 21 of the Constitution of Japan:
Freedom of assembly and association as well as speech, press and all other
forms of expression are guaranteed. 2) No censorship shall be maintained,
nor shall the secrecy of any means of communication be violated.
7.4. How does Carnivore compare to Echelon?
ECHELON is the name given to the global electronic surveillance system rumored to
be run by the NSA (the United States "National Security Agency").
ECHELON sits between the world of well-known information and that of wild paranoid
speculation. On one hand, we know that the NSA's mission is electronic surveillance. On
the other hand, we don't know how far the abilities of the NSA extend.
The NSA is forbidden by law from surveillance within the United States. In theory, it is
also not allowed to monitor the activities of U.S. citizens abroad.
However, it is also known that the NSA has extensive "exchange agreements" with
intelligence organizations of other countries. For example, there is the well-known
UKUSA agreement among the English speaking countries of Australia, New Zealand,
the United Kingdom, and the United States. An example of this agreement is where
the United Kingdom spies upon the United States, and then shares with the NSA
some of the information it gathers. Therefore, even though the NSA is unable to spy
on Americans, it still can get intelligence on Americans through this exchange agreement.
It is widely accepted that the NSA and the NRO (National Reconnaissance Office)
operate surveillance satellites, including those for electronic surveillance as well as
photographing the earth's surface. These satellites can monitor Earth-based microwave
transceivers as well as cell-phone traffic.
The NSA likewise has numerous ground-based stations spread throughout the world.
For example, the NSA operates a ground-based station in communist China for the
purposes of monitoring Russian activities. (This information is shared with the
Chinese, of course).
Undersea telephone cables have also been tapped. In one famous incident, an
American submarine successfully attached wiretaps to a major Russian undersea cable
during the Cold War.
The amount of information monitored by the NSA is huge. This is more information
than human beings can process, so computers process it. It is widely accepted that
the NSA uses a "keyword dictionary" for their monitoring. Massive supercomputers sift
through the traffic looking for these keywords. Note that these dictionaries are updated
almost daily according to world conditions.
Despite the fact that roughly half the countries in the world rely upon radio
communications for long distance and international calls (which the NSA can easily monitor),
the major world powers have now moved to fiber optics. Not only are fiber optics
difficult to tap, but the traffic levels are extremely high. In the year 2000, it was estimated
that the amount of Internet traffic flowing through cables beneath the Atlantic was
roughly 200 gigabits/second. While this is 10 million times faster than a dialup
connection, it is reasonably within the range that the NSA could monitor. In the year 2000,
the company Network ICE was selling Internet monitoring equipment where a single machine
costing roughly $5000 running its software could monitor roughly 1-gigabit/second.
This means that the NSA would be able to monitor all cross-Atlantic traffic with a small
investment of only $10-million in hardware.
8. Obvious misconceptions
8.1. Does Carnivore contravene the First Amendment?
I see frequent debates where people describe Carnivore's invasion of First
Amendment rights. I assume this is because of confusion about the nature of the Bill of Rights.
Since the First Amendment is the most frequently debated issue in the press, many
people confuse the First Amendment with all ten amendments that make up the Bill of Rights.
Get it straight: Carnivore is a Fourth Amendment issue, not a First Amendment issue.
(Note: You could claim that monitoring of free speech is in essence an invasion of free
speech, and therefore Carnivore is also a First Amendment issue. However, the
Founding Fathers long ago debated that and it is still a Fourth Amendment issue).
8.2. Does Carnivore slow down e-mail?
In the wake of the September 11, 2001 terrorist attacks, many people noticed that
e-mail was a lot slower. Many suspected it was due to Carnivore.
It is true that Carnivore was used heavily during the investigations and widely
deployed. However, remember that Carnivore is a passive "sniffer": it watches e-mail as it
goes by, but it does not intervene. It cannot slow down e-mail.
The reason that e-mail seemed to slow down was because of the Nimda and SirCam
virus/worm. The SirCam worm had been clogging up e-mail systems leading up to
September 11, and the Nimda worm exploded on September 17, causing dramatic
slowdowns all across the Internet.
9. Glossary
FBI
Federal Bureau of Investigation, the national police force of the United States. The FBI
does no "spying" like the CIA or NSA, but is instead only involved in criminal matters.
FOIA
Freedom of Information Act, the primary means by which the public can get information
on Carnivore. FOIA allows any citizen to request government documents.
FTP
File Transfer Protocol, a popular method of transferring files on the Internet. The FBI
can carry out the equivalent of a pen-register by sniffing just the control-channel on
ISP
Internet Service Provider, a private company that provides Internet services. When
you dial-up the Internet, you go through your local ISP. Many people believe that the
government runs the Internet. This is wrong. Since the government doesn't control the
Internet, they cannot put Carnivore boxes everywhere. Instead, they must ask the ISP
politely. Virtually all ISPs will refuse unless presented with a court-order.
Pen-register
A less invasive wiretap that courts will allow without probable-cause. A pen-register
records just the telephone numbers a suspect dials. In the context of Carnivore, "pen
mode" also refers to trap-and-trace style Internet monitoring.
SMTP
Simple Mail Transfer Protocol; virtually all e-mail on the Internet is transferred via
SMTP. When you send e-mail, it goes from your machine to your local ISP via SMTP,
and from there toward its destination again via SMTP. Tapping just the Internet traffic
carrying SMTP allows Carnivore to sniff e-mails.
Sniffer
An Internet wiretap program. Sniffers are used widely as diagnostic tools in order to
debug problems on the Internet. For example, if you notice that you cannot get to
www.yahoo.com, then you can bet that engineers somewhere are putting sniffers on
the wire in order to figure out what the problem is. Sniffers are also widely used to
invade privacy, such as capturing e-mails, passwords, and files. The technology behind
tcpdump
A popular sniffer program used by computer geeks. It is described in section 4.2.
Trap-and-trace
A less invasive wiretap that courts will allow without probable-cause. A trap-and-trace
records just the telephone numbers of inbound calls to a suspect.
10. Where can I learn more?
FBI's Carnivore page
This page is light on details and heavy on misdirection (such as the insistence on
calling it a "diagnostic tool" rather than a "wiretap").
EFF: Electronic Frontier Foundation
Tagline: "Protecting Rights and Promoting Freedom in the Electronic Frontier". The
EFF has been on the front lines of the Carnivore debate publishing documents ob-
tained by FOIA.
EPIC: Electronic Privacy Information Center
This page is a glossary of terms, many of which have relevance to Carnivore, wiretap-
ping, and other privacy issues.
Sniffing/wiretap utilities used by hackers that are significantly more advanced than