In live mode, there are two classes of network traffic. First, there’s interaction with attackers and other network endpoints, and secondly, the traffic between the Canary and its Console.

Attacker to Canary communication

Communications with other users on the network occur at their instigation. For example, if an attacker attempts to reach the Canary on HTTP (port 80) and the web service is running, then a web page will be returned.

Whether the Canary services are encrypted naturally depends on the service. For example, the Canary’s SSH and HTTPS services are encrypted and attacker traffic to these services will not be visible to other network participants. However, for clear-text services a network-observer would be able to record the traffic between the attacker and the Canary.

Canary to Console communication

The second class of traffic in live mode is traffic between the Canary and the Console, which relies on a custom DNS overlay protocol.

There is no other communication between birds and console, only valid DNS traffic. These will be sent to whatever DNS server the bird uses (either statically assigned or handed out over DHCP).