Carnivore FAQ (Frequently Asked Questions)

This document provides some answers (or sometimes just guesses) to common questions posted about Carnivore.

The original document no longer exists, and I am happy to keep this important information available and alive right here in the corz.org public archive.

Version 3, October 6, 2001
Author: Robert Graham
Original Location: http://www.robertgraham.com/pubs/carnivore-faq.html
Original Location: http://www.robertgraham.com/pubs/carnivore-faq.txt


"They that give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -- Benjamin Franklin, 1759

1. What is Carnivore?

Carnivore helps the FBI conduct wiretaps on Internet connections.

The Red Pill: Carnivore is an FBI assistance program that helps ISPs overcome technical difficulties when complying with court orders. The FBI is not allowed to put Carnivore on the network unless the ISP claims it cannot (or will not) comply with the court order. The Internet is not run by the government, so the FBI cannot place Carnivore boxes on the Internet without permission from an ISP (which rarely gives permission without a court order).

The Blue Pill: Carnivore is a sophisticated new wiretapping/eavesdropping program that scans people's e-mail. There is a widespread

The FBI's story: "Carnivore is a computer-based system that is designed to allow the FBI, in cooperation with an Internet Service Provider (ISP), to comply with court orders requiring the collection of certain information about emails or other electronic communications to or from a specific user targeted in an investigation."

The FBI explains the origin of the codename: "Carnivore chews all the data on the network, but it only actually eats the information authorized by a court order."

1.1. What is the Internet?

Studies have shown that more than half of the population believes that the Internet is run by the United States government.

It isn't. There is no central control over the Internet.

Instead, the Internet is simply a collection of networks all connected together. There is no centralized point on the Internet where all the traffic can be monitored. When you connect to a website, your traffic goes through several Internet "carriers" known as "ISPs".

If the FBI wants to eavesdrop on some network traffic, it has to go to the ISP that carries that traffic and ask politely. The ISP will refuse unless the FBI has a court order forcing them to comply.

1.2.  What does Carnivore intercept?

Carnivore is used in two ways: as a "content-wiretap" and a "trap-and-trace/pen-register". It is most often used in the second mode.

A telephone "content wiretap" is where law enforcement eavesdrops on the suspect's telephone calls, recording the oral communications on tape. Carnivore can do similar things for Internet communication:

A less invasive style of wiretapping is the telephone "trap-and-trace," where police track the caller IDs of all inbound telephone calls. For example, if your child has been kidnapped, the FBI will put a trap-and-trace on your phone in hopes of discovering the telephone number of the kidnappers when they call you for ransom. There is a similar feature known as a "pen-register" that tracks all outbound telephone numbers dialed. If you are a suspected drug dealer, the FBI might perform a virtual stake-out where they put a trap-and-trace plus pen-register on your phone in order to discover everyone you call, and everyone who calls you. Similar functionality for the Internet consists of:

You'll notice that the trap-and-trace/pen-register functionality is mostly a subset of the content-wiretap interception. This is because the legal standards are more relaxed. A full content-wiretap can only be authorized by a federal district court judge, and only in cases of clear probable cause when certain crimes have been committed. The purpose of a full content-wiretap is to gather evidence to use during prosecution. In contrast, a pen-register can be authorized by lower judges. It is often used during the course of a criminal investigation in order to find out background information. This information is not considered "hard evidence" and may not stand up in court. Instead, it is often simply part of the background investigation.

Therefore, if the FBI suspects you of a crime for which you are using e-mail, they will do their best to get a court order to grab the full contents. If they cannot do that, they will back off and try to get a court order for all the e-mail addresses of people you correspond with (for example).

1.3. How does Carnivore intercept Internet communication?

Carnivore acts like a "packet sniffer". All Internet traffic is broken down into bundles called "packets". Carnivore eavesdrops on these packets watching them go by, then saves a copy of the packets it is interested in.

It is important to note that Carnivore is a passive wiretap. It does not interfere with communication. Some news reports falsely claim that Carnivore interposes itself into the stream, first grabbing data, then passing it along. Likewise, there are reports of Carnivore causing problems at ISPs. This is not due to Carnivore interfering with network communications, but to deployment issues.

1.4. How often is Carnivore used?

The FBI claims that Carnivore has been used roughly 25 times leading up to August, 2000.

The FBI claims that they used Carnivore only 10% of the time for such court orders: most of the time the ISP complies with the court order using their own facilities.

The FBI claims that the majority of cases have been for counter terrorism, though they also mention hacking and drug trafficking.

The FBI claims that the majority of uses have been the "pen-register" mode of tracking "From:" and "To:" headers, not in full capture of e-mails.

1.5. What does the Carnivore box consist of?

Each Carnivore box is likely to be slightly different. The FBI claims that the standard configuration looks something like:

2. What is the controversy surrounding Carnivore?

People are worried about the privacy implications of Carnivore. There are three main concerns:

2.1. Does Carnivore contravene the Fourth Amendment?

No.

The Fourth Amendment states:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

Carnivore requires a warrant to be issued given "probable cause" clearly specifying who the suspect is (e.g. email address), what lines will be tapped, and what kind of information is being seized (e.g. emails). Furthermore, wiretaps like Carnivore are usually held to a higher standard. A warrant for the contents of your e-mail can only be issued by a Federal District judge or higher, whereas normal search warrants can be authorized by any judge.

For paranoids: At least for now, the government considers tapping your e-mail a serious thing and curtails most of the FBI's ability to read it. The NSA may be coordinating with the Brits to monitor your e-mail (such as in the rumored Echelon project), but the FBI probably isn't.

2.2. Does Carnivore suck up mail from unintended targets?

There is a huge controversy over this issue because the FBI refuses to disclose how Carnivore works (see below). It is technically possible to write a system in a robust manner that won't capture data from innocent people. However, industry practice has been to take short-cuts in sniffing devices. If the FBI follows industry practice, then there are several cases whereby they may capture unintended data a small percentage of the time.

A spokesman from the EFF has made the claim on national TV that it would be impossible for Carnivore to focus on a single person without capturing data from everybody else. The EFF claim was that even experts in AI (Artificial Intelligence) would not be able to build such a system. Like many people, the spokesman was thinking of the program from the wrong perspective. While the content of e-mail messages would be impossible to scan, the "envelopes" of messages are highly "structured" and easy to scan. For example, your own e-mail program clearly shows the "From:" and "To:" fields from the e-mail envelope; Carnivore grabs these in exactly the same manner.

Note that according to U.S. law, a judge would not grant a court order unless the FBI was able to demonstrate that Carnivore "minimizes" the data collected.

2.3. Does Carnivore do content-searching, such as sniffing e-mails that contain the word "plutonium"?

No. Carnivore does not "search" Internet traffic; it instead "decodes" the traffic looking for addresses, and collects only the data that matches the addresses it is looking for.

There is more to it than that. Content-searching would be illegal. A judge would never give a court order that would allow content-searching. The FBI may have other systems for illegally searching content. They may also illegally deploy their content-searching system along with Carnivore when they have a court order. However, since "Carnivore" is the name of the system that complies with court orders, then by definition, Carnivore does not do content-searching.

Note, however, that Carnivore does have the built-in capability to do content searches. This content-searching system was designed for the legal purpose of gathering web-based e-mail, but it could be subverted to search for any pattern. In other words, while it wasn't designed for content-searching, and the FBI does not intend to use Carnivore for content-searching, it does have the built-in ability to do this. When asked if Carnivore could do content-searches, the FBI lied to the public and said "no".

2.4. Is Carnivore a network of black-boxes deployed throughout the Internet? Is Carnivore an unrestrained wiretap of the entire Internet?

No. This type of widespread monitoring is not allowed by law.

To install a Carnivore box, the FBI must have a court order specifying exactly what is to be monitored (e.g. email contents), for exactly who monitoring will take place (e.g. email address), and is limited for how long the box may be in place. Furthermore, the ISP does not have to accept a Carnivore box if they can satisfy the search warrant using their own means. Carnivore is only used when the ISP cannot satisfy the search warrant.

As of August 2000, the FBI had roughly only 20 Carnivore boxes. These boxes are stored in Quantico, Virginia. They are only used in specific cases under court order. The courts do not allow any one box to be in place for more than a month or two. Furthermore, these boxes are rarely placed on ISP backbones, but usually close to the servers they are designed to monitor.

For paranoids: This is not a satisfactory answer for paranoids who believe that government does not follow its own laws, so let me phrase it another way: if the government is doing widespread monitoring (such as the rumored Echelon program), it isn't doing it with Carnivore. Carnivore is not made for widespread monitoring, and is instead designed for only "surgical" wiretaps. Carnivore is widely publicized and many ISP engineers have direct experience with Carnivore (and know where the boxes are placed); Echelon is much more secretive. In other words, the government may have black-boxes deployed throughout the network, but they aren't Carnivore black-boxes.

2.5. Will Carnivore corrupt e-mails or otherwise misrepresent them?

No.

This is what makes Carnivore different from other e-mail monitoring products. There are numerous products that can monitor e-mails in a manner similar to Carnivore (I wrote one back in 1991), but they have the problem that they may incorrectly capture the e-mail messages. Fragments of e-mail can be lost, or fragments from other e-mails could accidentally be inserted.

This is why the FBI insisted that they use Carnivore instead of these other products. An e-mail message captured by Carnivore will not hold up in court unless the FBI can prove that the message was captured without corruption.

In order to accomplish this goal, Carnivore works as a raw packet sniffer. Unlike other e-mail monitoring products, it does not capture the messages, but instead captures the raw Internet traffic that was used to transfer the e-mail. This Internet traffic contains "checksums" and "sequence numbers". A checksum makes sure that the captured bytes haven't been corrupted, and a sequence number means that you can prove that you captured the entire message without any fragments from other e-mail messages. It doesn't prevent corruption, but clearly points out any corruption that may have occurred. If there are no bad checksums or missing sequence numbers, then you can show in a court of law that the capture is complete and was not corrupted in transit. Note the limit of this argument: a TCP checksum is a 16-bit error-detecting code that catches accidental damage, not deliberate alteration of the capture file afterwards; protecting against that is the job of the chain-of-possession procedure described in section 3.4.

2.6. Is Carnivore permanently located at the ISP?

No.

It is unlikely to be in place for more than a month. There are strict government regulations on the use of wiretaps. The most difficult law is that they must be renewed every 30 days. This means that 30 days after getting the first court order, the FBI must go back to the judge and ask for an extension. This applies to all wiretaps. About half of all wiretaps do not get extensions.

The FBI claims that the longest a Carnivore unit has been in place was 45 days.

2.7. Why doesn't the FBI release source code?

The FBI makes the following justifications as to why they don't release source code:

Industry experts don't believe these arguments:

The FBI makes the statement in their RFP: "The Department recognizes that the Carnivore system is subject to certain inherent design limitations that preclude its use in certain situations. Those limitations will be identified to the Contractor [reviewing the system], but for obvious reasons will not be made public." Experts don't understand what obvious reasons the FBI could be talking about.

2.8. Is the FBI forthcoming on basic details?

No (experts think not).

The FBI claims that it has been forthcoming on basic details of the program. Many experts disagree, blaming the FBI for creating an environment of fear and mistrust.

Even though it won't disclose the source code to Carnivore, it could disclose a lot more about it. For example, the FBI could run Carnivore in a test lab through all permutations (e-mail content, e-mail headers, IP packets, RADIUS logon, etc.) and disclose the evidence gathered along with original tracefiles. This would clearly demonstrate the capabilities of Carnivore without exposing the advanced details that they want to keep secret.

2.9. Can email be forged, introducing false evidence?

Yes, easily (you can do this yourself). You can simply reconfigure your own email system to use somebody else's email address. This won't allow you to read their email, but will certainly allow you to impersonate them when sending email out.

Another common problem is through the use of "Trojan Horses". This would allow a hacker to not only forge an email, but to make it come from that person's IP address as well. Currently, this fools the FBI as well as courts. For example, Fred Modolvski was convicted of posting a fraudulent press release from his machine – he claims that a hacker broke into his machine and sent the message. Currently, no defendant has yet successfully used this "hacker defense"; it would be quite easy for hackers to frame somebody.

3. What laws allow Carnivore?

1968 Title III of the Omnibus Crime Control and Safe Streets Act
Commonly known simply as "Title III"; this law makes wiretapping legal.

1986 ECPA (Electronic Communications Privacy Act)
Commonly pronounced Ecpa (ek-pah). This law was designed to clarify how existing wiretap laws apply to cyberspace, but at the same time sets boundaries on how much the government can invade our on-line privacy.

1986 Computer Fraud and Abuse Act
Makes breaking into federal computers and trafficking in stolen passwords felonies.

1994 CALEA
Requires telephone "carriers" (including ISPs) to help with investigations. A court order usually comes in two parts: one authorizing the FBI to sniff, the other obligating the ISP to help out. Because of this law, all digital telephony equipment now contains "wiretap" ports for telephone wiretapping.

1998 roving wiretap
Allows the FBI to tap lots of people's communication as long as it only keeps records of the suspect's communications. In other words, Carnivore can be placed on a backbone that listens to thousands of people's e-mails as long as it only remembers e-mails for the specific suspect.

3.1. What are "pen-registers" and "trap-and-traces"?

A pen-register is a device the FBI might put on your phone line in order to record every telephone number you dial. A trap-and-trace is a different kind of device that records the caller-ID of everyone who dials you. Remember the movies when the suspect calls in, and the FBI says "keep him on the line" so they can trace him? That is a trap-and-trace.

These two items are frequently used as a sort of electronic "stake-out". Because they only reveal the numbers called, the date/time, and potentially the length of the call, they aren't as intrusive into privacy as a full wiretap. Therefore, the legal standards necessary to obtain a court order for them are significantly reduced.

Judges will grant pen-register court orders for investigations. According to the FBI, Carnivore is most often used for pen-register style monitoring for investigation purposes. However, in order to monitor the full contents of e-mail messages, law-enforcement needs to show the judge compelling evidence that you have committed the crime. In other words, the investigation phase is over; they are now looking for proof in order to convict.

3.2. What is a "court order"?

FBI agents must go to a judge and get them to authorize use of Carnivore. The court order specifies:

The judge then authorizes the search warrant. At the same time, the judge will create a court order demanding that the ISP comply with the FBI.

Full content-wiretaps may only be used for certain felonies (e.g. terrorism, drug trafficking, kidnapping). They may only be issued by a Federal District Judge, not any old judge. They may only be granted to FBI agents. They may only be used to gather hard evidence, not for background reconnaissance.

3.3. I thought computer records are regarded as "hearsay"?

They can be in many circumstances, but not always.

According to the Federal Rules of Evidence, business records (including computer records) are considered "hearsay" (and not admissible in court) because there is no firsthand proof that they are accurate, reliable, or trustworthy. There are exceptions to this rule when you can demonstrate accuracy, reliability, and trustworthiness.

For example, the FBI cannot simply capture a single e-mail and claim it as evidence. Instead, Carnivore must be running all the time (for a week, month, etc.). All of the e-mails captured during that time must be maintained. The FBI cannot simply take one e-mail from this set and use it as evidence, they must instead present to the court all e-mails captured during this time. If one e-mail says "let's bomb the World Trade Center", but the next e-mail says "I was only joking", then the FBI must present both to the defense team. Defense lawyers will themselves study the records in order to find exonerating evidence.

Second, the captured data must be "authenticated" according to rule 901 of the Federal Rules of Evidence. The FBI agents who put Carnivore into the ISP and lock it down will need to document everything they did. The FBI does not simply give Carnivore to an ISP engineer and have them install it, because the ISP engineer is not necessarily a qualified witness. In cases where the ISP gathers the information without Carnivore, they must carefully document what they do.

Third, Carnivore must meet the "best evidence" rule. ISPs are usually able to create copies of e-mail directly from their servers. These copies have a higher integrity than e-mails sniffed from the wire (Carnivore might miss a packet, and therefore leave a gaping hole in the e-mail). Therefore, the FBI can only use Carnivore when the ISP is not willing or is unable to copy the e-mail from their servers.

3.4. What is "chain of possession"?

As part of the Rules of Evidence, all evidence must be "sealed" in a tamper-evident manner. Carnivore uses a Jaz drive for this. As soon as the Jaz disk is removed from the machine, it is immediately sealed in a bag, and the name of the FBI agent who sealed it and the date/time are written on the outside. From then on, anybody who opens that seal must likewise sign the form and clearly document what they did with the evidence. The evidence must not be altered (except in certain cases).

This is one of the reasons that the FBI cannot put a TCP/IP stack on the box. They cannot risk the defense team using this as an excuse as to why the evidence might be tainted.

3.5. What is "minimization"?

The laws state that the FBI must be very careful to minimize how much it inadvertently eavesdrops on. Agents must be very careful to monitor only the information authorized by the court order, and nothing more. For example, if they are wiretapping the telephone of the father of a family, then if a kid dials-out, they must immediately turn off the recording machines. For telephones, this requires an FBI agent who constantly listens on the line monitoring for such things.

This means that the FBI is not allowed to listen for any emails containing the word "plutonium", because it would inadvertently capture messages from innocent people. Instead, they must prove to a judge that they can tap into only the traffic for the specific suspect; i.e. they must give the judge the exact e-mail address they are going to monitor.

FBI agents are very paranoid about this. If extra stuff leaks into their recordings, they must carefully discard it. Also, if a lot of stuff has leaked in, then the defense attorneys will "move to suppress" the evidence claiming proper procedure was not followed. Remember, the FBI has to prove a legitimate reason to the judge in order to get a court order, but also must be careful when they get the evidence that it won't be thrown out of court. This is especially important because full content-wiretaps are only obtained in order to get hard evidence that will indeed be used in court.

Note that full content-wiretaps have been used in this discussion; pen-register style wiretaps are a little more lenient because they do not record the full contents of a conversation, only the parties doing the conversing.

3.6. What prevents Carnivore from being used illegally?

The exclusionary rule. This principle in U.S. law states that evidence seized by police in violation of constitutional protection from unreasonable search and seizure may not be used against a criminal defendant at trial.

There are some problems with this rule. The first is that exceptions are allowed when evidence is obtained in "good faith" with a search warrant that is later ruled invalid. This means if FBI agents can convince a judge to grant an invalid search warrant, the evidence is still admissible in court. This is a problem because there are subtle privacy issues here that confuse even technologists (and judges are notoriously computer illiterate).

For example, a "pen-register" wiretap should only be able to grab the equivalent of call-records, such as the timestamp when the e-mail was sent, the size of the e-mail, and the from/to e-mail addresses. Most technologists would therefore claim that Carnivore should restrict itself to the SMTP "envelope". However, the FBI designed Carnivore to dig deeper into the e-mail headers, grabbing much more information. The FBI is clearly willing to overstep their bounds hoping that they can justify their excessive monitoring under such provisions as the "good faith" provision.

The second problem with the exclusionary rule is that it only applies to cases where the FBI intends to present evidence at trial. In the aftermath of the 9/11/2001 terrorist attacks, the FBI deployed Carnivore widely in order to tap into e-mails. They had no intention of using the information in trial, so they had no restraints on abuses.

4. What are the in-depth technical details of Carnivore?

4.1. Is Carnivore a sophisticated new technology?

No.

Carnivore is often portrayed in the press as something extremely technologically sophisticated and clever. It isn't. It is technologically behind existing products.

For example, one news article claims that when the FBI unveiled Carnivore, it "astonished industry specialists". It didn't. There are numerous products on the market significantly more advanced than Carnivore.

The author of this FAQ wrote an e-mail sniffing program identical to Carnivore 9 years ago. Carnivore has a couple of things that are unique to it (capturing e-mail packets rather than messages, RADIUS monitoring), but these aren't necessarily sophisticated. The author of this FAQ wrote "Altivore" that is an exact duplicate of Carnivore in a weekend.

4.2. IP sniffing

Reportedly, the FBI has used Carnivore in a mode they call "Omnivore": capturing all the traffic to/from the specified IP address. (Remember, a court order has to specify exactly who is being monitored; the FBI is not allowed to monitor everybody.) Reportedly, they used the AG Group's EtherPeek for this purpose. This is one of only a few packet sniffers that can accept an IP address as a capture filter, then write in real time (with no lost packets) directly to the disk.

There are numerous products that can fulfill these types of requirements. The easiest is the freeware program known as TCPDUMP, which is available for both Windows and UNIX. If the court order specifies a full capture for the IP address of 192.0.2.189, the command would simply be:

tcpdump -w tracefile.tcp host 192.0.2.189

You can even do your own Carnivore. The popular personal firewall from ISS (Internet Security Systems) called  "BlackICE Defender" has a feature called "Packet Logging". It will monitor all traffic to and from your own machine and save it directly to disk just like Carnivore. You can use this feature if you think you are under attack (though there are limits to its admissibility in court). The popular freeware utility known as "Ethereal" can then be used to display the contents of this data.

IP sniffing may also be done in a pen-register mode. Many packet sniffers could be used for this capability. The desired IP address would be specified in a "capture filter", then the "slice/snap" length would be set to 54 bytes. This is enough for the 14-byte Ethernet, 20-byte IP and 20-byte TCP headers (any TCP options are cut off), so the headers are captured but none of the content. The raw data would be saved live to a file. Again, using TCPDUMP as an example (the options go before the filter expression):

tcpdump -s 54 -w tracefile.tcp host 192.0.2.189

However, I suspect that this is overstepping the bounds of the law collecting more information than the warrant allows. In order to align it more closely with a traditional pen-register, it would need to capture a lot less information. It would monitor the wire and create a record that looks like the following:

This would require more complex programming within the system.
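The following is an added example, not Carnivore code and not part of the original FAQ. It reads a tcpdump-style capture and produces the pen-register records section 4.2 describes (time, direction, peer, size), while also running the checks section 2.5 relies on: the IP and TCP checksums, TCP sequence continuity (so a missed packet shows up as a gap), and whether a packet was sliced at 54 bytes, in which case the TCP checksum cannot be verified because the payload is absent. It uses only the Python standard library and handles Ethernet/IPv4/TCP; the suspect address is the one from the tcpdump examples above, the peer addresses are assumed, and every packet is constructed in memory rather than captured.

```python
"""Pen-register records from a pcap, with the integrity checks sections 2.5
and 4.2 describe (IP/TCP checksums, TCP sequence continuity, truncated
slices).  Added example, not Carnivore code: pure standard library,
Ethernet/IPv4/TCP only.  Every packet below is constructed in memory."""
import socket
import struct
from datetime import datetime, timezone

def inet_checksum(data):
    """RFC 1071 one's-complement sum; returns 0 for data that already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def iter_pcap(data):
    """Yield (timestamp, captured bytes, original length) from a classic pcap file."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"
    off = 24                                   # skip the global header
    while off + 16 <= len(data):
        sec, usec, incl, orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield sec + usec / 1e6, data[off:off + incl], orig
        off += incl

def pen_register(pcap, target_ip):
    """One record per TCP packet to or from target_ip: parties, time, size, integrity notes."""
    records, expected_seq = [], {}             # expected_seq: flow 4-tuple -> next sequence number
    for ts, frame, orig_len in iter_pcap(pcap):
        if len(frame) < 54 or frame[12:14] != b"\x08\x00":
            continue                           # not IPv4, or too short to hold the headers
        ip = frame[14:]
        ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
        src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
        if ip[9] != 6 or target_ip not in (src, dst):
            continue                           # the capture filter: only the court-ordered address
        tcp = ip[ihl:total_len]
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        data_off, flags = (tcp[12] >> 4) * 4, tcp[13]
        payload_len = total_len - ihl - data_off   # from the IP header, so valid for sliced packets too
        notes = []
        if inet_checksum(ip[:ihl]) != 0:
            notes.append("bad-ip-checksum")
        if len(frame) < orig_len:
            notes.append("truncated")          # a -s 54 style slice: TCP checksum cannot be verified
        elif inet_checksum(ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp)) + tcp) != 0:
            notes.append("bad-tcp-checksum")   # pseudo-header + segment, as the receiver checks it
        flow = (src, sport, dst, dport)
        if flow in expected_seq and seq > expected_seq[flow]:
            notes.append("seq-gap:%d" % (seq - expected_seq[flow]))   # bytes that were never captured
        expected_seq[flow] = seq + payload_len + (1 if flags & 0x03 else 0)  # SYN/FIN consume one
        outbound = src == target_ip
        records.append({
            "time": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(timespec="milliseconds"),
            "direction": "out" if outbound else "in",
            "peer": dst if outbound else src, "peer_port": dport if outbound else sport,
            "bytes": payload_len, "notes": notes})
    return records

# ---- constructed sample traffic (not real captures) ----
def build_frame(src, dst, sport, dport, seq, flags, payload=b""):
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0x1234, 0x4000, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", inet_checksum(ip_hdr)) + ip_hdr[12:]
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0)
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, 20 + len(payload))
    tcp_hdr = tcp_hdr[:16] + struct.pack("!H", inet_checksum(pseudo + tcp_hdr + payload)) + tcp_hdr[18:]
    return b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00" + ip_hdr + tcp_hdr + payload

def build_pcap(frames, snaplen=65535):
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)]   # link type 1 = Ethernet
    for ts, frame in frames:
        out.append(struct.pack("<IIII", int(ts), int(round((ts % 1) * 1e6)),
                               min(len(frame), snaplen), len(frame)))
        out.append(frame[:snaplen])
    return b"".join(out)

SUSPECT, WEB, OTHER = "192.0.2.189", "198.51.100.7", "203.0.113.5"   # suspect IP from the FAQ; peers assumed
bad = bytearray(build_frame(WEB, SUSPECT, 80, 40001, 5000, 0x18, b"HTTP/1.0 200 OK\r\n"))
bad[-1] ^= 0xFF                                                      # damaged in transit or on disk
SAMPLE_FRAMES = [
    (1000000000.0, build_frame(SUSPECT, WEB, 40001, 80, 1000, 0x02)),                            # SYN
    (1000000000.1, build_frame(SUSPECT, WEB, 40001, 80, 1001, 0x18, b"GET / HTTP/1.0\r\n\r\n")),  # 18 bytes
    (1000000000.2, build_frame(OTHER, WEB, 51000, 80, 77, 0x02)),                                # unrelated host
    (1000000000.3, build_frame(SUSPECT, WEB, 40001, 80, 1519, 0x18, b"x")),                      # 500 bytes missed
    (1000000000.4, bytes(bad)),
]
SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES)                 # full capture, as in tcpdump -w
SLICED_PCAP = build_pcap(SAMPLE_FRAMES, snaplen=54)     # header-only capture, as in tcpdump -s 54

if __name__ == "__main__":
    for rec in pen_register(SAMPLE_PCAP, SUSPECT):
        print(rec)
```

Run against the full capture, the unrelated host's packet is dropped by the filter, the third packet of the suspect's flow is flagged with a 500-byte sequence gap, and the damaged inbound packet fails its TCP checksum. Run against the 54-byte slice, the same gap is still detected (the sequence numbers live in the header), but every sliced packet is marked "truncated" because the checksum covers bytes that were never written to disk; that is the trade-off between the two tcpdump commands above.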

4.3. RADIUS and DHCP triggering

In the case of dial-up connections, the suspect has no fixed IP address. Therefore, Carnivore has to sniff the RADIUS logon/authentication packets in order to discover the IP address in use. This is probably the only feature unique to Carnivore: the ability to track dial-up users.

However, ISPs can still comply with court ordered wiretaps of dial-up users without Carnivore. They can often hard-code configuration information within their authentication systems that reserves a special IP address for the suspect's account. At this point, the tcpdump described above can be used in order to sniff the suspect's traffic.

The same sort of issue applies to DHCP. Whereas RADIUS is often used to assign IP addresses for dial-up users, DHCP is used for high-speed users (cable-modems, DSL, company networks).
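The following is an added example of the RADIUS triggering described above; it is not Carnivore code and is not from the original FAQ. It watches the Access-Request that carries the suspect's User-Name, remembers the request identifier, and when the Access-Accept with that identifier comes back to the same NAS it pulls out the Framed-IP-Address, which is the address the packet filter must then be switched to. It parses RADIUS payloads only (the UDP/IP framing is left to the capture tool); the NAS and server addresses are assumed, the authenticators are zeroed, and the whole exchange is constructed. The attribute parser treats the length bytes as untrusted, since a malformed packet on the wire must not crash the monitor.

```python
"""RADIUS triggering for dial-up suspects (section 4.3): watch the
Access-Request that names the suspect, then the matching Access-Accept
that hands out the Framed-IP-Address, and report that address so the
packet filter can be retargeted.  Added example, not Carnivore code.  It
consumes RADIUS payloads (UDP/IP framing is left to the capture tool);
the authenticators below are zeroed and the exchange is constructed."""
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, FRAMED_IP_ADDRESS = 1, 8             # RFC 2865 attribute types

def parse_radius(payload):
    """Return (code, identifier, {attr_type: value}); tolerates truncated or bogus attribute lengths."""
    code, ident, length = struct.unpack("!BBH", payload[:4])
    attrs, pos, end = {}, 20, min(length, len(payload))    # 20 = header incl. 16-byte authenticator
    while pos + 2 <= end:
        t, l = payload[pos], payload[pos + 1]
        if l < 2 or pos + l > end:
            break                                   # length is NAS/attacker controlled: never trust it
        attrs.setdefault(t, payload[pos + 2:pos + l])
        pos += l
    return code, ident, attrs

class RadiusTrigger:
    """Tracks outstanding requests for one user and reports the IP each accepted logon receives."""
    def __init__(self, target_user):
        self.target = target_user.encode()
        self.pending = set()            # (nas_ip, identifier) of requests made by the target
        self.assignments = []           # every address the target was given, in order

    def feed(self, src_ip, dst_ip, payload):
        """Call for every RADIUS packet; returns the suspect's new IP on an Access-Accept, else None."""
        code, ident, attrs = parse_radius(payload)
        if code == ACCESS_REQUEST:
            key = (src_ip, ident)       # the NAS sends the request; the reply reuses its identifier
            if attrs.get(USER_NAME) == self.target:
                self.pending.add(key)
            else:
                self.pending.discard(key)   # identifier reused by another user's logon
        elif code in (ACCESS_ACCEPT, ACCESS_REJECT):
            key = (dst_ip, ident)       # replies go back to the NAS
            if key in self.pending:
                self.pending.discard(key)
                ip = attrs.get(FRAMED_IP_ADDRESS)
                if code == ACCESS_ACCEPT and ip is not None and len(ip) == 4:
                    self.assignments.append(socket.inet_ntoa(ip))
                    return self.assignments[-1]
        return None

# ---- constructed exchange (not a real capture) ----
def build_radius(code, ident, attrs):
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body   # authenticator zeroed

NAS, SERVER = "203.0.113.10", "203.0.113.20"        # assumed addresses
SAMPLE_EXCHANGE = [
    (NAS, SERVER, build_radius(ACCESS_REQUEST, 7, [(USER_NAME, b"alice@example.com")])),   # the suspect
    (NAS, SERVER, build_radius(ACCESS_REQUEST, 8, [(USER_NAME, b"carol@example.net")])),   # someone else
    (SERVER, NAS, build_radius(ACCESS_ACCEPT, 8, [(FRAMED_IP_ADDRESS, socket.inet_aton("198.51.100.9"))])),
    (SERVER, NAS, build_radius(ACCESS_ACCEPT, 7, [(FRAMED_IP_ADDRESS, socket.inet_aton("198.51.100.23"))])),
]

def run_sample(target_user="alice@example.com"):
    trigger = RadiusTrigger(target_user)
    return [trigger.feed(src, dst, pkt) for src, dst, pkt in SAMPLE_EXCHANGE]

if __name__ == "__main__":
    print(run_sample())
```

Keying on (NAS address, identifier) rather than on the identifier alone matters: the identifier is an 8-bit value that every NAS reuses, so a second logon from a different NAS, or an unrelated user reusing the number, must not be mistaken for the suspect's session. The same shape of state machine works for DHCP, with the transaction id and chaddr playing the role of the identifier and User-Name.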

4.4. How does Carnivore sniff e-mail messages?

The SMTP protocol (the system for exchanging e-mail) looks something like the following.

<--  220 mx.altivore.com SMTP server.
>>>  HELO mx.example.com
<--  250 mx.altivore.com Hello [192.0.2.183], pleased to meet you
>>>  MAIL FROM: <alice@example.com>
<--  250 <alice@example.com> … Sender ok
>>>  RCPT TO: <bob@altivore.com>
<--  250 <bob@altivore.com>
>>>  DATA
<--  354 Start mail input; end with <CRLF>.<CRLF>

>>>(e-mail message)

>>>  \r\n.\r\n
<--  250 Queued mail for delivery
>>>  QUIT
<--  221 mx.altivore.com closing connection

What you are seeing here is an exchange of data between two mail exchangers. One exchanger contacts the other in order to forward e-mail to it. Carnivore listens in on them surreptitiously. They start with a few greetings, and then get down to business. The exchanger that initiated the connection first transmits the "envelope" containing the MAIL FROM and RCPT TO fields, and then sends the "message". The message is terminated by a line containing only a single dot.

The message itself contains "headers" and a "body". These aren't shown in the diagram. One of the big questions about Carnivore is whether it tracks just the SMTP "envelope", or whether it looks within the RFC822 message. The following is a sample e-mail message that would be transferred over this connection:

From: "Alice Cooper" 
To: "Bob D Graham" 
Subject: Shipment
Date: Thu, 7 Sep 2000 15:51:24 -0700
Message-ID: 
MIME-Version: 1.0
Content-Type: text/plain;
        charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600

How is the plutonium shipment coming? I need it by Friday.

--Alice

The logic is quite simple. If the court order specifies the suspect's e-mail account as "alice@example.com", then Carnivore triggers when it sees that address in the SMTP envelope, and starts capturing the e-mail message until it sees the end. Some court orders might limit this to only the headers rather than the content. In this case, Carnivore has to stop capturing at the first blank line. Furthermore, Carnivore has to remove the "Subject:" header because that is also considered "content" by the courts.

There are several products on the market that can capture e-mails in a similar fashion. One of the important differences with Carnivore is that it doesn't record the e-mail messages themselves, but instead captures the raw packets that carry the e-mails. In this fashion, it has a solid history of checksums and TCP sequence numbers that clearly show missing fragments or inadvertently captured fragments. This is extremely important in order to validate the authenticity of the data.

A pen-register mode can also be used. The MAIL FROM and RCPT TO addresses can be logged to a file whenever either of them matches the suspect's address. The log entry would look like:
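The following is an added example of the envelope-triggered logic described in this section; it is not Carnivore code and is not from the original FAQ. It takes the client-to-server half of one SMTP session as already-reassembled bytes (Carnivore kept the raw packets; TCP reassembly is left out here), triggers when the court-ordered address appears in MAIL FROM or RCPT TO, and captures until the terminating dot line. The three modes match the three court-order variants discussed above: "full" keeps the whole message, "headers" stops at the first blank line and drops the Subject: header (including any folded continuation lines), and "pen" keeps only the envelope and the size. Addresses are compared case-insensitively, which is an assumption; the session at the bottom is constructed from the FAQ's transcript and sample message, with a dot-stuffed line added to show the unstuffing.

```python
"""Envelope-triggered SMTP capture (section 4.4).  Added example, not
Carnivore code.  Input is the client->server half of one SMTP session as
already-reassembled bytes.  Modes: 'full' keeps the whole message,
'headers' keeps the RFC 822 headers minus Subject:, 'pen' keeps envelope
and size only.  The session at the bottom is constructed."""
import re

_ANGLE = re.compile(rb"<([^>]*)>")

def _address(line):
    """Mailbox from 'MAIL FROM:<x>' / 'RCPT TO:<x>'; lower-cased for matching (an assumption)."""
    m = _ANGLE.search(line)
    raw = m.group(1) if m else line.split(b":", 1)[1].strip()
    return raw.lower().decode("ascii", "replace")

def _headers_without_subject(lines):
    """Header lines up to the first blank line, dropping Subject: and its folded continuations."""
    out, skipping = [], False
    for line in lines:
        if line == b"":
            break                                   # first blank line ends the headers
        if line[:1] in (b" ", b"\t"):               # folded continuation of the previous header
            if not skipping:
                out.append(line)
            continue
        skipping = line[:8].lower() == b"subject:"
        if not skipping:
            out.append(line)
    return out

def process_session(stream, target, mode="full"):
    """Return one record per message whose envelope names target; content depends on mode."""
    target = target.lower()
    records, mail_from, rcpts, body, in_data = [], None, [], [], False
    for line in stream.split(b"\r\n"):
        if in_data:
            if line == b".":                          # end of message
                if target == mail_from or target in rcpts:
                    content = {"full": b"\r\n".join(body),
                               "headers": b"\r\n".join(_headers_without_subject(body)),
                               "pen": None}[mode]
                    records.append({"from": mail_from, "to": list(rcpts),
                                    "size": len(b"\r\n".join(body)), "content": content})
                mail_from, rcpts, body, in_data = None, [], [], False
            else:
                body.append(line[1:] if line.startswith(b".") else line)   # RFC 5321 dot-unstuffing
            continue
        upper = line.upper()
        if upper.startswith(b"MAIL FROM:"):
            mail_from, rcpts = _address(line), []     # a new envelope starts here
        elif upper.startswith(b"RCPT TO:"):
            rcpts.append(_address(line))
        elif upper == b"DATA":
            in_data, body = True, []
        elif upper in (b"RSET", b"QUIT"):
            mail_from, rcpts = None, []
    return records

# ---- constructed session: the FAQ's transcript plus a second, unrelated message ----
SAMPLE_STREAM = b"\r\n".join([
    b"HELO mx.example.com",
    b"MAIL FROM:<alice@example.com>",
    b"RCPT TO:<bob@altivore.com>",
    b"DATA",
    b'From: "Alice Cooper" <alice@example.com>',
    b'To: "Bob D Graham" <bob@altivore.com>',
    b"Subject: Shipment",
    b"  (still pending)",                           # folded continuation of Subject:
    b"Date: Thu, 7 Sep 2000 15:51:24 -0700",
    b"",
    b"How is the plutonium shipment coming? I need it by Friday.",
    b"..and remember the Friday deadline.",          # dot-stuffed on the wire
    b"--Alice",
    b".",
    b"MAIL FROM:<carol@example.net>",
    b"RCPT TO:<dave@example.org>",
    b"DATA",
    b"Subject: lunch",
    b"",
    b"Noon?",
    b".",
    b"QUIT",
    b"",
])

if __name__ == "__main__":
    for mode in ("pen", "headers", "full"):
        print(mode, process_session(SAMPLE_STREAM, "alice@example.com", mode))
```

Because the trigger is the envelope and not the message text, the second message in the session is never captured for a court order naming Alice or Bob, which is the point made in section 2.2: the addresses are structured fields, so selecting on them does not require reading anyone else's mail. The "headers" mode shows the other side of the same point: Date: and the addressing headers survive, but the Subject: line and the body, which the courts treat as content, do not.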

4.5. HTTP and FTP

In the sample scenarios described by the FBI, they describe cases where they want to track all the websites accessed by the suspect. The way they do that is to filter for any packet from the suspect to port 80 (meaning HTTP) and record the destination IP address. This may be complicated by having to parse RADIUS as described above.

4.6. HTTP, FTP, and NNTP

One of the claims I've read in the news is that Carnivore does something with HTTP more than monitoring IP addresses of the sites. I think the news reporters were confused, but there are some things the FBI could do with sniffing technology.

One technique would be to do a "trap-and-trace" on a webpage. For example, the FBI could put a sniffing device next to the server hosting this webpage, then monitor everyone who accesses just this one page on the site. Similar techniques could be used for monitoring users of certain FTP files.

NNTP (Usenet news) can be a little more interesting. The FBI can do a trap-and-trace on specific newsgroups. Web pages are actually fairly well controlled (little bad stuff), and innocent people often find themselves unintentionally at web pages because of search engines. However, Usenet is less regulated and there are areas frequented by persistent cybercriminals. The various hacking newsgroups come to mind.

4.7. IRC

There are rumors that Carnivore was used to capture IRC traffic. I'm not quite sure what that means – if the FBI wanted to tune into IRC chatrooms, they could use any number of programs that simply log onto the chatrooms and record all the contents. Indeed, the FBI probably records the full contents of the most popular hacker IRC chatrooms. The reason is that this isn't "wiretapping" -- it is simply recording data that is publicly visible. You don't need to be at the ISP to do this, but can monitor chatrooms from anywhere on the net.

Note that IRC supports generic handles rather than fixed account names. People can (and often do) masquerade as others. When the FBI monitors IRC, they want to track it back to the IP address that originated the content.

4.8. Does Carnivore drop packets?

Yes.

This is a frequent question for sniffers like Carnivore: what are the traffic-rates they can handle before they get overloaded and start "dropping" traffic?

The sniffing component within Carnivore is well known in the industry to drop packets at fairly low traffic rates. However, Carnivore is frequently used in a "surgical" manner. It is placed on the "edge" of the Internet (where traffic levels are low) rather than on the "core" (where traffic levels are high). If monitoring e-mail, it can be placed next to the e-mail server sniffing only its traffic. This greatly reduces the traffic load that it taps into.

Note that the author of this FAQ has built a sniffing system that can handle a full gigabit of traffic, which makes it at least 20 times faster than Carnivore.

4.9. Is Carnivore based upon Etherpeek?

EtherPeek was certainly used originally for investigative work by the FBI. It probably is what the FBI called "Omnivore". They would obtain court orders for all traffic to/from an IP address and save it directly to evidence files. EtherPeek supports this feature well whereas other commercial sniffers don't do this as well.

However, the FBI found EtherPeek too limiting, and created their own product based upon the sniffing subsystem created by PCAUSA (http://www.pcausa.com).

5. How can I defend myself against Carnivore?

5.1. Forge E-mail sender

Remember that Carnivore needs to match your e-mail address against the MAIL FROM and RCPT TO addresses it sees in the SMTP envelope.

Therefore, one easy solution is to lie. When sending e-mail, simply give a different sender address. Since Carnivore will never see your real e-mail address go across the wire, it cannot capture the e-mail nor record the fact that it was even sent.

This is different for every e-mail system, so it will require some effort on your part to learn how this can be done. There are a number of problems here. For example, the recipient won't be able to hit the "reply" button in order to respond to your e-mail. You might be able to correctly use the "Reply-To" field in order to fix this (Carnivore likely doesn't monitor the Reply-To field).

Remember that this only prevents Carnivore from seeing your outgoing e-mail; it doesn't hide incoming e-mail from detection. If you want to hide that, you need to use something like an anonymous remailer (as described below).

5.2. E-mail Encryption

The easiest way to defend yourself against people eavesdropping on you is to "encrypt" your e-mail.

There are many encryption products available that will encrypt your e-mail. Any reputable one is strong enough to prevent law enforcement from decrypting your e-mail – when used properly. This is the key point to remember: the chief reason that law enforcement is able to decrypt a suspect's data is that the software wasn't used correctly (weak passphrases, keys left unprotected on disk, plaintext drafts and copies lying around). Unless you are willing to learn how to use the products correctly and pay attention to the encryption process, it is unlikely that you can use encryption successfully to defend yourself.

Even if you use encryption properly, there are still methods that law enforcement can use to defeat it. The easiest is to force the suspect to reveal his or her keys. The United Kingdom's Regulation of Investigatory Powers Act gives the authorities the power to demand that a person hand over encryption keys or decrypt the data. Even in the United States, citizens must reveal their keys when required by a court order. (I.e. in some countries you must reveal your keys to the police, in others to the court.)

In the Scarfo case, the FBI secretly entered the office of Nicodemo Scarfo (a suspected Mafioso) and installed a "key logger" that recorded every keystroke he typed. This captured his PGP passphrase, which then enabled them to decrypt an encrypted file on his machine. Encryption protects data on the wire; it does nothing against an adversary who already controls the endpoint.

5.3. Anonymous Remailers

A popular tool among "cypherpunks" is a system known as an "anonymous remailer". This is a system that forwards e-mail in such a way as to make it untraceable by law enforcement.

The most effective remailers use encryption. An e-mail message will be encrypted multiple times. It is sent to the first remailer, which decrypts the message once in order to discover the name of the next remailer along its path. The remainder of the message is still encrypted so that only the next hop can decrypt it.

The e-mail travels from hop to hop until it reaches its destination, where the final recipient removes the last layer of encryption to recover the original message.

This process defeats not only full-content wiretaps but also pen-register style wiretaps. A Carnivore system located near the sender can only discover that the suspect is sending e-mail to a remailer, but cannot discover who the destination is. Likewise, a Carnivore wiretap located at the recipient can only discover that a message was received from a remailer, but not who originally sent the e-mail. The caveat is that this holds only as long as the remailers themselves are honest and not all watched at once: an observer who can see both ends of the chain can still correlate messages by their timing and size, which is why serious remailers batch, delay, and reorder the traffic they forward.
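An added example in Python of the layered ("onion") encryption this section describes. It is not the code of any real remailer: real remailers use public-key encryption, so the sender needs no shared secret with each hop, whereas this toy stands in a keyed SHA-256 keystream (unauthenticated, illustration only) for each remailer's key. Remailer names, keys, sender and recipient are all constructed. What it shows is the property the text claims: each hop, and a tap sitting next to it, learns only who handed it the message and where it goes next, never both the original sender and the final recipient.

```python
import hashlib
import os

# Constructed stand-in keys, one per remailer.  A real remailer publishes a
# public key; here a shared secret with a toy keystream plays that role.
KEYS = {
    "remailer-1": b"constructed-key-1",
    "remailer-2": b"constructed-key-2",
    "remailer-3": b"constructed-key-3",
}
NONCE_LEN = 16


def _xor_keystream(key, nonce, data):
    """Toy stream cipher: XOR data with SHA-256(key || nonce || counter) blocks.
    No authentication; it is here only to make layers opaque to the wrong hop."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def wrap(key, plaintext):
    nonce = os.urandom(NONCE_LEN)
    return nonce + _xor_keystream(key, nonce, plaintext)


def unwrap(key, blob):
    return _xor_keystream(key, blob[:NONCE_LEN], blob[NONCE_LEN:])


def build_onion(path, recipient, message, keys=KEYS):
    """Encrypt once per hop, innermost layer first.  Each layer's first line
    tells that hop only what to do next: forward to a remailer, or deliver."""
    layer = wrap(keys[path[-1]], b"DELIVER " + recipient.encode() + b"\n" + message)
    for i in range(len(path) - 2, -1, -1):
        layer = wrap(keys[path[i]], b"FORWARD " + path[i + 1].encode() + b"\n" + layer)
    return path[0], layer            # the sender hands `layer` to path[0]


def relay(hop, blob, keys=KEYS):
    """What one remailer does: peel its own layer and read its instruction line."""
    inner = unwrap(keys[hop], blob)
    instruction, rest = inner.split(b"\n", 1)
    verb, target = instruction.decode().split(" ", 1)
    return verb, target, rest


def run_chain(sender, first_hop, blob, keys=KEYS):
    """Drive the message hop by hop.  The trace records everything each remailer
    (or a tap next to it) could learn: who handed it the message, where it sent it."""
    trace, prev, hop = [], sender, first_hop
    while True:
        verb, target, blob = relay(hop, blob, keys)
        trace.append({"hop": hop, "received_from": prev, "sent_to": target})
        if verb == "DELIVER":
            return target, blob, trace
        prev, hop = hop, target


if __name__ == "__main__":
    first, blob = build_onion(["remailer-1", "remailer-2", "remailer-3"],
                              "alice@example.com", b"meet at noon\n-- bob")
    print("tap near sender sees:", "bob@example.net ->", first)
    rcpt, msg, trace = run_chain("bob@example.net", first, blob)
    for step in trace:
        print(step)
    print("delivered to", rcpt, ":", msg)
```

Note that the first hop sees the sender but only "remailer-2" as the next address, while the last hop sees the recipient but only "remailer-2" as the previous one; the sender-to-recipient link exists in no single place on the path.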

5.4. Attack Carnivore

There are likely many weaknesses in Carnivore that can be attacked directly.

For example, if you suspect that the FBI might be monitoring your e-mail, you might configure your system to send out an unending stream of e-mail. This attack would be designed to fill up Carnivore's storage mechanism. There are a number of random content generators on the Internet that can craft e-mails that seem somewhat meaningful, but which really aren't. This would force FBI agents to examine each and every e-mail by hand in order to make sure it wasn't a real e-mail.

When Carnivore is using RADIUS or DHCP to track a person's IP address, there is a good chance the end-user can forge such packets and convince Carnivore to stop monitoring, or to monitor the wrong address.

5.5. Anonymizers

Remember that Carnivore can be used to monitor Internet traffic other than e-mail. Besides e-mail, one common use is to monitor web traffic: which websites you visit, as well as tracking which people might be accessing a particular website.

There are a number of companies that offer services to make your web surfing anonymous. They allow you to establish an SSL connection to their proxies, preventing anybody from monitoring which websites you are visiting (other than the fact that you are accessing the anonymization service). Likewise, if you are accessing a website being monitored by Carnivore, it can only detect that the inbound connection is coming from the anonymization service, but not who that person is.

One supplier of such services, Zero Knowledge Systems, discontinued their anonymization service in October 2001.

5.6. SSL

SSL provides encrypted communications that prevents sniffers from watching what you send to a server, or what the server sends in response. You probably use this protocol when conducting e-commerce transactions (such as buying something on the Internet with your credit-card).

SSL not only hides your credit-card from people sniffing the wire, but also hides the transactions from Carnivore. Law enforcement will be able to record (in pen-register style monitoring) that you are accessing the website, but will not be able to detect what you did on the website.

Note that SSL only works when the website supports it. More and more websites are beginning to support this protocol for generic surfing. The reason that many don't is because it requires an investment in expensive hardware to handle all the encryption.

Also note that SSL only protects you when you pay attention to the details. SSL authenticates the server: the server presents a certificate, and the browser verifies that it was issued by a trusted authority and that it matches the site's name. (Client certificates exist too, but ordinary web surfing does not use them, so this is not "mutual" authentication.) If the check fails, the browser provides a warning. Many users don't pay attention to the warnings. This means that somebody could set up a server in the middle that reroutes your traffic through it, presenting its own certificate. This would allow somebody like the FBI to decrypt your traffic, record it, then re-encrypt it toward the real site. Therefore, you must pay attention to SSL warnings that indicate this sort of thing is going on.

5.7. Choose a better ISP (e.g. Earthlink)

The ISP "Earthlink" has a long track record of refusing Carnivore. They sued the FBI over this issue. In the wake of the September 11, 2001 terrorist attacks, the FBI widely deployed Carnivore. The ISP "AOL" submitted to Carnivore deployments, but "Earthlink" refused and carried out the court orders itself. (AOL is the largest consumer ISP, Earthlink is second or third). This means that if you are concerned about privacy, then you should consider an ISP such as Earthlink (or others that have a published Carnivore policy). This doesn't stop the fulfillment of the court order, but it does prevent the FBI from overstepping their privilege.

6. What was the RFP of August 24, 2000?

On August 24, 2000, the FBI issued a "Request For Proposal" for "experts" to come in to evaluate Carnivore. Many experts have shied away from this because of the handcuffs placed on them, feeling that the FBI is just looking for a rubber stamp to alleviate the public's fears rather than submitting their system to a full review.

"Questions that have been raised include concern that the FBI's temporary use of the Carnivore system could interfere with the proper functioning of an ISP's network; concern that the system might, when used properly, provide investigators with more information than is authorized by a given court order; and concern that even if the system functions appropriately when properly used, its capabilities give rise to a risk of misuse, leading to improper invasions of privacy."

What this means is that:

Some academics refuse to participate. They believe that the FBI is simply trying to allay the public's fears without addressing the real concerns. The RFP places strict limitations on how the product is to be evaluated, and gives the FBI full control over what the evaluator is allowed to publish as results. Therefore, the FBI can certainly create a "technical evaluation" that gives Carnivore a clean bill of health while still failing to address any of the major concerns.

7. How does Carnivore relate to…?

People often compare Carnivore to other things. This sections lists some of the more common questions.

7.1. How does Carnivore compare to Britain's Regulation of Investigatory Powers (RIP) Act?

RIP will mandate black-boxes permanently located at all ISPs, unlike Carnivore, where boxes have to be brought on site for each investigation and removed when the investigation is done.

Like Carnivore, a warrant is needed, although under RIP the interception warrant is issued by the Home Secretary rather than by a court.

7.2. How does Carnivore compare to Russia's SORM?

SORM requires ISPs to forward all traffic to the FSB (formerly the KGB).

The FSB does not need a warrant and can use the information for whatever reason it wants. They also are outlawing encryption (unless key recovery is used).

(SORM is a Russian acronym for System for Operative Investigative Activities.)

7.3. How does Carnivore compare to Japan's laws?

The law, passed August 13 of 1999, allows law enforcement to wiretap telephone, fax, and Internet communications. It is modeled on the United States' 1994 CALEA law, though it specifically singles out crimes involving drugs, guns, illegal immigration, and murders committed by groups (i.e. organized crime and cults).

There is a Japanese law that requires all ISPs to make available pen-register style log of all Internet communications that their law enforcement can subpoena at any time.

In Japan, the police are not allowed to wiretap lawyers, doctors, and religious leaders (though cults do not count as religions – the wiretap laws are designed partially to deal with incidents like the sarin gas attacks by the Aum Shinrikyo cult).

Article 21 of the Constitution of Japan:
Freedom of assembly and association as well as speech, press and all other
forms of expression are guaranteed. 2) No censorship shall be maintained,
nor shall the secrecy of any means of communication be violated.

7.4. How does Carnivore compare to Echelon?

ECHELON is the name given to the global electronic surveillance system rumored to be run by the NSA (the United States "National Security Agency").

ECHELON sits somewhere between well-known information and wild paranoid speculation. On one hand, we know that the NSA's mission is electronic surveillance. On the other hand, we don't know how far the NSA's abilities extend.

The NSA is forbidden by law from surveillance within the United States. In theory, it is also not allowed to monitor the activities of U.S. citizens abroad.

However, it is also known that the NSA has extensive "exchange agreements" with intelligence organizations of other countries. For example, there is the well-known UKUSA agreement among the English speaking countries of Australia, New Zealand, the United Kingdom, and the United States. An example of this agreement is where the United Kingdom spies upon the United States, and then shares with the NSA some of the information it gathers. Therefore, even though the NSA is unable to spy on Americans, it still can get intelligence on Americans through this exchange agreement.

It is widely accepted that the NSA and the NRO (National Reconnaissance Office) operate surveillance satellites, including those for electronic surveillance as well as photographing the earth's surface. These satellites can monitor Earth-based microwave transceivers as well as cell-phone traffic.

The NSA likewise has numerous ground-based stations spread throughout the world. For example, the NSA operates a ground-based station in communist China for the purposes of monitoring Russian activities. (This information is shared with the Chinese, of course).

Undersea telephone cables have also been tapped. In one famous incident (Operation Ivy Bells), an American submarine attached wiretaps to a Soviet undersea cable in the Sea of Okhotsk during the Cold War.

The amount of information monitored by the NSA is huge. This is more information than human beings can process, so computers process it. It is widely accepted that the NSA uses a "keyword dictionary" for their monitoring. Massive supercomputers sift through the traffic looking for these keywords. Note that these dictionaries are updated almost daily according to world conditions.

Although roughly half the countries in the world still rely upon radio (microwave and satellite) links for long-distance and international calls, which the NSA can monitor easily, the major world powers have now moved to fiber optics. Not only are fiber optics difficult to tap, but the traffic levels are extremely high. In the year 2000, it was estimated that the amount of Internet traffic flowing through cables beneath the Atlantic was roughly 200 gigabits/second. While this is a few million times the speed of a 56k dialup connection, it is still within the range that the NSA could monitor. In the year 2000, the company Network ICE was selling Internet monitoring equipment where a single machine costing roughly $5000 running its software could monitor roughly 1 gigabit/second. At that rate, 200 such machines, about $1 million in hardware, would cover all cross-Atlantic traffic.

8. Obvious misconceptions

8.1. Does Carnivore contravene the First Amendment?

No.

I see frequent debates where people describe Carnivore's invasion of First Amendment rights. I assume this is because of confusion about the nature of the Bill of Rights. Since the First Amendment is the most frequently debated issue in the press, many people confuse the First Amendment with all ten amendments that make up the Bill of Rights.

Get it straight: Carnivore is a Fourth Amendment (search and seizure) issue, not a First Amendment (free speech) issue.

(Note: You could claim that monitoring of free speech is in essence an invasion of free speech, and therefore Carnivore is also a First Amendment issue. However, the Founding Fathers long ago debated that and it is still a Fourth Amendment issue).

8.2. Does Carnivore slow down e-mail?

No.

In the wake of the September 11, 2001 terrorist attacks, many people noticed that e-mail was a lot slower. Many suspected it was due to Carnivore.

It is true that Carnivore was used heavily during the investigations and widely deployed. However, remember that Carnivore is a passive "sniffer": it watches e-mail as it goes by, but it does not intervene. It cannot slow down e-mail.

The reason that e-mail seemed to slow down was the Nimda and SirCam worms. The SirCam worm had been clogging up e-mail systems leading up to September 11, and the Nimda worm exploded on September 18, causing dramatic slowdowns all across the Internet.

9. Glossary

FBI
Federal Bureau of Investigation, the national police force of the United States. The FBI does no "spying" like the CIA or NSA, but is instead only involved in criminal matters.

FOIA
Freedom of Information Act, the primary means by which the public can get information on Carnivore. FOIA allows any citizen to request government documents.

FTP
File Transfer Protocol, a popular method of transferring files on the Internet. The FBI can carry out the equivalent of a pen-register by sniffing just the control channel on port 21, which carries the commands and file names; the file contents travel on separate data connections.

ISP
Internet Service Provider, a private company that provides Internet services. When you dial-up the Internet, you go through your local ISP. Many people believe that the government runs the Internet. This is wrong. Since the government doesn't control the Internet, they cannot put Carnivore boxes everywhere. Instead, they must ask the ISP politely. Virtually all ISPs will refuse unless presented with a court-order.

pen-register
A less invasive wiretap that courts will allow without probable-cause. A pen-register records just the telephone numbers a suspect dials. In the context of Carnivore, "pen mode" also refers to trap-and-trace style Internet monitoring.

SMTP
Simple Mail Transfer Protocol. Virtually all e-mail on the Internet is transferred via SMTP. When you send e-mail, it goes from your machine to your local ISP via SMTP, and from there toward its destination again via SMTP. Tapping just the Internet traffic carrying SMTP allows Carnivore to sniff e-mails.

sniffer
An internet wiretap program. Sniffers are used widely as diagnostic tools in order to debug problems on the Internet. For example, if you notice that you cannot get to www.yahoo.com, then you can bet that engineers somewhere are putting sniffers on the wire in order to figure out what the problem is. Sniffers are also widely used to invade privacy, such as capturing e-mails, passwords, and files. The technology behind Carnivore is

tcpdump
A popular sniffer program used by computer geeks. It is described in section 4.2.

trap-and-trace
A less invasive wiretap that courts will allow without probable-cause. A trap-and-trace records just the telephone numbers of inbound calls to a suspect (the mirror image of a pen-register, which records the numbers the suspect dials).

10. Where can I learn more

FBI's Carnivore page
http://www.fbi.gov/programs/carnivore/carnivore.htm
This page is light on details and heavy on misdirection (such as the insistence on calling it a "diagnostic tool" rather than a "wiretap").

EFF: Electronic Frontier Foundation
http://www.eff.org
Tagline: "Protecting Rights and Promoting Freedom in the Electronic Frontier". The EFF has been on the front lines of the Carnivore debate publishing documents obtained by FOIA.

EPIC: Electronic Privacy Information Center
http://www.epic.org

Hacking Dictionary
http://www.robertgraham.com/pubs/hacking-dict.html
This page is a glossary of terms, many of which have relevance to Carnivore, wiretapping, and other privacy issues.

Dsniff
http://www.monkey.org/~dugsong/dsniff/
Sniffing/wiretap utilities used by hackers that are significantly more advanced than Carnivore.