User Tools

Site Tools

This documentation applies only Turris OS 3.x that is no longer present in newly sold routers. The new documentation is located at

About data collection

Data collection on Turris Omnia is 100% voluntary and has to be enabled by the user in the Foris user interface. You can read more about how to do that here. We are very grateful for any participation from your side because analyzing your data helps us improve overall security and also provide you, the user, with information about your router’s traffic. Users, who participate in the Turris project, and have the older versions of Turris, agree to data collection in the first three years of participation, after which the router is transferred into their property and participation in data collection becomes 100% voluntary as well.

To find out about the legal aspects, see data collection EULA and our automatic updates EULA.

What kind of data do we collect?

A couple of different programs collect data and send it to the server. They are primarily: Nikola and Ucollect, which encompasses several parts (plugins) each of which has a different function.


Ucollect watches packets on the interface open to the Internet (WAN), looks at details in their headers (for example protocol type or IP address). Only information in the headers is examined, not the data itself, however, some collected data contains the user’s IP address. The specific functions of the individual Ucollect plugins are described below.

Basic statistics

These statistics are collected via the count plugin, which is described below in more detail. In simple terms, the packets are sorted into categories (for example all packets, incoming, TCP, …) and once in a while the packet count of the individual categories and their size is sent to the server.

These statistics help to gather basic information about Internet use, for example how widespread IPv6 is in general or the ratio download : upload. Data is aggregated in groups of routers (it cannot be traced back, which specific router the data comes from) every day and the original unaggregated data is deleted once in 10 days.

PCAP statistics

The PCAP interface, which looks at packets that come through the network card, provides statistics on how many packets were available to the application and how many were discarded. These statistics are sent to the server and are used to check Ucollect‘s activity.

The data is deleted after 10 days.


Nikola analyzes logs from firewall (IPTables) and it also sends records about the packets, which were caught in firewall. These are usually attempts from the outside to connect to nonexistent services, for example, password-break attacks on SSH or port scanning.

This data is aggregated in groups of routers (so that it cannot be traced back, which specific router the data comes from) every day and the original unaggregated data is deleted once in 10 days.

Ucollect plugins

The following plugins collect and analyze network data. What you see here is only meant as an overview of the functions these plugins have and the kind of data that is collected through them. If you are interested in the full details, see relevant code documentation. This data is used to improve security and uncover potential threats and provide you, the user, with information about your router’s traffic.


This plugin is used to measure bandwidth (also called the speed of data transfer or „connection speed“) of the network connection by counting bytes per second. It is important to note this is a “passive” measurement - this means we count how many bytes actually flowed through the network, not the full potential. This data is mainly used to create graphs for users so that you can check how much data flowed through your network.


This is a very simple plugin with the function of counting the number and size of individual packets in order to generate basic statistics. The plugin also counts groups of packets based on various properties such as protocol version (IPv4/IPv6), direction of travel (In/Out of the local network), protocol suite (TCP/UDP/IMCP) and a few other flags.


This plugin gathers network flows and reports them to the server. Tracking flow is similar to tracking connection: we group packets with the same addresses and ports together, count how much goes in each direction and send these items to the server in intervals depending on amount of time and traffic. However, it is important to add that we don’t sort all the data, just a selection of data - mainly protocols, which are in some way interesting and remote IP addresses, which pose a potential threat. This data together with the data from refused helps to uncover potentially infected computers in your network and in the event of an attack help to uncover what happened.


This plugin does not send us anything, we, however, send it data in that we update the lists of blocked IP addresses. It is an addition to the Turris firewall package, which contains the basic blacklists and performs the actual blocking. This way the IP addresses can be added and removed from the blacklist much faster – within minutes instead of hours.


The purpose of this plugin is to track refused outbound connection. Whenever a connection is attempted from inside the network and it fails for whatever reason, it is stored. Sometimes (either when too many connections are stored or when a timeout is reached), the stored connections are sent to the server. The purpose of this is to detect malware that tries to connect to a bunch of masters on startup.


The goal of this plugin is to run tasks that gather some information and send the information back to the server, when the server requests it (it pings remote servers). The purpose here is to see how accessible various parts of the Internet are. In addition, the plugin also examines the servers’ SSL certificates, which helps to uncover forged certificates and detects NAT.


The goal of this plugin is to check if Internet service providers properly block packets with spoofed addresses (addresses not in their ranges). Upon request, the plugin sends two packets to the server: one is with the correct source address, the other is spoofed. The server compares them to see if the spoofed addresses get blocked correctly. You can read about what spoofing is and why it can be dangerous here.