Nerq
Posts: 2
Joined: Wed Feb 03, 2016 5:12 pm

Running all network traffic through Pi 2 Model B

Wed Feb 03, 2016 5:20 pm

Hello everyone,

I have a question that might be straightforward, but I have been unable to Google the answer. Basically I want to run all traffic on my network through a Raspberry Pi and log the traffic (I am working on some network traffic visualisation), so it is basically running the cable from my modem into the ethernet port on my Raspberry and then plugging in a usb to ethernet adapter that runs into my WiFi-router.

Modem -> Raspberry Pi -> WiFi Router

A lot of the tutorials that I have found are focused around making the Raspberry a WiFi router, this is not my goal. I am hoping that this solution can be somewhat generic, so I can take the setup and connect to different network, and visualise whatever data is passing through that. I hope that my question makes sense, and that someone can help me out :-) Please let me know if you have some other questions.

fruitoftheloom
Posts: 23337
Joined: Tue Mar 25, 2014 12:40 pm
Location: Delightful Dorset

Re: Running all network traffic through Pi 2 Model B

Wed Feb 03, 2016 5:46 pm

Nerq wrote: Hello everyone,

I have a question that might be straightforward, but I have been unable to Google the answer. Basically I want to run all traffic on my network through a Raspberry Pi and log the traffic (I am working on some network traffic visualisation), so it is basically running the cable from my modem into the ethernet port on my Raspberry and then plugging in a usb to ethernet adapter that runs into my WiFi-router.

Modem -> Raspberry Pi -> WiFi Router

A lot of the tutorials that I have found are focused around making the Raspberry a WiFi router, this is not my goal. I am hoping that this solution can be somewhat generic, so I can take the setup and connect to different network, and visualise whatever data is passing through that. I hope that my question makes sense, and that someone can help me out :-) Please let me know if you have some other questions.
https://wiki.debian.org/BridgeNetworkConnections

iptraf is in repository - IPTraf is an ncurses-based IP LAN monitor that generates various network statistics including TCP info, UDP counts, ICMP and OSPF information, Ethernet load info, node stats, IP checksum errors, and others.
Rather than negativity think outside the box!
RPi 4B 4GB (SSD Boot)..
Asus ChromeBox 3 Celeron is my other computer...

Nerq
Posts: 2
Joined: Wed Feb 03, 2016 5:12 pm

Re: Running all network traffic through Pi 2 Model B

Wed Feb 03, 2016 7:07 pm

Wow, fast reply.

And it works! Thanks a lot.

Next step is to figure out what websites are being visited. If anyone has any suggestions, feel free to let me know.

n3tm4n
Posts: 29
Joined: Tue Jun 10, 2014 11:34 am
Location: East Midlands, UK
Contact: Website

Re: Running all network traffic through Pi 2 Model B

Thu Feb 04, 2016 12:53 pm

A quick and very dirty way using tcpdump would be to have a look at what domain names are being resolved. You wouldn't actually be looking at the traffic itself, but it would give you an indication as to the websites being hit via their names. This wouldn't catch those using IP addresses directly in the URL, for example. Nor would it differentiate between web / email / any other protocol; it's just pulling out the DNS resolution requests.

I guess it depends on how granular you want to be.

tcpdump -i eth0 src net 172.16.1.0/24 and udp and port 53 -a -n -p -t -l | cut -d '?' -f 2
Change the src net (source network address) as required, the rest of the options are outlined below:

-i listen on eth0
-a output human readable ascii
-n don't resolve names
-p don't put interface into promiscuous mode
-t don't print timestamps
-l make output line buffered so you can pipe it to a file or other command

That gives you output as shown below:

IP 172.16.1.9.54746 > 10.1.1.8.53: 17841+ A? www.cisco.com. (31)
IP 172.16.1.9.62396 > 10.1.1.8.53: 35508+ A? socialmedia.cisco.com. (39)
IP 172.16.1.9.59799 > 10.1.1.8.53: 6911+ A? ma281-r.analytics.edgesuite.net. (49)
IP 172.16.1.9.54947 > 10.1.1.8.53: 10254+ A? services.plymedia.com. (39)
IP 172.16.1.9.60948 > 10.1.1.8.53: 35254+ A? ciscosystemsinc.tt.omtrdc.net. (47)
adding the

| cut -d '?' -f 2
Just cuts it down to

 www.cisco.com. (31)
 socialmedia.cisco.com. (39)
 ma281-r.analytics.edgesuite.net. (49)
 services.plymedia.com. (39)
 ciscosystemsinc.tt.omtrdc.net. (47)
I'm no expert so I am sure there are more tidy ways of achieving this; as I said, it's dirty.

You can look to have it running in the background perhaps tee'ing it to a file, then just tail the file when you want to have a look.

tcpdump can be installed using apt-get from the standard repositories. Driftnet is another interesting tool to watch packets by, but probably a tool for a different discussion as it pulls images from passing traffic and shows them in a GUI. It isn't foolproof by any stretch, but does show people some of the possibilities when it comes to network sniffing. :)

HTH Jon.
http://0x25.blogspot.co.uk/
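An added example (mine, not Jon's command or anything from the thread) that turns the tcpdump lines in the format shown above into a per-client tally of queried names, skipping DNS responses and reverse lookups so the visualisation only sees forward queries. The sample lines are constructed to match that format; the response line uses a documentation address, not a real resolver answer.

```python
import re
import sys
from collections import Counter, defaultdict

# Constructed sample in the layout tcpdump -n -t prints (see the thread above).
# Line 4 is a DNS *response* (no "TYPE?"), line 5 is a reverse (PTR) lookup.
SAMPLE_LINES = [
    "IP 172.16.1.9.54746 > 10.1.1.8.53: 17841+ A? www.cisco.com. (31)",
    "IP 172.16.1.9.62396 > 10.1.1.8.53: 35508+ A? socialmedia.cisco.com. (39)",
    "IP 172.16.1.12.40001 > 10.1.1.8.53: 4242+ AAAA? www.cisco.com. (31)",
    "IP 10.1.1.8.53 > 172.16.1.9.54746: 17841 1/0/0 A 192.0.2.10 (47)",
    "IP 172.16.1.9.59799 > 10.1.1.8.53: 6911+ PTR? 8.1.1.10.in-addr.arpa. (43)",
]

# Query lines: "IP <src>.<sport> > <dst>.53: <id>[+%$] <TYPE>? <name>. (<len>)"
QUERY_RE = re.compile(
    r"^IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.53: \d+[+%$]* "
    r"(?P<qtype>[A-Z0-9]+)\? (?P<name>\S+) \(\d+\)$"
)


def parse_dns_query(line):
    """Return (client_ip, qtype, name) for a DNS query line, else None.
    Responses and anything not aimed at port 53 do not match and are dropped,
    which is what the post's "cut -d '?'" trick relies on implicitly."""
    m = QUERY_RE.match(line.strip())
    if not m:
        return None
    name = m.group("name").rstrip(".").lower()
    return m.group("src"), m.group("qtype"), name


def summarize(lines, skip_reverse=True):
    """Aggregate queried names per client: {client_ip: Counter({name: hits})}.
    Note the caveat from the post still applies: this only shows names that were
    resolved, so hosts reached by raw IP (or via a cached answer) never appear."""
    per_client = defaultdict(Counter)
    for line in lines:
        parsed = parse_dns_query(line)
        if parsed is None:
            continue
        client, _qtype, name = parsed
        if skip_reverse and name.endswith(".in-addr.arpa"):
            continue
        per_client[client][name] += 1
    return per_client


if __name__ == "__main__":
    # Pipe "tcpdump ... -n -t -l" into this script, or run it to see the sample.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LINES
    for client, names in summarize(source).items():
        print(client, dict(names))
```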
