My Network Sniffer

[Xtrato]

I have setup a network sniffer that i can use to capture packets between two networking devices. I made a YouTube video in which i explain how it works and below you will find both the shell script and python script i used to setup the bridge and dump the packets respectively.

The raspberry pi is placed in the middle and any data traveling between each device is captured by it. A second USB to Ethernet adapter is used to provide the second interface. The adapter i used is a USB to Fast Ethernet 10100 Mbps Network LAN Adapter Vista Linux 27723.

When the Raspberry pi starts it loads two scripts. The first is this shell script below:

Code: Select all

ifconfig eth0 0.0.0.0
ifconfig eth1 0.0.0.0
brctl addbr bridge0
brctl addif bridge0 eth0
brctl addif bridge0 eth1
ifconfig bridge0 up

This script removed the IP address from eth0 and eth1. It then creates a bridge called bridge0. Adds the interfaces to bridge0 and starts the bridge.

The second script that starts after the one above is this python script.

Code: Select all

import subprocess
#from dbupload import upload_file #Used for Dropbox uploading
from datetime import datetime # Used the genreate the filename
count = 0 #Counts the number of files that have been dumped
while True:
    count = count + 1
    fileName = str(datetime.now().day) + "-" + str(datetime.now().month) + "-" + str(datetime.now().year) + " AT " + str(datetime.now().hour) + "-" + str(datetime.now().minute)
    tcpDumpProcess = subprocess.Popen(["tcpdump", "-Z", "root", "-w", fileName, "-i", "bridge0", "-G", "60", "-W", "1"]) #Sets up the TCPDump command
    tcpDumpProcess.communicate() #Runs the TCPDump command
    print "Currently dumping file number " + str(count) + "."
    #upload_file(fileName,"/",fileName, "YOUR_EMAIL","YOUR_PASSWORD") #Uploads the dump file to dropbox
    #print "File uploaded Successfully"

This can obviously be done without using python and running the TCPDump command from command line. My intention was to integrate Dropbox uploading to the process but failed due to the inability to gain an internet connection from the raspberry pi when configured with a software bridge.

With both these files saves onto the raspberry pi and executed from the rc.local file at startup it will allow the raspberry pi to automatically capture network traffic between two devices.

[SirLagz]

Good work!
I had a plan similar to this, but instead of using 2 NICs, I was thinking about putting the Pi into the same box as this and then use the Pi to capture all the packets that go between 2 of the ports.
Do you think that would work ?

[Xtrato]

Sorry I don't quite understand what you mean. The only way I could think of capturing packets on route to their destination is to have two Ethernet interfaces used to retrieve and transmit.

[SirLagz]

The passive ethernet hub would transmit packets destined for one computer onto both ports.
With the Pi's NIC in promiscuous mode, it would receive packets destined for another computer with the passive ethernet hub.
When the computer replies, it would send packets destined for the original source, but as the hub is passing packets to the Pi, the Pi would also get those packets as well !
A passive network sniffer in a way.

[gridrun]

Most smart/managed switches (such as this one: http://www.amazon.com/NETGEAR-ProSafe-G ... B0000BVYT3) offer a feature called 'port mirroring'.

This sets a certain port on the switch to 'mirror' the traffic between two or more different ports on that switch. You'd connect your network tap there.

[rurwin]

When I need to do packet sniffing I just put an old 10Mbps Ethernet hub in the network. Those mirror all the data to all their ports. When 100Mbps came on the scene, such devices became switches and only the ports involved in the traffic see the traffic. Of course it slows the network down, but generally that is not a problem. It's also a lot cheaper than any switch intelligent enough to do port mirroring.

[SirLagz]

When I need to do packet sniffing I just put an old 10Mbps Ethernet hub in the network. Those mirror all the data to all their ports. When 100Mbps came on the scene, such devices became switches and only the ports involved in the traffic see the traffic. Of course it slows the network down, but generally that is not a problem. It's also a lot cheaper than any switch intelligent enough to do port mirroring.

That's exactly what that passive ethernet hub that I linked does Except it's a lot cheaper and easier to find than an old ethernet hub haha

[gridrun]

It's also a lot cheaper than any switch intelligent enough to do port mirroring.

Hey, the little netgear I linked is actually dirt cheap :p

But really, you can turn most any "dumb" switch into a hub, you just have to flood it with spoofed ARP replies. As soon as it's tables fill up (usually there's room for 4096 MAC addresses), almost all of them will fall back into broadcast mode.

See http://www.irongeek.com/i.php?page=back ... -man/macof

The advantage of using a mirror port (or even a professional network tap) is of course that the monitoring system can't influence the monitored line as traffic is only delivered to the mirror/tap port, and never received from. As such, it is also practically impossible to obtain information on or even detect the presence of the monitoring system.

Another argument for mirror ports and network taps is that it can be done with gigabit Ethernet, 10G and even 40G. Although this doesn't really matter with the Pi

[mdoldan]

I'd just like to warn anyone that thinks placing a hub or un-managed switch between a network connection about the pitfalls and potential problems you may introduce.

You need to consider tagged traffic such as CoS, QoS, VoIP, and Video prioritization.
Hubs and un-managed switches can strip off these tags and therefore have a detrimental affect on your network.
It is best to understand in detail the traffic being passed across the connection from a layer 2, 3, and 4 perspective before introducing such a device.

The port mirroring capability of most enterprise managed switches provide an effective and unobtrusive way of collecting and analyzing traffic data without impacting the traffic flow.