BUILD a Packet Capture Appliance for $200! Raspberry Pi

Captions
Packet people, what's going on? So I wanted to show you something that I've been working on here in my home office, and that's building a do-it-yourself packet capture appliance. Now on the channel we talk quite a bit about how important it is to capture traffic. The problem is, though, if we're looking around the industry, we can see some very expensive purpose-built hardware. So the question that's come in from quite a few of you is: how can I do this from my home office or a small office, and is a purpose-built appliance really worth that money? Well, the short answer: for most home environments, what I'm going to show you is good enough. It's not until you get up into the multi-gig, 10 gig, 40, 100 gig environments where you need to think about some purpose-built hardware. But here in this video I'm going to show you how I was able to take a Raspberry Pi with just four gigs of RAM and a Samsung hard drive and build my own packet capture appliance, everything said and done, for under 250 bucks. So first, the Raspberry Pi, and as you can see this one has a case that I purchased for it. Here's the box that it came in, so just a regular Raspberry Pi computer. You could just as easily do this with a Raspberry Pi 3.

I have friends that have. It doesn't take a huge amount of resource. The thing about it, though, is a lot of times these have these micro SDs on here, which they might have the capacity, sometimes you can get like 128 gigs, even more, with those micro SDs, but the problem is that writing to them frequently can burn them out. So that's why you might think about getting a USB hard drive, and that's what this is. This is a Samsung T7; I think I got it on Amazon for about 75 bucks. By the way, all this is in the links down below, you can see all the stuff that I purchased to make this happen. But the nice thing about this type of hard drive is that it gives you capacity for longer captures, so 500 gigabytes will get me quite a bit of time, but also I don't have to worry about burning out the little micro SD on the Raspberry Pi. Now that's the actual appliance, these two devices, but then how do I get this into a position where it can capture traffic on my network? Well, there's one more component you've got to think about, and that is having a switch that can do spanning. Okay, so that means that I can take a port, everything to and from that port, and copy it over to a mirror port. Now this is a Netgear Plus switch, ProSAFE GS105E. It's not going to cost you too much. So first let me show you how you can connect all of this, and then you can begin getting that capture ready on your Raspberry Pi.

Okay, so I got that all connected back up again. So basically what it is is I have my pfSense coming from... that's just basically the router that I have doing all my heavy lifting, and then I connected that into the switch on port one, and then from there I went to my eero devices, which are managing all of my Wi-Fi. So now that switch is a key location where I can take my Raspberry Pi capture box and connect it into that management port, so I can see all of the traffic coming and going. Now that's an important location to capture from, so I can do a rolling buffer, I can do basically a stream-to-disk capture of all the traffic coming and going, so I can do analysis for performance or security. But that's also a good location for the Raspberry Pi to be, because I can also configure it to be an IDS, to do some other watchdogging on that network traffic.

Now there's something else that you want to remember if you set up your network this way. I figure I'll just go ahead and draw this out for you. So if you have your ISP, here's your cloud, and we're coming off the ISP, we're going to the router that they give us, that modem/router that does our DNS, our DHCP, all that stuff. So if we have this coming in and we're capturing there, right, so this is the interface, we're just kicking that out to our little capture appliance. Okay, so make sure, though, if you do connect to that, your devices that are doing your Wi-Fi or just connecting everything else, you want to make sure that that wireless device is just providing access point. Make sure that it's not another router that is then NATting everybody behind it, and the reason is because all you're going to see on that point of capture is just one client doing all the traffic. You won't be able to break it out and see the individual devices and what they're up to on your network. Okay, so I have my devices set up just as APs, not as routers that are NATting that traffic.

So now let's take a look at how I configured that Raspberry Pi to begin capture. So there's quite a few steps here, and just to keep this video short, I'm trying to not let this go on for an hour, but basically I first got the Raspberry Pi and I got that micro SD and I went and did a headless install, meaning I didn't have an external monitor or a keyboard. What I did is I was able to download the Raspberry Pi OS and configure it using the Raspberry Pi Imager. For here I'll just link another video in the description down below of how to set this up. Basically you can use your options to be able to enable SSH ahead of time and set it up so that once you pull out that card and you put it into your Raspberry Pi, boot up your Pi, you can go ahead and SSH into the Wi-Fi interface. Now I found the IP address for my Wi-Fi interface off of my router itself; I was able to see what address it got. Or you could use nmap to find it as well. But then once you have that IP, then you can SSH into the Pi. But to just keep things visual for you, I'm going to go ahead and VNC into the Raspberry Pi; makes it a little bit easier to demonstrate.

So here I can see I've got my Pi set up. I've got the ethernet interface connected into that switch, and I've got that disk connected, that T7 Samsung disk. Now I didn't have to do any kind of special formatting for it; I just plugged it in and it showed up here and I was good to go. Now to access that disk, if I just come into my file folder structure under home/pi, and if I come down to... in fact it's not home, it's actually media/pi/T7 and then pcap. So this is going to be actually where I store all the pcaps that I'm going to be capturing in a ring buffer scenario. So how do I actually get that set up? So let me actually just open up a prompt here, and I'm just going to come into my terminal.

Okay, so let's actually see how I did that. So first let me just double check, so whoami, and I am pi. So the first thing I'm going to do is just do sudo apt update, okay, make sure that I'm good to go there, and next let's just do sudo apt install wireshark. All right, now this is just going to walk me through the install process. Now there's a few different things that you've got to make sure that you configure here. It's going to ask you, do you want non-default users to be able to capture? I went ahead and I said no, I don't. Um, that's just going to be a security consideration, so you might want to think about that. And then moving through the other standard things. So really what I was after here is I'm installing Wireshark, but there's also several other command line tools that get installed along with Wireshark. All right, so I want to be able to use Wireshark on the Pi, but also just to be able to capture and just dump information to this hard drive.

Okay, so the next thing that I'm doing, I'm just going to navigate to that media folder. So this is what I want to do. Now this is where we want to pay a little bit closer attention. All right, so I'm just going to use the dumpcap utility. All right, so I'm just going to say dumpcap. Now what I want to do is I just want to say dumpcap -D, and what that does is it's going to show me all the interfaces that are available on the Pi. Now I have two interfaces that are available: one is my eth0 and one is the wlan0. Okay, so I'm using the wlan0 as my management interface; that's how I'm interacting with the Pi. All right, so the eth0 is going to be the one that actually captures those packets. Okay, so that's going to be the one that I want to activate. So I'm just going to do dumpcap -D, and then, I'm sorry, -i, and then I'm going to say 1 because I want to capture off eth0, and then I want to just write, and I'll write this all right here, I'm just going to say ring.pcapng. Now I'm going to use the -b switch to configure the ring buffer capabilities of Wireshark. So I'm just going to say files: and I'm just going to say 100, and then filesize: 5000.

Okay, that, this is going to save 100 500 meg files. All right, so 500 megs is about the size that I like to work with when I'm chewing through stuff, and especially on my home network or on a small office, you're not going to burn through 500 meg files too quickly unless you're doing a lot of streaming video and you have a ton of traffic. So you've got to think about how big do you want those files to be and how many of them do you want to store. All right, so let's just start with this, and let me just double check here. I'm actually missing a switch here, I'm missing -b; it's going to complain. So if I hit enter, all right, so now I have a file that's started, and it's going to be recording packets to that file. Once that file fills to 500 megs, it's going to go ahead and create the next one, and the next one, then the next one, then the next one, all the way through 100 files, and then it'll go back and overwrite this very first one. Now this is a trick that I use quite a bit when I'm capturing intermittent problems or if I want to write data to disk for an extended period of time. Now here I've got a 500 gig drive, so that's going to give me quite a bit of time on my home network, so that's something that I can factor in when I'm creating those file sizes and also the number that I'm storing.

Okay, now from here there's a bunch more that we can do. Again, I want to keep this video short, but this is where we can start to rip through some of this data using other tools like Suricata, like Brim, even setting up the Pi as an IDS. So stay tuned to the channel here, because I'm going to be showing you a few more things that I'm going to do with my little packet capture appliance as I build out its capabilities. All right, so to set up your own custom-built appliance for packet capture, you don't need heavy-lifting hardware that's going to do that for you, the really expensive stuff. There is a time and place for that; if you're capturing a data center or in a high-throughput environment, 100% you want to think about getting some good hardware. But for your home office, you can do it with a Raspberry Pi and a hard drive. Hopefully you enjoyed this video and you see how you can do this for just about 250 bucks. Now how do you read this traffic once you've captured it? I know you're asking that question, so go ahead and click here and we'll dig a little deeper into how to read large pcaps.
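The dumpcap ring buffer step described in the video, as an added example that is not the video's own commands: a small POSIX shell helper that builds the dumpcap command line, converts the wanted file size into the kB unit that dumpcap's `-b filesize:` option actually takes, sizes the ring against the capture disk, and refuses to capture on the interface used to manage the Pi. The interface names, the `/media/pi/T7/pcap` path, the headroom percentage and the traffic-rate figures are assumptions.

```shell
# Added example, not from the video. Sizes a dumpcap ring buffer for a
# Raspberry Pi capture box. All numbers and names below are assumptions.

# Number of ring files that fit on the disk while keeping headroom_pct free
# (the OS and other files on the USB drive need room too).
ring_files_for_disk() {        # disk_mb filesize_mb headroom_pct
    usable=$(( $1 * (100 - $3) / 100 ))
    echo $(( usable / $2 ))
}

# Minutes of traffic the whole ring holds at a given average rate (Mbit/s),
# i.e. how far back you can look before the oldest file is overwritten.
ring_retention_minutes() {     # num_files filesize_mb avg_mbps
    total_mb=$(( $1 * $2 ))
    # MB -> Mbit (*8), Mbit / (Mbit/s) = seconds, seconds / 60 = minutes
    echo $(( total_mb * 8 / $3 / 60 ))
}

# Print the dumpcap command. dumpcap's filesize unit is kB, not MB, so
# 500 MB files need "filesize:500000"; "filesize:500" would roll over
# every 500 kB and churn through the ring in seconds.
ring_capture_cmd() {           # iface outdir filesize_mb num_files
    kb=$(( $3 * 1000 ))
    printf 'dumpcap -i %s -w %s/ring.pcapng -b files:%s -b filesize:%s\n' \
        "$1" "$2" "$4" "$kb"
}

# Capture must not run on the management interface (wlan0 in the video):
# your own SSH/VNC traffic would pollute the capture and add write load.
check_capture_iface() {        # capture_iface mgmt_iface
    [ "$1" != "$2" ]
}

# Example run with assumed values: 500 GB T7, 500 MB files, 10% headroom.
if check_capture_iface eth0 wlan0; then
    echo "max files on disk: $(ring_files_for_disk 500000 500 10)"
    echo "100 files cover ~$(ring_retention_minutes 100 500 10) min at 10 Mbit/s"
    ring_capture_cmd eth0 /media/pi/T7/pcap 500 100
fi
```

Run the printed dumpcap line from the pcap directory on the Pi (the interface can be given by name instead of the index from `dumpcap -D`).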
Info
Channel: Chris Greer
Views: 11,856
Keywords: intro to wireshark, wireshark, how to use wireshark, tcp/ip analysis, introduction to wireshark, chris greer, wireshark course, free wireshark training, free wireshark course, getting started with wireshark, wireshark for beginners, network troubleshooting, wireshark tutorial, wireshark training, wireshark tips, tcp/ip, tcp vs udp, network+ tcp, tcp, packet capture device, packet capture, ring buffer, tshark, dumpcap
Id: eGm_jSXkzXI
Length: 10min 16sec (616 seconds)
Published: Fri Sep 23 2022