Bruhhhhh, Im relearning my packet skills and I was trying to find you last night. Said screw it went to bed, "ill google it tomorrow". And who tf shows up on my home feed. Thank you for all the knowledge Chris.
I had been kicking around the idea of how to do this with a pi, but didn't know if it would be possible essentially because the issue that you resolved with the netgear switch. I'll have to pick one up and give this a try. Thanks for putting your time into content like this. It is greatly appreciated.
That Netgear switch looks nice and portable. My favorite tap switch is the MikroTik CSS106-5G-1S due to its flexibility. For example it has port isolation so you can partition into two "independent" groups. I use 1-2 in one group and 3-4-5 in the second, and use port three as the "mirror/span" port with the capture device. Then you can mirror ingress on ports 1,2,4,5 to port 3 (I know, easy to overrun the mirror port and have packets dropped). The advantage of this it you can then put a router or other device (firewall, nat, vpn, tagging/untagging of vlans, etc.) and you can see what is going into the device under test as well as what comes out the other side. So you can see how packets are transformed, and look at latencies. Also, MikroTik has very extensive port counters, with counts of unicast, multicast and broadcast per port, as well as histograms of packet sizes sent/recieved for each port (64,65-127,128-255,256-511,512-1023,1024-1518,1519-max). The last one I bought on Amazon was in 2018 and the price was under $40, but now it is $49. It is also not as portable as the Netgear. If you are only mirroring a single port, the Netgear should be fine and is significantly cheaper.
So when the world went into work from home chaos I built one of these almost identical to this. Mine has a POE hat, usb enclosure for a evo, and rather than a switch I picked up a qualcomm 1gig tap. Its perfect for WFH calls where I would have to run in to packet capture something, just throw it inline on the problem PC in the data closet and leave it there. Head home and remote into it. Great little solution. Great content as always Chris! Looking forward to the suricata video.
Years ago we used a Debian pc to capture the traffic over a 10gbit link. To save a capture sometimes took 30 minutes... LOL... The good old memories. Recently I used RPi to create a remote monitoring system for my customers. Zabbix on cloud and RPi deployed at customer site. Very handy tools!!
Great work Chris! I want to try this soon. Will this also capture traffic between two devices communicating directly not going to WAN? Say my laptop is an HTTP server and my phone is connecting to it using laptop private IP and both the phone and laptop is connected to the eero wireless AP. I’m not sure if the frames will leave the Access point in this case (through the yellow cable) to be captured
Hey Hussein! In that case no - at that vantage point, we wouldn’t see the wireless traffic because the eero won’t forward those packets out the wired interface. It would only do that if it has a reason to send the traffic out.
Love your content Chris, I'm still new to networking but I love watching content like this to see what's out there and absorb what information my newbie brain can handle 😄 your TCP and UDP deep dives with David Bombal were very interesting and informative even to someone like myself. Keep up the great work 😊
Thank you so much for this video. I have got to try this one to solve my intermittent WiFi issue. I'll couple my pi4 with Dualcomm ETAP to do something similar to this.
Had to use a Profishark tap for my solution. Managed switches with a mac-adres that isn't registered on our company's network will make the main switch port go into shutdown mode. Was an oopsie moment when I tried to analyze a network problem on an industrial line and suddenly everything went down :p
Great content Chris, I appreciate you showing how accessible this solution is. You mentioned Suricata in one of the comments, what are your thoughts on Suricata vs Snort?
Another good solution is a barebone PC with two ethernet ports. you can bridge the ports in linux and just can plug in the PC between your LAN and the device you want to examine.
I've recently looked into SPAN and TAP solutions. Does this setup turn your Pi into a hardware TAP simply because it doesn't affect the system or more like an Adhoc SPAN setup? Thanks.
Adding hdmi_group=2 hdmi_mode=82 To the /boot/config.txt appears to have fixed it. As mentioned on a video titled Fix VNC raspberry pi slow (Can read more in the description)
I know you explained it and I watched multiple times but I dont understand how and why you connected the pi, the switch and the "pf sense" the way that you did.
Chris, this is a great video. Now that you have had the appliance running, how many times have you looked at the data, and how useful was it? With such a high percentage of data now being encrypted, is is still worth while to store the complete packet vs using the -s aka --snapshot-length to limit the capture to something less? Then you would still have src and dst addresses and protocols in use. While writing this, I wondered if there is a way to have only non-encrypted protocols stored with the full contents, but the encrypted protocols truncated. Or do you force clients to use forged certificates, so you can decode after the fact? And I doubt that would help with malicious hosts (iot, etc.) Have you thought of setting up the wifi on the RPi as an access point, so you could selectively monitor IoT devices you wonder about. (My Amazon Echo often triggers even when I don't use the "Echo" wake word, I have an Echo Gen 1 that if I say "backup" without the wake word, it will respond "nothing is currently playing". And it often lights up when I ask the google home a question. I'm close to disconnecting the Echo devices since Amazon's latest changes to prime music that "got lost in the shuffle". No more prime for me. Sorry for the tangent/rant about Amazon prime music.
Hey Chris, What is better - Dualcomm ETAP-2003 Tap or a switch with port mirroring? I have a Dualcomm ETAP-2003 (bought at work for my laptop) and wonder if I’ve made the wrong choice. Thanks
Yeah you can Graham. The ETAP-2003 blocks traffic on the monitor port going back to the network (the ETAP-2003R model allows it) so if you have the ETAP-2003 model then you will need to enable the capture on the PI first and then connect it to the network you wish to capture from.
Another good video from Chris Greer (: Addition to this great video, you can considerably increase the device's performance with pf_ring, which, I bet you already know about (:
I watched the Video again to see how you got 2 Network interface on a regular Raspberri Pi. Felt stupid after I realized I completely forgot the Wireless interface.😅
Hey Chris, you're a really good teacher, i love your content ! I don't use youtube as much these days, but it would be awesome to see you on the Odysee video platform! Ask David Bombal, he posts regularly on it! Hope to see you there, and thanks for your awesome content :-)
Excellent configuration and a cost-effective solution!!
Bruhhhhh, Im relearning my packet skills and I was trying to find you last night. Said screw it went to bed, "ill google it tomorrow". And who tf shows up on my home feed. Thank you for all the knowledge Chris.
That was made to look surprisingly easy as well as decent pricing.
I loved this one , can't wait for the suricate one you mentioned :D
Hi, Chris!
For when the follow-up? I'm dying here! 😀
I had been kicking around the idea of how to do this with a pi, but didn't know if it would be possible essentially because the issue that you resolved with the netgear switch. I'll have to pick one up and give this a try. Thanks for putting your time into content like this. It is greatly appreciated.
That little switch is worth it!
That Netgear switch looks nice and portable. My favorite tap switch is the MikroTik CSS106-5G-1S due to its flexibility. For example it has port isolation so you can partition into two "independent" groups. I use 1-2 in one group and 3-4-5 in the second, and use port three as the "mirror/span" port with the capture device. Then you can mirror ingress on ports 1,2,4,5 to port 3 (I know, easy to overrun the mirror port and have packets dropped). The advantage of this it you can then put a router or other device (firewall, nat, vpn, tagging/untagging of vlans, etc.) and you can see what is going into the device under test as well as what comes out the other side. So you can see how packets are transformed, and look at latencies. Also, MikroTik has very extensive port counters, with counts of unicast, multicast and broadcast per port, as well as histograms of packet sizes sent/recieved for each port (64,65-127,128-255,256-511,512-1023,1024-1518,1519-max). The last one I bought on Amazon was in 2018 and the price was under $40, but now it is $49. It is also not as portable as the Netgear. If you are only mirroring a single port, the Netgear should be fine and is significantly cheaper.
Looking forward for that monitoring video :) awesome work Chris!
So when the world went into work from home chaos I built one of these almost identical to this. Mine has a POE hat, usb enclosure for a evo, and rather than a switch I picked up a qualcomm 1gig tap. Its perfect for WFH calls where I would have to run in to packet capture something, just throw it inline on the problem PC in the data closet and leave it there. Head home and remote into it. Great little solution.
Great content as always Chris! Looking forward to the suricata video.
Fantastic Eric! It really is a sweet little box. I'm having a good time using it to monitor.
Wow cool. I know dumpcap since 30 sec. and i love it. I see some opertunities on my way. Many Thanks for your great Videos.
Years ago we used a Debian pc to capture the traffic over a 10gbit link. To save a capture sometimes took 30 minutes... LOL... The good old memories. Recently I used RPi to create a remote monitoring system for my customers. Zabbix on cloud and RPi deployed at customer site. Very handy tools!!
Great work Chris! I want to try this soon.
Will this also capture traffic between two devices communicating directly not going to WAN? Say my laptop is an HTTP server and my phone is connecting to it using laptop private IP and both the phone and laptop is connected to the eero wireless AP.
I’m not sure if the frames will leave the Access point in this case (through the yellow cable) to be captured
Hey Hussein! In that case no - at that vantage point, we wouldn’t see the wireless traffic because the eero won’t forward those packets out the wired interface. It would only do that if it has a reason to send the traffic out.
Love your content Chris, Would like to check if there is any content around EDNS pcap.
Hey Chris, thanks for the video ! I did not know about the dumpcap command, good finding.
Glad you liked the video
Very interesting and achievable, thank you
Love your content Chris, I'm still new to networking but I love watching content like this to see what's out there and absorb what information my newbie brain can handle 😄 your TCP and UDP deep dives with David Bombal were very interesting and informative even to someone like myself. Keep up the great work 😊
Great, I am not alone xD. I almost have no clue what he is talking about. Just got him in recommended.
Thank you Chris great Video!
Thank you so much for this video. I have got to try this one to solve my intermittent WiFi issue. I'll couple my pi4 with Dualcomm ETAP to do something similar to this.
Thank you Chris! Sharing with my network.
Thanks for sharing!
Had to use a Profishark tap for my solution.
Managed switches with a mac-adres that isn't registered on our company's network will make the main switch port go into shutdown mode.
Was an oopsie moment when I tried to analyze a network problem on an industrial line and suddenly everything went down :p
Incredible 🔥
Great content Chris, I appreciate you showing how accessible this solution is. You mentioned Suricata in one of the comments, what are your thoughts on Suricata vs Snort?
thanks dude
Another good solution is a barebone PC with two ethernet ports. you can bridge the ports in linux and just can plug in the PC between your LAN and the device you want to examine.
i do my probe capture with Raspberry it's top :-) thank you for idea
How did you configure the switch to monitor on port 5??
I can add tools metrology as ntopng community version for graphics
I've recently looked into SPAN and TAP solutions. Does this setup turn your Pi into a hardware TAP simply because it doesn't affect the system or more like an Adhoc SPAN setup? Thanks.
Hey, no it doesn’t. The switch performs the span function and passes the traffic to the pi
Love it 👍
What settings did you make for the rpi Ethernet port so that it's not sending data from it's self out the mirror port?
Good stuff!
Thanks!
How do you get your VNC to be so quick and smooth. Its as slow as slow came be for me. I'm say right next to the Pi.
Adding
hdmi_group=2
hdmi_mode=82
To the /boot/config.txt appears to have fixed it. As mentioned on a video titled Fix VNC raspberry pi slow (Can read more in the description)
I know you explained it and I watched multiple times but I dont understand how and why you connected the pi, the switch and the "pf sense" the way that you did.
Is it possible to use VLAN as a mirroring target? So that you could use the Pi as a server and have a VLAN interface on it for packet captures?
Chris, this is a great video. Now that you have had the appliance running, how many times have you looked at the data, and how useful was it? With such a high percentage of data now being encrypted, is is still worth while to store the complete packet vs using the -s aka --snapshot-length to limit the capture to something less? Then you would still have src and dst addresses and protocols in use. While writing this, I wondered if there is a way to have only non-encrypted protocols stored with the full contents, but the encrypted protocols truncated. Or do you force clients to use forged certificates, so you can decode after the fact? And I doubt that would help with malicious hosts (iot, etc.) Have you thought of setting up the wifi on the RPi as an access point, so you could selectively monitor IoT devices you wonder about. (My Amazon Echo often triggers even when I don't use the "Echo" wake word, I have an Echo Gen 1 that if I say "backup" without the wake word, it will respond "nothing is currently playing". And it often lights up when I ask the google home a question. I'm close to disconnecting the Echo devices since Amazon's latest changes to prime music that "got lost in the shuffle". No more prime for me. Sorry for the tangent/rant about Amazon prime music.
Perhaps show how to move that job into background etc. &
Hey Chris,
What is better - Dualcomm ETAP-2003 Tap or a switch with port mirroring? I have a Dualcomm ETAP-2003 (bought at work for my laptop) and wonder if I’ve made the wrong choice. Thanks
Yeah you can Graham. The ETAP-2003 blocks traffic on the monitor port going back to the network (the ETAP-2003R model allows it) so if you have the ETAP-2003 model then you will need to enable the capture on the PI first and then connect it to the network you wish to capture from.
Another good video from Chris Greer (:
Addition to this great video, you can considerably increase the device's performance with pf_ring, which, I bet you already know about (:
Ooh nice, great tip yasin! Thank you.
I watched the Video again to see how you got 2 Network interface on a regular Raspberri Pi. Felt stupid after I realized I completely forgot the Wireless interface.😅
It’s ok! I felt stupid the entire time I was setting the whole thing up.
Hey Chris, you're a really good teacher, i love your content !
I don't use youtube as much these days, but it would be awesome to see you on the Odysee video platform!
Ask David Bombal, he posts regularly on it!
Hope to see you there, and thanks for your awesome content :-)
This may also be an option if you don’t take the SSD route… th-cam.com/video/LKDC-Wjukk0/w-d-xo.html
this video teached me nothing. it basically ended when the content began.
Nice one man 🔥🔥
Thanks! It's been fun to tinker with it. Now to get Suricata working...