Packet Sniffing using the Raspberry Pi

In this post I intend to detail how I set up the Raspberry Pi to perform packet sniffing between two network devices. I made a YouTube video in which I explain how it works, and below you will find both the shell script and the Python script I used to set up the bridge and dump the packets respectively.

The network was setup like this:

[Diagram: network layout, from right to left: computer, Raspberry Pi, laptop]

The Raspberry Pi is placed in the middle, so any data travelling between the two devices passes through it and is captured. A second USB-to-Ethernet adapter provides the second interface. The adapter I used is a USB to Fast Ethernet 10/100 Mbps Network LAN Adapter Vista Linux 27723.

When the Raspberry Pi starts it loads two scripts. The first is this shell script:

#!/bin/sh
# Clear the IP addresses from both physical interfaces; they stay up so they can forward frames
ifconfig eth0 0.0.0.0 up
ifconfig eth1 0.0.0.0 up
# Create the bridge and add both interfaces to it
brctl addbr bridge0
brctl addif bridge0 eth0
brctl addif bridge0 eth1
# Bring the bridge up, then request an address for it over DHCP so the Pi itself has connectivity
ifconfig bridge0 up
dhclient bridge0

This script removes the IP addresses from eth0 and eth1, creates a bridge called bridge0, adds both interfaces to bridge0 and brings the bridge up.

##Edit## The shell script now also obtains a network address for the bridge interface (dhclient bridge0) so that the Pi keeps its network connectivity.

The second script, which starts after the one above, is this Python script. It uses the Python Dropbox Uploader package, which can be downloaded here.

from __future__ import print_function  # Keeps the print calls valid on Python 2 and 3
import subprocess
from dbupload import upload_file  # Used for Dropbox uploading (Python Dropbox Uploader package)
from datetime import datetime  # Used to generate the filename

count = 0  # Counts the number of files that have been dumped
while True:
    count = count + 1
    now = datetime.now()  # Take a single timestamp so every field in the name agrees
    fileName = str(now.day) + "-" + str(now.month) + "-" + str(now.year) + " AT " + str(now.hour) + "-" + str(now.minute)
    # tcpdump listens on the bridge, drops privileges with -Z, and writes one file (-W 1)
    # covering 60 seconds (-G 60) before it exits
    tcpDumpProcess = subprocess.Popen(["tcpdump", "-Z", "root", "-w", fileName, "-i", "bridge0", "-G", "60", "-W", "1"])
    tcpDumpProcess.communicate()  # Waits for the tcpdump run to finish
    print("Currently dumping file number " + str(count) + ".")
    # Uploads the dump file to Dropbox; replace the placeholder credentials with your own
    upload_file(fileName, "/", fileName, "YOUR_EMAIL", "YOUR_PASSWORD")
    print("File uploaded successfully")

This can obviously be done without Python by running the tcpdump command from the command line. My intention was to integrate Dropbox uploading into the process, but this initially failed because the Raspberry Pi could not get an internet connection when configured with a software bridge.
An internet connection can be configured on the Raspberry Pi simply by adding network settings to the bridge interface. In my case I used DHCP to do this automatically by adding dhclient bridge0 to the shell script.
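The capture loop above relies on tcpdump having actually written a file before it hands the name to the uploader, and a failed upload kills the loop. The following is an added example, not code from the original post, that restructures the same cycle into testable functions: a filename builder using one timestamp, the tcpdump argument list (with an optional BPF filter and a non-root -Z user, an assumption that the output directory is writable by that user), a pcap magic-number check before upload, and an upload step that keeps the file locally if the network is down. The `upload` callable is a hypothetical stand-in for dbupload's upload_file.

```python
import os
import subprocess
from datetime import datetime

# Magic numbers at the start of a libpcap file (either byte order) or a pcapng file
PCAP_MAGICS = {b"\xa1\xb2\xc3\xd4", b"\xd4\xc3\xb2\xa1", b"\x0a\x0d\x0d\x0a"}


def capture_filename(now, suffix=".pcap"):
    """Same day-month-year AT hour-minute name as the post, built from one timestamp."""
    return "%d-%d-%d AT %d-%d%s" % (now.day, now.month, now.year, now.hour, now.minute, suffix)


def tcpdump_argv(filename, interface="bridge0", seconds=60, bpf=None, drop_to="nobody"):
    """Assemble the tcpdump command: drop privileges with -Z, write one file and exit after `seconds`."""
    argv = ["tcpdump", "-Z", drop_to, "-i", interface, "-w", filename,
            "-G", str(seconds), "-W", "1"]
    if bpf:  # optional capture filter, e.g. "dst host 192.0.2.10" to keep only inbound traffic
        argv.append(bpf)
    return argv


def is_valid_pcap(path):
    """True if the file exists and starts with a pcap/pcapng magic number (i.e. tcpdump wrote it)."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) in PCAP_MAGICS
    except (IOError, OSError):
        return False


def capture_cycle(run, upload, interface="bridge0", seconds=60, now=None, outdir="."):
    """One loop iteration: run tcpdump, verify the dump, upload it. Returns (path, uploaded)."""
    path = os.path.join(outdir, capture_filename(now or datetime.now()))
    run(tcpdump_argv(path, interface, seconds))
    if not is_valid_pcap(path):
        return path, False  # tcpdump failed or wrote nothing usable; keep looping
    try:
        upload(path)
        return path, True
    except Exception:  # e.g. no network: keep the file locally instead of crashing the loop
        return path, False


if __name__ == "__main__":
    # Endless capture/upload loop as in the post; `upload` would be dbupload.upload_file in practice
    while True:
        print(capture_cycle(subprocess.check_call, lambda path: None))
```

Because the loop now checks the pcap header first, a capture that produced nothing (interface down, tcpdump killed) is simply skipped rather than uploaded as an empty or malformed file.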

With both these files saved onto the Raspberry Pi and executed from the rc.local file at startup, the Raspberry Pi will automatically capture the network traffic between the two devices.

13 thoughts on “Packet Sniffing using the Raspberry Pi”

  1. Phillip King-Wilson

    James,

    I am in the business area and not computer science and was interested in your packet sniffing with the Raspberry Pi since I am looking to go to the US next year to do cyber threat research. I have a research outline if you need it, but essentially, do you think it is possible to use the Raspberry as a passive network tap and dump the inbound traffic to a hard drive or SD card without dropping too many packets?

  2. James Woolley

    Hello,

    I’m pretty sure it is possible, yes. In my video this is what I did. The TCPDUMP command dumps the data as it passes through. It could even be set to dump to an external drive, which will give you more storage space.

    The only problem with my method, although it is passive, is that it only captures the data between the two devices. The best bet is to find a network cable on the network which carries traffic from multiple devices, like links between switches and routers. I’m not sure how the Raspberry Pi will handle high bandwidth data. It may drop some packets, it may not :) I’m quite certain there are rules in TCPDump to only capture traffic from a certain address if you’re only interested in capturing inbound traffic.

  3. Phillip King-Wilson

    Thanks James. I think I will crack on and try this and get back to you with the results…. I think the whole usage possibilities of Pi are great and now it is done, there will surely be other companies making similar low-cost products for us to play with!!

    Best wishes and thanks.

    phillip.

  4. fleck

    Can you tell me if that usb to ethernet adapter is the Kontron DM9601. It looks identical to mine which is giving me some trouble and now I read it might not work but if yours does I’ll persevere.

  5. James Woolley

    The Kontron DM9601 looks pretty much identical to my one. My guess is they are the same, just branded differently. Mine however worked no problem. Simply plug it in and it worked. Try running the lsusb command and see if the Raspi is seeing it properly.

  6. fleck

    Thanks, lsusb sees it ok but I can’t get the interface up. This install is behaving weirdly anyway so I’m flashing the card and we’ll see. Thanks

  7. Rob Werk

    James, thank you for creating this video and sharing your scripts. I’m currently looking into creating a BT sniffer using a BT dongle (or 2). I would like to see packets sent from my phone to my car radio and vice versa. Have you attempted something similar? Or know if it’s possible to do with the Raspberry Pi?

  8. James Woolley

    I’ve never done any work with Bluetooth before, but if the USB dongle works on the RasPi I can’t think of any other reason why it wouldn’t work. I have heard nothing but good things about the Ubertooth device. It might be something worth looking into.

  9. Kets

    How can I set this up to sniff, say, my Vonage adapter SIP invites? I have a Cisco 8-port gigabit switch SG100D-08 which has my Vonage ATA device on it as well as other PCs. I want to sniff the SIP INVITEs and extract the caller ID.
