BUILD a Packet Capture Appliance for $200! Raspberry Pi

  • Published 30 Sep 2024

COMMENTS • 60

  • @cherriagana
    @cherriagana 1 year ago +1

    Had to use a Profishark tap for my solution.
    Managed switches with a MAC address that isn't registered on our company's network will make the main switch port go into shutdown mode.
    Was an oopsie moment when I tried to analyze a network problem on an industrial line and suddenly everything went down :p

  • @monstroPT
    @monstroPT 1 year ago +1

    Hi, Chris!
    For when the follow-up? I'm dying here! 😀

  • @hnasr
    @hnasr 2 years ago

    Great work Chris! I want to try this soon.
    Will this also capture traffic between two devices communicating directly, not going to the WAN? Say my laptop is an HTTP server and my phone is connecting to it using the laptop's private IP, and both the phone and the laptop are connected to the eero wireless AP.
    I'm not sure if the frames will leave the access point in this case (through the yellow cable) to be captured.

    • @ChrisGreer
      @ChrisGreer  2 years ago +1

      Hey Hussein! In that case no - at that vantage point, we wouldn’t see the wireless traffic because the eero won’t forward those packets out the wired interface. It would only do that if it has a reason to send the traffic out.

  • @Liqweed1337
    @Liqweed1337 23 days ago

    This video taught me nothing. It basically ended when the content began.

  • @robertbatista50
    @robertbatista50 1 year ago

    This may also be an option if you don’t take the SSD route… ua-cam.com/video/LKDC-Wjukk0/v-deo.html

  • @tlturner3
    @tlturner3 8 months ago

    What settings did you make for the RPi Ethernet port so that it's not sending data from itself out the mirror port?
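
The question above, about keeping the Pi from putting its own frames onto the mirror port, is the setup step most people skip. The following is an added example, not code from the video: it makes the Pi's wired port a "silent" capture interface that accepts mirrored frames but never originates traffic (no ARP, no IPv6 autoconfiguration, no DHCP), which also keeps an unexpected MAC from tripping port security like the shutdown the first commenter ran into. It assumes a Linux Pi with iproute2, sysctl and ethtool installed, that `eth0` faces the SPAN port and that management stays on `wlan0`; the `DRY_RUN` switch and the `verify_silent` check are my additions.

```shell
#!/bin/sh
# Added example (not from the video): make the Pi's wired port a receive-only capture interface.
# Assumptions: Linux with iproute2, sysctl and ethtool; eth0 is the mirror-facing port and the
# Pi is managed over wlan0. Set DRY_RUN=1 to print the commands instead of running them.

run() { if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi; }

quiet_capture_iface() {
    iface="$1"
    # Stop NetworkManager (Raspberry Pi OS Bookworm) from re-adding a DHCP address behind our back.
    # On dhcpcd-based images add "denyinterfaces eth0" to /etc/dhcpcd.conf instead.
    if command -v nmcli >/dev/null 2>&1; then
        run nmcli device set "$iface" managed no
    fi
    # No IPv4 address: nothing to ARP for and nothing to answer.
    run ip addr flush dev "$iface"
    # IPv6 would otherwise autoconfigure a link-local address and emit router solicitations / MLD.
    run sysctl -q -w "net.ipv6.conf.$iface.disable_ipv6=1"
    # Even if an address is ever added later, never answer ARP on this port (8 = ignore all).
    run sysctl -q -w "net.ipv4.conf.$iface.arp_ignore=8"
    # GRO/LRO can merge segments before libpcap sees them; turn them off so frames are captured as sent.
    run ethtool -K "$iface" gro off lro off
    # Up, in promiscuous mode, so frames addressed to other MACs (the mirrored traffic) are kept.
    run ip link set dev "$iface" up promisc on
}

# Frames the interface has transmitted so far (0 if the interface or the counter does not exist).
tx_count() {
    f="/sys/class/net/$1/statistics/tx_packets"
    if [ -r "$f" ]; then cat "$f"; else echo 0; fi
}

# The check: return 0 if the interface transmitted nothing over $2 seconds, 1 otherwise.
verify_silent() {
    before=$(tx_count "$1"); sleep "$2"; after=$(tx_count "$1")
    [ "$before" -eq "$after" ]
}

# Usage (as root):  quiet_capture_iface eth0 && verify_silent eth0 30 && echo "eth0 is silent"
```

Run it with `DRY_RUN=1` first to review the commands; then watch `tx_packets` for a while after applying it, because a single stray frame (a DHCP DISCOVER, an MLD report) is exactly what a port-security policy reacts to.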

  • @conm9891
    @conm9891 1 month ago

    Bruhhhhh, I'm relearning my packet skills and I was trying to find you last night. Said screw it, went to bed, "I'll google it tomorrow". And who tf shows up on my home feed. Thank you for all the knowledge Chris.

  • @yohanmeier6061
    @yohanmeier6061 2 years ago +1

    I can add metrology tools such as the ntopng community version for graphics.

  • @barryfawthrop9962
    @barryfawthrop9962 2 months ago

    How did you configure the switch to monitor on port 5??

  • @TheStevenWhiting
    @TheStevenWhiting 1 year ago

    How do you get your VNC to be so quick and smooth? It's as slow as slow can be for me. I'm sat right next to the Pi.

    • @TheStevenWhiting
      @TheStevenWhiting 1 year ago

      Adding
      hdmi_group=2
      hdmi_mode=82
      To the /boot/config.txt appears to have fixed it. As mentioned on a video titled Fix VNC raspberry pi slow (Can read more in the description)

  • @ohasis8331
    @ohasis8331 2 years ago +1

    That was made to look surprisingly easy as well as decent pricing.

  • @bohuueeaa
    @bohuueeaa 2 years ago +1

    Another good video from Chris Greer (:
    In addition to this great video, you can considerably increase the device's performance with pf_ring, which, I bet, you already know about (:

    • @ChrisGreer
      @ChrisGreer  2 years ago

      Ooh nice, great tip yasin! Thank you.

  • @chrisoakleyfx
    @chrisoakleyfx 2 years ago +1

    Love your content Chris, I'm still new to networking but I love watching content like this to see what's out there and absorb what information my newbie brain can handle 😄 your TCP and UDP deep dives with David Bombal were very interesting and informative even to someone like myself. Keep up the great work 😊

    • @utsavkataria96
      @utsavkataria96 2 years ago

      Great, I am not alone xD. I almost have no clue what he is talking about. Just got him in recommended.

  • @ChitChat
    @ChitChat 2 years ago

    I've recently looked into SPAN and TAP solutions. Does this setup turn your Pi into a hardware TAP simply because it doesn't affect the system or more like an Adhoc SPAN setup? Thanks.

    • @ChrisGreer
      @ChrisGreer  2 years ago

      Hey, no it doesn't. The switch performs the SPAN function and passes the traffic to the Pi.

  • @zer001
    @zer001 1 year ago

    Wow cool. I've known dumpcap for 30 sec. and I love it. I see some opportunities on my way. Many thanks for your great videos.

  • @Closer80IT
    @Closer80IT 2 years ago

    Years ago we used a Debian pc to capture the traffic over a 10gbit link. To save a capture sometimes took 30 minutes... LOL... The good old memories. Recently I used RPi to create a remote monitoring system for my customers. Zabbix on cloud and RPi deployed at customer site. Very handy tools!!

  • @pauljeyasingh
    @pauljeyasingh 2 years ago

    Love your content Chris, Would like to check if there is any content around EDNS pcap.

  • @lamjeri
    @lamjeri 2 years ago

    Is it possible to use VLAN as a mirroring target? So that you could use the Pi as a server and have a VLAN interface on it for packet captures?

  • @jonpinkley2844
    @jonpinkley2844 1 year ago

    Chris, this is a great video. Now that you have had the appliance running, how many times have you looked at the data, and how useful was it? With such a high percentage of data now being encrypted, is it still worthwhile to store the complete packet vs using the -s aka --snapshot-length to limit the capture to something less? Then you would still have src and dst addresses and protocols in use. While writing this, I wondered if there is a way to have only non-encrypted protocols stored with the full contents, but the encrypted protocols truncated. Or do you force clients to use forged certificates, so you can decode after the fact? And I doubt that would help with malicious hosts (IoT, etc.). Have you thought of setting up the wifi on the RPi as an access point, so you could selectively monitor IoT devices you wonder about? (My Amazon Echo often triggers even when I don't use the "Echo" wake word. I have an Echo Gen 1 that if I say "backup" without the wake word, it will respond "nothing is currently playing". And it often lights up when I ask the Google Home a question. I'm close to disconnecting the Echo devices since Amazon's latest changes to Prime Music that "got lost in the shuffle". No more Prime for me. Sorry for the tangent/rant about Amazon Prime Music.)

  • @Cornelius-David
    @Cornelius-David 2 years ago

    Hey Chris, you're a really good teacher, i love your content !
    I don't use youtube as much these days, but it would be awesome to see you on the Odysee video platform!
    Ask David Bombal, he posts regularly on it!
    Hope to see you there, and thanks for your awesome content :-)

  • @vyasG
    @vyasG 2 years ago

    Thank you so much for this video. I have got to try this one to solve my intermittent WiFi issue. I'll couple my pi4 with Dualcomm ETAP to do something similar to this.

  • @DM-qm5sc
    @DM-qm5sc 2 years ago

    I know you explained it and I watched multiple times, but I don't understand how and why you connected the Pi, the switch and the "pfSense" the way that you did.

  • @pietstreet8311
    @pietstreet8311 2 years ago

    Another good solution is a barebone PC with two Ethernet ports. You can bridge the ports in Linux and just plug the PC in between your LAN and the device you want to examine.
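
The bridged two-port box described above is worth spelling out, because a bridge that is merely "up" is not yet a transparent tap: it will run spanning tree, pick up an IPv6 link-local address and silently drop 802.1X frames between the tapped host and the switch. The following is an added example, not code from the video or the comment: it builds the bridge so the box forwards frames but has no presence of its own on the segment. Interface names `br0`/`eth0`/`eth1`, the `DRY_RUN` switch and the capture paths are assumptions; it assumes Linux with iproute2, sysctl, ethtool and dumpcap. Unlike a passive hardware tap, this box breaks the link if it loses power.

```shell
#!/bin/sh
# Added example (not from the video): a two-NIC Linux box (a Pi plus a USB Ethernet adapter,
# or the barebone PC from the comment) as an address-less inline tap.
# Assumptions: Linux with iproute2/sysctl/ethtool; br0, eth0, eth1 are placeholder names.
# Set DRY_RUN=1 to print the commands instead of running them.

run() { if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi; }

make_inline_tap() {
    br="$1"; left="$2"; right="$3"
    run ip link add name "$br" type bridge
    # No STP: a tap must neither send BPDUs nor ever block one of its own two ports.
    run ip link set dev "$br" type bridge stp_state 0
    # Linux bridges do not forward 802.1X (EAPOL) or LLDP link-local frames by default, which
    # would lock a port-authenticated host out. Mask bits: 0x8 = EAPOL, 0x4000 = LLDP.
    run ip link set dev "$br" type bridge group_fwd_mask 0x4008
    for p in "$left" "$right"; do
        run ip addr flush dev "$p"
        run sysctl -q -w "net.ipv6.conf.$p.disable_ipv6=1"
        # Keep offloads from merging segments before they are captured.
        run ethtool -K "$p" gro off lro off
        run ip link set dev "$p" master "$br"
        run ip link set dev "$p" up promisc on
    done
    # The bridge device itself gets no address either, so nothing on the wire can reach the box.
    run sysctl -q -w "net.ipv6.conf.$br.disable_ipv6=1"
    run ip link set dev "$br" up
}

# Capture command for the tap: a member port (eth0) shows what arrives on that side of the wire;
# the bridge device (br0) shows both directions in one file.
tap_capture_cmd() {
    printf 'dumpcap -i %s -s 0 -b filesize:102400 -b files:20 -w /captures/%s.pcapng' "$1" "$1"
}

# Usage (as root):  make_inline_tap br0 eth0 eth1 && sh -c "$(tap_capture_cmd br0)"
```

The `group_fwd_mask` line is the one people forget: if the device under test authenticates with 802.1X, the tap will look like a broken cable until EAPOL is forwarded.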

  • @bergerMeister949
    @bergerMeister949 2 years ago

    Great content Chris, I appreciate you showing how accessible this solution is. You mentioned Suricata in one of the comments, what are your thoughts on Suricata vs Snort?

  • @yohanmeier6061
    @yohanmeier6061 1 year ago

    I do my probe capture with a Raspberry, it's top :-) thank you for the idea

  • @pedrojaviermunozgarcia3721
    @pedrojaviermunozgarcia3721 6 months ago

    Excellent configuration and a cost-effective solution!!

  • @anthonynowlan9765
    @anthonynowlan9765 2 years ago

    Perhaps show how to move that job into the background etc. &
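
Two earlier questions fit together here: the one above about running the capture in the background, and jonpinkley's about whether full frames are still worth storing when most payload is encrypted, and whether cleartext protocols could be kept whole while the rest is truncated. dumpcap has no per-protocol snaplen, but two dumpcap processes with complementary BPF filters get the same result. The following is an added example, not code from the video: it builds the dumpcap command lines, starts them detached with `nohup`, and records PIDs so they can be stopped later. It assumes dumpcap (from the Wireshark/tshark package) on the PATH and a capture port `eth0`; the directory, ring-buffer sizes and the list of "cleartext" ports are assumptions to tune for your own network.

```shell
#!/bin/sh
# Added example (not from the video): unattended dumpcap ring-buffer capture with two profiles,
# full frames for usually-cleartext protocols and header-only frames for everything else.
# Assumptions: dumpcap on the PATH (run as root or with the setcap from
# "dpkg-reconfigure wireshark-common"); CAP_DIR, sizes and CLEARTEXT are placeholders.

CAP_DIR="${CAP_DIR:-/captures}"
RING_FILE_KB="${RING_FILE_KB:-102400}"   # rotate files every 100 MB
RING_FILES="${RING_FILES:-50}"           # keep the newest 50 files (about 5 GB), then overwrite
CLEARTEXT='port 53 or port 67 or port 68 or port 80 or port 123'   # DNS, DHCP, HTTP, NTP

# Print one dumpcap command line.
# $1 profile name, $2 interface, $3 snaplen in bytes (0 = whole frame), $4 BPF capture filter.
capture_cmd() {
    printf "dumpcap -q -i %s -s %s -f '%s' -b filesize:%s -b files:%s -w %s/%s.pcapng" \
        "$2" "$3" "$4" "$RING_FILE_KB" "$RING_FILES" "$CAP_DIR" "$1"
}

# Start one profile in the background, detached from the terminal, and record its PID.
start_capture() {
    name="$1"; iface="$2"; snaplen="$3"; filter="$4"
    mkdir -p "$CAP_DIR"
    nohup sh -c "exec $(capture_cmd "$name" "$iface" "$snaplen" "$filter")" \
        >"$CAP_DIR/$name.log" 2>&1 &
    echo $! >"$CAP_DIR/$name.pid"
}

# Both profiles on the same port. 96 bytes covers Ethernet + IPv4 + TCP with options, which is
# enough for addresses, ports, flags and timing; a TLS ClientHello's SNI usually sits a few
# hundred bytes in, so raise the snaplen for the "rest" profile if you want SNI too.
start_all() {
    start_capture clear "$1" 0  "$CLEARTEXT"
    start_capture rest  "$1" 96 "not ($CLEARTEXT)"
}

stop_all() {
    for n in clear rest; do
        if [ -r "$CAP_DIR/$n.pid" ]; then
            kill "$(cat "$CAP_DIR/$n.pid")" 2>/dev/null
            rm -f "$CAP_DIR/$n.pid"
        fi
    done
}

# Usage (as root):  start_all eth0      # later:  stop_all
```

Because `-b files:N` is a true ring buffer, the oldest file is overwritten rather than the disk filling up, which is what lets the box sit unattended for weeks; for a reboot-proof setup put `start_all eth0` in a systemd service rather than relying on `nohup`.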

  • @miguelk8768
    @miguelk8768 2 years ago

    Looking forward to that monitoring video :) awesome work Chris!

  • @rubenmahecha1438
    @rubenmahecha1438 1 year ago

    I loved this one, can't wait for the Suricata one you mentioned :D

  • @arubajamaica8563
    @arubajamaica8563 2 years ago

    Very interesting and achievable, thank you

  • @shruthesh
    @shruthesh 1 year ago

    I watched the video again to see how you got 2 network interfaces on a regular Raspberry Pi. Felt stupid after I realized I completely forgot the wireless interface.😅

    • @ChrisGreer
      @ChrisGreer  1 year ago +1

      It’s ok! I felt stupid the entire time I was setting the whole thing up.

  • @grahamjkeddie
    @grahamjkeddie 2 years ago

    Hey Chris,
    What is better - Dualcomm ETAP-2003 Tap or a switch with port mirroring? I have a Dualcomm ETAP-2003 (bought at work for my laptop) and wonder if I’ve made the wrong choice. Thanks

    • @bluejuice2503
      @bluejuice2503 2 years ago +1

      Yeah you can, Graham. The ETAP-2003 blocks traffic on the monitor port going back to the network (the ETAP-2003R model allows it), so if you have the ETAP-2003 model then you will need to enable the capture on the Pi first and then connect it to the network you wish to capture from.

  • @CyberABE
    @CyberABE 2 years ago

    Thank you Chris, great video!

  • @EricBrokeIt
    @EricBrokeIt 2 years ago

    So when the world went into work from home chaos I built one of these, almost identical to this. Mine has a PoE HAT, a USB enclosure for an EVO, and rather than a switch I picked up a Qualcomm 1gig tap. It's perfect for WFH calls where I would have to run in to packet capture something: just throw it inline on the problem PC in the data closet and leave it there. Head home and remote into it. Great little solution.
    Great content as always Chris! Looking forward to the suricata video.

    • @ChrisGreer
      @ChrisGreer  2 years ago +1

      Fantastic Eric! It really is a sweet little box. I'm having a good time using it to monitor.

  • @tranxn7971
    @tranxn7971 2 years ago

    Hey Chris, thanks for the video! I did not know about the dumpcap command, good find.

  • @MSUjgasmussen
    @MSUjgasmussen 2 years ago

    Thank you Chris! Sharing with my network.

  • @abhishekpatil5768
    @abhishekpatil5768 2 years ago

    Incredible 🔥

  • @johndicarlo225
    @johndicarlo225 1 year ago

    thanks dude

  • @4b5urd.
    @4b5urd. 2 years ago

    I had been kicking around the idea of how to do this with a Pi, but didn't know if it would be possible, essentially because of the issue that you resolved with the Netgear switch. I'll have to pick one up and give this a try. Thanks for putting your time into content like this. It is greatly appreciated.

    • @ChrisGreer
      @ChrisGreer  2 years ago

      That little switch is worth it!

    • @jonpinkley2844
      @jonpinkley2844 1 year ago +2

      That Netgear switch looks nice and portable. My favorite tap switch is the MikroTik CSS106-5G-1S due to its flexibility. For example it has port isolation so you can partition into two "independent" groups. I use 1-2 in one group and 3-4-5 in the second, and use port three as the "mirror/span" port with the capture device. Then you can mirror ingress on ports 1,2,4,5 to port 3 (I know, easy to overrun the mirror port and have packets dropped). The advantage of this is that you can then put a router or other device (firewall, NAT, VPN, tagging/untagging of VLANs, etc.) in between and you can see what is going into the device under test as well as what comes out the other side. So you can see how packets are transformed, and look at latencies. Also, MikroTik has very extensive port counters, with counts of unicast, multicast and broadcast per port, as well as histograms of packet sizes sent/received for each port (64, 65-127, 128-255, 256-511, 512-1023, 1024-1518, 1519-max). The last one I bought on Amazon was in 2018 and the price was under $40, but now it is $49. It is also not as portable as the Netgear. If you are only mirroring a single port, the Netgear should be fine and is significantly cheaper.

  • @DarianCabot
    @DarianCabot 1 year ago

    Love it 👍

  • @KSax-ed9vy
    @KSax-ed9vy 2 years ago

    Good stuff!

  • @faran_siddiqui-d3t
    @faran_siddiqui-d3t 2 years ago

    Nice one man 🔥🔥

    • @ChrisGreer
      @ChrisGreer  2 years ago +1

      Thanks! It's been fun to tinker with it. Now to get Suricata working...