Raspberry Pi Packet Capture
Hands up, who has a Raspberry PI?
Betting that’s quite a few hands. It’s a fantastic bit of hardware and software.
Hands up, who wants to burn an SD Card to get full Packet Capture and an awesome Layer 2 - 4 plus GeoIP network monitoring tool and an IDS?
Yes, we at FMADIO have built exactly that, and it’s FREE!
FMADIO-MINI Raspberry Pi Packet Capture
Introducing FMADIO MINI Raspberry Pi Packet capture.
It’s a free tool for full packet capture that runs on Raspberry PI 4 and a few Pi Derivatives. It can do:
500Mbps to 800Mbps worth of capture to a V30 SDCard (less so for V10 SD Cards)
Runs FMADIO Realtime Network Analyzer “PCAP2JSON”
Runs Suricata 6.0 IDS
Can even push PCAPs to Amazon S3 if you really want
Installation Instructions for Raspberry PI Packet Capture
1) Download the SD Card from our website.
https://firmware.fmad.io/fmadiopi.html
2) Burn the image on to 64GB SD Card.
It requires at least 64GB (where else do you store PCAPs?). We recommend using a V30 SD Card as a minimum.
3) Boot the system.
It will reboot a few times as it automatically resizes the partitions and runs thru various setup options.
4) Using DHCP on the management interface, it should have acquired an IP Address.
5) Capture interface uses the USB Ethernet port. We recommend using the USB3 (Blue Connector) for maximum performance.
6) Login over SSH
username: fmadiopassword: fmad-secret7) Change the Password
fmadio@fmadio-mini-80342838c119:~$ sudo passwd fmadio New password: Retype new password: passwd: password updated successfully fmadio@fmadio-mini-80342838c119:~$
8) Change hostname
fmadio@fmadio-mini-80342838c119:~$ sudo hostnamectl set-hostname fmadio-mini-coffee fmadio@fmadio-mini-80342838c119:~$
9) Checkout the PCAP Files
/mnt/store0/capture/cap0/System generates a new directory each day
Actual PCAP Files
And within each day, it splits by 1 Minute.
Pi Packet Capture
It’s as simple as that. Plug it in, turn it on, and 24/7 full packet capture!
Probably the harder part is how to feed data to the system. Use either a mirror port, SPAN port, or your own bridged network SPAN.
In the next post, we will show to connect this to the (FREE) FMADIO AWS Network Monitoring Center, to get full Layer 2, 3, 4 network monitoring system running in the cloud (shown below).
R4S Pi Derivative
A Quick Note on the R4S (Pi Derivative)
We use this SKU a lot as it’s fully self-contained (2 x 1G capture ports). Just add an SD Card, easily sourced from Amazon and friends.
About the Port mapping
WAN (White cable) - Management port
LAN (Blue cable) - Capture port
Other than that, this thing gets a bit toasty. Yet even in hot summer weather, it’s not overheated yet. The entire metal case is a huge aluminum heatsink.
Using FMADIO MINI Raspberry Pi Packet Capture
Packet Capture does not have to be expensive. FMADIO 100G 40G 10G 25G Packet Capture Sniffers are very cost-effective. Adding in a Raspberry Pi Packet Capture Appliance for those sub 1Gbps circuits adds another tool in your toolbelt for network troubleshooting and monitoring.
