How often have you looked for a secondary device to keep connected to a network for packet analysis and troubleshooting? Sounds familiar? Yes, we all have the same problem! Let's use a Raspberry Pi 4 and an external disk drive to make a DIY plug-and-play Network Tap.
How it works
Plug the network cable and the power cord into the Network Tap to power it on. The device boots and automatically starts capturing packets in promiscuous mode. When you finish with the capture, push the power button to initiate the safe shutdown procedure; when the activity LED turns off and the power LED is steady red, you can remove the device. Unplug the external drive and plug it into your PC to view the captures.
The Real Time Clock (RTC) keeps the time even while the Network Tap is powered off, so that the captures are timestamped correctly. In this configuration we use the I2C0 bus on GPIO pins 0 and 1, as per the documentation.
Bill of Materials
- Raspberry PI 4 Model B
- Micro SD Card and Power Supply (as per documentation)
- Joy-it Aluminium Case
- Kingston SA400S37/240G
- Startech USB312SAT3CB – USB 3.1 to 2.5" SATA Hard Drive Adapter
- Tiny RTC I2C Module DS1307 Real Time Clock
- Tactile Push Button 12 x 12 mm
Schematic
Operating System – Versions
Raspberry PI Imager v.1.7.4
Raspberry PI OS Lite (64bit)
Release: 10/10/2023
Preparation
1) Using the official Raspberry PI Imager tool, prepare a new microSD card with Raspberry PI OS Lite (64bit).
2) Re-plug the SD card into your computer so that it appears as USB removable storage.
3) Edit /boot/config.txt in the boot partition of the SD card and append:
# enable uart (this is optional, just in case we need to access the device using the serial port)
enable_uart=1
# Deactivate unused radios (also optional, it reduces power consumption)
dtoverlay=disable-bt
dtoverlay=disable-wifi
# Activate the soft shutdown button overlay
dtoverlay=gpio-shutdown
# Enable i2c0 bus overlay
dtparam=i2c0=on
# Set the i2c0 bus as RTC using ds1307
dtoverlay=i2c-rtc,ds1307,i2c0
4) Save the file and safely remove your microSD card.
5) Place your microSD card back into the Raspberry PI and plug in the power cable. Establish a terminal connection to your Raspberry using either SSH or the serial console.
6) After establishing the connection and logging in, update your package lists and upgrade the distribution with the commands:
sudo apt update
sudo apt upgrade -y
External Disk preparation
This step is not mandatory; you can use an existing disk with any partition type, as long as you know how to mount it on your personal computer and get the data from the drive. I've chosen to format an existing drive as FAT32 so that it is compatible with both Windows and Linux devices. Just keep in mind that with FAT32 your partition cannot exceed 2TB, and the size of any single file cannot exceed 4GB.
I used the Startech USB312SAT3CB to connect a Kingston SA400S37/240G SATA disk to the Raspberry, but you can use any USB-to-SATA adapter as long as it works with the Raspberry. An excellent reference for choosing both the disk drive and the converter, or an external USB drive, is James A. Chambers' blog.
1) To format your drive, plug it into your Raspberry and find the device's name (here it is /dev/sda):
lsblk
2) Wipe the drive's current partition table and all data (WARNING: this removes all existing data from your disk drive):
sudo wipefs --all /dev/sda
3) Then, using parted, create a new MS-DOS disk label and a new primary partition:
sudo parted /dev/sda
At the parted console type:
mklabel msdos
mkpart primary fat32 0% 100%
quit
4) Create a new filesystem:
sudo mkfs.vfat -I /dev/sda1
5) Reboot your device so that the drive's new partition identifiers are picked up:
sudo reboot
Auto mount the disk on boot
1) Create the mount point, /mnt/external:
sudo mkdir /mnt/external
2) Find your external disk's partition UUID:
blkid
3) Edit /etc/fstab (`sudo nano /etc/fstab`) and add the proper configuration:
PARTUUID=[TYPE_YOUR_PARTITION'S_ID_HERE] /mnt/external vfat defaults,auto,users,rw,nofail,umask=000 0 0
4) Reload the mount points to mount the disk:
sudo mount -av
Configure Network Tap
1) Install tcpdump, the software that will be used to capture packets:
sudo apt install -y tcpdump
2) Create the file and set appropriate permissions for the script responsible for setting the interface in promiscuous mode:
sudo mkdir /etc/novamostra
sudo touch /etc/novamostra/ethCapture.sh
sudo chmod +x /etc/novamostra/ethCapture.sh
3) Edit the file using `sudo nano /etc/novamostra/ethCapture.sh` and append the following commands:
#!/bin/bash
# Refuse to capture if the external drive is not mounted; otherwise tcpdump would silently fill the SD card
mountpoint -q /mnt/external || exit 1
# Bring the interface up without an IP address so the tap stays silent on the network
ifconfig eth0 0.0.0.0 up
ifconfig eth0 promisc
# Capture everything on eth0, starting a new file every 1000 MB (tcpdump -C counts in units of 1,000,000 bytes)
tcpdump -i eth0 -C 1000 -w /mnt/external/$(date '+%Y%m%d%H%M%S').pcap
4) Create the service file that launches the script after network initialization:
sudo nano /etc/systemd/system/ethCapture.service
5) Append the following content:
[Unit]
Description=Ethernet Mode
Wants=network-online.target
After=network.target network-online.target
[Service]
Type=oneshot
ExecStart=/etc/novamostra/ethCapture.sh
TimeoutSec=0
[Install]
WantedBy=multi-user.target
6) Enable the service which will run the script:
sudo systemctl enable ethCapture.service
Network Tap Usage
The Network Tap is now ready. On the next boot, it will automatically set the interface in promiscuous mode and start capturing packets, which will be stored on the external disk (mounted on /mnt/external). The device will no longer be accessible over the network; instead you can use the serial console by plugging RX and TX into GPIOs 9 and 10, respectively. To access the captured files, power off the device using the button and plug the external drive into any computer. The files are stored in the pcap file format and are split when they reach 1GB.
The default usage of this device is to configure a SPAN/mirror port on a switch or router and receive a mirror of the whole traffic flow.
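As an added check that is not part of the original build or its GitHub code, the following Python script walks a pcap pulled from the external drive: it parses the classic pcap global header and each record header, counts packets, flags a file that ends mid-record (a capture cut off before tcpdump flushed, which a hard power-off instead of the shutdown button can cause), and flags timestamps earlier than the day the tap was built, the sign that the DS1307 was never set or its coin cell died. Assumed values: a TAP_BUILT date of 2023-10-10, and that an unset DS1307 reports 2000-01-01; adjust both to your own build.

```python
import struct
from dataclasses import dataclass
from datetime import datetime, timezone

LINKTYPE_ETHERNET = 1
TAP_BUILT = datetime(2023, 10, 10, tzinfo=timezone.utc)  # assumed build date of the tap; adjust to yours
RTC_UNSET = datetime(2000, 1, 1, tzinfo=timezone.utc)    # assumed: what a DS1307 reports after losing power
MAGICS = {  # pcap magic -> (struct byte order, ticks per second of the fractional timestamp field)
    b"\xd4\xc3\xb2\xa1": ("<", 1_000_000),      # little-endian, microseconds (what tcpdump writes on the Pi)
    b"\xa1\xb2\xc3\xd4": (">", 1_000_000),      # big-endian, microseconds
    b"\x4d\x3c\xb2\xa1": ("<", 1_000_000_000),  # little-endian, nanoseconds
    b"\xa1\xb2\x3c\x4d": (">", 1_000_000_000),  # big-endian, nanoseconds
}

@dataclass
class PcapSummary:
    packets: int
    first_ts: float
    last_ts: float
    truncated: bool  # file ends mid-record, e.g. the tap lost power before tcpdump flushed
    rtc_ok: bool     # first timestamp is after the tap's build date, so the RTC had been set

def summarize_pcap(data: bytes, not_before: datetime) -> PcapSummary:
    """Walk a classic pcap file record by record and report its health."""
    if data[:4] not in MAGICS:
        raise ValueError("not a pcap file (bad magic)")
    order, ticks = MAGICS[data[:4]]
    _major, _minor, _zone, _sigfigs, snaplen, linktype = struct.unpack(order + "HHiIII", data[4:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unexpected link type {linktype}; the tap captures plain Ethernet")
    off, count, first, last = 24, 0, None, None
    while off + 16 <= len(data):
        sec, frac, incl_len, _orig_len = struct.unpack(order + "IIII", data[off:off + 16])
        if incl_len > snaplen or off + 16 + incl_len > len(data):
            break                      # record claims more bytes than exist on disk
        ts = sec + frac / ticks
        first = ts if first is None else first
        last, count, off = ts, count + 1, off + 16 + incl_len
    truncated = off != len(data)       # leftover bytes mean the file ends mid-record
    rtc_ok = first is not None and first >= not_before.timestamp()
    return PcapSummary(count, first or 0.0, last or 0.0, truncated, rtc_ok)

def build_sample(start: datetime, frames: int = 2, cut_last: bool = True) -> bytes:
    """Constructed test input: `frames` one-second-spaced Ethernet records, then an optional cut-off record."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, LINKTYPE_ETHERNET)
    frame = bytes(14) + b"payload"   # dummy 14-byte Ethernet header plus payload
    base = int(start.timestamp())
    body = b"".join(struct.pack("<IIII", base + i, 0, len(frame), len(frame)) + frame for i in range(frames))
    if cut_last:
        body += struct.pack("<IIII", base + frames, 0, len(frame), len(frame)) + frame[:5]
    return hdr + body
```

Run it over every `*.pcap*` file on the drive (tcpdump appends a counter to the rotated files' names) and treat a truncated file or a false rtc_ok as a reason to distrust the timestamps before loading the capture into an analyser.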
Code
The full code is available on GitHub.