In my previous post I described how to use a Raspberry Pi to capture the traffic from a network device's SPAN port. In this post you will find out how to build a proper network tap, which sits inline and directly intercepts a network device's traffic. This is effectively a hardware variant of a Man-in-the-Middle (MITM) setup, and it avoids the network speed degradation that passive taps impose.
How it works
Plug the Network Tap v2 between the device you want to monitor and your network equipment, and power it on. The Network Tap will boot and set up a network bridge between its two network interfaces, capturing all incoming and outgoing traffic. When you have finished capturing, press the power button to initiate the safe shutdown procedure; when the activity LED turns off and the power LED is steady red, you can remove the device. Unplug the external drive and plug it into your PC to view the captures.
The Real Time Clock (RTC) keeps the time even when the Network Tap v2 is not powered, so that the captures are timestamped correctly. In this configuration we use the I2C0 bus on GPIO pins 0 and 1, as per the documentation.
Bill of Materials
- Raspberry Pi 4 Model B
- Micro SD card and power supply (as per documentation)
- Joy-it Aluminium Case
- Kingston SA400S37/240G
- Startech USB312SAT3CB – USB 3.1 to 2.5" SATA Hard Drive Adapter
- Tiny RTC I2C Module DS1307 Real Time Clock
- Tactile Push Button 12 x 12 mm
- USB to ethernet adapter (TP-Link UE300)
Schematic
Operating System – Versions
Raspberry Pi Imager v1.7.4
Raspberry Pi OS Lite (64-bit)
Release: 10/10/2023
Preparation
1) Using the official Raspberry Pi Imager tool, prepare a new microSD card with Raspberry Pi OS Lite (64-bit).
2) Re-insert the SD card into your computer so that it appears as USB removable storage.
3) Edit /boot/config.txt in the boot partition of the SD card and append:
# enable uart (this is optional, just in case we need to access the device using the serial port)
enable_uart=1
# Deactivate unused radios (also optional, it reduces power consumption)
dtoverlay=disable-bt
dtoverlay=disable-wifi
# Activate the soft shutdown button overlay
dtoverlay=gpio-shutdown
# Enable i2c0 bus overlay
dtparam=i2c0=on
# Set the i2c0 bus as RTC using ds1307
dtoverlay=i2c-rtc,ds1307,i2c0
4) Save the file and safely remove your microSD card.
5) Place the microSD card back into the Raspberry Pi and plug in the power cable. Establish a terminal connection to your Raspberry Pi either via SSH or the serial console.
6) After establishing the connection and logging in, update your package lists and distribution using the commands:
sudo apt update
sudo apt upgrade -y
External Disk preparation
This step is not mandatory; you can use an existing disk with any partition type as long as you know how to mount it on your personal computer and get the data off the drive. I've chosen to format an existing drive as FAT32 so that it is compatible with both Windows and Linux machines. Just keep in mind that with FAT32 the partition cannot exceed 2TB and no single file can exceed 4GB.
I used the Startech USB312SAT3CB to connect a Kingston SA400S37/240G SATA disk to the Raspberry Pi, but you can use any USB-to-SATA adapter as long as it works with the Raspberry Pi. An excellent reference for choosing both the disk drive and the adapter, or an external USB drive, is James A. Chambers' blog.
1) To format your drive, plug it into your Raspberry Pi and find the device's name (here it is /dev/sda):
lsblk
2) Wipe the drive's current partition table and all data (WARNING: this removes all existing data from the disk drive):
sudo wipefs --all /dev/sda
3) Then, using parted, create a new MS-DOS disk label and a new primary partition:
sudo parted /dev/sda
At the parted console type:
mklabel msdos
mkpart primary fat32 0% 100%
quit
4) Create a new filesystem:
sudo mkfs.vfat -I /dev/sda1
5) Reboot the device so that the drive's identifiers are refreshed:
sudo reboot
Auto mount the disk on boot
1) Create the mount point, /mnt/external:
sudo mkdir /mnt/external
2) Find your external disk's partition UUID (PARTUUID):
blkid
3) Edit /etc/fstab and add the proper configuration:
PARTUUID=[TYPE_YOUR_PARTITION'S_ID_HERE] /mnt/external vfat defaults,auto,users,rw,nofail,umask=000 0 0
4) Reload the mount points to mount the disk:
sudo mount -av
Configure Network Tap
1) Install tcpdump, the software which will be used to capture packets, and bridge-utils, the package which will be used to bridge the network interfaces:
sudo apt install -y tcpdump bridge-utils
2) Create the directory and the file, and set appropriate permissions, for the script responsible for setting up the bridge interface and starting the capture:
sudo mkdir -p /etc/novamostra
sudo touch /etc/novamostra/ethCapture.sh
sudo chmod +x /etc/novamostra/ethCapture.sh
3) Edit the file using `sudo nano /etc/novamostra/ethCapture.sh` and append the following commands:
#!/bin/bash
# Bring both NICs up without an IP address: the tap itself stays silent on the wire
ifconfig eth0 0.0.0.0 up
ifconfig eth1 0.0.0.0 up
# Create the bridge and attach both interfaces so frames pass through transparently
brctl addbr br0
brctl addif br0 eth0 eth1
ifconfig br0 up
# Capture everything crossing the bridge; -C 1000 rotates the output file every 1000 MB (1 GB)
tcpdump -i br0 -C 1000 -w "/mnt/external/$(date '+%Y%m%d%H%M%S').pcap"
4) Create the service file, which will launch the script after network initialization.
sudo nano /etc/systemd/system/ethCapture.service
5) Append the following content:
[Unit]
Description=Ethernet Mode
Wants=network-online.target
After=network.target network-online.target
# Do not start until the external disk is mounted, so captures never land on the SD card
RequiresMountsFor=/mnt/external
[Service]
Type=oneshot
ExecStart=/etc/novamostra/ethCapture.sh
# tcpdump runs until shutdown, so never time the unit out
TimeoutSec=0
[Install]
WantedBy=multi-user.target
6) Enable the service which will run the script:
sudo systemctl enable ethCapture.service
Network Tap Usage
The Network Tap is now ready. On the next boot it will automatically configure the bridge interface, start capturing all incoming and outgoing traffic, and store it on the external disk (mounted on /mnt/external). The device will no longer be accessible through the network; you can instead use the serial console by plugging RX and TX into GPIOs 9 and 10, respectively. To access the captured files, power off the device using the button and plug the external drive into any computer. The files are stored in the pcap file format and are split when they reach 1GB.
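Before analysing the rotated files it is worth confirming that each one is intact, since a capture that ended without the safe shutdown can leave a partially written last record. The following checker is an added example and not part of the project's code: it parses the classic pcap global header (both byte orders, microsecond or nanosecond magic), counts records, reports the time span and link type, and flags a truncated final record. The sample capture it builds is constructed in memory.

```python
"""Integrity check for the tap's rotated pcap files (added example, not the project's code)."""
import struct
MAGIC_USEC = 0xA1B2C3D4   # classic pcap, microsecond timestamps (tcpdump default)
MAGIC_NSEC = 0xA1B23C4D   # nanosecond-timestamp variant
GLOBAL_HDR_LEN, RECORD_HDR_LEN = 24, 16

def check_pcap(data: bytes) -> dict:
    """Walk the records of one pcap and report link type, packet count, time span
    and whether the last record is cut short (a sign the tap lost power before the
    safe shutdown let tcpdump flush and close the file)."""
    if len(data) < GLOBAL_HDR_LEN:
        raise ValueError("shorter than a pcap global header")
    endian, magic = "<", struct.unpack("<I", data[:4])[0]
    if magic not in (MAGIC_USEC, MAGIC_NSEC):          # try a big-endian writer
        endian, magic = ">", struct.unpack(">I", data[:4])[0]
        if magic not in (MAGIC_USEC, MAGIC_NSEC):
            raise ValueError("not a pcap file (bad magic)")
    frac_div = 1e9 if magic == MAGIC_NSEC else 1e6
    _maj, _min, _tz, _sig, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    offset, packets, first_ts, last_ts, truncated = GLOBAL_HDR_LEN, 0, None, None, False
    while offset < len(data):
        if len(data) - offset < RECORD_HDR_LEN:
            truncated = True                           # record header itself incomplete
            break
        ts_sec, ts_frac, incl_len, _orig = struct.unpack(endian + "IIII", data[offset:offset + 16])
        if incl_len > snaplen or len(data) - offset - RECORD_HDR_LEN < incl_len:
            truncated = True                           # payload shorter than header claims
            break
        last_ts = ts_sec + ts_frac / frac_div
        first_ts = last_ts if first_ts is None else first_ts
        packets += 1
        offset += RECORD_HDR_LEN + incl_len
    return {"linktype": linktype, "snaplen": snaplen, "packets": packets,
            "first_ts": first_ts, "last_ts": last_ts, "truncated": truncated}

def build_sample(truncate: bool) -> bytes:
    """Constructed sample (not a real capture): little-endian usec pcap, Ethernet
    link type 1, two 64-byte frames, plus an optional third record cut mid-payload."""
    hdr = struct.pack("<IHHiIII", MAGIC_USEC, 2, 4, 0, 0, 262144, 1)
    frame = bytes(64)
    body = b"".join(struct.pack("<IIII", 1700000000 + i, 500000 * i, 64, 64) + frame
                    for i in range(2))
    if truncate:
        body += struct.pack("<IIII", 1700000002, 0, 64, 64) + frame[:10]
    return hdr + body

if __name__ == "__main__":
    print(check_pcap(build_sample(truncate=False)))   # clean file: 2 packets, truncated False
    print(check_pcap(build_sample(truncate=True)))    # cut file: still 2 packets, truncated True
```

To run it against real captures, replace the sample with `check_pcap(open(path, "rb").read())` for each file under /mnt/external; a truncated last file still yields every complete record before the cut.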
Code
The full code is available on GitHub.