Record network traffic with the Raspberry Pi (tcpdump)

A Raspberry Pi configured as a man-in-the-middle is to record the network traffic passing through it, for example to find errors in a network communication. The traffic should be written to a file for later evaluation with Wireshark.
Task
- Record traffic via man-in-the-middle.
- Evaluate the file with Wireshark.
Solution with tcpdump
This solution requires a Raspberry Pi configured as a man-in-the-middle. In principle the task can also be solved with other configurations.
Basically, note that recording traffic can produce very large amounts of data. Therefore, think first about what and how much you want to record.
A first attempt should be limited to a maximum number of packets so you can see what awaits you (without "-i", tcpdump picks the first usable interface):
sudo tcpdump -c 10
Or restricted to a specific interface:
sudo tcpdump -i wlan0
If you want to keep the data, write it to a file in pcap format ("-p" leaves the interface in non-promiscuous mode, which is sufficient on a man-in-the-middle because the traffic is already routed through the Pi):
sudo tcpdump -i wlan0 -p -w tcpdump.pcap
Older versions of tcpdump recorded only the first 68 bytes of each packet by default; current versions (4.0 and later) capture whole packets by default. The parameter "-s …" sets the snapshot length explicitly, and "-s0" records packets completely. A good compromise is "-s 96" (bytes), which keeps the Ethernet, IP and TCP headers but drops most of the payload; Wireshark flags such records as "Packet size limited during capture".
If you want to record everything, bear in mind that if someone performs a 2 GB download at that moment, all of that data lands in the file. This can quickly fill the SD card, which you do not necessarily want.
So that the recording does not grow without bound, you can limit the size of each file and the number of files; tcpdump then writes numbered files and, once the last one is full, starts overwriting the first (a ring buffer):
sudo tcpdump -n -i eth0 -s 96 -C 100 -W 15 -w tcpdump.pcap
Overview of parameters:
- -n … no DNS resolution of addresses (lookups cost time and generate traffic of their own)
- -i … interface (e.g. eth0 or wlan0)
- -s … snapshot length per packet in bytes (96 is enough for the Ethernet / IP / TCP headers)
- -C … max. size of each file (in units of 1,000,000 bytes)
- -W … number of files to create; together with -C this is a ring buffer, so the disk usage is limited to about -C times -W (here 1.5 GB)
- -w … file name (with -C the files are numbered)
Additionally, the traffic that "tcpdump" displays or records can be limited with capture filters (a filter expression after the options, e.g. restricting to one host or one port), which is usually the best way to keep the file small.
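As an added example (not part of the original page and not tcpdump's own code), the following Python script writes a small file in the pcap format that "tcpdump -w" produces, using constructed Ethernet/IPv4/TCP frames with hypothetical addresses, and reads it back the way Wireshark does: it compares the stored length of each record with the length on the wire to show which packets "-s 96" cut short, and applies a port filter while reading, similar to a "tcp port" capture filter. It needs only the Python standard library.

```python
import os
import struct
import tempfile

# pcap (libpcap) file layout as written by "tcpdump -w": a 24-byte global
# header, then per packet a 16-byte record header plus the captured bytes.
PCAP_MAGIC = 0xA1B2C3D4      # little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1


def pcap_global_header(snaplen):
    # magic, version 2.4, thiszone, sigfigs, snaplen, link type
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)


def pcap_record(ts_sec, ts_usec, frame, snaplen):
    # "-s" truncates each frame to snaplen: incl_len is what was stored,
    # orig_len is the length on the wire. Wireshark compares the two.
    data = frame[:snaplen]
    return struct.pack("<IIII", ts_sec, ts_usec, len(data), len(frame)) + data


def ip_bytes(dotted):
    return bytes(int(x) for x in dotted.split("."))


def build_tcp_frame(src_ip, dst_ip, sport, dport, payload):
    # Constructed Ethernet/IPv4/TCP frame (hypothetical MACs, checksums left 0).
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def write_pcap(path, frames, snaplen):
    with open(path, "wb") as f:
        f.write(pcap_global_header(snaplen))
        for i, frame in enumerate(frames):
            f.write(pcap_record(1700000000 + i, 0, frame, snaplen))


def read_pcap(path):
    """Yield (incl_len, orig_len, captured bytes) for every record in the file."""
    with open(path, "rb") as f:
        header = f.read(24)
        if len(header) != 24 or struct.unpack("<I", header[:4])[0] != PCAP_MAGIC:
            raise ValueError("not a little-endian pcap file")
        while True:
            rec = f.read(16)
            if len(rec) < 16:
                break
            _sec, _usec, incl_len, orig_len = struct.unpack("<IIII", rec)
            yield incl_len, orig_len, f.read(incl_len)


def tcp_ports(frame):
    """Parse Ethernet/IPv4/TCP headers; None if not TCP or the headers are cut off."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    off = 14 + (frame[14] & 0x0F) * 4          # Ethernet + IPv4 header length
    if len(frame) < off + 4:
        return None
    sport, dport = struct.unpack("!HH", frame[off:off + 4])
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    return src, dst, sport, dport


def summarize(path, port=None):
    """One dict per TCP packet (optionally only those touching `port`), with a
    flag telling whether "-s" cut the packet short."""
    rows = []
    for incl_len, orig_len, frame in read_pcap(path):
        parsed = tcp_ports(frame)
        if parsed is None or (port is not None and port not in parsed[2:]):
            continue
        rows.append({"src": parsed[0], "dst": parsed[1], "sport": parsed[2],
                     "dport": parsed[3], "captured": incl_len, "wire": orig_len,
                     "truncated": incl_len < orig_len})
    return rows


def demo(snaplen=96, port=None):
    """Write three constructed packets with the given snaplen, read them back.
    Returns (file size in bytes, summary rows)."""
    frames = [
        build_tcp_frame("192.168.1.10", "93.184.216.34", 40000, 80,
                        b"GET / HTTP/1.0\r\n\r\n"),      # 72 bytes on the wire
        build_tcp_frame("93.184.216.34", "192.168.1.10", 80, 40000,
                        b"A" * 1400),                       # 1454 bytes: download segment
        build_tcp_frame("192.168.1.10", "1.1.1.1", 40001, 443,
                        b"\x16\x03\x01" + b"\x00" * 97),    # 154 bytes: start of a TLS record
    ]
    fd, path = tempfile.mkstemp(suffix=".pcap")
    os.close(fd)
    try:
        write_pcap(path, frames, snaplen)
        return os.path.getsize(path), summarize(path, port)
    finally:
        os.remove(path)


if __name__ == "__main__":
    for s in (96, 262144):
        size, rows = demo(s)
        print(f"snaplen {s}: file {size} bytes")
        for r in rows:
            print("  ", r)
```

With "-s 96" the three packets occupy 336 bytes in the file and the 1454-byte download segment is stored as 96 bytes with its wire length preserved; a full capture of the same packets takes 1752 bytes. That is the whole effect of the snapshot length: headers survive, payload does not, and the file stays small.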
Note: tcpdump is a network tool for displaying or recording traffic, for example to understand processes in a network, to analyze networks and to search for errors, but also to record data. So you can do both good and bad with "tcpdump". Use it responsibly, and on networks you do not own only with the owner's permission.
To evaluate the recorded data we recommend the network tool Wireshark.