Tuning your network capture

During real penetration testing exercises, we found that an unfiltered tcpdump capture, or a heavier tool such as Wireshark, consumes enough processing power and memory that it can crash the Raspberry Pi or leave it unresponsive. For this reason, the best practice is to avoid such tools in real environments unless you tune what is captured to reduce the overhead on the Raspberry Pi. Here are some steps to capture network traffic with tcpdump in a controlled manner.

Tcpdump is a very useful tool, and knowing what you are doing with the utility will help you get the most out of it on the Raspberry Pi. The following section provides a few tuning pointers; it is not intended to be a tcpdump tutorial.

The first thing to consider is how to narrow down what tcpdump is looking for. You can do this in a few ways. The first way is to use the host keyword, which matches traffic to or from a given hostname or IP address. Note that a hostname is resolved once, when tcpdump compiles the filter, so the filter only matches the address(es) returned at that moment. It can be done in the following manner:

tcpdump host www.drchaos.com

Or, we can do it using the IP address in the following manner:

tcpdump host 8.8.8.8

You can also specify the source IP address, the destination IP address, or both. Primitives must be joined with a logical operator (and, or, not); tcpdump rejects two primitives written side by side. In the following example, we have defined both the source and the destination:

tcpdump src 1.1.1.1 and dst 2.2.2.2

You don't have to be this specific: if needed, limit the filter to only the source or only the destination.

You may have a need to look at all the traffic belonging to a particular subnet. To do this, use the net keyword in tcpdump. You should, however, keep a few things in mind before doing this. On a busy network, your Raspberry Pi will most likely not be able to keep up with this capture. It is limited not only by its processing power, but also by its 100 Mbit/s network interface. If you exceed the capabilities of the Raspberry Pi, the best-case scenario is that the kernel drops packets and you do not capture what you expected (tcpdump reports this in the "packets dropped by kernel" line of its summary when it exits). The worst-case scenario could mean crashing the system.

The following command captures all the traffic belonging to a particular subnet:

tcpdump net 10.0.1.0/24

Although it is called tcpdump, you can filter on the Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP) with the tcp, udp, and icmp qualifiers. For example, to capture only ICMP traffic:

tcpdump icmp

You can also filter on specific ports. Tcpdump does not accept a comma-separated list of ports; combine port primitives with or instead:

tcpdump port 80 or port 21

You can specify which port numbers to monitor and whether a port is a source port or a destination port. The following example combines several options: UDP from source port 1099, all ICMP, or TCP from source port 20 (FTP data). Because and binds more tightly than or, the parentheses are optional, but they make the intent clear; the expression is quoted so the shell passes it to tcpdump unchanged:

tcpdump '(udp and src port 1099) or icmp or (tcp and src port 20)'

You should write your findings to a file that can be analyzed later. To write your findings to a file, use the -w option followed by the name of the file in which you are going to save them. It is good practice to use .cap (or .pcap) as the file extension. The -s option sets the snapshot length, the number of bytes kept from each packet; a small value (for example 96, enough for the Ethernet, IP, and TCP headers) noticeably cuts CPU and disk load on the Raspberry Pi, while -s 0 keeps whole packets. The following example keeps up to 10994 bytes of each packet on port 80:

tcpdump -s 10994 port 80 -w my_capture_file.cap

You can read the file back with tcpdump using the -r option, as shown in the following command (add -n to skip name lookups, which are slow on the Raspberry Pi):

tcpdump -r my_capture_file.cap

However, we recommend that you transfer the file to an FTP, SCP, HTTPS, or any other type of server and analyze it on a more capable machine, for example with Wireshark. This keeps the Raspberry Pi's SD card from filling up. Bear in mind that a capture often contains credentials and other sensitive data, so prefer an encrypted transport such as SCP or HTTPS over plain FTP.
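The following wrapper script is an added example, not code from the original page. It runs tcpdump with the tuning options that keep a Raspberry Pi responsive (no name resolution, a short snapshot length, a packet-count limit, and bounded output-file rotation), then inspects tcpdump's exit summary for the "packets dropped by kernel" count so that a capture that silently lost traffic is flagged rather than trusted. The interface name, output path, filter, limits, and the sample summary text are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): controlled tcpdump capture
# on a Raspberry Pi with a drop check on the exit summary.

# Build the tcpdump command line.
#   $1 = interface, $2 = output file, $3 = BPF filter, $4 = packet limit
# -n    : no DNS or service-name lookups (each one is a blocking network call)
# -s 96 : snapshot length covering Ethernet + IP + TCP headers (assumed value)
# -c    : stop after N packets so a busy link cannot run away with the CPU
# -C 10 : start a new file every 10 MB; -W 5 keeps at most 5 files (bounded disk)
# The filter is single-quoted so parentheses survive the shell.
capture_cmd() {
    printf "tcpdump -n -i %s -s 96 -c %s -C 10 -W 5 -w %s '%s'" \
        "$1" "$4" "$2" "$3"
}

# Extract the "dropped by kernel" count from a tcpdump exit summary read on
# stdin.  The summary looks like:
#   15 packets captured
#   20 packets received by filter
#   5 packets dropped by kernel
# Prints 0 when the line is absent.
kernel_drops() {
    awk '/packets dropped by kernel/ { n = $1 } END { print n + 0 }'
}

# Run the capture and fail (return 1) if the kernel dropped any packets.
# tcpdump prints its summary on stderr, so stderr is kept in "$2.log".
run_capture() {
    if ! command -v tcpdump >/dev/null 2>&1; then
        echo "tcpdump not installed" >&2
        return 2
    fi
    cmd=$(capture_cmd "$@")
    sh -c "$cmd" 2>"$2.log"
    drops=$(kernel_drops < "$2.log")
    if [ "$drops" -gt 0 ]; then
        echo "WARNING: $drops packets dropped by kernel; narrow the filter or lower -s" >&2
        return 1
    fi
    echo "capture complete, no kernel drops (summary in $2.log)"
}

# Usage: sudo sh capture.sh eth0 /tmp/web.pcap 'port 80 or port 21' 1000
# (only runs when arguments are supplied, so the functions can be sourced)
if [ "$#" -eq 4 ]; then
    run_capture "$@"
fi
```

On Raspberry Pi OS (Debian), tcpdump drops privileges to the tcpdump user after opening the interface, so the output directory must be writable by that user; /tmp works, a directory under /root does not. A non-zero drop count means the filter admitted more traffic than the Pi could copy to disk: tighten the filter, lower -s, or lower -c before trusting the capture.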
