Thursday, June 23, 2016

Make a Portable Packet-Sniffing Linux Box for the Raspberry Pi with tcpdump



I got one of these small TFT screens for Christmas one year, and I'm finally putting it to use :)

First things first, put the screen on before powering up; don't try attaching it while the Pi is powered on.

I initially wanted Kali Linux, as its UI looked better, but I was unable to get it to work on an older RasPi.  So if you just want to download an image, here's the download link:  https://learn.adafruit.com/adafruit-pitft-28-inch-resistive-touchscreen-display-raspberry-pi/easy-install

I HIGHLY recommend you start with the Jessie Lite version; there are still screen-sizing issues even on the "pre-configured" "Full" image.  The window sizes are off and it's really annoying to resize them any time you open a window.  I don't think I'm ever going to use the "startx" GUI much on this device, too frustrating.  With the Lite version it's not installed, so you have more space on your SD card to install other programs or store data.

So get an 8GB SD card and clear it out to a single partition.  For some reason I was having issues with the Unix "dd" program on another Linux box, but Win32 Disk Imager worked like a charm.  Boot up your Pi (takes a few seconds); hopefully you start seeing text scrolling.  Default username is "pi" and default password is "raspberry".  I'd at least change the password with the "passwd" command.  Now, in the initial console, I like it because the text doesn't go off the screen, it just gets wrapped to the next line.  Messing with screen resizing and the like doesn't sound like a lot of fun to me, so I'm glad it's been taken care of within this image.

There's a multitude of projects you can do; just search them out.  The first thing I want to do is change the keyboard from UK layout to US layout, since the quotation marks and the @ symbol are swapped.  This is done by typing into the shell prompt:

sudo vi /etc/default/keyboard

Push "i" to "insert" text.

Change XKBLAYOUT="uk" to XKBLAYOUT="us"

Then save by hitting ESC, then typing ":wq" (you should see the colon appear at the bottom) and Enter.

Then reboot by typing "sudo reboot" in the shell prompt.

Next thing is I want to use that dongle I've talked about earlier so it's not going to waste ( http://integratedmosfet.blogspot.com/2014/12/making-d-link-fr300-wifi-usb-dongle.html ).  I want a script that loads its driver and registers its USB ID to run automatically at boot, so the dongle powers on without me typing anything.

One way to do this is found here:  http://raspberrypi.stackexchange.com/questions/8734/execute-script-on-start-up

Do the following: 

sudo nano /etc/init.d/superscript

Write your script (don't forget #!/bin/sh).  Mine was this:

#!/bin/sh

# Load the Realtek driver, then tell it about the dongle's USB vendor/product ID
# (07d1 3304) so it binds to the device.  Init runs this as root, so no sudo is needed.
modprobe r8712u
echo -n "07d1 3304" > /sys/bus/usb/drivers/r8712u/new_id

Then save it (Ctrl-X, "Y", then Enter to return to the shell prompt).

Next make the script executable:

sudo chmod 755 /etc/init.d/superscript

Then register script to be run at startup:

sudo update-rc.d superscript defaults

Then reboot.  This worked for me (it executes even before logging in), and I know my script executed because my dongle started blinking.  Now I don't have to type that script on *every* boot!  Very handy.
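Here's a fuller version of that init script, written as an added example for this post (it's my code, not the post's script or the Stack Exchange answer's).  It keeps the same two actions, modprobe and a write to new_id, but adds the LSB header block that update-rc.d on Jessie otherwise warns about, checks whether the ID is already listed before writing it (the kernel lists IDs added through new_id when you read the file back), and reports what it did.  The sysfs path and the 07d1 3304 ID pair are the ones from the post; DRIVER_DIR is overridable only so the helper can be tried against a temp directory without root.

```shell
#!/bin/sh
### BEGIN INIT INFO
# Provides:          superscript
# Required-Start:    $local_fs
# Required-Stop:
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Load r8712u and register the D-Link dongle's USB ID
### END INIT INFO

# Driver sysfs directory and the vendor/product ID pair from the post.
# DRIVER_DIR can be overridden (e.g. to a temp dir) to exercise the helper without root.
DRIVER_DIR="${DRIVER_DIR:-/sys/bus/usb/drivers/r8712u}"
VENDOR_ID="07d1"
PRODUCT_ID="3304"

# register_usb_id DIR VENDOR PRODUCT
# Writes "VENDOR PRODUCT" to DIR/new_id unless that ID is already listed there.
# Returns 0 when registered, 1 when DIR/new_id is missing or not writable
# (driver not loaded, or not running as root), 2 when the ID was already present.
register_usb_id() {
    dir="$1"; vid="$2"; pid="$3"
    [ -w "$dir/new_id" ] || return 1
    # Reading new_id back lists the IDs added through it; check first so a
    # service restart doesn't append the same entry again.
    if grep -qi "^$vid $pid" "$dir/new_id" 2>/dev/null; then
        return 2
    fi
    echo "$vid $pid" > "$dir/new_id"
}

# Init-style dispatcher; only runs when the script is invoked with an action.
if [ $# -gt 0 ]; then
    case "$1" in
        start)
            # Runs as root from init, so no sudo is needed here.
            modprobe r8712u || exit 1
            rc=0
            register_usb_id "$DRIVER_DIR" "$VENDOR_ID" "$PRODUCT_ID" || rc=$?
            case "$rc" in
                0) echo "r8712u: registered $VENDOR_ID:$PRODUCT_ID" ;;
                2) echo "r8712u: $VENDOR_ID:$PRODUCT_ID already registered" ;;
                *) echo "r8712u: $DRIVER_DIR/new_id not writable" >&2; exit 1 ;;
            esac
            ;;
        stop|restart|status) ;;   # nothing to undo; the module stays loaded
        *) echo "Usage: $0 {start|stop|restart|status}" >&2; exit 1 ;;
    esac
fi
```

Drop it in as /etc/init.d/superscript, chmod 755 it and run "sudo update-rc.d superscript defaults" exactly as above; "sudo /etc/init.d/superscript start" lets you try it by hand first and see which of the three messages you get.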

My Pi kept going to sleep on me, which was annoying, so let's stop that.  If you always want your Pi's screen to stay on (no console blanking), type:

nano ~/.bashrc

Then at the end of the file, add:

setterm -blank 0 -powerdown 0

Then Ctrl-X to exit, 'y' to save, then Enter.

Next, let's set up the internet connection; this page is the easiest guide:  https://learn.adafruit.com/adafruits-raspberry-pi-lesson-3-network-setup/setting-up-wifi-with-occidentalis

You just need to modify the interfaces file a bit, mostly putting in your SSID and router password.

sudo nano /etc/network/interfaces

This is what you'll need to get it working; if for some reason you have a hidden SSID, check out that linked page.  Just make sure this is what's in that file:

auto lo

iface lo inet loopback
iface eth0 inet dhcp

allow-hotplug wlan0
auto wlan0

iface wlan0 inet dhcp
    wpa-ssid "your SSID here"
    wpa-psk "your password here"

And that's it!  Save it and reboot again.

Next, one cool program to try out is "wavemon".  It lets you scan for any Wi-Fi networks in your area.  Just type "sudo apt-get install -y wavemon".

Then run "sudo wavemon" to launch it.  The first page is some info on your network.  Press F3 on the keyboard to see the networks, and F10 to exit.  Pretty neat, but you can't leave this running constantly, which is what I want; for some reason my Pi was freezing up (I suspect a memory leak but didn't investigate).

Now for the program this tutorial is based on: tcpdump.  This is a great program (man page here: http://www.tcpdump.org/tcpdump_man.html ), a command-line packet sniffer.  All I personally wanted was to continuously display the packets traversing my network, since this is a small separate device I'll have on my desk just running all the time.  To really analyze your traffic you'd need to save all the packets for a given period of time and analyze them later.

So, this was a piece of cake too.  Install tcpdump:

sudo apt-get install tcpdump

Once installed, just run:

sudo tcpdump

And it starts sniffing.  So far I've let this run continuously for months and it hasn't locked up the Pi.  Already I've seen my mobile phone's traffic, our Apple devices, and our Xbox.  I can observe devices connecting to our network in real time, which is nice.
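If "watch devices show up" is the goal, a few lines of awk on top of tcpdump make it a lot easier to read than the raw scroll.  This is an added example (my script, not from the post or the tcpdump project): it reads tcpdump output on stdin and prints each address the first time it appears as a sender, whether as an IP/IP6 source or as the ARP sender.  It assumes tcpdump is run with -n (numeric, so a source prints as "host.port", or as a bare address for ICMP and ARP) and -l (line-buffered, so the pipe gets lines promptly), at the default verbosity.  One thing worth knowing: wlan0 in normal managed mode only sees frames addressed to the Pi plus broadcast and multicast, so what you mostly see from the desk is ARP, DHCP, mDNS and SSDP chatter, which is exactly the traffic that announces a device joining.  The sample lines in sample_capture are constructed, not a real capture.

```shell
#!/bin/sh
# new_hosts: read `tcpdump -n -l` output on stdin and print each address the
# first time it appears as a sender (IP/IP6 source, or the ARP sender).
# Assumes default tcpdump verbosity with -n: the source is "host.port" for
# IPv4 or "v6addr.port" for IPv6, with no port at all for ICMP and ARP.
new_hosts() {
    awk '
        # Strip a trailing ".port" without mangling a bare address.
        function host(s,   n) {
            if (s ~ /:/) {                      # IPv6: a dot only shows up before the port
                if (s ~ /\./) sub(/\.[0-9]+$/, "", s)
            } else {                            # IPv4: four dots means host.port, three means bare
                n = gsub(/\./, ".", s)
                if (n == 4) sub(/\.[0-9]+$/, "", s)
            }
            return s
        }
        function note(addr, ts) {
            if (addr != "" && !(addr in seen)) { seen[addr] = ts; print ts " new host " addr }
        }
        $2 == "IP" || $2 == "IP6" { note(host($3), $1); next }
        $2 == "ARP," && $3 == "Request" {       # "... who-has X tell Y," -> Y is the sender
            for (i = 4; i <= NF; i++) if ($i == "tell") { a = $(i + 1); sub(/,$/, "", a); note(a, $1) }
            next
        }
        $2 == "ARP," && $3 == "Reply" { note($4, $1); next }   # "ARP, Reply X is-at MAC"
    '
}

# Constructed sample of what `tcpdump -n -l -i wlan0` prints on a home network
# (not a real capture): ARP, mDNS and SSDP multicast, a DHCP reply, a ping.
sample_capture() {
    cat <<'EOF'
10:15:01.123456 ARP, Request who-has 192.168.1.1 tell 192.168.1.23, length 28
10:15:01.223456 IP 192.168.1.23.5353 > 224.0.0.251.5353: 0 PTR (QM)? _airplay._tcp.local. (50)
10:15:02.000000 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28
10:15:02.500000 IP 192.168.1.1.67 > 192.168.1.40.68: BOOTP/DHCP, Reply, length 300
10:15:03.000000 IP 192.168.1.40 > 192.168.1.1: ICMP echo request, id 1, seq 1, length 64
10:15:04.000000 IP6 fe80::1234:5678:9abc:def0.5353 > ff02::fb.5353: 0 PTR (QM)? _services._dns-sd._udp.local. (45)
10:15:05.000000 IP 192.168.1.40.49152 > 239.255.255.250.1900: UDP, length 133
EOF
}

case "${1:-}" in
    --demo) sample_capture | new_hosts ;;   # run the parser over the constructed sample
    --live) new_hosts ;;                    # read a real tcpdump pipe (see usage below)
esac
```

"sh new_hosts.sh --demo" prints four lines for the sample (192.168.1.23, 192.168.1.1, 192.168.1.40 and the fe80:: address), one per sender, in the order they first spoke.  For the real thing: "sudo tcpdump -n -l -i wlan0 -S -B 4096 | sh new_hosts.sh --live".  If you'd rather keep the packets for later analysis, as the post mentions, swap the pipe for "-w /home/pi/caps/%Y%m%d-%H%M.pcap -G 3600" and tcpdump will start a new file every hour.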

*UPDATE*

First I added a wireless USB keyboard.  Most any of these keyboards, as long as they're standard USB keyboards, should work with the Raspberry Pi.  I'm very pleased with it.  Since I'm using Jessie Lite I only have the command line (which is OK, since a GUI on a 2.8 inch screen is not that great and there are constant resizing issues), so the only I/O I really need is internet and a keyboard.  This makes for a very nice fun toy.

After running for around a week and then stopping it, it turned out around 3400 packets were dropped by the kernel and 1200 by the "interface".  I don't want any packets dropped (this is wireless, so drops are always possible).  If I were more serious I would at least be hardwired into the router, and probably also use a device like a "LAN tap" and store everything on terabyte hard disks.

One concern mentioned on the tcpdump FAQ page was connections seemingly leaking memory, as the address space size kept increasing over time.  The developers call it "state accumulation" rather than a memory leak: tcpdump remembers each TCP connection so it can print relative sequence numbers.  So we add "-S" (print absolute sequence numbers, so no per-connection state is kept) to the tcpdump command.

http://www.tcpdump.org/faq.html

Also, others had this issue and suggested expanding the default capture buffer to 4MB instead of 2MB (tcpdump's -B option takes the size in KiB, so -B 4096 is 4MB).

http://unix.stackexchange.com/questions/144794/why-would-the-kernel-drop-packets

http://serverfault.com/questions/421789/lots-of-dropped-packages-when-tcpdumping-on-busy-interface

So the latest command I'm running is:

sudo tcpdump -B 4096 -S