Recently I had a need for a small portable device to preform long term BACnet captures and figured the Raspi might be well suited. Using the raspi network tap described below you can capture months of traffic, remotely access Wireshark and download the captured traffic. I decided on a passive tap but any switch or hub could be used depending on your needs.
Material used
- RaspberryPi3 $39.00
- Power adapter $8.88
- Power adapter $8.88
- SD Card $12.49
- Case $6.99
- Current Raspbian Stretch with Desktop Based on Kernel version 4.9 Released 11-29-2017
- 2x USB Ethernet Adapter $23.98
- Passive network tap $68.95
- Optional active tap
$160.29 total cost per unit in my setup, cost was not a huge concern. This could be done for half by making a passive tap and sourcing cheaper parts.
Update, I decided to roll my own tap. Its available at the bottom of this post.
Install Raspbian and update
Download the current version of Raspbian and install it to the SD card. On Windows I use Win32DiskImager to copy the image to the card. Connect Ethernet, keyboard, mouse and a monitor and boot it from the SD card. It should load right into the desktop with the pi user account. Open up a terminal window and update.
sudo apt-get update sudo apt-get dist-upgrade
Install VNC
In a terminal window, get and install realVNC.
sudo apt-get install realvnc-vnc-server realvnc-vnc-viewer
sudo raspi-config
Under localization options set the timezone.
Under advance options expand the filesystem.
Set the resolution. If your planing on using the pi headless, VNC will have a very small desktop once the monitor is removed. The largest option is best. Make sure whatever setting you choose is compatible with your monitor.
Under interface options enable VNC server.
If you want to check the DHCP address assigned to the raspi use the following in the terminal.
ifconfig
Exit the config menu and reboot the device.
sudo reboot
At this point you should be able to disconnect the keyboard, mouse and monitor and access the pi over VNC. On Windows I use RealVNC. VNC into the pi using the default user account – pi/raspberry.
Install Wireshark
Open a terminal window install and setup Wireshark.
sudo apt-get install wireshark
Part of the install will ask a few questions.
Choose the default – NO and then create a new user group.
sudo groupadd wireshark
Add your user to this group, “pi” is default.
sudo usermod -a -G wireshark pi
Change the group ownership of dumpcap.
sudo chgrp wireshark /usr/bin/dumpcap
Allow the group to execute the directory.
sudo chmod 750 /usr/bin/dumpcap
Give setcap the capabilities.
sudo setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap
Reboot the Raspi to apply the settings.
sudo reboot
Determine your capture plan
Create on bash script per network interface you plan on using. There are several options depending on how you want to capture. A dedicated interface for the capture and a secondary for remote access is recommended. You will need a network tap or switch that supports mirroring or span ports for most networks such as this. These duplicate traffic on multiple ports to a single mirror port. Connecting the Raspi to a mirror port allows you capture all the traffic. Most cases these ports are one way, so they cannot be used to remotely access your Pi. Passive taps are another option for traffic capture. These can be homemade for a few bucks or purchased online. These do not require any power but separate monitoring interfaces are needed to capture the transmit and receive streams separately. You can combine the capture files later if desired. Passive taps steal some of the signal from the monitored cable. As such, Gigabit links will downgrade to 100mb and cable runs pushing the distance limits may not work. These taps are totally transparent to the monitored network. Connecting the Throwing Star with “OUT” to the monitored device, TX is traffic transmitted from the OUT port, RX is traffic received from the IN port.
Auto start Wireshark
Create a folder for the captures and a bash script for each capture interface to start Wireshark at boot up. In a terminal window:
mkdir /home/pi/Desktop/captures leafpad WSTXcapture.sh
Contents of the script:
#!/bin/bash
#Set the nic to promisc mode
sudo ip link set eth1 promisc on#Fire up WS, rotate the logs every 24hrs
wireshark -i eth1 -k -b duration:86400 -w /home/pi/Desktop/captures/WS_TX
Save the file and close the editor Edit the LX autostart file to add the above script. This is located in /home/pi/.config/lxsession/LXDE-pi. In a terminal window:
sudo leafpad /home/pi/.config/lxsession/LXDE-pi/autostart
Add a line for each script you created above preceded with @
@bash /home/pi/WSTXcapture.sh @bash /home/pi/WSRXcapture.sh
At this point the Pi is ready to go. Reboot and should launch Wireshark and start capturing.
Additional tips
Its best to use a capture filter with Wireshark to limit things to the traffic of interest. This results in smaller capture files and reduces the chance of capturing sensitive traffic. To see all the Wireshark command line options use the following:
wireshark -h
For capture filters, add them to the capture bash file created above. To monitor only BACnet traffic use:
wireshark -i eth1 -k -f 'udp port 47808’ -b duration:86400 -w /home/pi/Desktop/captures/WS_TX
Below is an example to capture multiple protocols.
wireshark -i eth1 -k -f 'udp port 47808 or udp portrange 67-68 or udp port 53' -b duration:86400 -w /home/pi/Desktop/captures/WS_TX captures/WS_TX
This will include BACnet, DHCP and DNS traffic. Adding BACnet specific coloring rules helps when reviewing. Optigo has videos on using Wireshark with BACnet. See the resources section of this site. Here is a link to Optigo’s Gdrive coloring rules. See here for some basic information on securing the Raspi. You can retrieve captures with VNC, FTP, SCP, or Samba. Information is available online covering this setup.
8-10-18 Update
After using several of these Raspi network taps in the field, I thought it was time for a quick update.
Construction
First lesson was the construction of the setup. Originally, I used 3M Dual Lock Velcro to attach the USB nics and the GSG tap to the case. Normally this Velcro has very good adhesion to just about anything and this was no exception. As always, the weakest link is the point of failure. In this case it was the stickers on the bottom of the Ableconn USB to Ethernet adapters. Both stickers peeled right off in short order, leaving the adapters flopping in the breeze. I sanded the bottoms with emery cloth and used a 5 minute epoxy to glue them to the case. This held extremely well, in fact I destroyed the USB adapters when I tried to remove them for the second upgrade.
Custom tap replacing the GSG Throwing Star
Second area for improvement was the GSG throwing star and the unwieldy cable management issue it created. With the patch cords leaving in four different directions, it was a pain to fit in the typical 6-8” deep control panel. Being there is little too a passive tap, I created my own. This custom tap eliminates two of the patch cords and has the remaining cables exiting in the same direction as the onboard Raspi Ethernet port. This slides into the adapters and has just two female ports for the IN / OUT connections of the cable to be monitored.
To glue the USB adapters, I found it best to have a 10” piece of masking tape ready. Spread the epoxy on the bottom taking care not to get to close to the front end with the RJ45. Put the masking tape on the back side of the case leaving enough to wrap over the top to hold the adapters in place. Stick the adapters on the top of the Raspi case with one hand, while carefully installing the tap with the other. Wrap masking tape around the adapters once your happy with the position of everything. When the epoxy starts to set, remove the tap so it doesn’t get permanently glued in place.
Custom Taps for Sale
To recover the cost of these, I made a handful of extra to offer here. I will ship these USPS Priority mail in a small flat rate box, for $30 + shipping anywhere in United States. Any orders outside of the US will be canceled and refunded. Sorry international shipping costs more than these are worth. Current stock will ship next business day. If you’re interested, get one before they are gone with buy now link below.
Future upgrades
Not sure I will ever get to this, but it would be nice to add MS/TP capture to this setup. Shouldn’t be too difficult but I have other projects that need attention.
Resources
https://www.raspberrypi.org/documentation/raspbian/updating.md
https://www.raspberrypi.org/documentation/remote-access/vnc/
http://donsthinktank.blogspot.com/2015/07/wireshark-raspberry-pi.html
https://www.raspberrypi.org/documentation/configuration/security.md
https://www.raspberrypi.org/documentation/remote-access/ftp.md
https://www.raspberrypi.org/documentation/remote-access/ssh/scp.md
