Layer 2 – Project 1 – Hiding in Full View (Part 1)

Building and configuring a “reasonably well hidden” network monitor using a Raspberry Pi (PI)

Sometimes a log of broadcast activity on a network can be helpful.

The requirements can be quite modest: date, time, MAC address and possibly IP address.

Of course every time you connect something to a network, you run the risk of adding to the traffic.
i.e. your monitoring device may attempt an update or sync, or unintentionally attract the attention of other systems, etc.

So there are two situations we need to consider.
We do not want:
1 – Any traffic to leave the system
2 – The system to respond to any external traffic.

So a nice “benign” device would be preferable (where “benign” means it doesn’t interact with the network in any way).

A generic computer would be ideal as it has all the support facilities (drives, etc) to keep the project simple.
Unfortunately such computers can be “network noisy” which “should” rule them out, but perhaps we can change that?
i.e. if the networking can be suitably “nobbled” it may just suit the purpose.

In this project we will attempt this on a Raspberry Pi (PI).

Why a PI? They are cheap, readily available, well supported and straightforward to operate.

(Some Instructions for other distributions are at the end)

Setting up the PI

(Basic shell scripts to do this are also provided – see later)

Use the latest recommended/default O/S.

Install it on an SD card using the PI’s installer application (it’s very simple).

Once it boots (first time) follow the instructions and complete all the housekeeping (kbd / time / etc).

It’s not a bad idea to do an update/upgrade before continuing:
sudo apt update
sudo apt full-upgrade

(this will take a while)

Check the recommended software is as required (most of the time it’s fine straight out of the box).

Get all the necessary tools before we clobber the network!
(this can be done with the gui tool, but using the shell it is easier)

We need to make changes to the configuration, so we need the tools to do this:
sudo apt-get -y install sysv-rc-conf

This project will use Wireshark to observe the traffic:
sudo apt-get -y install wireshark
(if prompted enable all users to collect packets, this project is well outside any security norm!)

MC – because sometimes things are easier in command line:
sudo apt-get -y install mc

Test Wireshark.
If no interfaces are visible (Ethernet or WiFi) when launched, close it and run it from within a shell by typing:
sudo wireshark
You should now be able to observe network packets on the desired interface.
(as noted above, running Wireshark as “root” is a security risk; however, the risk reduces once there is no usable network!)

If you have time, check out systemctl to get the hang of it.
systemctl list-units
shows all the run-time units (services, sockets, etc.) that are loaded/running/active.

systemctl list-units --all
shows all units, even those not active. As you can see, it is rather central to our plan.

Checking the network activity

(this may be a bit tricky for some with limited facilities)

Run wireshark on the PI (use sudo if necessary)
sudo wireshark

Select the interface (Ethernet – eth0)

Using another computer on the same network, run a “slow comprehensive scan” using Nmap.

Observe the results on the PI in Wireshark.

It’s interesting to see just how much traffic can be coaxed out of a computer.
This is what we are going to stop; Wireshark is one way to verify our progress.

Turning things off

Now it’s time to make our PI go grey (completely dark is not possible without rather more work, including inside the switch).

We could make these changes permanent, however for this project a reboot will restore most of the PI to normal.

Typing “sudo” all the time is rather tedious and error prone, so let’s open a “root shell” to avoid this. From that point on we can drop the “sudo” at the front.

Open a “root shell” by typing:

sudo bash

Note the prompt has gone from “$” (standard user) to “#” (root or superuser).

Disabling ipv6.

This will require some typing and file operations (to restore ipv6 you must reverse this – see later)

Using our “root shell” type:

echo "blacklist ipv6" > /etc/modprobe.d/blacklist-ipv6.conf

echo "blacklist brcmfmac" >> /etc/modprobe.d/blacklist-ipv6.conf    # on-board Broadcom WiFi driver

echo "blacklist brcmutil" >> /etc/modprobe.d/blacklist-ipv6.conf    # helper module for brcmfmac

echo "blacklist btbcm" >> /etc/modprobe.d/blacklist-ipv6.conf       # Broadcom Bluetooth

echo "blacklist hci_uart" >> /etc/modprobe.d/blacklist-ipv6.conf    # Bluetooth HCI over UART

cat /etc/modprobe.d/blacklist-ipv6.conf

You should see the “blacklist” lines above printed.

If not, type:

nano /etc/modprobe.d/blacklist-ipv6.conf

and edit the file to include the “blacklist” lines above (not the “cat” command).
The editor’s commands are at the bottom of the screen.

Finally reboot:

sudo reboot

After the reboot type:

sudo ifconfig

All ipv6 addresses should be gone.
To re-enable ipv6: rename the file created above so it ends in “.conf.no-ipv6”, move it to another directory, or delete it if you never wish to do this again.

Hiding the PI from ipv4 outside requests.

Type the following (still inside our “root shell”):

ifconfig wlan0 down
This disables the wireless LAN (it may be down already).

ifconfig eth0 up
It should be up already.

ifconfig eth0 222.222.222.222 netmask 255.255.255.255
We are trying to “hide” the PI at an uncommon IPv4 address:
somewhere that is easy to track and not part of any network.
Staying within the Class C range is probably simplest.
The most common Class C addresses usually start with 192.
222 is very near the top of Class C and hopefully unused.

ifconfig eth0 -arp
Turn off ARP so it cannot answer any IPv4 requests.
It’s worth noting that disabling ARP really just “inconveniences” external computers.
If they already have the IPv4/MAC mapping they may continue to use it until the mapping is dropped (refreshed).
Alternatively, a program designed to operate without ARP (because it has the mapping stored elsewhere) can just create the necessary packets (a later project).

At this point the PI is not available via IPv6 and does not respond to ARP queries, so it is quite well concealed.

We now need to stop the PI initiating outbound traffic, e.g. NTP.

This is where Wireshark is useful: run it and look for any entries where
the source or destination address matches the one above.
Note the protocol and port so you can work out which service is being a nuisance and must be stopped.

Typically the following need to be prevented from “calling home”.

Continuing the use of the “root shell”, type:

systemctl stop bluetooth.service

systemctl stop dhcpcd.service

systemctl stop avahi-daemon.service

systemctl stop systemd-timesyncd.service

systemctl stop avahi-daemon.socket

The commands above will only stop the service from running until a reboot, system update or similar.

You can make the changes more permanent (survive a reboot) by substituting “disable” for “stop”.
Doing so may “break a few things”, in particular the PI’s time.
The PI relies on NTP to set its clock, so without a time service its clock must be maintained by the user or another external (battery-backed clock?) device.

Traffic.

We have finally created a “reasonably concealed” broadcast/multicast traffic monitor.

Now it’s time to plug it into the network and look at traffic.

You probably don’t want to capture vast quantities of data, rather some interesting / useful packets.

Before we commence we need to keep the limitations of the PI and its environment in mind.

The PI is small and has limited resources, so anything we can do to reduce its load is worth considering.

Fortunately Wireshark has a few ways to assist us, namely a “Display Filter” and a “Capture Filter”.
For anyone interested in the details of the filter:
https://en.wikipedia.org/wiki/Berkeley_Packet_Filter

Display Filter:
As the name suggests, it will filter all the packets and only display those that match (or fail to match) a particular set of rules.
It is useful when you want to capture everything, but selectively observe a subset of it.
The critical point is that all the packets are received and stored by Wireshark.

Capture Filter:
Once again the name gives us a hint of what to expect.
Unlike the above, this filter is applied to the inbound stream with packets being accepted/rejected BEFORE Wireshark receives them.
i.e. Wireshark only sees the subset.
This can potentially reduce the load on the PI and Wireshark dramatically.

Although capturing everything and playing with a display filter is OK on a notebook/desktop, on a PI we will use the Capture Filter until we get some idea of traffic flows.

A few filters to try:

eth.type == 0x806
This will only show ARP packets.
Very useful for seeing who is on the network and obtaining MAC/IP/DATE/TIME.

ip.addr == nnn.nnn.nnn.nnn
shows only traffic for nnn.nnn.nnn.nnn

!(ip.addr == nnn.nnn.nnn.nnn)
Shows all traffic except nnn.nnn.nnn.nnn

It’s possible to join the rules with “and”, “or”.

In Wireshark: to use a DISPLAY filter simply type it into the “filter bar” just below the menus and press Enter.
To cancel a filter press the small [X] at the right hand end of the filter bar.

In Wireshark: to use a CAPTURE filter it must be added before the capturing commences.
Due to differences between Wireshark versions, it’s a bit tricky to give specific details.
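The two jobs described above, logging who is on the network from ARP alone (the eth.type == 0x806 filter) and checking that nothing is still leaving the PI (the source-address test in the “calling home” section), can also be done without the Wireshark GUI. The following is an added example, not code from this project or its scripts: it decodes a handful of constructed Ethernet frames (no capture library, so it runs offline), applies the ARP-only filter to produce date/time/MAC/IP lines, and flags any frame whose source MAC is the monitor's own. All MAC addresses, IP addresses, timestamps and the NTP packet are made up for the example; the monitor MAC is a placeholder built on the Raspberry Pi Foundation's b8:27:eb prefix.

```python
"""ARP sighting logger and "own traffic" check over raw Ethernet frames (added example)."""
import struct
from datetime import datetime, timezone

ETH_P_IP = 0x0800
ETH_P_ARP = 0x0806            # the page's display filter "eth.type == 0x806"
IPPROTO_TCP, IPPROTO_UDP = 6, 17


def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def parse_frame(frame):
    """Decode the Ethernet header plus the ARP or IPv4/TCP/UDP fields the monitor cares about."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    rec = {"dst_mac": mac_str(dst), "src_mac": mac_str(src), "type": ethertype}
    if ethertype == ETH_P_ARP and len(frame) >= 42:
        # hardware type, protocol type, hw len, proto len, opcode, sender MAC/IP, target MAC/IP
        _, _, _, _, op, sha, spa, _, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
        rec.update(op=op, sender_mac=mac_str(sha), sender_ip=ip_str(spa), target_ip=ip_str(tpa))
    elif ethertype == ETH_P_IP and len(frame) >= 34:
        ihl = (frame[14] & 0x0F) * 4                     # IPv4 header length in bytes
        rec.update(proto=frame[23], src_ip=ip_str(frame[26:30]), dst_ip=ip_str(frame[30:34]))
        if frame[23] in (IPPROTO_TCP, IPPROTO_UDP) and len(frame) >= 14 + ihl + 4:
            rec["sport"], rec["dport"] = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
    return rec


def arp_sightings(frames):
    """The ARP-only filter turned into a log: one 'date time MAC IP' line per ARP sender."""
    lines = []
    for ts, frame in frames:
        rec = parse_frame(frame)
        if rec["type"] != ETH_P_ARP or "sender_ip" not in rec:
            continue
        when = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        lines.append(f"{when} {rec['sender_mac']} {rec['sender_ip']}")
    return lines


def own_traffic(frames, own_mac):
    """Frames the monitor itself emitted: each one points at a service still 'calling home'.
    Returns (ip protocol, destination ip, destination port) so the service can be identified."""
    leaks = []
    for _, frame in frames:
        rec = parse_frame(frame)
        if rec["src_mac"] == own_mac.lower():
            leaks.append((rec.get("proto"), rec.get("dst_ip"), rec.get("dport")))
    return leaks


# --- constructed sample frames (stand-ins for what a capture would deliver) ---
def build_arp_request(sender_mac, sender_ip, target_ip):
    eth = struct.pack("!6s6sH", b"\xff" * 6, mac_bytes(sender_mac), ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, ETH_P_IP, 6, 4, 1,
                      mac_bytes(sender_mac), ip_bytes(sender_ip), b"\x00" * 6, ip_bytes(target_ip))
    return eth + arp


def build_udp(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload=b""):
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload   # checksum left zero
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, IPPROTO_UDP, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip))
    return struct.pack("!6s6sH", mac_bytes(dst_mac), mac_bytes(src_mac), ETH_P_IP) + ip + udp


MONITOR_MAC = "b8:27:eb:00:00:01"   # placeholder monitor address (constructed)
SAMPLE_FRAMES = [                   # (unix timestamp, frame) pairs, all constructed
    (1700000000, build_arp_request("00:11:22:33:44:55", "192.168.1.10", "192.168.1.1")),
    (1700000001, build_arp_request("66:77:88:99:aa:bb", "192.168.1.20", "192.168.1.10")),
    # the monitor still asking for the time over NTP (UDP/123): exactly the kind of
    # packet the "systemctl stop systemd-timesyncd.service" step is meant to silence
    (1700000002, build_udp(MONITOR_MAC, "00:11:22:33:44:55", "222.222.222.222",
                           "192.168.1.10", 123, 123, b"\x23" + b"\x00" * 47)),
]

if __name__ == "__main__":
    for line in arp_sightings(SAMPLE_FRAMES):
        print("seen:", line)
    for proto, dst, port in own_traffic(SAMPLE_FRAMES, MONITOR_MAC):
        print(f"monitor is still talking: proto {proto} to {dst} port {port}")
```

One point worth keeping in mind: the three filters listed above are written in Wireshark's display-filter syntax. A capture filter uses the BPF (pcap-filter) syntax from the Wikipedia link instead, so the equivalents are arp (or ether proto 0x0806), host nnn.nnn.nnn.nnn and not host nnn.nnn.nnn.nnn; the ethertype test in parse_frame() is the same check the arp capture filter makes before a packet ever reaches Wireshark.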

Scripts:

Before you download them, a question:

Q: Is running a script that requires “root” privileges from a web site a good idea?
A: No! It’s better to check and type the commands one at a time.

So if you do download the scripts, please verify the commands are only those shown in the text above!

Other Distributions:

For Slackware the procedure is almost identical to the above apart from:

  1. Use modprobe to disable IPv6 (each time it is booted):
    modprobe -r ipv6
    or to persist it:
    echo "blacklist ipv6" > /etc/modprobe.d/blacklist-ipv6.conf
    and then reboot (or run the modprobe command above on this first occasion)

  2. Rather than using systemctl, simply kill all extraneous network things in rc.d.
    You can be quite brutal as it’s only monitoring a network.
    Remove the execute bit (“x”) from the network entries in rc.d:
    rc.inet1
    rc.inet2
    rc.inetd
    rc.sshd
    and anything else vaguely network related.
    A simple way to remember what you did is to append “__x” to the filename.
  3. You can place some extra bits in:
    /etc/rc.d/rc.local
    to do the items that must be performed each boot (if you want to avoid typing)
® SolutionBase is a Registered Trademark of Ashley Leach & Associates Pty. Ltd