Remote Packet Capture with Dualcomm ETAP-PI Network TAP Appliance
Dualcomm’s ETAP-PI Network TAP Appliance integrates a Raspberry Pi processor module and a network TAP module into a single device. Although it can be used locally as a standalone network TAP, more preferably, it can be used to capture packets and monitor data traffic of a remote network. More information about ETAP-PI can be found at here (bit.ly/38AZLc0).
A typical use case scenario would be that if you are an IT consultant who manage and maintain networks of your clients and you get a call from one of your clients reporting an issue of their network. Instead of traveling to your client's place to investigate the issue onsite, you can instruct your client to deploy an ETAP-PI device in a location of interest in their network, and then you run Wireshark, a popular free and open-source software for packet protocol analysis, on a computer in your office or home. The ETAP-PI device captures packets of your client's network and delivers the captured packets to Wireshark remotely over the Internet. After using Wireshark to view and analyze the packets, you quickly identify the root cause of the issue.
This article describes in detail how to set up an ETAP-PI device to remotely capture packets with Wireshark.
Connect to ETAP-PI via SSH Connection
First, connect a computer and an ETAP-PI device to a Local Area Network (LAN) as shown in Figure 1. For testing purpose, the ETAP-PI device may further connect as an inline tapping device to an end device such as an IP phone to capture packets to and from the IP phone.
As shown in Figure 1, the IP addresses of all the connected devices need to be in the same subnet, meaning that the IP addresses use the same subnet mask. For example, the IP address of the computer is 192.168.1.16, the IP address of the ETAP-PI is 192.168.1.8, and the IP address of the IP phone is 192.168.12, which use the subnet mask of 255.255.255.0. These IP addresses are also called private IP addresses and they may be manually assigned (static IP address) or automatically assigned by a DHCP server in the network (dynamic IP address).
Then, log into the ETAP-PI device via a SSH connection from the computer. If the computer is a Windows computer, you can use a SSH application like Putty or open a Command Prompt window and run the SSH command as shown in Figure 2. For computers running other different OS, the command syntax may be different.
The default login username and password are:
|username = pi|
|password = raspberry|
The SSH command format is:
Install TCPDUMP on ETAP-PI
After log into the ETAP-PI device, run the following command to install TCPDUMP onto the Raspberry Pi inside the ETAP-PI device. TCPDUMP is a data-network packet analyzer software that runs under a command line interface. Figure 3 is a screen snapshot after TCPDUMP is installed successfully.
|sudo apt-get update|
|sudo apt-get install tcpdump|
Download and Install Wireshark on Computer
Download Wireshark from www.wireshark.org, and follow the setup wizard to install Wireshark onto the computer (192.168.1.16) in Figure 1. During the installation, the component "Sshdump and Ciscodump" must be selected as shown in Figure 4.
Configure Wireshark for SSH Remote Access
On the Welcome Window after lunching Wireshark from the computer, click the configuration icon “Remote SSH Capture” as shown in Figure 5 and a configuration window pops up as shown in Figure 6. The configuration window has three panels including “Server”, “Authentication” and “Capture” that must be configured one by one.
Under the “Server” panel, the “Remote SSH server address” is the IP address or hostname of the ETPA-PI device, and the “Remote SSH server port” is a TCP port needed for establishing an SSH connection.
If the computer and ETAP-PI are connected to a LAN of the same subnet as shown in Figure 1, the “Remote SSH server address” is the private IP address of ETAP-PI, which is 192.168.1.8, and the "Remote SSH server port" is the standard SSH port 22.
If the computer instead needs to access the ETAP-PI device over the Internet, the private IP of the ETAP-PI device and the standard SSH port number can not be used directly with Wireshark, and they need to be translated to a public IP address and an associated port number. This will be described separately later in this article.
Under the “Authentication” panel as shown in Figure 7, the “Remote SSH server username” and the “Remote SSH server password” are the login username and password for the Raspberry Pi inside the ETAP-PI device. The default username is “pi”, and the default password is “raspberry”.
Under the “Capture” panel, populate the parameters as shown in Figure 8. The “Remote interface” is “eth0” which is the wired Ethernet interface of the Raspberry Pi inside the ETAP-PI device. It is necessary to add “not port 22” for the “Remote capture filter” to remove the SSH packets when Wireshark displays captured packets. Also, check the box of “Use sudo on the remote machine” and the box of "Save parameter(s) on capture start". However, you need to enter the password under the "Authentication" panel every time you start capture packets.
Start Capturing Packets
After the configuration settings are done, click the “Start” button on the Wireshark configuration window to start capturing packets. If all set up and configurations as described above are done correctly, the ETAP-PI device will capture packets to and from the IP phone, and Wireshark running on the computer will receive the captured packets from the ETAP-PI via the SSH connection and continuously displays the captured packets in Wireshark’s main window as shown in Figure 9. As can be seen, the packets being displayed don’t include any SSH packets that are already eliminated by the setting of "Remote capture filter" in Figure 8. Click the “Stop” button will stop capturing and displaying packets.
Translate Private IP Address
This additional step is needed when a computer running Wireshark remotely accesses an ETAP-PI device over the Internet as shown in Figure 10. In such a case, the private IP address of the ETAP-PI (192.168.1.8) and the SSH port number 20 can not be used directly with Wireshark and they must be translated to a public IP address and the SSH port number 20 also will be mapped to a different TCP port number.
There are different approaches such as dynamic DNS and etc. to accomplish such IP address/port number translation. In this article, a on-demand connection service called Remote.it is described and used to translate the private IP address of the ETAP-PI device and the SSH port number 20 to a public IP address and an associated TCP port number.
You need to sign up an account with Remote.it, and follow its installation guide (bit.ly/3yrygvD) to add an ETAP-PI device into the account. You can add multiple ETAP-PI devices in a single account. A nice thing about Remote.it is that it offers a free personal plan for your to try it out that allows you to add up to five devices. Figure 11 shows an Remote.it account with three ETAP-PI devices.
To connect an ETAP-PI device, simply click on the device name to open a connection page as shown in Figure 12.
Click the CONNECT button in Figure 12, a SSH connection will be quickly established between the computer and the ETAP-PI device and a pair of public IP addresses and the associated TCP port number will be provided as shown in Figure 13.
Populate the public IP address and the associated TCP port number in the “Server” configuration panel as shown in Figure 14. Once this is done, you are ready to use Wireshark to start receiving and displaying packets in real time over the Internet that are captured and delivered remotely by the ETAP-PI device.
Although this article describes remote packet capture using Wireshark with an ETAP-PI device, other network traffic analysis and monitoring software may also be applicable for use with an remote ETAP-PI device over the Internet.