In a previous blog post (Multicast Testing Tool), I emphasized using Raspberry PI's to mimic datacenter endpoints. However, these versatile PI's have potential beyond that, as this article delves into transforming them into devices for capturing network traffic.
As network engineers, we frequently find ourselves immersed in the depths of troubleshooting peculiar network problems, dedicating a considerable portion of our time. To enhance our understanding and pinpoint the root causes of these issues, comprehending the specific types of packets transmitted or received by a device is an invaluable asset in our repertoire.
If I were presenting this topic in a classroom, I would ask: "Who of you had difficulties capturing packets in a remote location because of no technical staff available on-site to capture the packets for you or limited time available for you to go on-site and capture the traffic yourself" and probably a lot of engineers would raise there hand.
Recently I was down the rabbit hole troubleshooting some weird network behavior, and I couldn't go on-site, nor were there any technical people on-site experienced with Tcpdump and or Wireshark, so I thought, how could I capture packets from and to all front-end ports from this network device?
In comes the Raspberry PI running Ubuntu, and I thought, how can I automatically start a tcpdump when the Raspberry PI has network connectivity?
Create a bash script that checks if the interface is UP, and the gateway is reachable through ICMP; once both checks are successful, start a tcpdump.
Creating the bash script
The bash script monitors an Ethernet interface's status and a gateway's reachability (specified by its IPv4 address). The script uses tcpdump to capture network traffic on the specified interface and save it to a capture file. The script will continuously run in an infinite loop, periodically checking the interface and gateway status and managing the tcpdump process accordingly.
Make sure to make the script executable by changing the permission of the file by adding the executable flag x to the script's permission.
Automatically start the script on boot
To ensure that the script is automatically started when the Raspberry Pi boots up, you can use the systemd service manager, it is responsible for initializing and managing the system and handles various tasks during the boot process, service management, logging, and more.
The first step is to create a service file using your favorite editor (:D)
and add the following lines to it :
Close and save the file, next we need to make sure the service is enabled and started
systemctl enable tcpdump_monitor
systemctl start tcpdump_monitor
Now the service should be up and running and can be verified by running the following command and checking the logs of the service
systemctl status tcpdump_monitor
journalctl -u tcpdump_monitor.service
Take away
This blog post discusses using Raspberry PI's to capture network traffic for troubleshooting purposes and doing so that a service is running in the background checking the network connectivity of an interface and its gateway and starts a tcpdump once both checks are successfully completed.
I hope this blog post might prove useful for network engineers who require having a packet capture done on a remote site but lack the time and technical staff to go onsite to do the capture themselves.
Happy reading!