I needed to inspect a network with Wireshark to check for malicious traffic, so I turned my RPi into a router with its own DHCP server and installed Wireshark on it to see all the network traffic passing through.
Step 1: Static IP address
See my previous article for the setup.
Step 2: Install and configure DHCP server
I chose the ISC DHCP server. To install it:
sudo apt-get install isc-dhcp-server
For the configuration, please edit /etc/dhcp/dhcpd.conf and add the following:
subnet 192.168.100.0 netmask 255.255.255.0 {
    range 192.168.100.20 192.168.100.39;
    option broadcast-address 192.168.100.255;
    option routers 192.168.100.1;
    option domain-name-servers 8.8.8.8;
}
Now tell the daemon some specifics: edit /etc/default/isc-dhcp-server and uncomment the following lines:
DHCPD_CONF=/etc/dhcp/dhcpd.conf
DHCPD_PID=/var/run/dhcpd.pid
INTERFACES="eth0"
Setting INTERFACES to "eth0" tells the daemon which interface it has to listen on (newer versions of the package call this variable INTERFACESv4).
Before you start the DHCP server, stop the DHCP server on your router: two DHCP servers on the same segment will hand out conflicting leases. Then start the daemon on your RPi with:
sudo service isc-dhcp-server start
If you run into any problems please use systemctl status isc-dhcp-server.service to check the output.
You can use cat /var/lib/dhcp/dhcpd.leases to check out the leases.
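The lease file is append-only and grows quickly, so as an added example (my script, not the original author's) here is a small shell tool that reduces it to the currently active leases and flags any device whose MAC address is not on an allow-list you maintain. The lease entries and the allow-list below are constructed sample data, not a real capture; point the functions at /var/lib/dhcp/dhcpd.leases and your own MAC list for real use.

```shell
#!/bin/sh
# dhcp-leases.sh: summarise active leases and flag devices not on an allow-list.
# Example code added to this post, not the original author's script.
set -eu

# Active leases from a dhcpd.leases file. The file is append-only and the
# last block for an IP wins, so later entries overwrite earlier ones.
# Output: "<ip> <mac> <hostname-or-dash>", one per line, sorted.
list_active_leases() {
    awk '
        /^lease / { ip = $2; state = ""; mac = ""; host = "" }
        $1 == "binding" && $2 == "state"     { state = $3; sub(/;$/, "", state) }
        $1 == "hardware" && $2 == "ethernet" { mac = $3;   sub(/;$/, "", mac) }
        $1 == "client-hostname"              { host = $2;  gsub(/[";]/, "", host) }
        $1 == "}" && ip != "" {
            st[ip] = state; m[ip] = mac; h[ip] = (host == "" ? "-" : host); ip = ""
        }
        END { for (i in st) if (st[i] == "active") print i, m[i], h[i] }
    ' "$1" | sort
}

# Print active leases whose MAC is not in the allow-list (one MAC per line,
# any case). Anything printed here is a device you did not expect on the LAN.
find_unknown_devices() {
    list_active_leases "$1" | while read -r ip mac host; do
        grep -qiFx "$mac" "$2" || printf '%s %s %s\n' "$ip" "$mac" "$host"
    done
}

# Constructed sample lease file (not a real capture): .21 was active and was
# later released, so only its last block counts.
sample_leases() {
    cat <<'EOF'
lease 192.168.100.20 {
  starts 3 2016/03/16 10:00:00;
  ends 3 2016/03/16 10:10:00;
  binding state active;
  next binding state free;
  hardware ethernet b8:27:eb:12:34:56;
  client-hostname "laptop";
}
lease 192.168.100.21 {
  binding state active;
  hardware ethernet aa:bb:cc:dd:ee:ff;
  client-hostname "phone";
}
lease 192.168.100.22 {
  binding state active;
  next binding state free;
  hardware ethernet 00:11:22:33:44:55;
}
lease 192.168.100.21 {
  binding state free;
  hardware ethernet aa:bb:cc:dd:ee:ff;
}
EOF
}

# Constructed allow-list: the laptop and the phone are known, .22 is not.
sample_allowlist() {
    printf 'B8:27:EB:12:34:56\naa:bb:cc:dd:ee:ff\n'
}

# Demo on the constructed data.
leases=$(mktemp); allow=$(mktemp)
sample_leases > "$leases"; sample_allowlist > "$allow"
echo "active leases:";   list_active_leases "$leases"
echo "unknown devices:"; find_unknown_devices "$leases" "$allow"
rm -f "$leases" "$allow"
```

One caveat: a lease can still read "binding state active" after its ends time until dhcpd rewrites the entry, so for a strict view compare the ends timestamp with the current time as well.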
Step 3: Turn your RPi into a router
Your RPi can now answer DHCP requests, but it also has to forward the clients' traffic. Enable IP forwarding in the running kernel:
sudo bash -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
To keep it across reboots, edit /etc/sysctl.conf and uncomment the line that says net.ipv4.ip_forward = 1
The last step is to enable NAT via iptables:
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
The -o argument names the interface the traffic leaves through towards the internet; if your uplink is a different interface than the one the clients are on (for example wlan0), use that one instead. Also note that iptables rules are lost on reboot unless you save them, for example with the iptables-persistent package.
Excellent, your RPi is now a router in your network and forwarding the traffic.
Step 4: Wireshark
I want to see all network traffic, so I installed Wireshark. The RPi2 is fast enough to run the Wireshark GUI, so I installed tightvncserver alongside it:
sudo apt-get install tightvncserver
sudo apt-get install wireshark
The wireshark package asks during installation whether non-root users may capture packets; answer yes (or run sudo dpkg-reconfigure wireshark-common later) and add your user to the wireshark group with sudo usermod -aG wireshark $USER (log in again for it to take effect). That way you don't have to run the GUI as root. Keep in mind that VNC is not encrypted; on a network you don't trust, tunnel it over SSH.
Now connect with a VNC client and start Wireshark from a terminal. Use the capture filter not port 5901 so the VNC session itself is excluded from the capture.
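The whole procedure from steps 2 to 4 as one script, added here as an example and not the original author's code. It assumes the clients sit on one interface (LAN_IF, eth0 by default) and the uplink is another (WAN_IF, wlan0 by default), which need not match the setup above, so adjust the variables. It renders the configuration as text first so it can be reviewed, syntax-checks dhcpd.conf with dhcpd -t before installing it, restricts forwarding to LAN-to-uplink and return traffic instead of forwarding everything, and records a rotating capture with dumpcap (shipped with wireshark) that you can open in the Wireshark GUI later. The capture directory is an assumed path.

```shell
#!/bin/sh
# rpi-router.sh: render, check and apply the DHCP + forwarding + NAT setup,
# then start a rotating capture. Example code added to this post, not the
# original author's script. Interface names, addresses and CAPTURE_DIR are
# assumptions; change them to match your RPi.
set -eu

LAN_IF="${LAN_IF:-eth0}"     # assumed: interface the clients are on (serves DHCP)
WAN_IF="${WAN_IF:-wlan0}"    # assumed: uplink interface, must differ from LAN_IF
LAN_NET="192.168.100.0"
LAN_MASK="255.255.255.0"
LAN_GW="192.168.100.1"
LAN_RANGE="192.168.100.20 192.168.100.39"
LAN_DNS="8.8.8.8"
CAPTURE_DIR="${CAPTURE_DIR:-/var/log/captures}"   # assumed location

# dhcpd.conf subnet block with the same values as the post.
render_dhcpd_conf() {
    cat <<EOF
subnet $LAN_NET netmask $LAN_MASK {
    range $LAN_RANGE;
    option broadcast-address 192.168.100.255;
    option routers $LAN_GW;
    option domain-name-servers $LAN_DNS;
}
EOF
}

# /etc/default/isc-dhcp-server; newer packages read INTERFACESv4, older INTERFACES.
render_dhcpd_defaults() {
    printf 'DHCPD_CONF=/etc/dhcp/dhcpd.conf\nDHCPD_PID=/var/run/dhcpd.pid\n'
    printf 'INTERFACESv4="%s"\nINTERFACES="%s"\n' "$LAN_IF" "$LAN_IF"
}

# iptables rules as text so they can be reviewed before they are applied.
# Masquerade on the uplink only; forward LAN->uplink plus return traffic, nothing else.
render_nat_rules() {
    lan="$1"; wan="$2"
    cat <<EOF
iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE
iptables -A FORWARD -i $lan -o $wan -j ACCEPT
iptables -A FORWARD -i $wan -o $lan -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -P FORWARD DROP
EOF
}

apply_config() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    [ "$LAN_IF" != "$WAN_IF" ] || { echo "LAN_IF and WAN_IF must differ" >&2; return 1; }
    render_dhcpd_conf > /tmp/dhcpd.conf.new
    dhcpd -t -cf /tmp/dhcpd.conf.new          # syntax check before it goes live
    install -m 644 /tmp/dhcpd.conf.new /etc/dhcp/dhcpd.conf
    render_dhcpd_defaults > /etc/default/isc-dhcp-server
    sysctl -w net.ipv4.ip_forward=1
    grep -q '^net.ipv4.ip_forward *= *1' /etc/sysctl.conf \
        || echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
    render_nat_rules "$LAN_IF" "$WAN_IF" | sh -e
    # Rules vanish on reboot unless saved (package iptables-persistent).
    if command -v netfilter-persistent >/dev/null; then netfilter-persistent save; fi
    service isc-dhcp-server restart
}

start_capture() {
    mkdir -p "$CAPTURE_DIR"
    # dumpcap ships with wireshark: hourly rotation, 24 files kept, VNC excluded.
    dumpcap -i "$LAN_IF" -f 'not port 5901' -b duration:3600 -b files:24 \
        -w "$CAPTURE_DIR/lan.pcapng"
}

case "${1:-show}" in
    show)    render_dhcpd_conf; render_dhcpd_defaults; render_nat_rules "$LAN_IF" "$WAN_IF" ;;
    apply)   apply_config ;;
    capture) start_capture ;;
    *)       echo "usage: $0 show|apply|capture" >&2; exit 2 ;;
esac
```

Run it as ./rpi-router.sh show to review what it would write, sudo ./rpi-router.sh apply to install the configuration, and ./rpi-router.sh capture (as a member of the wireshark group) to start recording; the FORWARD DROP policy means that if something stops working, the first place to look is a missing FORWARD rule rather than the NAT entry.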