Years ago we used a Debian PC to capture the traffic over a 10 Gbit link. To save a capture sometimes took 30 minutes... LOL... The good old memories. Recently I used an RPi to create a remote monitoring system for my customers. Zabbix in the cloud and an RPi deployed at the customer site. Very handy tools!!
@AnomalousURL 5 months ago
Bruhhhhh, I'm relearning my packet skills and I was trying to find you last night. Said screw it, went to bed, "I'll google it tomorrow". And who tf shows up on my home feed. Thank you for all the knowledge Chris.
@pedrojaviermunozgarcia3721 10 months ago
Excellent configuration and a cost-effective solution!!
@EricBrokeIt 2 years ago
So when the world went into work-from-home chaos I built one of these almost identical to this. Mine has a PoE hat, a USB enclosure for an EVO, and rather than a switch I picked up a Qualcomm 1 Gig tap. It's perfect for WFH calls where I would have to run in to packet capture something: just throw it inline on the problem PC in the data closet and leave it there. Head home and remote into it. Great little solution. Great content as always Chris! Looking forward to the Suricata video.
@ChrisGreer 2 years ago
Fantastic Eric! It really is a sweet little box. I'm having a good time using it to monitor.
@zer001 2 years ago
Wow cool. I've known about dumpcap for 30 seconds and I love it. I see some opportunities on my way. Many thanks for your great videos.
@cherriagana 2 years ago
Had to use a Profishark tap for my solution. Managed switches with a MAC address that isn't registered on our company's network will make the main switch port go into shutdown mode. Was an oopsie moment when I tried to analyze a network problem on an industrial line and suddenly everything went down :p
@ohasis8331 2 years ago
That was made to look surprisingly easy as well as decent pricing.
@4b5urd. 2 years ago
I had been kicking around the idea of how to do this with a Pi, but didn't know if it would be possible, essentially because of the issue that you resolved with the Netgear switch. I'll have to pick one up and give this a try. Thanks for putting your time into content like this. It is greatly appreciated.
@ChrisGreer 2 years ago
That little switch is worth it!
@jonpinkley2844 2 years ago
That Netgear switch looks nice and portable. My favorite tap switch is the MikroTik CSS106-5G-1S due to its flexibility. For example, it has port isolation so you can partition it into two "independent" groups. I use 1-2 in one group and 3-4-5 in the second, and use port three as the "mirror/span" port with the capture device. Then you can mirror ingress on ports 1,2,4,5 to port 3 (I know, easy to overrun the mirror port and have packets dropped). The advantage of this is that you can then put a router or other device (firewall, NAT, VPN, tagging/untagging of VLANs, etc.) in between and you can see what is going into the device under test as well as what comes out the other side. So you can see how packets are transformed, and look at latencies. Also, MikroTik has very extensive port counters, with counts of unicast, multicast and broadcast per port, as well as histograms of packet sizes sent/received for each port (64, 65-127, 128-255, 256-511, 512-1023, 1024-1518, 1519-max). The last one I bought on Amazon was in 2018 and the price was under $40, but now it is $49. It is also not as portable as the Netgear. If you are only mirroring a single port, the Netgear should be fine and is significantly cheaper.
@faran_siddiqui-d3t 2 years ago
Nice one man 🔥🔥
@ChrisGreer 2 years ago
Thanks! It's been fun to tinker with it. Now to get Suricata working...
@miguelk8768 2 years ago
Looking forward to that monitoring video :) awesome work Chris!
@rubenmahecha1438 2 years ago
I loved this one, can't wait for the Suricata one you mentioned :D
@monstroPT 2 years ago
Hi, Chris! When is the follow-up? I'm dying here! 😀
@hnasr 2 years ago
Great work Chris! I want to try this soon. Will this also capture traffic between two devices communicating directly, not going to the WAN? Say my laptop is an HTTP server and my phone is connecting to it using the laptop's private IP, and both the phone and laptop are connected to the eero wireless AP. I'm not sure if the frames will leave the access point in this case (through the yellow cable) to be captured.
@ChrisGreer 2 years ago
Hey Hussein! In that case no - at that vantage point, we wouldn’t see the wireless traffic because the eero won’t forward those packets out the wired interface. It would only do that if it has a reason to send the traffic out.
@tranxn7971 2 years ago
Hey Chris, thanks for the video! I did not know about the dumpcap command, good finding.
@ChrisGreer 2 years ago
Glad you liked the video
@barryfawthrop9962 6 months ago
How did you configure the switch to monitor on port 5??
@arubajamaica8563 2 years ago
Very interesting and achievable, thank you
@chrisoakleyfx 2 years ago
Love your content Chris, I'm still new to networking but I love watching content like this to see what's out there and absorb what information my newbie brain can handle 😄 your TCP and UDP deep dives with David Bombal were very interesting and informative even to someone like myself. Keep up the great work 😊
@utsavkataria96 2 years ago
Great, I am not alone xD. I almost have no clue what he is talking about. Just got him in recommended.
@CyberABE 2 years ago
Thank you Chris, great video!
@vyasG 2 years ago
Thank you so much for this video. I have got to try this one to solve my intermittent WiFi issue. I'll couple my pi4 with Dualcomm ETAP to do something similar to this.
@pauljeyasingh 2 years ago
Love your content Chris. Would like to check if there is any content around EDNS pcaps.
@tlturner3 a year ago
What settings did you make for the RPi Ethernet port so that it's not sending data from itself out the mirror port?
@MSUjgasmussen 2 years ago
Thank you Chris! Sharing with my network.
@ChrisGreer 2 years ago
Thanks for sharing!
@bobbywardle513 a month ago
Hey Chris, I'm looking to use a Raspberry Pi 5 set up in a similar way. I want to be able to take it to locations I'm doing security assessments for, plug it in at the location, gather the packets to a file that is saved to a USB, and then go back, get it, and be able to inspect the files. I would also like to be able to grab WiFi and Ethernet traffic. Can a variation of the methods you show in this video produce a device like that for me, and if so, do you have any recommendations for that?
@abhishekpatil5768 2 years ago
Incredible 🔥
@yohanmeier6061 2 years ago
I can add metrology tools such as the ntopng community version for graphics.
@TheStevenWhiting a year ago
How do you get your VNC to be so quick and smooth? It's as slow as slow can be for me. I'm sat right next to the Pi.
@TheStevenWhiting a year ago
Adding hdmi_group=2 hdmi_mode=82 to /boot/config.txt appears to have fixed it. As mentioned on a video titled Fix VNC raspberry pi slow (can read more in the description).
@pietstreet8311 2 years ago
Another good solution is a barebone PC with two Ethernet ports. You can bridge the ports in Linux and just plug the PC in between your LAN and the device you want to examine.
@lamjeri 2 years ago
Is it possible to use VLAN as a mirroring target? So that you could use the Pi as a server and have a VLAN interface on it for packet captures?
@DarianCabot 2 years ago
Love it 👍
@ChitChat 2 years ago
I've recently looked into SPAN and TAP solutions. Does this setup turn your Pi into a hardware TAP simply because it doesn't affect the system, or is it more like an ad hoc SPAN setup? Thanks.
@ChrisGreer 2 years ago
Hey, no it doesn't. The switch performs the SPAN function and passes the traffic to the Pi.
@johndicarlo225 2 years ago
thanks dude
@KSax-ed9vy 2 years ago
Good stuff!
@ChrisGreer 2 years ago
Thanks!
@bergerMeister949 2 years ago
Great content Chris, I appreciate you showing how accessible this solution is. You mentioned Suricata in one of the comments, what are your thoughts on Suricata vs Snort?
@yohanmeier6061 2 years ago
I do my probe capture with a Raspberry Pi, it's top :-) Thank you for the idea.
@anthonynowlan9765 2 years ago
Perhaps show how to move that job into the background, etc. (&)
@DM-qm5sc 2 years ago
I know you explained it and I watched multiple times, but I don't understand how and why you connected the Pi, the switch and the "pfSense" the way that you did.
@grahamjkeddie 2 years ago
Hey Chris, What is better - Dualcomm ETAP-2003 Tap or a switch with port mirroring? I have a Dualcomm ETAP-2003 (bought at work for my laptop) and wonder if I’ve made the wrong choice. Thanks
@bluejuice2503 2 years ago
Yeah you can, Graham. The ETAP-2003 blocks traffic on the monitor port going back to the network (the ETAP-2003R model allows it), so if you have the ETAP-2003 model then you will need to enable the capture on the Pi first and then connect it to the network you wish to capture from.
@jonpinkley2844 2 years ago
Chris, this is a great video. Now that you have had the appliance running, how many times have you looked at the data, and how useful was it? With such a high percentage of data now being encrypted, is it still worthwhile to store the complete packet vs using the -s aka --snapshot-length to limit the capture to something less? Then you would still have src and dst addresses and protocols in use. While writing this, I wondered if there is a way to have only non-encrypted protocols stored with the full contents, but the encrypted protocols truncated. Or do you force clients to use forged certificates, so you can decode after the fact? And I doubt that would help with malicious hosts (IoT, etc.). Have you thought of setting up the WiFi on the RPi as an access point, so you could selectively monitor IoT devices you wonder about? (My Amazon Echo often triggers even when I don't use the "Echo" wake word. I have an Echo Gen 1 that if I say "backup" without the wake word, it will respond "nothing is currently playing". And it often lights up when I ask the Google Home a question.) I'm close to disconnecting the Echo devices since Amazon's latest changes to Prime Music that "got lost in the shuffle". No more Prime for me. Sorry for the tangent/rant about Amazon Prime Music.
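The question above asks whether cleartext protocols could be kept in full while encrypted ones are truncated. dumpcap's -s applies one snapshot length to every packet, but a post-processing pass over the saved file can do a per-protocol cut. The script below is an added example written for this page, not code from the video, from Chris Greer, or from the commenter: it parses classic little-endian pcap records directly with struct, treats a packet as "encrypted" by an assumed port-based heuristic (the ENCRYPTED_PORTS set is the part to tune), cuts such packets down to their Ethernet/IP/TCP-or-UDP headers, and keeps each trimmed record's orig_len so analysers still see the true wire size. The frames it processes are constructed inline so it runs with no capture hardware.

```python
"""Post-process a pcap: keep cleartext packets in full, but cut packets on
(assumed) encrypted ports down to their headers.  Added example; the pcap
bytes are constructed inline so it runs without a capture device."""
import struct
import sys

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
# Assumption: port numbers are a heuristic for "this payload is encrypted".
ENCRYPTED_PORTS = {22, 443, 853, 993, 995}


def ipv4_packet(proto, src_port, dst_port, payload):
    """Build a minimal Ethernet/IPv4/{TCP,UDP} frame (constructed sample; checksums left zero)."""
    eth = bytes.fromhex("020000000001") + bytes.fromhex("020000000002") + b"\x08\x00"
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    elif proto == 17:
        l4 = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0)
    else:
        raise ValueError("only TCP (6) and UDP (17) frames are built here")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 0, 0,
                     64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + l4 + payload


def write_pcap(frames):
    """Serialise frames as a classic little-endian pcap file (global header + records)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def header_length_and_ports(frame):
    """Return (bytes up to end of the L4 header, (src_port, dst_port)), or None if not IPv4 TCP/UDP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    l4 = 14 + ihl
    if proto == 6 and len(frame) >= l4 + 20:
        l4_len = (frame[l4 + 12] >> 4) * 4      # TCP data offset
    elif proto == 17 and len(frame) >= l4 + 8:
        l4_len = 8
    else:
        return None
    src, dst = struct.unpack("!HH", frame[l4:l4 + 4])
    return l4 + l4_len, (src, dst)


def trim_encrypted(pcap):
    """Return (new_pcap_bytes, stats); stats counts records kept whole vs trimmed."""
    if struct.unpack("<I", pcap[:4])[0] != PCAP_MAGIC:
        raise ValueError("only little-endian classic pcap is handled here (not pcapng)")
    out = bytearray(pcap[:24])                  # global header copied unchanged
    stats = {"kept": 0, "trimmed": 0, "bytes_saved": 0}
    pos = 24
    while pos + 16 <= len(pcap):
        ts_sec, ts_usec, incl, orig = struct.unpack("<IIII", pcap[pos:pos + 16])
        frame = pcap[pos + 16:pos + 16 + incl]
        pos += 16 + incl
        info = header_length_and_ports(frame)
        if info and (set(info[1]) & ENCRYPTED_PORTS):
            frame = frame[:info[0]]              # headers only, payload dropped
            stats["trimmed"] += 1
            stats["bytes_saved"] += incl - len(frame)
        else:
            stats["kept"] += 1
        # orig_len is preserved so tools still report the real on-the-wire size.
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), orig) + frame
    return bytes(out), stats


def record_lengths(pcap):
    """List (incl_len, orig_len) for every record; handy for checking the result."""
    out, pos = [], 24
    while pos + 16 <= len(pcap):
        _, _, incl, orig = struct.unpack("<IIII", pcap[pos:pos + 16])
        out.append((incl, orig))
        pos += 16 + incl
    return out


if __name__ == "__main__":
    if len(sys.argv) == 3:                       # real files: in.pcap out.pcap
        with open(sys.argv[1], "rb") as f:
            data, st = trim_encrypted(f.read())
        with open(sys.argv[2], "wb") as f:
            f.write(data)
    else:                                        # demo on constructed frames
        sample = write_pcap([
            ipv4_packet(6, 40000, 80, b"GET / HTTP/1.1\r\n"),
            ipv4_packet(6, 40001, 443, b"\x17\x03\x03" + b"\x00" * 97),
            ipv4_packet(17, 40002, 53, b"\x00" * 30),
            ipv4_packet(17, 40003, 853, b"\x00" * 60),
        ])
        data, st = trim_encrypted(sample)
        print(st, record_lengths(data))
```

Run it on a saved file with `python3 trim_encrypted.py capture.pcap trimmed.pcap`. It handles the classic pcap format only; dumpcap writes pcapng by default, so capture with `-P` (or convert first) before feeding it a file. Trimming is lossy by design, so keep the full ring-buffer files until you are sure the headers-only copy is all you need for the question at hand.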
@bohuueeaa 2 years ago
Another good video from Chris Greer (: Addition to this great video, you can considerably increase the device's performance with pf_ring, which, I bet you already know about (:
@ChrisGreer 2 years ago
Ooh nice, great tip Yasin! Thank you.
@shruthesh 2 years ago
I watched the video again to see how you got two network interfaces on a regular Raspberry Pi. Felt stupid after I realized I completely forgot the wireless interface. 😅
@ChrisGreer 2 years ago
It’s ok! I felt stupid the entire time I was setting the whole thing up.
@777_Strategist 2 years ago
Hey Chris, you're a really good teacher, I love your content! I don't use YouTube as much these days, but it would be awesome to see you on the Odysee video platform! Ask David Bombal, he posts regularly on it! Hope to see you there, and thanks for your awesome content :-)
@robertbatista50 a year ago
This may also be an option if you don’t take the SSD route… kzbin.info/www/bejne/gnyndGCNn9qeoZI
@Thriving_in_Exile 2 months ago
You shouldn't have to spend $250 for.... > "Published 2 years ago" Yeah okay, fair enough. STILL a steal, though, compared to some of these enterprise network appliances.
@ChrisGreer 2 months ago
I was about to say… Have you seen what those vendor boxes cost?!
@Liqweed1337 4 months ago
This video taught me nothing. It basically ended when the content began.