HTTP Packets Detected!
At a conference, Laura Chappell talked about a wall she had with lights that turn on when certain packets pass through her network. I recalled it and said, why not make it and write about it?
To begin, we first need to install the latest version of Raspberry Pi OS on the Pi's SD card. You can follow the instructions on this site, which has an installer that will do the heavy lifting for you.
Before disconnecting the SD card, don't forget to add an empty file called "ssh" to the boot partition; it enables the SSH server on first boot.
Windows: open Command Prompt, change directory to the SD card's boot partition, and type: type nul > ssh
macOS and Linux: open the Terminal, change directory to the boot partition, and type: touch ssh
With your SD card ready, insert it into your Pi and boot the device. When it is up, find it on the network and SSH into it. As always, your first steps should be to change the password (passwd) and then update the system (sudo apt update && sudo apt full-upgrade -y).
Our last step is to connect the SharkTapUSB device to the Pi and verify it is recognized before moving forward. Connect the SharkTapUSB to a USB 3 port, with one tap port connected to the LAN side of the router and the other to the rest of the network.
A simple way to check is by running lsusb.
The SharkTapUSB is recognized without drivers; reboot the device after connecting it so that it appears as a wired Ethernet device.
The SharkTapUSB is seen as a NIC called "eth1".
Speed tests showed no difference before and after adding the SharkTapUSB, as it should be! 😀
With the Pi ready for work, we will now install what we need for this project: the necessary programs, plus a clone of the repository that holds the program. Run the following commands on the Pi:
sudo apt install git tshark -y
When installing tshark, you will be prompted to allow non-superusers to capture packets; select yes to continue.
Next, we will download Termshark for troubleshooting. Termshark can be downloaded from this page. Right click and copy the link for the "armv6" file:
In the Pi's terminal, we will type
wget https://github.com/gcla/termshark/releases/download/v2.2.0/termshark_2.2.0_linux_armv6.tar.gz
to download the file directly on the pi. Please ensure you are using the latest link as the one I have here is an example. You can unzip the file with the command:
tar -zxvf termshark_2.2.0_linux_armv6.tar.gz
It will create a folder with all the files necessary to run termshark there. This will be useful to check out the trace files without having to copy them somewhere else. Here is an example of Termshark in use during my livestream as I was figuring out why I kept getting HTTP messages. Turns out, my Chromecast was sending these packets!
Next we will download the repository that has the programs to make this work:
git clone https://github.com/infosecirvin/packetwall.git
NOTE: The location where you extract and execute the files is where the program will save the trace files. If you have a small SD card, you may want to connect the Pi to a NAS or attach an external USB drive and copy the files from this repository there. (For those interested, you can use this site to connect your Pi to a NAS.)
Above is a picture of the program. Essentially, it runs tshark in the background, saving packets in a ring buffer of 2 files that rotate every 10 seconds. At 10-second intervals, the program filters the trace files created by tshark for any packets that match the display filters given in the "-Y" argument. If none exist, it writes a "0" to a file; if any were found, those packets are saved for your further analysis and a "1" is written to the file. This repeats until you stop the program.
You can easily add more rules by copying the sample lines and changing the rule number variable (rule2 & r2), the display filter (add your filter inside the single quotes after -Y on lines 20 and 25), and the output file (-w on line 25).
Now to build the light system! We will use this page to understand which pins we can use on the Pi. For my single-rule example, I will use pin 12.
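As an added example (not the packetwall repository's own program.sh), here is one rule of that loop written out as a POSIX shell script: it starts the 2-file, 10-second ring-buffer capture, picks the most recently completed trace, counts the packets matching a display filter, saves them, and writes the 0/1 flag file. It assumes tshark is on the PATH, the tap shows up as eth1, traces go under ./traces, rule 1 is the display filter http.request and its flag file is ./r1; the TSHARK variable exists only so the tshark call can be swapped out.

```shell
#!/bin/sh
# Added example, not the packetwall repo's program.sh. Assumed: tshark on PATH,
# tap on eth1, traces under ./traces, rule 1 = http.request, flag file ./r1.
IFACE="${IFACE:-eth1}"
TRACE_DIR="${TRACE_DIR:-./traces}"
TSHARK="${TSHARK:-tshark}"

# Background capture: ring buffer of 2 files, switching file every 10 seconds.
start_capture() {
    mkdir -p "$TRACE_DIR"
    "$TSHARK" -i "$IFACE" -b duration:10 -b files:2 \
        -w "$TRACE_DIR/trace.pcapng" >/dev/null 2>&1 &
    echo $!
}

# Newest *completed* trace: with two ring files the most recent one is still
# being written to, so take the second newest.
latest_trace() {
    ls -t "$TRACE_DIR"/trace_*.pcapng 2>/dev/null | sed -n '2p'
}

# Apply one rule to a trace file. $1 trace, $2 display filter, $3 pcap to save
# the matches in, $4 flag file. Writes 1 to the flag file (and saves the
# matching packets) if anything matched, 0 otherwise; prints the match count.
check_rule() {
    trace="$1"; filter="$2"; out="$3"; flag="$4"
    if [ -z "$trace" ] || [ ! -r "$trace" ]; then
        echo 0 > "$flag"; echo 0; return 0   # no finished trace yet: no hit
    fi
    matches=$("$TSHARK" -r "$trace" -Y "$filter" 2>/dev/null | wc -l | tr -d ' ')
    if [ "$matches" -gt 0 ]; then
        "$TSHARK" -r "$trace" -Y "$filter" -w "$out" >/dev/null 2>&1
        echo 1 > "$flag"
    else
        echo 0 > "$flag"
    fi
    echo "$matches"
}

# Rule 1: flag any HTTP request; repeat every 10 seconds until stopped.
main_loop() {
    start_capture >/dev/null
    while :; do
        sleep 10
        check_rule "$(latest_trace)" 'http.request' \
            "$TRACE_DIR/r1_hits_$(date +%s).pcapng" ./r1 >/dev/null
    done
}
if [ "${1:-}" = run ]; then main_loop; fi
```

Start it with ./program.sh run; each rule you add is one more check_rule call with its own filter, output file and flag file.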
Remember to put a 220 Ohm resistor at the negative end of the LED. You don't want to burn them out.
Here is a simple LED circuit for your reference
Here is a reference on the right way to insert the LED
I have chosen to use starter code from this GitHub repository to make the lights turn on.
The top of the program (lines 1-37) consists of the functions we will use to turn the lights on and off. Be sure to make changes and add more colors as you add more rules to the previous file, such as under lines 7, 36, 49, and 51.
After you make your own rules and select which colors should light up when, it's all a matter of making the two programs executable and then running them to see your network sensor light up!
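Added example, not the starter repository's light script: a small POSIX shell script that polls the detector's flag files and drives one LED per rule through the legacy sysfs GPIO interface. It assumes header pin 12 is BCM GPIO 18, a second LED on BCM GPIO 23 for a second rule, flag files ./r1 and ./r2, and a GPIO_ROOT variable that defaults to /sys/class/gpio.

```shell
#!/bin/sh
# Added example, not the starter repo's light script. Assumed: sysfs GPIO at
# /sys/class/gpio (needs root), rule 1 LED on BCM GPIO 18 (header pin 12),
# rule 2 LED on BCM GPIO 23, flag files ./r1 and ./r2 written by the detector.
GPIO_ROOT="${GPIO_ROOT:-/sys/class/gpio}"

# Export a GPIO as an output, unless it has already been exported.
gpio_setup() {
    [ -d "$GPIO_ROOT/gpio$1" ] || echo "$1" > "$GPIO_ROOT/export"
    echo out > "$GPIO_ROOT/gpio$1/direction"
}

# Drive the LED on GPIO $1: $2 is 1 for on, 0 for off.
gpio_write() {
    echo "$2" > "$GPIO_ROOT/gpio$1/value"
}

# Read a flag file written by the detector. Anything other than "1" (missing
# file, half-written file) counts as no hit, so an LED never sticks on by accident.
flag_state() {
    [ -f "$1" ] && [ "$(cat "$1" 2>/dev/null)" = 1 ] && echo 1 || echo 0
}

# Map one rule's flag file ($1) to its LED ($2) and print the state it was set to.
update_led() {
    state=$(flag_state "$1")
    gpio_write "$2" "$state"
    echo "$state"
}

# Poll at the detector's 10-second interval: rule 1 -> GPIO 18, rule 2 -> GPIO 23.
lights_loop() {
    gpio_setup 18; gpio_setup 23
    while :; do
        update_led ./r1 18 >/dev/null
        update_led ./r2 23 >/dev/null
        sleep 10
    done
}
if [ "${1:-}" = run ]; then lights_loop; fi
```

Run it as sudo ./lights.sh run; adding a rule means one more gpio_setup and one more update_led line with its flag file and GPIO number.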
chmod +x program.sh
chmod +x light.sh
Once they are ready, run them with: ./program.sh && ./lights.sh and see it in action. Feel free to modify the code to your environment!
You can watch my progress in making this project on YouTube; live work is done on Twitch.