Geekzone: technology news, blogs, forums


davidcole

6037 posts

Uber Geek

Trusted

#303049 12-Jan-2023 22:20

I’m trying to Wireshark the network traffic from my NVR to capture the Apple push notifications that go out to port 8888 (I think I could get the IP address as well).

So I have a Raspberry Pi attached to the NVR LAN side (where the cameras are attached). I have tcpdump on that. But the capture only seems to pick up UDP traffic and I can’t see anything other than that.

Any possible suggestions? I’m not sure if I have promiscuous mode on, or if I should be able to capture this traffic in this method.




Previously known as psycik

Home Assistant: Gigabyte AMD A8 Brix, Home Assistant with Aeotech ZWave Controller, Raspberry PI, Wemos D1 Mini, Zwave, Shelly Humidity and Temperature sensors
Media:Chromecast v2, ATV4 4k, ATV4, HDHomeRun Dual
Server
Host Plex Server 3x3TB, 4x4TB using MergerFS, Samsung 850 evo 512 GB SSD, Proxmox Server with 1xW10, 2xUbuntu 22.04 LTS, Backblaze Backups, usenetprime.com fastmail.com Sharesies Trakt.TV Sharesight 


richms
28192 posts

Uber Geek

Trusted
Lifetime subscriber

  #3020672 12-Jan-2023 22:31

Are you using a switch and expecting to see unicast destined to the internet on the pi?





Richard rich.ms



davidcole

6037 posts

Uber Geek

Trusted

  #3020723 12-Jan-2023 23:20

richms:

Are you using a switch and expecting to see unicast destined to the internet on the pi?


Using the switch built into the NVR, and yes.







fe31nz
1232 posts

Uber Geek


  #3020727 13-Jan-2023 01:51

Switches work by checking the MAC addresses of the packets against a list of MAC addresses that they can see on each port.  Only packets matching the MAC address list for a port are visible on that port.  So if you want to see the packets for a different MAC address, they will not be visible.  You will also see all packets that use the broadcast MAC address (all F's) as that matches on all ports.

 

To do what you want, the options are:

 

1) Run Wireshark (or tshark or tcpdump) actually on one of the devices that are sending/receiving the packets (the NVR in your case).

 

2) Use a switch that has a port mirroring function to mirror the traffic to the port your RPi is connected to.

 

3) Use an Ethernet hub instead of a switch so that all ports see all traffic (but there are no 1 Gbit/s Ethernet hubs that I know of).

 

4) Use a device that has two Ethernet ports and put it inline between a device and its switch port.  Then run software on it that copies all the traffic between its two ports without modifying it, and also stores a copy for you to look at.  Router software can do this.  If you have a spare router of the level of an EdgeRouter or Mikrotik, it could probably be used to do this.  But it would have to be set to not offload the packets as that makes them invisible to tshark on the router.  And that slows down the speed of routing dreadfully, so it would probably do only around 300-500 Mbit/s unless it had a particularly good CPU.  I believe that it is possible to buy a hardware device with 3 Ethernet ports that works like this and mirrors the traffic to the third port, but it is specialised kit and probably hard to come by off the shelf in NZ.  If you are using an RPi 4, then you could add a USB 3 Ethernet port to provide the second port to do this with.

 

The normal option is to use a switch with a mirror port, but such switches are a bit more expensive than most home switches.  I use a Ubiquiti EdgeSwitch 24 Lite that is a full commercial grade switch, so that I have features like mirror ports.

 

In your specific case, are the packets going out to the Internet?  If so they will be going through your router, so what router do you have?  If it is a good one, you may be able to run tshark or tcpdump on it, but you would need to disable hardware offloading to see all packets.  I do this sort of thing fairly often with my EdgeRouters.  FritzBoxes have an option to capture traffic on a hidden web page - that works very well too.
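
A small model of the switch behaviour described in the post above, added here as an illustration (not part of the original thread). The port names, MAC addresses and frame labels are constructed, and the mirroring logic is a simplification of what real switches do.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"

class LearningSwitch:
    """Minimal model of a MAC-learning switch with optional port mirroring."""

    def __init__(self, ports, mirror=None):
        self.ports = list(ports)
        self.mac_table = {}              # source MAC -> port it was last seen on
        self.mirror = mirror             # (monitored_port, capture_port) or None
        self.seen = {p: [] for p in self.ports}

    def receive(self, in_port, src, dst, label):
        self.mac_table[src] = in_port    # learn from the source address
        if dst == BROADCAST or dst not in self.mac_table:
            # Broadcast or unknown destination: flood to every other port.
            out = [p for p in self.ports if p != in_port]
        else:
            # Known unicast: deliver to the single learned port only.
            out = [p for p in [self.mac_table[dst]] if p != in_port]
        if self.mirror:
            monitored, capture = self.mirror
            touches = in_port == monitored or monitored in out
            if touches and capture != in_port and capture not in out:
                out.append(capture)      # copy the frame to the capture port
        for p in out:
            self.seen[p].append(label)
        return out

# Constructed addresses and topology (assumptions, not taken from the thread).
NVR, ROUTER = "02:00:00:00:00:01", "02:00:00:00:00:02"

def pi_view(mirror=None):
    """Return the frames a passive capture host on port 'pi' would see."""
    sw = LearningSwitch(["nvr", "router", "pi"], mirror=mirror)
    sw.receive("nvr", NVR, BROADCAST, "ARP who-has router (broadcast)")
    sw.receive("router", ROUTER, NVR, "ARP reply (unicast)")
    sw.receive("nvr", NVR, ROUTER, "TCP to port 8888 (unicast)")
    sw.receive("router", ROUTER, NVR, "TCP reply from port 8888 (unicast)")
    return sw.seen["pi"]

if __name__ == "__main__":
    print("no mirror:      ", pi_view())
    print("mirror nvr -> pi:", pi_view(("nvr", "pi")))
```

Without mirroring the capture port receives only the flooded broadcast frame; with the NVR port mirrored it receives all four frames, which is why promiscuous mode on the Pi alone does not help.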




davidcole

6037 posts

Uber Geek

Trusted

  #3020737 13-Jan-2023 08:22

I don't have a hub to introduce behind the NVR to watch all the traffic. And I guess the push notification I want to see the payload of will probably be encrypted anyway.

Might be why I shelved doing this a few months ago.






Mehrts
1063 posts

Uber Geek

Trusted

  #3020776 13-Jan-2023 10:27

You can make a DIY network tap.

Basically it provides an extra port that is directly wired between an input and output jack that you can use for wireshark snooping. It's literally "tapped" into the wiring. You could do the same thing by making a "Y" splitter type cable with RJ-45 connectors on each end.

You'll just have to ensure that your device running wireshark is set to some form of promiscuous mode, or something that won't try and be active/grab an IP address etc as it'll cause issues. You want this device to only listen to traffic inbound.


dt
1152 posts

Uber Geek
Inactive user


  #3020806 13-Jan-2023 11:59

Mehrts:

You can make a DIY network tap.

That's awesome!


BarTender
3606 posts

Uber Geek

ID Verified
Trusted
Lifetime subscriber

  #3020825 13-Jan-2023 13:02

Hey.. Feel free to email me, I can sort you out a switch that supports port mirroring or personally I find using a router with OpenWRT far easier to take tcpdump traces on when the traffic is routed through the router. Typically you will struggle to find switches that properly support port mirroring or broadcast, or having an old style 10/100 hub that is a hub not a switch is what you need.

 

But an OpenWRT router like the white box that was used for speed tests, then flashing stock OpenWRT onto it, then plugging in a USB stick and mounting that, and capturing traffic that is routed that way just works every single time. Then you can pull the pcap off the router, or unmount the USB stick and put it into your desktop and use Wireshark to check out the traffic.


 
 
 

fe31nz
1232 posts

Uber Geek


  #3021167 14-Jan-2023 00:35

Mehrts:

You can make a DIY network tap.


Unfortunately that tap is only 10/100 Mbit/s - these days you need 1 Gbit/s - more pairs of wires to tap into.  And tapping in like that without active components is problematic - it may or may not work, and is much less likely to work at 1 Gbit/s.  Which is why there are professional taps for those who really need them.  Just not off the shelf in NZ and not so cheap.

