Geekzone: technology news, blogs, forums


davidcole

#303049 12-Jan-2023 22:20

I'm trying to Wireshark the network traffic from my NVR to capture the Apple push notifications that go out to port 8888 (I think I could get the IP address as well).

So I have a Raspberry Pi attached to the NVR LAN side (where the cameras are attached). I have tcpdump on that. But the capture only seems to pick up UDP traffic and I can't see anything other than that.

Any possible suggestions? I’m not sure if I have promiscuous mode on, or if I should be able to capture this traffic in this method.




Previously known as psycik

Home Assistant: Gigabyte AMD A8 Brix, Home Assistant with Aeotech ZWave Controller, Raspberry PI, Wemos D1 Mini, Zwave, Shelly Humidity and Temperature sensors
Media:Chromecast v2, ATV4 4k, ATV4, HDHomeRun Dual
Server
Host Plex Server 3x3TB, 4x4TB using MergerFS, Samsung 850 evo 512 GB SSD, Proxmox Server with 1xW10, 2xUbuntu 22.04 LTS, Backblaze Backups, usenetprime.com fastmail.com Sharesies Trakt.TV Sharesight 


richms
#3020672 12-Jan-2023 22:31

Are you using a switch and expecting to see unicast destined to the internet on the pi?





Richard rich.ms



davidcole

#3020723 12-Jan-2023 23:20

richms:

Are you using a switch and expecting to see unicast destined to the internet on the pi?

Using the switch built into the NVR, and yes.







fe31nz
#3020727 13-Jan-2023 01:51

Switches work by checking the MAC addresses of the packets against a list of MAC addresses that they can see on each port.  Only packets matching the MAC address list for a port are visible on that port.  So if you want to see the packets for a different MAC address, they will not be visible.  You will also see all packets that use the broadcast MAC address (all F's) as that matches on all ports.

 

To do what you want, the options are:

 

1) Run Wireshark (or tshark or tcpdump) actually on one of the devices that are sending/receiving the packets (the NVR in your case).

 

2) Use a switch that has a port mirroring function to mirror the traffic to the port your RPi is connected to.

 

3) Use an Ethernet hub instead of a switch so that all ports see all traffic (but there are no 1 Gbit/s Ethernet hubs that I know of).

 

4) Use a device that has two Ethernet ports and put it inline between a device and its switch port.  Then run software on it that copies all the traffic between its two ports without modifying it, and also stores a copy for you to look at.  Router software can do this.  If you have a spare router of the level of an EdgeRouter or Mikrotik, it could probably be used to do this.  But it would have to be set to not offload the packets as that makes them invisible to tshark on the router.  And that slows down the speed of routing dreadfully, so it would probably do only around 300-500 Mbit/s unless it had a particularly good CPU.  I believe that it is possible to buy a hardware device with 3 Ethernet ports that works like this and mirrors the traffic to the third port, but it is specialised kit and probably hard to come by off the shelf in NZ.  If you are using an RPi 4, then you could add a USB 3 Ethernet port to provide the second port to do this with.

 

The normal option is to use a switch with a mirror port, but such switches are a bit more expensive than most home switches.  I use a Ubiquiti EdgeSwitch 24 Lite that is a full commercial grade switch, so that I have features like mirror ports.

 

In your specific case, are the packets going out to the Internet?  If so they will be going through your router, so what router do you have?  If it is a good one, you may be able to run tshark or tcpdump on it, but you would need to disable hardware offloading to see all packets.  I do this sort of thing fairly often with my EdgeRouters.  FritzBoxes have an option to capture traffic on a hidden web page - that works very well too.
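A way to check which situation a capture point is in, as an added example that is not part of the original post: it reads a classic pcap file (such as one written by `tcpdump -w`) and counts frames by destination-MAC class, so a capture with no unicast between other devices points to a switch port without mirroring. The function names, MAC addresses and sample frames are constructed for illustration.

```python
import struct
from collections import Counter

def classify_pcap(data: bytes, own_mac: bytes) -> Counter:
    """Count Ethernet frames in a classic pcap file by destination-MAC class."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None or len(data) < 24:
        raise ValueError("not a classic (microsecond) pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    counts, offset = Counter(), 24
    while offset + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[offset + 8:offset + 12])[0]
        frame = data[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < 14:                 # shorter than an Ethernet header
            counts["truncated"] += 1
        elif frame[:6] == b"\xff" * 6:      # broadcast: seen on every switch port
            counts["broadcast"] += 1
        elif frame[0] & 1:                  # group bit set: multicast
            counts["multicast"] += 1
        elif own_mac in (frame[:6], frame[6:12]):
            counts["own_unicast"] += 1      # traffic to or from the capture host
        else:
            counts["foreign_unicast"] += 1  # needs a mirror port, hub or tap
    return counts

def sees_other_hosts(counts: Counter) -> bool:
    """True if the capture point receives unicast between other devices."""
    return counts["foreign_unicast"] > 0

def build_pcap(frames) -> bytes:
    """Wrap raw Ethernet frames in a little-endian pcap (constructed sample)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

# Constructed MAC addresses and frames, not taken from the thread.
PI, NVR, ROUTER = (bytes([2, 0, 0, 0, 0, n]) for n in (1, 2, 3))
PAD = bytes(46)
SWITCHED = [b"\xff" * 6 + NVR + b"\x08\x06" + PAD,                  # broadcast
            b"\x01\x00\x5e\x00\x00\xfb" + NVR + b"\x08\x00" + PAD,  # multicast
            PI + ROUTER + b"\x08\x00" + PAD]                        # router -> Pi
MIRRORED = SWITCHED + [ROUTER + NVR + b"\x08\x00" + PAD]            # NVR -> router

if __name__ == "__main__":
    for name, frames in (("switched", SWITCHED), ("mirrored", MIRRORED)):
        c = classify_pcap(build_pcap(frames), PI)
        print(name, dict(c), "sees other hosts:", sees_other_hosts(c))
```

To use it on a real capture, pass the file's bytes and the capture interface's MAC address as six raw bytes.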




davidcole

#3020737 13-Jan-2023 08:22

I don't have a hub to introduce behind the NVR to watch all the traffic. And I guess the push notification I want to see the payload of will probably be encrypted anyway.

Might be why I shelved doing this a few months ago.






Mehrts
#3020776 13-Jan-2023 10:27

You can make a DIY network tap.

Basically it provides an extra port that is directly wired between an input and output jack that you can use for Wireshark snooping. It's literally "tapped" into the wiring. You could do the same thing by making a "Y" splitter type cable with RJ-45 connectors on each end.

You'll just have to ensure that your device running Wireshark is set to some form of promiscuous mode, or something that won't try and be active/grab an IP address etc as it'll cause issues. You want this device to only listen to traffic inbound.


dt
#3020806 13-Jan-2023 11:59

Mehrts:

You can make a DIY network tap.

That's awesome!


BarTender
#3020825 13-Jan-2023 13:02

Hey.. Feel free to email me, I can sort you out a switch that supports port mirroring or personally I find using a router with OpenWRT far easier to take tcpdump traces on when the traffic is routed through the router. Typically you will struggle to find switches that properly support port mirroring or broadcast, or having an old style 10/100 hub that is a hub not a switch is what you need.

 

But an OpenWRT router like the white box that was used for speed tests, then flashing stock OpenWRT onto it, then plugging in a USB stick and mounting that, and capturing traffic that is routed that way just works every single time. Then you can pull the pcap off the router, or unmount the USB stick and put it into your desktop and use Wireshark to check out the traffic.


fe31nz
#3021167 14-Jan-2023 00:35

Mehrts:

You can make a DIY network tap.

Unfortunately that tap is only 10/100 Mbit/s - these days you need 1 Gbit/s - more pairs of wires to tap into.  And tapping in like that without active components is problematic - it may or may not work, and is much less likely to work at 1 Gbit/s.  Which is why there are professional taps for those who really need them.  Just not off the shelf in NZ and not so cheap.

