During real penetration testing exercises, we found that running raw tcpdump captures or using tools such as Wireshark consumes a lot of processing power and sometimes crashes the Raspberry Pi or renders it useless. For this reason, the best practice is to avoid using such tools in real environments unless you tune what is captured to reduce the overhead on the Raspberry Pi. Here are some steps to capture network traffic using tcpdump in a controlled manner.
Tcpdump is a very useful tool, and knowing what you are doing with the utility will help you get the most out of it on the Raspberry Pi. The following section provides a few tuning pointers, but it is not intended to be a tcpdump tutorial.
The first thing to consider is how to narrow down what tcpdump is looking for. You can do this in a few ways. The first way is to specify the host keyword. The host keyword restricts the capture to traffic to or from the specified hostname or IP address. It can be done in the following...
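As an added example, not taken from the book, the following POSIX shell script builds a tcpdump command line that combines the host filter with the other limits that keep a capture cheap on a Raspberry Pi: no name resolution, a short snaplen, a packet-count cap, output written to a file instead of decoded on screen, and a small ring buffer so the SD card cannot fill up. The interface name eth0, the host addresses, the file path under /tmp and the default limits are constructed values chosen for illustration; the tcpdump options themselves (-i, -n, -s, -c, -w, -C, -W) are standard.

```shell
#!/bin/sh
# Added example (not the book's code): assemble a tcpdump invocation that is
# tuned for a low-powered capture host such as a Raspberry Pi.
# The interface, host values, output path and defaults are constructed.

# Print the tcpdump command for capturing traffic to or from one host.
#   $1 = host (IP address or hostname), required
#   $2 = interface       (default eth0)
#   $3 = packet cap      (default 1000 packets)
#   $4 = snaplen         (default 96 bytes: enough for Ethernet/IP/TCP headers)
build_tcpdump_cmd() {
    host="$1"
    iface="${2:-eth0}"
    count="${3:-1000}"
    snaplen="${4:-96}"
    outfile="/tmp/capture-${host}.pcap"

    # Refuse an empty host or one containing whitespace: an empty value drops
    # the filter entirely (capturing everything, which is what we are trying to
    # avoid) and whitespace would splice extra terms into the BPF expression.
    case "$host" in
        ""|*[[:space:]]*) return 1 ;;
    esac

    # -n : no DNS lookups (each lookup costs CPU and generates its own traffic)
    # -s : keep only the first N bytes of each packet (headers, not payload)
    # -c : stop after N packets so a busy link cannot run the Pi out of memory
    # -w : write raw packets to a file; on-screen decoding is the expensive part
    # -C/-W : rotate at 10 MB and keep at most 5 files (bounded SD-card usage)
    printf 'tcpdump -i %s -n -s %s -c %s -C 10 -W 5 -w %s host %s\n' \
        "$iface" "$snaplen" "$count" "$outfile" "$host"
}

# When run directly with a host argument, print the command that would be run;
# remove the echo and run the output to actually start the capture (as root).
if [ "${1:-}" != "" ]; then
    cmd=$(build_tcpdump_cmd "$1" "${2:-eth0}") || { echo "bad host: $1" >&2; exit 1; }
    echo "$cmd"
fi
```

The packet cap and the ring buffer work together: -c bounds how long the capture runs, while -C/-W bound how much disk it can ever occupy, so a forgotten capture cannot exhaust either memory or the SD card.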