Requirements
- your PiRogue VPN is up and running
- one or more devices are connected to it
Learn how to capture network traffic
This guide will help you deepen your understanding of capturing network traffic.
... in 3 steps
Get the name of the isolated network interface
A PiRogue, regardless of its operating mode, has 2 network interfaces: one, named the external interface, to get access to the Internet, and one, named the isolated interface, to connect the devices to. The names of these 2 interfaces can be found in the system configuration of PiRogue.
The name of the isolated network interface can be found with the command below by looking at the ISOLATED_INTERFACE property:
    pirogue-admin-client system get-configuration
How to get the isolated network interface
In this example, the name of the isolated network interface is wg0.
    DASHBOARD_PASSWORD: [redacted]
    ENABLE_DHCP: 'True'
    ENABLE_PUBLIC_ACCESS: 'True'
    EXTERNAL_ADDRESS: [redacted]
    EXTERNAL_INTERFACE: ens2
    EXTERNAL_NETWORKS: [redacted]/32
    ISOLATED_ADDRESS: 10.8.0.1
    ISOLATED_INTERFACE: wg0    <-- isolated interface
    ISOLATED_NETWORK: 10.8.0.0/24
    PUBLIC_CONTACT_EMAIL: [redacted]
    PUBLIC_DOMAIN_NAME: [redacted]
    PUBLIC_EXTERNAL_ADDRESS: [redacted]
    SYSTEM_HOSTNAME: pirogue-vpn-1
    SYSTEM_OPERATING_MODE: wireguard
    WIFI_COUNTRY_CODE: FR
    WIFI_PASSPHRASE: [redacted]
    WIFI_SSID: PiRogue1
Identify WireGuard peers
The WireGuard peers configured on your PiRogue are not named: a peer is identified by its ID only. If you want to associate a peer with an individual, you have to store this information separately, ideally not on your PiRogue. We suggest you keep track of the peers the following way:
| Date | Peer ID | Peer IP address | Individual |
|---|---|---|---|
| 2024-10-23 | 2 | 10.8.0.2 | John |
| 2024-10-23 | 3 | 10.8.0.3 | Lea |
| 2024-10-27 | 6 | 10.8.0.9 | Camilla |
How to find the IP address of a peer
The IP address of a peer is specified in the configuration of each peer: it corresponds to the Address. It is specified using CIDR notation; ignore the value after the /.
In this example, we want to get the IP address of peer 2.
    [Interface]
    Address = 10.8.0.2/24    <--- IP address of peer 2
    PrivateKey = WLzm+auxiGXJJDf/74TsS4hnAU4mViJxR8XfpJUviW0=
    DNS = 10.8.0.1

    [Peer]
    EndPoint = 51.159.150.9:51820
    PublicKey = dQzDsS2BQPjNjI2PG4hGAQX7AQ2xhFZnuMvV2beLj30=
    AllowedIPs = 0.0.0.0/0
    PersistentKeepAlive = 20
Capture the network traffic
With PiRogue, it’s easy to capture the network traffic of all devices at once or the network traffic of a single device.
Capture the whole network traffic
Simply use tcpdump and specify the name of the isolated interface:
    tcpdump -i [isolated interface] -w [PCAP file]
In the command above, replace:
- [isolated interface] with the name of the isolated interface
- [PCAP file] with the name of the file that will contain the network traffic
Press Ctrl+C to stop the capture.
Capture the network traffic of a single device
Use tcpdump, specify the name of the isolated interface and the IP address of the device:
    tcpdump -i [isolated interface] host [device IP address] -w [PCAP file]
In the command above, replace:
- [isolated interface] with the name of the isolated interface
- [device IP address] with the IP address of the device whose traffic you want to capture
- [PCAP file] with the name of the file that will contain the network traffic
Press Ctrl+C to stop the capture.
How to capture the network traffic of a device
In this example, the name of the isolated network interface is wg0, 10.8.0.2 is the IP address of the device and the network traffic will be saved in the file /tmp/traffic.pcap.
    tcpdump: listening on wg0, link-type RAW (Raw IP), snapshot length 262144 bytes
    ^C476 packets captured
    476 packets received by filter
    0 packets dropped by kernel
The PCAP file can be opened with Wireshark.
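The three steps above chained into one script, as an added example that is not part of the PiRogue documentation: it reads the isolated interface from the system configuration, reads a peer's address from its WireGuard configuration, and prints the single-device capture command after checking each value. The function names and the sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not PiRogue code); function names and sample data are constructed.

# Read `pirogue-admin-client system get-configuration` output on stdin and
# print the value of the ISOLATED_INTERFACE property.
isolated_interface() {
    awk '$1 == "ISOLATED_INTERFACE:" { print $2; exit }'
}

# Read a WireGuard peer configuration on stdin and print the first Address of
# its [Interface] section without the CIDR prefix length.
peer_address() {
    awk -F'[ \t]*=[ \t]*' '
        /^\[/ { in_interface = ($0 ~ /^\[Interface\]/); next }
        in_interface && $1 == "Address" { split($2, a, "[/,]"); print a[1]; exit }'
}

# Print the capture command after checking that each value has the expected
# shape, since tcpdump is run with elevated privileges.
capture_command() {
    case $1 in ''|*[!A-Za-z0-9_.-]*) echo "bad interface: $1" >&2; return 1 ;; esac
    case $3 in ''|*[!A-Za-z0-9_./-]*) echo "bad PCAP path: $3" >&2; return 1 ;; esac
    printf '%s\n' "$2" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' ||
        { echo "bad IPv4 address: $2" >&2; return 1; }
    printf 'tcpdump -i %s host %s -w %s\n' "$1" "$2" "$3"
}

# Constructed sample inputs, shaped like the outputs shown in this guide.
sample_system_config() {
    cat <<'EOF'
ENABLE_DHCP: 'True'
EXTERNAL_INTERFACE: ens2
ISOLATED_INTERFACE: wg0
ISOLATED_NETWORK: 10.8.0.0/24
EOF
}
sample_peer_config() {
    cat <<'EOF'
[Interface]
Address = 10.8.0.2/24
DNS = 10.8.0.1
[Peer]
AllowedIPs = 0.0.0.0/0
EOF
}

iface=$(sample_system_config | isolated_interface)
ip=$(sample_peer_config | peer_address)
capture_command "$iface" "$ip" /tmp/traffic.pcap
```

On a PiRogue, pipe the real `pirogue-admin-client system get-configuration` output and the peer's configuration file into the two parsing functions instead of the samples.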