Beginner guide - How to capture and analyze device's network traffic

To begin, let’s first explain what we are doing here:

We will be using the PiRogue as a network router. A network router is a device that facilitates communication between the internet and the devices in your home that connect to the internet. As its name implies, it “routes” traffic between devices and other networks, such as the internet. The PiRogue functions similarly to your ISP’s router, allowing you to connect from one network to another by plugging it into the router using an Ethernet cable.

Since the PiRogue is intended for analyzing potentially compromised devices, it helps us separate those devices from the rest of our network. To achieve this, we will create a separate network in our lab, home, or hotel room. When we connect a potentially compromised device to the PiRogue’s Wi-Fi network, that device will not be able to see all the other devices connected to your network. This is important because when a device is compromised, there is a chance that any malicious software running on it will attempt to move and infect other devices connected to the same network. Therefore, we need to isolate the potentially compromised device from the rest of our network infrastructure and keep it away from other devices.

By creating a dedicated network to analyze a specific device, we can intercept network traffic solely from that device. This eliminates the noise caused by other devices communicating on the network and allows us to capture the network traffic from the device we want to analyze. We want to ensure that we capture the entire network traffic on this specific network, which is the WiFi network created by the PiRogue, without any interference from other devices.

In this guide, we assume that we have a dedicated Wi-Fi network provided by the PiRogue and a potentially compromised device.

When we want to analyze a potentially compromised device, we are uncertain about its activities, and further investigation, such as forensic analysis, may be challenging. After approximately three days, you can take your network traffic file and open it with Wireshark to start examining it for anything unusual or suspicious. For example, if you are a journalist located in Colombia and your device is communicating with a server located in Russia or India, it may raise concerns. Based on the profile of the person carrying this device, you will be able to assess the risk and distinguish legitimate network traffic from suspicious traffic. Analyzing three days’ worth of network traffic can be overwhelming because of the large number of servers on the internet the device communicates with. Therefore, we need to filter out the legitimate traffic and look for anything that appears strange. The PiRogue comes prepackaged with Suricata, a well-known intrusion detection tool. Suricata uses detection rules provided by security companies such as ProofPoint: text files containing rules for detecting specific threats. The PiRogue updates these rules daily and feeds them to Suricata for enhanced threat detection.

Note

Please note that Suricata is designed to detect threats that are already known. However, it’s important to understand that the absence of alerts does not guarantee that no malicious activity has occurred.

However, it is important to acknowledge that relying solely on a conclusion generated by a tool may not be entirely reliable, particularly if we suspect that the device itself has been compromised. In such cases, it becomes crucial to consider the context in which we are operating and evaluate our threat model. As a result, conducting network analysis becomes essential.

In the upcoming section, we will delve into the topic of analyzing network traffic using dedicated tools with PiRogue. If you find yourself less confident or experienced in performing the subsequent steps of network analysis, don’t hesitate to seek assistance. Below is a list of organizations that can offer support:

A quick refresher on networking concepts

Let’s dive into the fundamental building blocks of networking. In this section, we’ll explore key concepts like DNS and TCP, and get acquainted with the OSI model.

DNS (Domain Name System) acts as a translator, converting human-readable domain names into machine-readable IP addresses. For instance, when you type “pts-project.org” in your browser, DNS translates it into the corresponding IP address.

TCP (Transmission Control Protocol) is a reliable communication protocol that ensures data is delivered correctly and in the right order. It establishes a connection between two devices, breaks data into segments, and re-transmits lost segments if necessary.

The OSI model (Open Systems Interconnection) is a conceptual framework that divides networking into seven layers, each handling specific tasks:

  • Application layer: Handles user interactions and applications.
  • Presentation layer: Encodes and decodes data for transmission.
  • Session layer: Manages communication sessions between devices.
  • Transport layer: Ensures reliable data delivery (e.g., TCP).
  • Network layer: Routes data packets across networks.
  • Data link layer: Handles data transfer between nodes on the same network.
  • Physical layer: Transmits raw data bits over a physical medium.

Understanding these fundamental concepts will provide a solid foundation for analyzing network traffic.

Start the capture

Before connecting the mobile device to the PiRogue Wi-Fi network, apply the following steps:

  • Enable airplane mode
  • Disable mobile data and use Wi-Fi only
  • Disable VPN if possible

To begin capturing the network traffic, we need to connect the device to the PiRogue. If this is your first time connecting to the PiRogue, please refer to the first guide for instructions.

Throughout this period, we will be using the tool tcpdump to capture the network traffic. After a duration of 3 days, we will retrieve the file containing all the captured network traffic. This file is a PCAP file, which can be opened with tools like Wireshark.

Save the entire network traffic into a single file
sudo tcpdump -i wlan0 -w $(date +%Y%m%d%H%M)_capture.pcap

Now turn on the Wi-Fi connection of the device and connect to the PiRogue network. Next on your computer, open the PiRogue’s dashboard by going to http://<PiRogue IP address>:3000 with your Web browser. Use the dashboard to get an overview of the network flow and potential alerts.

Let it run for a few days (3 days) while continuing to use the device.

Why a few days? This is because malware and spyware often employ evasive tactics and strive to conceal their activities. Some of them communicate with remote servers only once or twice a day. By extending the duration of the capture, you enhance the likelihood of capturing relevant information.

Stop the capture and get the PCAP file

To stop the capture, press Ctrl + C on your keyboard. Then, retrieve the PCAP file from the PiRogue and save it on your computer by running the following command (replace example.pcap with the name of your capture file):

Copy the PCAP file from the PiRogue to the computer
scp pi@<PiRogue IP address>:~/example.pcap .

Analyzing captured traffic with Wireshark

Wireshark allows you to open and analyze data captured in PCAP (Packet Capture) files. Here’s how to use it:

  1. Open the PCAP File:

    • Launch Wireshark.
    • Go to File > Open.
    • Select your PCAP file (e.g., example.pcap).
  2. Explore the Capture: Wireshark displays captured packets with information like Time, Source, Destination, Protocol, Length, and Info.

  3. Filter Packets: Use the filter bar to focus on specific traffic:

    • Protocol: Filter by protocol (e.g., “tcp”, “udp”).
    • IP Address: Filter by source or destination IP address (e.g., “ip.addr == 192.168.2.1”).
    • Port: Filter by source or destination port number (e.g., “tcp.port == 8080”).
    • Keyword: Filter by keywords in the packet data (e.g., “http”).
  4. Analyze Packet Details: Double-click any packet to view its information in detail:

    • Packet Bytes: Raw bytes of the captured data.
    • Packet Details: The decoded packet, one expandable section per layer.
    • Protocol Header: Detailed information specific to the protocol used.
  5. Follow Conversation Flow: Right-click on a packet and select Follow > TCP Stream to view the entire conversation between two devices.
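The steps above are done by hand in Wireshark's GUI. As an added example (not part of the PiRogue guide or project), the script below does the same first pass programmatically: it parses a classic libpcap file as written by tcpdump -w, decodes Ethernet/IPv4/TCP/UDP headers, counts which remote hosts and ports the device contacted, lists the DNS names it queried, and mimics the "ip.addr ==" and "tcp.port ==" display filters from step 3. The PiRogue Wi-Fi subnet prefix 192.168.2. is an assumption taken from the filter example above, and the capture it runs on is constructed in the script itself (IPs from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24), so it runs offline; point parse_pcap at a real file's bytes to use it on your own capture.

```python
"""Minimal PCAP parser and traffic summary (added example, not PiRogue code).

Assumes a little-endian classic libpcap file (magic 0xa1b2c3d4) with
Ethernet link type, as tcpdump -w produces. Only IPv4 over Ethernet with
TCP or UDP is decoded; DNS query names are read from UDP port 53 traffic.
"""
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
LOCAL_PREFIX = "192.168.2."  # assumed PiRogue Wi-Fi subnet (matches the guide's 192.168.2.1)


def parse_pcap(data):
    """Yield (timestamp, raw_frame) for each record of a PCAP blob."""
    magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported capture format (expected little-endian pcap, Ethernet)")
    offset = 24  # size of the global header
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, offset)
        offset += 16
        yield ts_sec + ts_usec / 1e6, data[offset:offset + incl_len]
        offset += incl_len


def dns_query_name(payload):
    """Return the first question name of a DNS message (question names are never compressed)."""
    labels, pos = [], 12  # skip the 12-byte DNS header
    while pos < len(payload):
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length
    return ".".join(labels) or None


def decode_frame(frame):
    """Decode Ethernet/IPv4/{TCP,UDP} headers into a dict, or None if not IPv4."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    pkt = {"src": ".".join(map(str, frame[26:30])), "dst": ".".join(map(str, frame[30:34])),
           "proto": {6: "tcp", 17: "udp"}.get(proto, str(proto)),
           "sport": None, "dport": None, "dns_query": None}
    l4 = 14 + ihl
    if proto in (6, 17) and len(frame) >= l4 + 4:
        pkt["sport"], pkt["dport"] = struct.unpack_from("!HH", frame, l4)
    if proto == 17 and pkt["dport"] == 53:
        pkt["dns_query"] = dns_query_name(frame[l4 + 8:])  # UDP header is 8 bytes
    return pkt


def summarize(data):
    """Return (packets, remote_counter, dns_counter) for a PCAP blob.

    remote_counter keys are (destination IP, protocol, port) for flows leaving the
    local subnet: the first thing to eyeball for unfamiliar servers.
    """
    packets = []
    for _ts, frame in parse_pcap(data):
        pkt = decode_frame(frame)
        if pkt:
            packets.append(pkt)
    remotes, queries = Counter(), Counter()
    for p in packets:
        if p["src"].startswith(LOCAL_PREFIX) and not p["dst"].startswith(LOCAL_PREFIX):
            remotes[(p["dst"], p["proto"], p["dport"])] += 1
        if p["dns_query"]:
            queries[p["dns_query"]] += 1
    return packets, remotes, queries


def match_filter(packets, ip=None, port=None):
    """Equivalent of Wireshark's 'ip.addr == X' and 'tcp.port == N' display filters."""
    return [p for p in packets
            if (ip is None or ip in (p["src"], p["dst"]))
            and (port is None or port in (p["sport"], p["dport"]))]


# --- constructed sample capture (not real traffic) ---------------------------
def _ip(addr):
    return bytes(int(x) for x in addr.split("."))


def build_frame(src, dst, proto, sport, dport, payload=b""):
    """Build an Ethernet/IPv4/{TCP,UDP} frame; checksums are left zero (not verified here)."""
    if proto == 17:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    else:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 0, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, _ip(src), _ip(dst))
    return b"\xff" * 6 + b"\x00" * 6 + b"\x08\x00" + ip + l4


def dns_query(name):
    """Build a minimal DNS query for name (A record, IN class)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)


def build_pcap(frames):
    """Serialize frames into a little-endian PCAP blob, as tcpdump -w would write."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


SAMPLE_PCAP = build_pcap([
    build_frame("192.168.2.10", "192.168.2.1", 17, 50000, 53, dns_query("pts-project.org")),
    build_frame("192.168.2.10", "203.0.113.7", 6, 50001, 443),
    build_frame("203.0.113.7", "192.168.2.10", 6, 443, 50001),
    build_frame("192.168.2.10", "198.51.100.9", 6, 50002, 8080),
    build_frame("192.168.2.10", "192.168.2.1", 17, 50003, 53, dns_query("example.net")),
])

if __name__ == "__main__":
    packets, remotes, queries = summarize(SAMPLE_PCAP)
    print(f"{len(packets)} IPv4 packets decoded")
    for (dst, proto, port), n in remotes.most_common():
        print(f"  {dst:>15}  {proto}/{port:<5} {n} packet(s)")
    for name, n in queries.most_common():
        print(f"  DNS query {name} x{n}")
```

The summary is what you would otherwise build by hand with Statistics > Conversations and a "dns" filter: a short list of remote hosts and queried names that you can then check against the device owner's expected usage. Anything you cannot explain is a candidate for closer inspection with Follow > TCP Stream.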

Identifying anomalies and seeking expert help

Defining “strange or shady things” in network traffic depends heavily on your specific circumstances. It can encompass a wide range of activities, from suspicious behavior and unfamiliar IP addresses to potential malicious attacks. To effectively identify anomalies, it’s crucial to carefully consider your context and threat model.

Caution

We strongly advise individuals in vulnerable situations, including journalists, human rights defenders, activists targeted by governments, and victims of gender-based violence, to seek professional assistance with subsequent stages of network analysis.

For assistance, especially if you’re in a vulnerable situation, consider seeking support from network analysis experts. These organizations can analyze your PCAP file and provide the necessary guidance.

Going further

If you want to go further in network traffic analysis, you can check the following external resources:

and online courses: