Beginner guide - How to capture and analyze a device's network traffic

License: CC-BY-SA

To begin, let’s explain first what we are doing here:

We will be using the PiRogue as a network router. A network router is a device that connects the devices in your home to the internet: as its name implies, it "routes" traffic between those devices and other networks, such as the internet. The PiRogue plays the same role as your ISP's router, one level down: it is plugged into your ISP's router with an Ethernet cable on one side and provides its own Wi-Fi network on the other, forwarding traffic from that Wi-Fi network to the internet.

Since the PiRogue is intended for analyzing potentially compromised devices, it also helps us isolate those devices from the rest of our network. To achieve this, we create a separate network in our lab, home, or hotel room: a device connected to the PiRogue's Wi-Fi network cannot see the other devices connected to your main network. This matters because malicious software running on a compromised device may try to spread to other devices on the same network. Keeping the potentially compromised device on its own network keeps it away from the rest of your infrastructure.

By dedicating a network to the device we want to analyze, we intercept the traffic of that device only. This removes the noise caused by other devices communicating on the network and lets us capture the complete traffic of the device under analysis: everything that goes through the Wi-Fi network created by the PiRogue, and nothing else.

In this guide, we assume that we have a dedicated Wi-Fi network provided by the PiRogue and a potentially compromised device.

When we start analyzing a potentially compromised device, we do not know what it is doing, and deeper investigation such as forensic analysis may be difficult. After approximately three days of capture, you can open the network traffic file with Wireshark and start examining it for anything unusual or suspicious. For example, if you are a journalist located in Colombia and your device is communicating with a server located in Russia or India, that may be a cause for concern. The profile of the person carrying the device determines what counts as expected traffic, and that is what lets you distinguish legitimate network traffic from suspicious traffic.

Three days' worth of network traffic can be overwhelming, because a device talks to a large number of servers on the internet. The approach is therefore to filter out the traffic you can explain as legitimate and concentrate on what remains and looks strange. To help with this, the PiRogue comes prepackaged with Suricata, a well-known intrusion detection engine. Suricata works from detection rules, text files describing how to recognize specific known threats, provided by security companies such as Proofpoint. The PiRogue downloads updated rules every day and feeds them to Suricata for enhanced threat detection.

Note

Please note that Suricata is designed to detect threats that are already known. However, it’s important to understand that the absence of alerts does not guarantee that no malicious activity has occurred.

However, a conclusion produced by a tool should not be relied on alone, particularly when we suspect that the device itself has been compromised. In such cases, the context in which we operate and our threat model have to be taken into account, which is why a manual network analysis remains essential.

In the upcoming section, we will look at analyzing network traffic with the dedicated tools on the PiRogue. If you are not confident or experienced enough to carry out the following steps of network analysis, do not hesitate to seek assistance. Below is a list of organizations that can offer support:

Start the capture

Before connecting the mobile device to the PiRogue Wi-Fi network, apply the following steps:

  • enable airplane mode
  • disable mobile data and use Wi-Fi only
  • disable VPN if possible

To begin capturing the network traffic, we need to connect the device to the PiRogue. If this is your first time connecting to the PiRogue, please refer to the first guide for instructions.

Throughout this period, we will use the tool tcpdump to capture the network traffic. After 3 days, we will retrieve the file containing all the captured network traffic. This is a PCAP file, which can be opened with tools like Wireshark. Run tcpdump inside a session that survives disconnection (for example a terminal multiplexer such as tmux or screen): if the SSH session that started it is closed, the capture stops with it.

Save the entire network traffic into a single file
sudo tcpdump -i wlan0 -w example.pcap
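The single tcpdump command above is fine for a short test, but a capture that has to run for three days has two practical problems: tcpdump is killed when the SSH session that started it is closed, and a single file grows without bound. The script below is an added example (not part of the PiRogue tooling) of how a practitioner would run the same capture detached from the terminal, with hourly file rotation and root privileges dropped once the interface is open. It assumes the Wi-Fi interface is wlan0 as above, that the pi user can run sudo, and that capture files go to ~/captures (all assumptions, adjust to your setup):

```shell
#!/bin/sh
# Long-running capture helper for the PiRogue (added example, not part of the PiRogue tooling).
# Assumptions: interface wlan0, a user with sudo rights, capture files in ~/captures.
IFACE="${IFACE:-wlan0}"
OUTDIR="${OUTDIR:-$HOME/captures}"

# Build the tcpdump command line:
#   -n       no name resolution (no extra DNS traffic generated by the PiRogue itself)
#   -Z user  drop root privileges once the interface is open, so the files belong to you
#   -G 3600  start a new file every hour instead of growing one file for three days
#   -w ...   file name pattern, expanded with strftime(3) at each rotation
capture_cmd() {
    printf 'tcpdump -i %s -n -Z %s -G 3600 -w %s/capture-%%Y%%m%%d-%%H%%M%%S.pcap' "$1" "$3" "$2"
}

start_capture() {
    mkdir -p "$OUTDIR"
    # nohup and & detach tcpdump from this terminal: an SSH disconnect no longer kills it
    nohup sudo sh -c "exec $(capture_cmd "$IFACE" "$OUTDIR" "$(id -un)")" \
        >"$OUTDIR/tcpdump.log" 2>&1 &
    echo $! >"$OUTDIR/tcpdump.pid"
    echo "capture running as pid $(cat "$OUTDIR/tcpdump.pid"); files in $OUTDIR"
}

stop_capture() {
    # SIGINT is what Ctrl + C sends: tcpdump flushes and closes the current file cleanly
    sudo kill -INT "$(cat "$OUTDIR/tcpdump.pid")" && rm -f "$OUTDIR/tcpdump.pid"
}

# Number of rotated files so far: a quick way to check the capture is still alive after a day
capture_file_count() {
    ls "$OUTDIR"/capture-*.pcap 2>/dev/null | wc -l | tr -d ' '
}

case "${1:-}" in
    start) start_capture ;;
    stop) stop_capture ;;
    status) echo "$(capture_file_count) capture files in $OUTDIR" ;;
    *) echo "usage: $0 start|stop|status" ;;
esac
```

Save it as capture.sh on the PiRogue, run "sh capture.sh start", check "sh capture.sh status" once a day, and run "sh capture.sh stop" instead of pressing Ctrl + C when you are done. Copy the rotated files to your computer with scp 'pi@<PiRogue IP address>:~/captures/*.pcap' . and, if you prefer a single file for Wireshark, merge them with mergecap -w example.pcap capture-*.pcap (mergecap is installed together with Wireshark).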

Now turn on the Wi-Fi of the device and connect it to the PiRogue network. Then, on your computer, open the PiRogue's dashboard by going to http://<PiRogue IP address>:3000 with your web browser. Use the dashboard to get an overview of the network flows and of potential alerts.

Let it run for a few days (3 days) while continuing to use the device normally.

Why a few days? Malware and spyware often employ evasive tactics and try to conceal their activity: some of them contact their remote servers only once or twice a day. A longer capture increases the likelihood of recording those connections.

Stop the capture and get the PCAP file

To stop the capture, press Ctrl + C on your keyboard. Then, retrieve the PCAP file from the PiRogue and save it on your computer by running the following command:

Copy the PCAP file from the PiRogue to the computer
scp pi@<PiRogue IP address>:~/example.pcap .

Get insights with the dashboard

Your PiRogue exposes a Grafana dashboard showing in real time the ongoing network connections, the security alerts and a few other pieces of information. Check the cheatsheet for the default user name and password of the dashboard.

Open your dashboard →

Depending on your network configuration, this link above may not work. If so, check how to get the IP address of your PiRogue in the previous section.

The default dashboard is composed of different panels, we will go through the main ones.

Data retention

The PiRogue keeps 5 days of history, data older than 5 days is automatically deleted.

General statistics

The general statistics panel of the PiRogue's dashboard

This panel displays various information:

  1. the number of different devices that have been connected to the PiRogue’s Wi-Fi network during the selected period of time
  2. the number of security alerts that have occurred during the selected period of time
  3. the amount of network traffic exchanged between connected devices and the Internet during the selected period of time
  4. the number of network flows that have occurred during the selected period of time
  5. the number of different domains that have been contacted during the selected period of time

World map

The world map panel of the PiRogue's dashboard

This panel displays the location of the different servers the connected devices have been communicating with during the selected period of time.

List of flows

The flows panel of the PiRogue's dashboard

This panel displays the different network flows that have occurred during the selected period of time:

  1. the time at which the flow started
  2. the category of traffic identified by NFStream
  3. the type of application that generated this flow
  4. the domain name of the contacted server
  5. the IP address of the source of the flow
  6. the IP address of the destination of the flow
  7. the country where the remote server is located
  8. the amount of network traffic associated with this flow

List of security alerts

The alert panel of the PiRogue's dashboard

This panel displays the different security alerts generated by Suricata that have occurred during the selected period of time:

  1. the time of the alert (click on it to get the details of the selected alert)
  2. the severity of the alert
  3. the type of threat associated with the alert
  4. the name of the rule corresponding to the alert
  5. the IP address of the source of the flow associated with the alert
  6. the IP address of the destination of the flow associated with the alert

See the captured traffic

Finally, on your computer, you can open the PCAP file with Wireshark:

Open the PCAP file with Wireshark
wireshark example.pcap

Now that we have the PCAP file containing the network traffic captured over the past few days and have opened it in Wireshark, it is time to search for any anomalies or “strange things”.

The definition of “strange or shady things” is highly context-dependent and relies on factors such as your profile, situation, and threat model. It can encompass anything from suspicious behavior and shady IP addresses to potential malicious attacks. Understanding the context and threat model is crucial in determining what should be examined or further analyzed.
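The dashboard and Suricata cover the known-bad side; for the "strange things" search described above, and for the once-or-twice-a-day connections mentioned under "Why a few days?", a practitioner usually starts from a per-destination summary rather than scrolling through packets. The script below is an added example, not part of the PiRogue tooling or of this guide's original content: it reads the PCAP written by tcpdump with the Python standard library only, counts new outbound connections per destination (TCP SYNs and UDP datagrams) coming from the PiRogue network, lists the rarest destinations first, and flags destinations contacted only a few times a day at a regular interval, which is what a beacon looks like. The device address 192.168.10.5, the network prefix 192.168.10., the thresholds and the embedded sample capture are constructed assumptions; point summarize() at example.pcap to get the same summary for a real capture:

```python
"""Offline PCAP triage: outbound destinations, rarest first, plus a beaconing hint."""
import socket
import statistics
import struct
from collections import defaultdict

def iter_packets(data):
    """Yield (timestamp, frame) from classic pcap bytes as written by tcpdump -w."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        e = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        e = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(e + "I", data[20:24])[0] != 1:  # link type 1 = Ethernet
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack(e + "IIII", data[off:off + 16])
        off += 16
        yield sec + usec / 1e6, data[off:off + incl]
        off += incl

def outbound_connection(frame, local_prefix):
    """Return (dst_ip, proto, dport) when the frame opens a new outbound connection
    (a TCP SYN without ACK, or any UDP datagram) from the local network, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # IPv4 over Ethernet only
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src = socket.inet_ntoa(frame[26:30])
    dst = socket.inet_ntoa(frame[30:34])
    if not src.startswith(local_prefix) or dst.startswith(local_prefix):
        return None  # inbound, or traffic that stays inside the PiRogue network
    l4 = frame[14 + ihl:]
    if proto == 6 and len(l4) >= 20 and (l4[13] & 0x12) == 0x02:  # SYN set, ACK clear
        return dst, "tcp", struct.unpack("!H", l4[2:4])[0]
    if proto == 17 and len(l4) >= 8:
        return dst, "udp", struct.unpack("!H", l4[2:4])[0]
    return None

def summarize(data, local_prefix="192.168.10."):
    """One row per destination: connection count, time span in hours and the
    coefficient of variation of the gaps between connections (0.0 = clockwork)."""
    times = defaultdict(list)
    for ts, frame in iter_packets(data):
        key = outbound_connection(frame, local_prefix)
        if key:
            times[key].append(ts)
    rows = []
    for (dst, proto, dport), ts in times.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps) if len(gaps) >= 2 else 0
        cv = round(statistics.pstdev(gaps) / mean, 2) if mean > 0 else None
        rows.append({"dst": dst, "proto": proto, "dport": dport, "count": len(ts),
                     "span_h": round((ts[-1] - ts[0]) / 3600, 1), "gap_cv": cv})
    rows.sort(key=lambda r: r["count"])  # rarest destinations first
    return rows

def beacon_candidates(rows, max_per_day=4, max_cv=0.2, min_span_h=24):
    """Destinations seen over at least a day, a few times a day, at regular intervals."""
    return [r for r in rows if r["span_h"] >= min_span_h and r["gap_cv"] is not None
            and r["gap_cv"] <= max_cv and r["count"] / (r["span_h"] / 24) <= max_per_day]

def build_sample_pcap(packets):
    """Constructed demo input (not a real capture): each packet is
    (ts, src, dst, proto, dport, tcp_flags), serialised as Ethernet/IPv4/TCP or UDP."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]  # global header
    for ts, src, dst, proto, dport, flags in packets:
        if proto == 6:
            l4 = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
        else:
            l4 = struct.pack("!HHHH", 40000, dport, 8, 0)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
        frame = b"\x00" * 12 + b"\x08\x00" + ip + l4
        out.append(struct.pack("<IIII", int(ts), 0, len(frame), len(frame)) + frame)
    return b"".join(out)

T0, SYN, ACK, SYNACK = 1_700_000_000, 0x02, 0x10, 0x12
SAMPLE_PCAP = build_sample_pcap(
    # suspicious: one TLS connection to the same host every 12 hours, for 2.5 days
    [(T0 + k * 43200, "192.168.10.5", "203.0.113.7", 6, 443, SYN) for k in range(6)]
    # the server's SYN-ACK and the device's later ACK are not new connections
    + [(T0 + 1, "203.0.113.7", "192.168.10.5", 6, 443, SYNACK),
       (T0 + 2, "192.168.10.5", "203.0.113.7", 6, 443, ACK)]
    # ordinary bursty browsing to another host
    + [(T0 + d, "192.168.10.5", "198.51.100.20", 6, 443, SYN)
       for d in (0, 120, 900, 4000, 4100, 20000, 50000, 200000)]
    # DNS to the PiRogue itself stays on the local network and is ignored
    + [(T0 + 3, "192.168.10.5", "192.168.10.1", 17, 53, 0)])

if __name__ == "__main__":  # for a real file: summarize(open("example.pcap", "rb").read())
    rows = summarize(SAMPLE_PCAP)
    for r in rows: print(r)
    print("beacon candidates:", [r["dst"] for r in beacon_candidates(rows)])
```

A regular interval alone is not proof of compromise (update checkers and push services beacon too) and malware can randomize its timing, so treat the flagged list as a triage starting point to take to Wireshark and to the people you ask for help, not as a verdict.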

To assist in this process, we recommend seeking support from experts who possess the necessary experience and knowledge to identify unusual patterns in network traffic. You can share the PCAP file with these organizations, as they are capable of providing the required support.

Caution

We strongly urge individuals in vulnerable situations, including journalists, human rights defenders, activists targeted by governmental actors, as well as women and queer people experiencing gender-based violence from partners or their communities, to seek assistance with the subsequent stages of network analysis.

Going further

If you want to go further in network traffic analysis, you can check the following external resources:

and online courses: