Beginner guide - How to capture and analyze device's network traffic

To begin, let’s explain first what we are doing here:

We will be using the PiRogue as a network router. A network router is a device that facilitates communication between the internet and the devices in your home that connect to the internet. As its name implies, it “routes” traffic between devices and other networks, such as the internet. The PiRogue functions similarly to your ISP’s router, allowing you to connect from one network to another by plugging it into the router using an Ethernet cable.

Since the PiRogue is intended for analyzing potentially compromised devices, it helps us separate those devices from the rest of our network. To achieve this, we will create a separate network in our lab, home, or hotel room. When we connect a potentially compromised device to the PiRogue’s Wi-Fi network, that device will not be able to see all the other devices connected to your network. This is important because when a device is compromised, there is a chance that any malicious software running on it will attempt to move and infect other devices connected to the same network. Therefore, we need to isolate the potentially compromised device from the rest of our network infrastructure and keep it away from other devices.

By creating a dedicated network to analyze a specific device, we can intercept network traffic solely from that device. This eliminates the noise caused by other devices communicating on the network and allows us to capture the network traffic from the device we want to analyze. We want to ensure that we capture the entire network traffic on this specific network, which is the WiFi network created by the PiRogue, without any interference from other devices.

In this guide, we assume that we have a dedicated Wi-Fi network provided by the PiRogue and a potentially compromised device.

When we want to analyze a potentially compromised device, we are uncertain about its activities, and further investigation, such as forensic analysis, may be challenging. After approximately three days, you can take your network traffic file and open it with Wireshark to start examining it for anything unusual or suspicious. For example, if you are a journalist located in Colombia and your device is communicating with a server located in Russia or India, it may raise concerns. Based on the profile of the person carrying this device, you will be able to mitigate risks and distinguish between legitimate network traffic and any suspicious traffic. Analyzing three days’ worth of network traffic can be overwhelming due to the significant amount of communication with various servers on the internet. Therefore, we need to separate the legitimate traffic from anything that appears strange. The PiRogue comes prepackaged with Suricata, a well-known intrusion detection engine. Suricata uses detection rules provided by security companies like Proofpoint; these are text files containing rules for detecting specific threats. The PiRogue updates these rules daily and feeds them to Suricata for enhanced threat detection.

Note

Please note that Suricata is designed to detect threats that are already known. However, it’s important to understand that the absence of alerts does not guarantee that no malicious activity has occurred.

However, it is important to acknowledge that relying solely on a conclusion generated by a tool may not be entirely reliable, particularly if we suspect that the device itself has been compromised. In such cases, it becomes crucial to consider the context in which we are operating and evaluate our threat model. As a result, conducting network analysis becomes essential.

In the upcoming section, we will delve into the topic of analyzing network traffic using dedicated tools with PiRogue. If you find yourself less confident or experienced in performing the subsequent steps of network analysis, don’t hesitate to seek assistance. Below is a list of organizations that can offer support:

A quick refresher on networking concepts

Let’s dive into the fundamental building blocks of networking. In this section, we’ll explore key concepts like DNS and TCP, and get acquainted with the OSI model.

DNS (Domain Name System) acts as a translator, converting human-readable domain names into machine-readable IP addresses. For instance, when you type “pts-project.org” in your browser, DNS translates it into the corresponding IP address.

TCP (Transmission Control Protocol) is a reliable communication protocol that ensures data is delivered correctly and in the right order. It establishes a connection between two devices, breaks data into segments, and re-transmits lost segments if necessary.

The OSI model (Open Systems Interconnection) is a conceptual framework that divides networking into seven layers, each handling specific tasks:

  • Application layer: Handles user interactions and applications.
  • Presentation layer: Encodes and decodes data for transmission.
  • Session layer: Manages communication sessions between devices.
  • Transport layer: Ensures reliable data delivery (e.g., TCP).
  • Network layer: Routes data packets across networks.
  • Data link layer: Handles data transfer between nodes on the same network.
  • Physical layer: Transmits raw data bits over a physical medium.

Understanding these fundamental concepts will provide a solid foundation for analyzing network traffic.

Start the capture

Before connecting the mobile device to the PiRogue Wi-Fi network, apply the following steps:

  • Enable airplane mode
  • Disable mobile data and use Wi-Fi only
  • Disable VPN if possible

To begin capturing the network traffic, we need to connect the device to the PiRogue. If this is your first time connecting to the PiRogue, please refer to the first guide for instructions.

During the capture, we will be using the tool tcpdump to record the network traffic. After a duration of 3 days, we will retrieve the file containing all the captured network traffic. This file is a PCAP file, which can be opened with tools like Wireshark.

Save the entire network traffic into a single file
sudo tcpdump -i wlan0 -w $(date +%Y%m%d%H%M)_capture.pcap

Now turn on the Wi-Fi connection of the device and connect to the PiRogue network. Next, on your computer, open the PiRogue’s dashboard by going to http://<PiRogue IP address>:3000 with your Web browser. Use the dashboard to get an overview of the network flows and potential alerts.

Let it run for a few days (3 days) while continuing to use the device.

Why a few days? This is because malware and spyware often employ evasive tactics and strive to conceal their activities. Some of them communicate with remote servers only once or twice a day. By extending the duration of the capture, you enhance the likelihood of capturing relevant information.

Stop the capture and get the PCAP file

To stop the capture, press Ctrl + C on your keyboard. Then, retrieve the PCAP file from the PiRogue and save it on your computer by running the following command:

Copy the PCAP file from the PiRogue to the computer (replace example.pcap with the name of your capture file)
scp pi@<PiRogue IP address>:~/example.pcap .

Get insights with the dashboard

Your PiRogue exposes a Grafana dashboard showing in real time the ongoing network connections, security alerts and a few other pieces of information. Check the cheatsheet to get the default username and password of the dashboard.

Open your dashboard →

Depending on your network configuration, this link above may not work. If so, check how to get the IP address of your PiRogue in the previous section.

The default dashboard is composed of different panels; we will go through the main ones.

Data retention

The PiRogue keeps 5 days of history; data older than 5 days is automatically deleted.

General statistics

The general statistics panel of the PiRogue's dashboard

This panel displays various information:

  1. the number of different devices that have been connected to the PiRogue’s Wi-Fi network during the selected period of time
  2. the number of security alerts that have occurred during the selected period of time
  3. the amount of network traffic exchanged between connected devices and the Internet during the selected period of time
  4. the number of network flows that have occurred during the selected period of time
  5. the number of different domains that have been contacted during the selected period of time

World map

The world map panel of the PiRogue's dashboard

This panel displays the location of the different servers the connected devices have been communicating with during the selected period of time.

List of flows

The flows panel of the PiRogue's dashboard

This panel displays the different network flows that have occurred during the selected period of time:

  1. the time at which the flow started
  2. the category of traffic that has been identified by NFStream
  3. the type of application that generated this flow
  4. the domain name of the contacted server
  5. the IP address of the source of the flow
  6. the IP address of the destination of the flow
  7. the country where the remote server is located
  8. the amount of network traffic associated with this flow

List of security alerts

The alert panel of the PiRogue's dashboard

This panel displays the different security alerts generated by Suricata that have occurred during the selected period of time:

  1. the time of the alert (if you click on it, you will get the details of the selected alert)
  2. the severity of the alert
  3. the type of threat associated with the alert
  4. the name of the rule corresponding to the alert
  5. the IP address of the source of the flow associated with the alert
  6. the IP address of the destination of the flow associated with the alert

Analyzing captured traffic with Wireshark

Wireshark allows you to open and analyze data captured in PCAP (Packet Capture) files. Here’s how to use it:

  1. Open the PCAP File:

    • Launch Wireshark.
    • Go to File > Open.
    • Select your PCAP file (e.g., example.pcap).
  2. Explore the Capture: Wireshark displays captured packets with information like Time, Source, Destination, Protocol, Length, and Info.

  3. Filter Packets: Use the filter bar to focus on specific traffic:

    • Protocol: Filter by protocol (e.g., “tcp”, “udp”).
    • IP Address: Filter by source or destination IP address (e.g., “ip.addr == 192.168.2.1”).
    • Port: Filter by source or destination port number (e.g., “tcp.port == 8080”).
    • Keyword: Filter by keywords in the packet data (e.g., “http”).
  4. Analyze Packet Details: Double-click any packet to view its information in detail:

    • Packet Bytes: Raw bytes of the captured data.
    • Packet Details: Summary of packet information.
    • Protocol Header: Detailed information specific to the protocol used.
  5. Follow Conversation Flow: Right-click on a packet and select Follow > TCP Stream to view the entire conversation between two devices.
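As an added example (not part of the original guide or of the PiRogue project), the following Python script does offline what the Wireshark steps above do by hand: it reads a tcpdump PCAP, keeps only traffic from the device to the Internet, and lists remote hosts that were contacted only once or twice a day over the capture, which is the low-frequency pattern the "Why a few days?" section describes. It assumes the PiRogue Wi-Fi network uses 192.168.2.x addresses (as in the filter example above) and the default microsecond, Ethernet-linktype PCAP format that tcpdump writes; the 3-day sample capture is constructed inline.

```python
import struct
DAY = 86400  # seconds

def parse_pcap(data):
    """Yield (ts, src, dst, proto, dst_port) for each IPv4 packet of a microsecond, Ethernet-linktype libpcap file."""
    endian = "<" if struct.unpack_from("<I", data, 0)[0] == 0xA1B2C3D4 else ">"
    if struct.unpack_from(endian + "I", data, 20)[0] != 1:
        raise ValueError("only Ethernet (LINKTYPE_ETHERNET) captures are handled")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        pkt = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":  # skip non-IPv4 frames (ARP, IPv6, ...)
            continue
        ihl, proto = (pkt[14] & 0x0F) * 4, pkt[23]
        dport = struct.unpack_from("!H", pkt, 16 + ihl)[0] if proto in (6, 17) and len(pkt) >= 18 + ihl else None
        yield ts_sec + ts_usec / 1e6, ".".join(map(str, pkt[26:30])), ".".join(map(str, pkt[30:34])), proto, dport

def summarize(data, local_prefix="192.168.2."):  # assumption: PiRogue hands out 192.168.2.x addresses
    """Group device -> Internet packets by remote IP: packet count, first/last seen and destination ports."""
    stats = {}
    for ts, src, dst, _proto, dport in parse_pcap(data):
        if not src.startswith(local_prefix) or dst.startswith(local_prefix):
            continue  # drop inbound and LAN-internal traffic
        s = stats.setdefault(dst, {"count": 0, "first": ts, "last": ts, "ports": set()})
        s["count"], s["first"], s["last"] = s["count"] + 1, min(s["first"], ts), max(s["last"], ts)
        s["ports"].add(dport)
    return stats

def rare_contacts(stats, max_per_day=2.0):
    """Remote hosts seen repeatedly over at least one day but at most max_per_day times per day: review candidates, not verdicts."""
    return sorted(ip for ip, s in stats.items() if s["count"] >= 2 and s["last"] - s["first"] >= DAY
                  and s["count"] / ((s["last"] - s["first"]) / DAY) <= max_per_day)

def _tcp_syn(src, dst, dport):  # constructed Ethernet/IPv4/TCP SYN frame; checksums left at zero
    ip4 = lambda a: bytes(int(x) for x in a.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, ip4(src), ip4(dst))
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 0x50, 0x02, 65535, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def build_pcap(records):  # constructed little-endian libpcap file from (ts, src, dst, dport) tuples
    frames = [(ts, _tcp_syn(s, d, p)) for ts, s, d, p in sorted(records)]
    body = b"".join(struct.pack("<IIII", int(ts), 0, len(f), len(f)) + f for ts, f in frames)
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + body

# Constructed 3-day sample: 203.0.113.7 is contacted once a day, 203.0.113.20 every 10 minutes.
SAMPLE = build_pcap([(d * DAY + 3600, "192.168.2.42", "203.0.113.7", 443) for d in range(3)]
                    + [(t * 600, "192.168.2.42", "203.0.113.20", 443) for t in range(3 * DAY // 600)]
                    + [(60, "192.168.2.42", "192.168.2.1", 53), (61, "203.0.113.20", "192.168.2.42", 443)])
```

On a real capture, call rare_contacts(summarize(open("example.pcap", "rb").read())) and then look up each listed IP in Wireshark with the ip.addr filter to see what was exchanged.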

Identifying anomalies and seeking expert help

Defining “strange or shady things” in network traffic depends heavily on your specific circumstances. It can encompass a wide range of activities, from suspicious behavior and unfamiliar IP addresses to potential malicious attacks. To effectively identify anomalies, it’s crucial to carefully consider your context and threat model.

Caution

We strongly advise individuals in vulnerable situations, including journalists, human rights defenders, activists targeted by governments, and victims of gender-based violence, to seek professional assistance with subsequent stages of network analysis.

For assistance, especially if you’re in a vulnerable situation, consider seeking support from network analysis experts. These organizations can analyze your PCAP file and provide the necessary guidance.

Going further

If you want to go further in network traffic analysis, you can check the following external resources:

and online courses: