When two industry Giants work together and TEST for you - The Customer (by Tim O'Neill)
The Physical Side Of Networking (By Tony Fortunato)

Mike's Pi Project: Part 1 (by Mike Pennachi)

Mike's Pi Project : Part 1

While teaching a class at Interop in Las Vegas a couple of years ago, I was talking about how I had used a number of DLink DIR-601 routers with OPEN-WRT to troubleshoot some problems.  One of the students asked why I wasn’t using the Raspberry Pi.  When I got back to the office, I started to find a place where I could buy the Raspberry Pi.  I bought 5 of them and they sat in the boxes for a while.  Now that I am putting effort into making them useful, I thought I would document these efforts to share with others.  I am far from a Linux expert.  If while reading this you know of a better way to accomplish the same task, please let me know!

I hope you find this Pi application useful.


The purpose of this project is to explore the use of the Raspberry Pi as a network monitoring and troubleshooting tool.  The Raspberry Pi is an inexpensive ($35) computer that can be used for a variety of tasks.  Often times it is necessary to capture all of the network traffic to and from a device for troubleshooting purposes.  In this step by step document, I will go through how to turn the Raspberry Pi into a capture to disk appliance. 


Final PIGot Raspberry Pi ?

Building the Raspberry Pi


1)      Purchase a Raspberry Pi.  I have found a good source for the Raspberry Pi is http://www.newark.com/.  They usually have a good supply of boards and charge only $35 for the Model-B assembled board.  You will need to get a USB power supply, a case, and a SD card to complete the setup.

2)      You can purchase preloaded SD cards that contain the Raspberry Pi OS already installed.  While I did purchase these when I first started working with the Pi, I found it was easier and cheaper to install the OS on my own SD cards.

3)      If you do want to download the Raspbian image and install it yourself, go to http://www.raspberrypi.org/downloads and go down to the Raw Images.  Download the Win32DiskImager and the current Raspbian image .zip file.  Put the SD card in the SD slot of your computer and run the Disk Imager.

Pic 1

 4)      For some of the projects, we will be running the Raspberry Pi as a bridge.  This will allow us to tap inline between a device and the rest of the network.  The purpose here will be to either capture packets between the device and the network or configure the Raspberry Pi to act as a WAN emulator.  Since the Model-B Raspberry  Pi only has one Ethernet Interface, I am using a USB Ethernet Adapter.   Since I had some Linksys USB200M adapters laying around, I used them.  The Raspbian OS recognizes the device and seems to work well with this adapter.


 5)      During the initial startup of the Raspberry Pi, you can select whether you want to start up using the Desktop GUI or the command line interface.   For the purpose of network monitoring and troubleshooting, I chose to use the command line interface.

6)      Now that we have the Raspberry Pi setup, we can begin configuring it to use as a network monitoring and troubleshooting device.


 7)      Since many of the projects I am going to do involve using the Raspberry Pi as an inline device, we will begin by configuring the network interfaces to startup in bridge mode and get a DHCP address.  We will make changes to the /etc/network/interfaces file to:

  1. Create a bridge called br0
  2. Add eth0 and eth1 to this bridge
  3. Configure the bridge to get a DHCP address

 cd /etc/network

sudo nano interfaces

 Replace the contents of the interfaces file with the following:

auto br0
iface br0 inet dhcp
bridge_ports eth0 eth1
pre-up ifconfig eth0 up
pre-up ifconfig eth1 up
pre-up brctl addbr br0
pre-up brctl addif br0 eth0
pre-up brctl addif br0 eth1

post-down ifconfig eth0 down
post-down ifconfig eth1 down
post-down brctl delif br0 eth0
post-down brctl delif br0 eth1

post-down brctl delbr br0

8)      With the bridge in place, it does not matter which of the two interfaces is plugged into the switch and which is used to connect to the monitored device.  Running ifconfig on the Pi should show something similar to this:

br0       Link encap:Ethernet  HWaddr 00:1d:7e:01:04:95

          inet addr:  Bcast:  Mask:

          inet6 addr: fe80::21d:7eff:fe01:495/64 Scope:Link

          inet6 addr: 2001:470:1f05:55d:21d:7eff:fe01:495/64 Scope:Global


          RX packets:503 errors:0 dropped:1 overruns:0 frame:0

          TX packets:93 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:0

          RX bytes:34935 (34.1 KiB)  TX bytes:10903 (10.6 KiB)


eth0      Link encap:Ethernet  HWaddr b8:27:eb:e3:ea:42

          inet6 addr: fe80::ba27:ebff:fee3:ea42/64 Scope:Link


          RX packets:606 errors:0 dropped:3 overruns:0 frame:0

          TX packets:99 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:1000

          RX bytes:69415 (67.7 KiB)  TX bytes:12427 (12.1 KiB)


eth1      Link encap:Ethernet  HWaddr 00:1d:7e:01:04:95

          inet6 addr: fe80::21d:7eff:fe01:495/64 Scope:Link


          RX packets:0 errors:0 dropped:0 overruns:0 frame:0

          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:1000

          RX bytes:0 (0.0 B)  TX bytes:34677 (33.8 KiB)


9)      Our first project will be to turn the Pi into an in-line packet capturing device.  To do this, we must first install the command line version of Wireshark, tshark.

sudo apt-get install tshark

10)   I like to keep all of my tracefiles in a common location, so that it is easier to find them in the future.  To do this, I will create a directory under /usr called tracefiles.

cd /usr
sudo mkdir tracefiles

11)   Now it is time to capture.  The command below will cause the Pi to capture all of the packets seen on the bridge interface and write them to a ring buffer.  Over the years, I have found that a file size of 30-50 megabytes seems to work well.  The number of files you save will depend on the size of the SD card you have installed in the Raspberry Pi.  For this example I am going to save 60, 50 megabyte files.  This will save  the last 3 Gigabytes of data to go between the monitored device and the rest of the network.

sudo tshark –i br0 –b files:60 –b filesize:50000 –w /usr/tracefiles/capture.pcap

Each of the 60 files will begin with the prefix capture and have a .pcap extension.  As the files are created, a sequence number and time stamp will be added.


 12)   The last step is getting the trace files off of the Raspberry Pi.  There are a number of ways to do this, however for this project I decided to setup an SMB client on the Raspberry Pi.  This allows me to map to a CIFS share on a NAS drive.  It is important to remember, that if you are capturing while you are transferring the files, that transfer will be captured by the Raspberry Pi.  It is a good idea to either stop capturing packets while doing the transfer or setup a capture filter to exclude the traffic to and from the Raspberry Pi’s IP address.

 To install the SMB client:

 sudo apt-get install smbclient

 To map the drive, create a directory under the home drive for the pi user:

 cd /home/pi

mkdir sambashare

sudo mount –t cifs user=changeme,password=changeme //IP Address of NAS/sharename /home/pi/sambashare

 Copy the trace files to the share:

 cp /usr/tracefiles/*.pcap /home/pi/sambashare

 There are many ways to automate some of these tasks.  A cron job could be setup to upload the files on a schedule and delete them off of the Raspberry Pi.  There are scripts available to run tshark as a daemon and add it to the startup.  This would create a capture to disk device that will start automatically each time it is booted.

In the next segment Part 2, I will go through the steps to build a WAN emulator using this same basic setup.

Mike is also working on the more in this series of articles for posting here on Lovemytool.com -

Part 2 – Connecting to the Pi remotely.  I have been able to setup a Log Me In Hamachi VPN on the Pi, so that I can connect to it from anywhere in the world.

Part 3 – Turning the Pi into a WAN emulator

Part 4 – Using the Pi as a remote network monitoring node.  In this segment, I load Iperf and SmokePing on the Pi.  The Pi can then be put out in a wiring closet and used as a remote throughput endpoint and monitoring device.

Look for these articles to appear in the following months!

Mike-Headshot-20percentMike Pennacchi is owner of Network Protocol Specialists, a network analysis and training company based in Seattle, Washington. His company specializes in analyzing network performance problems for companies throughout the United States. He has taught at Interop since 1997 and has received the event's Instructor Award as highest ranking instructor several of those years. Mike brings his experience as a network analyst into the classroom and assists students in understanding how to fix problems in their own networks.

Oldcommguy comment - Mike is a very long time friend and in my opinion one of the top 10 professional network Guru's and trainers.