High speed low cost home LAN monitor and capture setup

[Willie Trombone]

I'm going to set up a low cost packet capture and monitoring system on my home lan and wondered if anyone else has done this and what you've used.

I'll consider a SOHO device or low cost business level device but I'm thinking I'd rather DIY - it's more fun. Also, I don't want the device to interrupt or slow down traffic in any way.

Right now I have a B618 LTE router and use the WIfi on it so I'll have to turn that off and replace the WiFi function with something else - possibly a Mikrotik or Ubiquiti device.

My thinking is to have a tap just before the router. Obviously the device capturing / storing packets has to support the same Gigabit per second speed of the of the router. I'm not really interested in device to device comms - mostly internet in and out.

I'm also looking at software for monitoring and alerting - preferably something FOSS. Anyone have something good to recommend? This is mostly an educational exercise but also a security one.

 

[PsyWulf]

I'm going to set up a low cost packet capture and monitoring system on my home lan and wondered if anyone else has done this and what you've used.

I'll consider a SOHO device or low cost business level device but I'm thinking I'd rather DIY - it's more fun. Also, I don't want the device to interrupt or slow down traffic in any way.

Right now I have a B618 LTE router and use the WIfi on it so I'll have to turn that off and replace the WiFi function with something else - possibly a Mikrotik or Ubiquiti device.

My thinking is to have a tap just before the router. Obviously the device capturing / storing packets has to support the same Gigabit per second speed of the of the router. I'm not really interested in device to device comms - mostly internet in and out.

I'm also looking at software for monitoring and alerting - preferably something FOSS. Anyone have something good to recommend? This is mostly an educational exercise but also a security one.

Right path,put the Mikrotik between the LAN and WAN,set up port replication to a tertiary port,slap a Raspberry PI in as a network tap on the replicated port,USB network adapter bridged to the LAN to access your tap information

Also no real need for Gigabit,you won't be getting gigabit internet for a while on LTE

 

[HavocXphere]

Ignoring the obvious "Why?" yeah you'll have to split it into two devices if you want device to device filtered out. Else you could tap straight into the wifi via promiscuous mode from near any *nix device.

I'm also looking at software for monitoring and alerting - preferably something FOSS.

Not sure how this would be different from a FW like Smoothwall/iptables etc? Doesn't capture the traffic to disk but seems more conducive to monitoring & alerting.

Obviously the device capturing / storing packets has to support the same Gigabit per second speed of the of the router.

Lowest common denominator will be the max throughput of the LTE link so that's what you need as a minimum

Plus you'd need a high speed device with lots of storage if you really want to store all this...:wtf:

 

[Willie Trombone]

Right path,put the Mikrotik between the LAN and WAN,set up port replication to a tertiary port,slap a Raspberry PI in as a network tap on the replicated port,USB network adapter bridged to the LAN to access your tap information

Also no real need for Gigabit,you won't be getting gigabit internet for a while on LTE

Sure - definitely 100Mbps is the max I'm getting on my LTE, but I assumed there may also be some buffering on the outbound traffic side. As long as the tap / pi can handle all the traffic and not drop anything, it's cool. I may have a 1Gbps USB adapter connect to the Mikrotik instead - I should get more than 200Mbps on the tap at least that way which should be plenty.

 

[Willie Trombone]

Ignoring the obvious "Why?" yeah you'll have to split it into two devices if you want device to device filtered out. Else you could tap straight into the wifi via promiscuous mode from near any *nix device.

I have 4 other WiFi devices and a LAN so that won't work, hence I have to disable the router's WiFi.

Not sure how this would be different from a FW like Smoothwall/iptables etc? Doesn't capture the traffic to disk but seems more conducive to monitoring & alerting.

I want something more sophisticated for DPI. I like both of those but I want to capture packets for ad-hoc inspection in retrospect if necessary.

Lowest common denominator will be the max throughput of the LTE link so that's what you need as a minimum

Plus you'd need a high speed device with lots of storage if you really want to store all this...:wtf:

Well, It'll rotate - can't be much more than my camera system which stores a week on a 500Gb drive.

 

[PsyWulf]

Sure - definitely 100Mbps is the max I'm getting on my LTE, but I assumed there may also be some buffering on the outbound traffic side. As long as the tap / pi can handle all the traffic and not drop anything, it's cool. I may have a 1Gbps USB adapter connect to the Mikrotik instead - I should get more than 200Mbps on the tap at least that way which should be plenty.

As a play project,the pi suffices on 100mbps for older gen 2/3,as do the older MT RBxxx units with 100mbps ports

If you start requiring 1gbps on the tap and monitoring side your costs increase by orders of magnitude:
The Mikrotik and pi need to be high(er) spec to keep up with demand significantly or you'll be bottlenecking

 

[Willie Trombone]

As a play project,the pi suffices on 100mbps for older gen 2/3,as do the older MT RBxxx units with 100mbps ports

If you start requiring 1gbps on the tap and monitoring side your costs increase by orders of magnitude:
The Mikrotik and pi need to be high(er) spec to keep up with demand significantly or you'll be bottlenecking

I have a 3B lying around (Pi). Just need to decide on the Mikrotik. What about a passive tap, AKA throwing star instead of a Mikrotik device? Looks just fine - no repeating at all. Obviously limited to 100Mbps. I will have to switch the router LAN to 100Mbps.

 

[PsyWulf]

I have a 3B lying around (Pi). Just need to decide on the Mikrotik. What about a passive tap, AKA throwing star instead of a Mikrotik device? Looks just fine - no repeating at all. Obviously limited to 100Mbps. I will have to switch the router LAN to 100Mbps.

Nifty little device,should do the job as a pure tap
(Can pick up a Mikrotik between R300 and R900 that has a whole bunch of other possible uses ofc)

 

[Willie Trombone]

Nifty little device,should do the job as a pure tap
(Can pick up a Mikrotik between R300 and R900 that has a whole bunch of other possible uses ofc)

Yeah, and it should work if I ever need to do the same thing on a faster connection with another device capturing in future I guess. I'll have a look around. Thanks!