Home network traffic analysis with a Raspberry Pi 3 and Ntop

I had a Raspberry Pi lying around for some time without serving any real purpose, and so was a NetGear switch [1]. So I decided on a weekend project: implementing traffic analysis on my home network.

I have a PPPoE connection to my ISP that terminates on my home router [2]. The router provides both wired and Wi-Fi connectivity. As with most people, very few of my devices connect to the router over an Ethernet cable; most are Wi-Fi capable. This makes traffic monitoring a bit of a problem on the LAN side, as there is no single wired segment that carries all of the traffic.

To get around this, I decided to put the traffic monitor on the WAN side of the router, where everything going to and from the Internet crosses a single Ethernet link.

The following figure shows the connectivity.

[Figure: network connectivity diagram]

Tapping the WAN side with port mirroring

The NetGear GS105E switch supports port mirroring. I used this to copy the traffic passing between the router and the ISP connection onto a third switch port, which is connected to the Raspberry Pi. All traffic monitoring happens on the Pi.


Monitoring tools

Once the traffic is available on the mirror port, I can run packet analyzers such as Wireshark, tshark and tcpdump on the Pi to inspect all the traffic between the router and the ISP. These tools give a live view of the packets entering and leaving my home network.

To monitor traffic over a longer period I used Ntop [3]. It aggregates the traffic and produces a nice analysis summary. I used the Raspbian [4] image for the Pi; ntopng can be installed easily from the ntop repository using apt.

Accessing the monitoring result

As the Gigabit port of the Pi is used to receive the mirrored traffic, the ntopng dashboard is accessed over the wlan0 interface. This keeps the monitored traffic separate from the monitoring traffic.


Adding ntopng to Grafana

The monitoring data from ntopng can also be exported to Grafana. A detailed walkthrough is available at

https://www.ntop.org/ntopng/ntopng-grafana-integration-the-beauty-of-data-visualizazion/

ntopng can even be run from a Docker container:

https://hub.docker.com/r/ntop/ntopng


References:

[1] https://www.netgear.com/support/product/GS105Ev2.aspx

[2] https://www.amazon.in/3G-4G-LTE-Router-Multi-WAN/dp/B00N0W4FTM

[3] https://www.ntop.org/products/traffic-analysis/ntop/

[4] https://www.raspberrypi.org/downloads/raspbian/

Published by Chandan Dutta Chowdhury, Software Engineer

8 thoughts on “Home network traffic analysis with a Raspberry Pi 3 and Ntop”

  1. Thanks for the post. The NetGear GS105E was exactly what I needed and a lot less expensive than a network tap. I am using the same approach on my network, with the addition of a second node between the firewall and the WAP. (Had to add another device.) The Pis are holding up nicely with very little load and power consumption. Fun stuff! Cheers!

  2. Interesting post. Have wanted to do something similar for a while. My traffic is about 50/50 wireless/Ethernet, but I did not want to split my router from Wi-Fi to tap the traffic there.

    Had considered taking the approach you have taken, but I thought the ISP PPPoE link was encrypted. Is this not the case?

    Thanks

      1. Thanks for the feedback Chandan. Travelling at the moment, but will give it a try when I'm back home.

  3. I know this is an older post, but I do have a question. Is your router performing NAT? If so, wouldn’t all of the network data captured between the modem and router show as a single IP address (your public IP)? I’m looking to set up something similar, as my network was recently taken over by a bot of sorts, but since my router, not my modem, is responsible for NAT, I do not believe this would be a viable solution.

    1. Yes, in my original setup my router (router + modem) used to do NAT, and this means I could see all traffic from my home network to the Internet as coming from one IP (the router's IP on the ISP side). But for me this shortcoming was not much of a problem, as I was more interested in knowing the destination of my Internet traffic.

      If you are interested in knowing the source of the Internet traffic on your LAN side, you have to monitor it before the NAT.

      Now I have a separate Ubiquiti router https://dl.ubnt.com/guides/edgemax/EdgeRouter_ER-X_QSG.pdf (without Wi-Fi, which connects to the ISP and does the NAT), while my Wi-Fi and wired LAN router just uplinks my home network to the Ubiquiti router connected to the ISP.

      I have not implemented external monitoring in this setup yet, as the Ubiquiti router's dashboard already provides some monitoring capability. But now it is possible for me to view both sides of the traffic if I tap and monitor the traffic between my Wi-Fi router and the Ubiquiti one.
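As an added example (not code from the original post), the Python script below turns a `tshark -T fields` dump taken on the mirror port, as described under "Monitoring tools", into per-remote-host byte counts, and makes the NAT limitation discussed in this reply visible: on a WAN-side tap every outbound packet carries the router's address as its source. The capture command, the WAN address 203.0.113.7 and the sample lines are constructed assumptions; run on a pre-NAT capture the same function would list the individual LAN hosts instead.

```python
# Added example (not from the original post): aggregate a tshark field dump taken
# on the mirror port into per-remote-host byte counts. Assumed capture command on
# the Pi's mirror-receiving interface:
#   tshark -i eth0 -T fields -e ip.src -e ip.dst -e frame.len
from collections import defaultdict

# Constructed sample output of that command. 203.0.113.7 stands in for the
# router's public (WAN) address; the remote hosts are documentation addresses.
# The last line is a frame with no IP header (e.g. a PPPoE control frame).
SAMPLE_DUMP = """\
203.0.113.7\t198.51.100.20\t1500
203.0.113.7\t198.51.100.20\t1500
198.51.100.20\t203.0.113.7\t66
203.0.113.7\t192.0.2.44\t120
192.0.2.44\t203.0.113.7\t1400
192.0.2.44\t203.0.113.7\t1400
\t\t60
"""
WAN_ADDR = "203.0.113.7"  # assumed router address on the ISP side


def parse_dump(text):
    """Yield (src, dst, frame_len) for each IP frame; skip frames without IP fields."""
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != 3 or not fields[0] or not fields[1]:
            continue
        yield fields[0], fields[1], int(fields[2])


def summarise(text, wan_addr):
    """Bytes sent to / received from each remote host, plus every source address
    seen sending towards the Internet (behind NAT this is only wan_addr)."""
    sent, received, local_sources = defaultdict(int), defaultdict(int), set()
    for src, dst, length in parse_dump(text):
        if dst == wan_addr:      # inbound: remote host -> router
            received[src] += length
        else:                    # outbound: whatever sits behind the tap -> remote host
            sent[dst] += length
            local_sources.add(src)
    return {"sent": dict(sent), "received": dict(received), "local_sources": local_sources}


if __name__ == "__main__":
    s = summarise(SAMPLE_DUMP, WAN_ADDR)
    for host, out in sorted(s["sent"].items(), key=lambda kv: -kv[1]):
        print(f"{host:>16}  out {out:>6} B  in {s['received'].get(host, 0):>6} B")
    # NAT hides the originating LAN hosts: only the router's address is ever seen.
    print("LAN-side source addresses seen:", sorted(s["local_sources"]))
```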
