For some time I have had issues doing captures: finding the elusive "spare laptop" you can use, making multiple trips out to the site to pick up the captures, or finding another NIC to put in it so you can connect remotely and copy the captures over the network, which takes up two switch ports. Overall it's just a lousy situation. Recently I came up with a solution in the form of a Raspberry Pi using only its built-in NIC. It is very easy to set up for very little money, but I haven't seen this idea anywhere, so I thought I would share it. On the Cisco side I set up an RSPAN monitor session and a trunk port; on the Linux side I enable 802.1q, capture on the RSPAN VLAN, and manage the Pi on the native VLAN, all through the one port.
The Cisco config is easy; all we have to do is set up the RSPAN VLAN (4000 in this example), a monitor session, and a trunk port for the Pi to capture on.
First set up the capture VLAN. On IOS this is an ordinary VLAN definition with the remote-span keyword added under it; that keyword is what makes the switch treat the VLAN as an RSPAN VLAN (no MAC learning, mirrored frames flooded to every port carrying it) rather than a normal data VLAN.
Then we configure the monitor session. One gotcha with RSPAN is that nothing stops you from adding, as a source, a port that your RSPAN VLAN is trunked down (an uplink to the switch that receives the session, or the capture port itself). The mirrored traffic then gets mirrored again, creating an infinite loop that will have a significant negative impact on your switch and on your day. So, make sure you know where this VLAN is going before you add sources.
monitor session 2 source interface Fa0/1 , Fa0/3 - 24
monitor session 2 source interface Gi0/1 - 2
monitor session 2 destination remote vlan 4000
Finally you set up the port the Pi is plugged into. In this case I am managing on VLAN 5, which is untagged on the trunk as the native VLAN, so the Pi's plain eth0 sees the management network and only the RSPAN VLAN arrives tagged. You might want to prune down the VLANs allowed on the trunk so that the only things leaving the port to the Pi are the native and the RSPAN VLAN (otherwise every VLAN on the switch is offered to the Pi), but I'll leave that up to you.
switchport trunk native vlan 5
switchport mode trunk
I'll be the first to admit my Linux skills are far from what some IT professionals would call excellent, so I'll welcome a better way to do this part if you have any suggestions. For the OS I used Raspbian, the Debian build for the Pi. After getting the OS installed I just ran the commands below.
Needed for 802.1q:
sudo apt-get install vlan
Install the packet capture software:
sudo apt-get install tcpdump
Create the vlan 4000 sub-interface:
sudo ip link add link eth0 name eth0.4000 type vlan id 4000
Bring the vlan 4000 sub-interface up:
sudo ip link set eth0.4000 up
Then, to make the sub-interface persist across reboots, I added the following stanza to /etc/network/interfaces:
iface eth0.4000 inet dhcp
After that I was able to find the DHCP binding of the Pi on the management VLAN, SSH into it, and run the following command:
sudo tcpdump -B 16096 -i eth0.4000 -C 25 -W 800 -w file-name &
This starts a circular buffer on the RSPAN VLAN (4000) of 800 files, each 25 MB in size. Note that -C counts units of 1,000,000 bytes, so a full ring is about 20 GB; make sure the SD card or attached storage can actually hold that. Due to the Pi's lack of speed I also found it needed a larger capture buffer than the default; -B is in KiB, so 16096 is roughly 16 MB, which worked for my needs. The & puts tcpdump in the background, but on its own that does not protect it from the SIGHUP the shell forwards when the SSH session dies; prefix the command with nohup, or run it inside screen or tmux, if you want the capture to survive a dropped connection.
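The following script is an added example, not code from the original post, that pulls the switch-side config (the RSPAN VLAN, monitor session and pruned trunk described above) and the Pi-side steps (VLAN sub-interface, persistent interfaces stanza, disk check, capture under nohup) together so both sides are generated from one set of VLAN numbers. It assumes, hypothetically, that the Pi hangs off Fa0/2 (the one port the post's source list skips), that captures go to /var/tmp/rspan, that a `--apply` flag is used to run the privileged steps on the Pi, and that tcpdump is Debian's build, which drops to the `tcpdump` user after opening the interface; none of those are stated on the page. It also departs from the post in one place: the sub-interface gets `inet manual` rather than `inet dhcp`, so the Pi never transmits DHCP into the VLAN it is supposed to be silently listening on.

```shell
#!/bin/bash
# Added example, not code from the original post. Keeps the switch side and
# the Pi side of the RSPAN-to-Pi setup consistent from one set of values.
# Hypothetical assumptions (not stated on the page): the Pi is on Fa0/2, the
# ring buffer lives in /var/tmp/rspan, and tcpdump is Debian's build, which
# drops to the "tcpdump" user after opening the interface.
set -eu

RSPAN_VLAN=4000          # destination VLAN of the monitor session
NATIVE_VLAN=5            # management VLAN, untagged on the trunk to the Pi
PI_PORT="Fa0/2"          # assumption: switch port the Pi is plugged into
RAW_DEV="eth0"           # the Pi's only NIC
CAP_DIR="/var/tmp/rspan" # assumption: where the ring buffer is written
FILE_MB=25               # tcpdump -C: file size in units of 1,000,000 bytes
FILE_COUNT=800           # tcpdump -W: number of files in the ring
BUF_KIB=16384            # tcpdump -B is in KiB; 16 MiB, as on the page

# Switch side. The VLAN must carry "remote-span" to be an RSPAN VLAN, and the
# trunk to the Pi is pruned so only the management and RSPAN VLANs leave it.
# The Pi's port is deliberately absent from the source list: a source port
# that also carries the RSPAN VLAN mirrors the mirror and loops.
switch_config() {
  cat <<EOF
vlan $RSPAN_VLAN
 remote-span
!
monitor session 2 source interface Fa0/1 , Fa0/3 - 24
monitor session 2 source interface Gi0/1 - 2
monitor session 2 destination remote vlan $RSPAN_VLAN
!
interface $PI_PORT
 switchport trunk native vlan $NATIVE_VLAN
 switchport trunk allowed vlan $NATIVE_VLAN,$RSPAN_VLAN
 switchport mode trunk
EOF
}

# Pi side: persistent /etc/network/interfaces stanza for the tagged
# sub-interface. "inet manual" instead of "inet dhcp": the Pi should only
# listen on the RSPAN VLAN, and a DHCP DISCOVER sent there is flooded to every
# port in that VLAN and lands in your own capture. Management (and DHCP)
# stays on the untagged native VLAN via plain eth0.
vlan_stanza() {
  cat <<EOF
auto $RAW_DEV.$RSPAN_VLAN
iface $RAW_DEV.$RSPAN_VLAN inet manual
    vlan-raw-device $RAW_DEV
    up ip link set \$IFACE up
    down ip link set \$IFACE down
EOF
}

# Bytes a full ring occupies: -C counts 1,000,000-byte units, not MiB.
ring_bytes() { echo $(( $1 * 1000000 * $2 )); }

# Refuse to start if the filesystem under $1 cannot hold a complete ring;
# an SD card filling up mid-capture is the failure mode to avoid.
check_space() {
  local need avail
  need=$(ring_bytes "$FILE_MB" "$FILE_COUNT")
  avail=$(( $(df -Pk "$1" | awk 'NR==2 {print $4}') * 1024 ))
  [ "$avail" -ge "$need" ]
}

# The capture command. nohup plus redirects: a bare "&" still dies from the
# SIGHUP the shell forwards when the SSH session drops. -Z names the user
# tcpdump drops to; the ring files are created after that drop, so CAP_DIR
# must be writable by that user.
capture_cmd() {
  echo "nohup tcpdump -i $RAW_DEV.$RSPAN_VLAN -B $BUF_KIB -C $FILE_MB" \
       "-W $FILE_COUNT -Z tcpdump -w $CAP_DIR/rspan.pcap" \
       "</dev/null >$CAP_DIR/tcpdump.log 2>&1 &"
}

# Privileged steps, run on the Pi as root with "--apply"; everything above
# can be exercised without root.
apply() {
  apt-get install -y vlan tcpdump
  ip link show "$RAW_DEV.$RSPAN_VLAN" >/dev/null 2>&1 ||
    ip link add link "$RAW_DEV" name "$RAW_DEV.$RSPAN_VLAN" type vlan id "$RSPAN_VLAN"
  ip link set "$RAW_DEV.$RSPAN_VLAN" up
  grep -q "iface $RAW_DEV.$RSPAN_VLAN " /etc/network/interfaces ||
    vlan_stanza >> /etc/network/interfaces
  install -d -o tcpdump -g tcpdump "$CAP_DIR"
  check_space "$CAP_DIR" ||
    { echo "$CAP_DIR cannot hold $(ring_bytes "$FILE_MB" "$FILE_COUNT") bytes" >&2; exit 1; }
  eval "$(capture_cmd)"
}

if [ "${1:-}" = "--apply" ]; then
  apply
else
  switch_config   # default: print the matching switch config to paste into IOS
fi
```

Run it with no arguments anywhere to print the IOS config for the switch, and as root on the Pi with `--apply` to do the Linux side. Two platform caveats: on IOS switches that also support ISL (3560/3750 class) the trunk needs `switchport trunk encapsulation dot1q` before `switchport mode trunk`, and if your tcpdump was not built to drop privileges, the `-Z tcpdump` option and the directory ownership are unnecessary but harmless.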