To record Ethernet traffic between two devices (man-in-the-middle) I used an Orange Pi R1, which has two Ethernet ports.

It was running Armbian (a Debian-based system), but any Debian should work. The Armbian default login is root/1234.

Orange Pi R1

Bridge Ethernet Ports

Install the bridge tools: aptitude install bridge-utils -y.

Create the network bridge by extending /etc/network/interfaces (nano /etc/network/interfaces) with the two interfaces you want to bridge:

auto br0
iface br0 inet dhcp
    bridge_ports eth0 enxc0742bffed92

Then reboot. Verify the bridge with brctl show.

Wireshark Remote Capture

Install tcpdump on your Orange Pi: aptitude install tcpdump -y.

On your PC you pipe the captured packets directly into Wireshark:

ssh root@orangepi.fritz.box tcpdump -U -s0 'not port 22' -i eth0 -w - | wireshark -k -i -

You can add capture filters to the tcpdump command (the 'not port 22' filter above keeps the SSH session that carries the capture back to your PC out of the capture itself). tcpdump can also be replaced by tshark, which uses dumpcap.
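A small wrapper around the pipeline above, added here as an example and not part of the original post. Its point is the capture filter: 'not port 22' also hides SSH traffic of the devices you are tapping, so the wrapper excludes only the SSH session between the Pi and your PC and ANDs in an optional user filter. The names capture_filter, remote_capture, DRY_RUN, the PC address and the bridge interface br0 are assumptions for this example.

```shell
#!/bin/sh
# Added example, not the original post's code. Composes a tcpdump capture
# filter that drops only the capture's own SSH transport, then runs the
# ssh | tcpdump | wireshark pipeline from the post.

# capture_filter PC_IP [USER_FILTER]
# Prints a filter that excludes the SSH session to PC_IP (the one carrying the
# capture) while keeping SSH traffic of the devices under test. If a user
# filter is given it is ANDed in, parenthesised.
capture_filter() {
    pc_ip=$1
    user_filter=$2
    f="not (host $pc_ip and port 22)"
    if [ -n "$user_filter" ]; then
        f="$f and ($user_filter)"
    fi
    printf '%s\n' "$f"
}

# remote_capture PI_HOST PC_IP CAP_IF [USER_FILTER]
# Streams packets from CAP_IF on the Pi into a local Wireshark. Capturing on
# the bridge interface (br0) sees both bridged ports. With DRY_RUN=1 the
# pipeline is only printed, so it can be checked without a Pi on the network.
remote_capture() {
    pi_host=$1
    pc_ip=$2
    cap_if=$3
    user_filter=$4
    filter=$(capture_filter "$pc_ip" "$user_filter")
    cmd="ssh root@$pi_host tcpdump -U -s0 -n -i $cap_if -w - '$filter' | wireshark -k -i -"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$cmd"
    else
        # ssh joins its arguments into one remote command line, so the
        # single-quoted filter reaches tcpdump as a single argument.
        ssh "root@$pi_host" tcpdump -U -s0 -n -i "$cap_if" -w - "'$filter'" | wireshark -k -i -
    fi
}

# Usage (placeholder addresses):
#   DRY_RUN=1 remote_capture orangepi.fritz.box 192.168.178.20 br0 'tcp port 80'
```

-n keeps tcpdump from doing reverse DNS lookups, which would otherwise generate extra traffic from the tap itself and show up in the capture.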

tcpdump examples

tcpdump -s0 -n host <router IP> -w upgrade.pcap -i any
tcpdump 'tcp port 80'
tcpdump 'not broadcast'
tcpdump 'host barney'
tcpdump 'host not barney'
tcpdump 'host durer and tcp'
tcpdump 'host vectra and port 23'
tcpdump -i eth0 'host 10.10.1.1'
tcpdump -n 'broadcast and multicast'
tcpdump 'udp port 123' # filter NTP
tcpdump '(port 67 or port 68)'
tcpdump 'dst host 192.168.1.1 and (dst port 80 or dst port 443)'

Temporary bridge

Instead of persisting the bridge, a bash script can create it temporarily. While the bridge is being created, the interfaces will be down.

#!/bin/bash
# create the bridge and attach the two Ethernet ports
brctl addbr br0
brctl addif br0 eth0
brctl addif br0 enxc0742bffed92
ifconfig br0 up

# give br0 a static IP
ifconfig br0 192.168.100.5 netmask 255.255.255.0

# or tell br0 to get a DHCP IP
# dhclient br0

Alternative: Charles the HTTP Proxy

When you only need to record HTTP and have access to the device's network settings, you can proxy the HTTP traffic through your PC and inspect it with Charles. Install the Charles certificate on the device to capture HTTPS.

Bonus: Advertise SSH in mDNS (bonjour)

For anyone who likes to find network devices via mDNS.

aptitude install avahi-daemon -y

nano /etc/avahi/services/ssh.service

<?xml version="1.0" standalone='no'?><!--*-nxml-*-->
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
<service-group>
  <name replace-wildcards="yes">%h</name>
  <service>
     <type>_ssh._tcp</type>
     <port>22</port>
  </service>
</service-group>