To record the Ethernet traffic between two devices as a man-in-the-middle I used an Orange Pi R1, which has two Ethernet ports.
It was running Armbian, a Debian-based system, but any Debian should work. The Armbian default login is root/1234; change it before you put the tap on a network you do not fully control.
Bridge Ethernet Ports
Install the bridge tools on the Orange Pi: aptitude install bridge-utils -y
Create the network bridge by extending /etc/network/interfaces (nano /etc/network/interfaces) with the two interfaces you want to bridge:
Then restart and verify the changes with
Wireshark Remote Capture
Install tcpdump on your Orange Pi: aptitude install tcpdump -y
On your PC, pipe the captured packets over SSH straight into Wireshark (root@<orange-pi> is a placeholder for the tap's address):
ssh root@<orange-pi> tcpdump -U -s0 'not port 22' -i eth0 -w - | wireshark -k -i -
The 'not port 22' capture filter keeps the SSH session that carries the capture out of the capture itself; without it, every packet sent to Wireshark would be captured again and the stream would grow without bound. It also hides any SSH traffic between the two monitored devices, so narrow it to your PC's address (for example 'not (host <pc-ip> and port 22)') if you need to see that. -U flushes each packet to the pipe immediately, -s0 captures full frames, and -w - writes pcap to stdout, which wireshark -k -i - reads and starts displaying at once. You can add further capture filters to the tcpdump command. tcpdump can also be replaced by tshark, which uses dumpcap.
Instead of persisting the bridge, a bash script can create it temporarily. While the bridge is being created the interfaces are down, so the link between the two devices is interrupted for a moment.
Alternative: Charles HTTP Proxy
When you only need to record HTTP and can change the device's network settings, point its HTTP proxy at your PC and inspect the traffic with Charles. To see HTTPS, install the Charles root certificate on the device so that it trusts the certificates Charles generates; apps that pin their certificates will still refuse the connection.
Bonus: Advertise SSH in mDNS (Bonjour)
For anyone who likes to find network devices with mDNS.
aptitude install avahi-daemon -y, then put the following service definition into a file in /etc/avahi/services/ (for example ssh.service; avahi-daemon reads every *.service file there). %h is replaced by the hostname. Keep in mind that advertising SSH makes the tap easy to find for everyone on the network, so the default root/1234 login must be changed first.
<?xml version="1.0" standalone='no'?><!--*-nxml-*-->
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
<service-group>
  <name replace-wildcards="yes">%h</name>
  <service>
    <type>_ssh._tcp</type>
    <port>22</port>
  </service>
</service-group>