This is a basic how-to for setting up tcpdump to passively monitor network traffic.
In this instance it runs on a Raspberry Pi with Raspbian Buster (version 10), capturing on a dedicated Ethernet interface, eth1.
Check the interface names first:
ifconfig
Promiscuous mode lets the adapter read all traffic on the wire that reaches it, even frames that are not addressed to it.
Back up dhcpcd.conf, then give eth1 a static address of 0.0.0.0 so it never requests a DHCP lease on the monitored segment (the file is root-owned, so the appends go through sudo tee):
sudo cp /etc/dhcpcd.conf /etc/dhcpcd.conf.bak
echo 'interface eth1' | sudo tee -a /etc/dhcpcd.conf
echo 'static ip_address=0.0.0.0' | sudo tee -a /etc/dhcpcd.conf
sudo reboot now
Create promisc.service file
sudo nano /etc/systemd/system/promisc.service
Paste this unit file into it:
[Unit]
Description=Put an interface in promiscuous mode during bootup
After=network.target
[Service]
Type=oneshot
ExecStart=/bin/ip link set eth1 promisc on
TimeoutStartSec=0
RemainAfterExit=yes
[Install]
WantedBy=default.target
To save: Ctrl+X, then Y, then Enter.
Reload systemd, enable the new service so it survives reboots, and start it:
sudo systemctl daemon-reload
sudo systemctl enable promisc
sudo systemctl start promisc
If tcpdump isn't already installed, install it:
sudo apt-get install tcpdump -y
Create the tcpdumpsvc.service file
sudo nano /etc/systemd/system/tcpdumpsvc.service
Paste the unit file into nano. Check that the ExecStart parameters match your setup (interface name and output path).
[Unit]
Description=Tcpdump service
After=network.target
[Service]
ExecStart=/usr/sbin/tcpdump -v -tttt -i eth1 -w /location/file -W 100 -C 1000
WorkingDirectory=/location
StandardOutput=inherit
StandardError=inherit
Restart=always
RestartSec=30
TimeoutSec=5
ExecStop=/bin/kill -s QUIT $MAINPID
[Install]
WantedBy=multi-user.target
To save: Ctrl+X, then Y, then Enter.
In that service file:
-i eth1 is the interface it captures from
-w /location/file is the file it writes captured packets to
-W 100 is the number of files to keep in the rotation; once the last one is full, tcpdump starts overwriting the oldest
-C 1000 is the maximum size of each file, in units of 1,000,000 bytes (not 1,048,576), so 1000 is roughly 1 GB per file and the full rotation is roughly 100 GB; make sure the disk holding /location has room for that
On Debian-derived systems such as Raspbian, tcpdump drops root privileges to the tcpdump user once the capture starts, so /location must be writable by that user or the switch to the next file in the rotation will fail with a permission error.
More information on tcpdump can be found at https://www.tcpdump.org/manpages/tcpdump.1.html
Like before, reload systemd, enable the new service so it survives reboots, and start it:
sudo systemctl daemon-reload
sudo systemctl enable tcpdumpsvc
sudo systemctl start tcpdumpsvc
Verify the service is running (the unit is named tcpdumpsvc, not tcpdump):
sudo systemctl status tcpdumpsvc
Capture files should now be appearing in /location.
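A small health check for the sensor built above, added here as an example rather than taken from the original how-to. It assumes the names used on this page (eth1, /location, tcpdumpsvc) as overridable defaults, reads the promiscuous bit straight from the kernel's interface flags, and confirms that tcpdump is still writing into the rotation.

```shell
#!/bin/sh
# Health check for the passive tcpdump sensor built above.
# Hypothetical defaults, override via environment:
#   IFACE  capture interface (page uses eth1)
#   CAPDIR directory given to -w (page uses /location)
#   UNIT   systemd unit name (page uses tcpdumpsvc)
IFACE="${IFACE:-eth1}"
CAPDIR="${CAPDIR:-/location}"
UNIT="${UNIT:-tcpdumpsvc}"

# IFF_PROMISC is bit 0x100 of /sys/class/net/<if>/flags.
# Arg: the flags word as the kernel prints it, e.g. "0x1103".
promisc_flag_set() {
    flags=$(printf '%d' "$1") || return 1
    [ $(( flags & 256 )) -ne 0 ]
}

# Same check on `ip link show <if>` output, whose flag list
# looks like <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP>.
promisc_in_iplink() {
    case "$1" in
        *"<"*PROMISC*">"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Count capture files in $1 modified within the last $2 minutes.
# tcpdump writes into the current file as traffic arrives, so a
# sensor that is actually seeing packets always reports >= 1.
recent_capture_count() {
    find "$1" -maxdepth 1 -type f -mmin "-$2" 2>/dev/null | wc -l | tr -d ' '
}

check_sensor() {
    rc=0
    if promisc_flag_set "$(cat /sys/class/net/"$IFACE"/flags 2>/dev/null)"; then
        echo "ok:   $IFACE is promiscuous"
    else echo "FAIL: $IFACE not promiscuous (check promisc.service)"; rc=1; fi
    if systemctl is-active --quiet "$UNIT"; then
        echo "ok:   $UNIT is active"
    else echo "FAIL: $UNIT is not active"; rc=1; fi
    n=$(recent_capture_count "$CAPDIR" 5)
    if [ "$n" -gt 0 ]; then
        echo "ok:   $n capture file(s) in $CAPDIR touched in the last 5 minutes"
    else echo "FAIL: nothing written to $CAPDIR in the last 5 minutes"; rc=1; fi
    return $rc
}

# `sh check_sensor.sh run` performs the live checks; sourcing only defines them.
if [ "${1-}" = "run" ]; then check_sensor; fi
```

Run it from cron or a monitoring agent and alert on a non-zero exit; a sensor that silently lost promiscuous mode or stopped rotating files is the failure you most want to notice.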
All Set