Setting up a Raspberry Pi based IoT Testbed for Traffic Analysis

Over the past few months I have been using a Raspberry Pi to capture the dataflows from several IoT devices. To limit the number of devices involved, I used a standalone network with only my testbed devices connected to it. This blog post describes that setup and also a few helpful bits I discovered along the way. What it does not cover though is the initial setup of the Pi. The Pi foundation does a good job of covering the topic and if this is your first foray into the wonderful world of Pi then I suggest you start with the basics presented here. That being said, this tutorial is not at an advanced level at all and relative beginners should be able to follow it. The only gotcha here is that you have to use the same Linux distribution (or later) on the Pi as I have, which is Raspbian’s Stretch release. If you are a new user and am unsure about the release, just run this command to check your release version:

cat /etc/os-release

The top line of the result should read:

PRETTY_NAME=“Raspbian GNU/Linux 9 (stretch)”

If it does, or if the number following “GNU/Linux” is 9 or higher, then you are good to go. If this is not the case, please first install the latest Raspbian release either through a clean install as per the link presented above or by updating a current install as per this link.

Setting up the Standalone Network

First, as is always good form, we will ensure that our system is up to date by running:

sudo apt-get update
sudo apt-get upgrade

For the Pi to host a stand-alone network (via its Wi-Fi connection) and connect to an existing internet connected network (via its Ethernet port), we will have to make some modifications and install additional software. First we need to install Dnsmasq which handles DNS forwarding and includes a Dynamic Host Configuration Protocol (DHCP) server. DHCP assigns IP addresses (and other settings) on the fly and is a core component of our new setup. Since we are changing quite a few things we will need to stop the associated services. Run these three commands:

sudo apt-get install dnsmasq hostapd
sudo systemctl stop dnsmasq
sudo systemctl stop hostapd

Now we have to make sure that our changes have taken hold by rebooting the Pi.

sudo reboot

The next step is to assign a static IP address to the Wi-Fi port. To do this we will edit the dhcpcd.conf file. Run the following command to open the file in the Nano text editor:

sudo nano /etc/dhcpcd.conf

Now scroll down to the bottom of the file and add/ammend the following:

interface wlan0
    static ip_address=192.168.4.1/24
    nohook wpa_supplicant

On a side note, since we are minimising the number of “things” involved, the Pi’s internal wifi device is used. If you are using something else then the interface will not be wlan0 and you will have to run ifconfig to confirm the device name. With this done we can restart dhcpcd to setup the new wlan0 service:

sudo service dhcpcd restart

Now we have to edit the dnsmasq config file to set the IP range for the devices connecting to the Pi via Wi-Fi and also how long those IP addresses remain valid (called the lease time). Unfortunately the dnsmasq file contains a lot of potential settings which have all been commented out. You can simply add the new settings to the end of the file or delete the old contents and only retain the new settings. We will however, make a backup of the current file first and then create an entirely new file to edit.

sudo mv /etc/dnsmasq.conf /etc/OLDdnsmasq.conf

Now open a new config file:

sudo nano /etc/dnsmasq.conf

To set the IP range and lease time, add the following:

interface=wlan0
  dhcp-range=192.168.4.2,192.168.4.20,255.255.255.0,24h

This sets up wlan0 to provide IP addresses ranging from 192.168.4.2 to 192.168.4.20 valid (leased) for 24 hours.

With the DHCP server up and running we can now turn our attention to the access point. We have to edit the hostapd file by adding the settings listed below. Please remember that your network name and password should not have quotation marks around them and the password should be eight characters or more. Run:

sudo nano /etc/hostapd/hostapd.conf

Then add:

interface=wlan0
driver=nl80211
ssid=”NetworkName”
hw_mode=g
channel=7
wmm_enabled=0
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_passphrase=”password”
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP

No we need to make this the official system configuration by running:

sudo nano /etc/default/hostapd

Then scroll down in the file till you find #DAEMON_CONF and change it so it reads as follows:

DAEMON_CONF=”/etc/hostapd/hostapd.conf”

We are now ready to start the services up by running:

sudo systemctl start hostapd
sudo systemctl start dnsmasq

Lastly, we need to sort out the routing and iptables by running the following four commands. Start by running:

sudo nano /etc/sysctl.conf

Then uncomment (remove the “#”) from:

net.ipv4.ip_forward=1

Now mask our outbound traffic on the LAN connection by running:

sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Save the new iptables setup:

sudo sh -c “iptables-save > /etc/iptables.ipv4.nat”

Lastly we need to make sure that all our changes take effect when the Pi boots up. We can do this by editing rc.local which runs near the end of the boot sequence and initialises any background or permanent processes the user wants to set up. Run:

sudo nano /etc/rc.local

In rc.local, just above “exit 0”, add:

iptables-restore < /etc/iptables.ipv4.nat

Now we can reboot the Pi and should be good to go. To check that all is well you can simply use a mobile phone to connect to your network and SSH in from a computer. If SSH isn’t working, please check if it is enabled. On the Pi desktop you can find the setting under Applications Menue -> Preferences -> Raspberry Pi Configuration -> Interfaces.

Capturing traffic

Once our network is up and running, but before adding in the devices we want to monitor, we need to get our monitoring system up and running. This sequence is especially important if you are interested in device fingerprinting since IoT devices tend to reveal a lot during setup. The approach I used is to capture packets on the Pi using tcpdump before transferring them via SSH to a PC for analysis. The transfer and analysis processes are not covered here but for interest, I used winSCP to handle the SSH and Wireshark for the analysis.

Tcpdump is used to dump all, or some, of the traffic on a network into one or more files for later analysis. You can also run it live to see packets in real time, though that is not entirely useful here other than for troubleshooting. A detailed guided of tcpdump’s functionality can be found here, in the form of its manpage.

To install tcpdump, just run:

sudo apt-get install tcpdump

You can then check that all is well by observing some network traffic using the following command (you can use a mobile phone again to generate network traffic):

sudo tcpdump –i eth0

You will now see all the packets not just from the Pi but also the network it is connected to. To stop this just hit Ctrl + C. The next step is to constrain our packet capturing to only the data we want. In the above command we used –i to target the interface we wanted, but in truth we just want the wireless traffic on our new network, so we will use –i wlan0 instead. You can also constrain tcpdump to certain ports, timeframes and a whole host of other variables. These are covered in the manpage linked above. For our needs we will only specifiy wlan0, the period of capture in seconds (using –G) and where to save our capture files (using –w). The command, which you can run to test, looks as follows (it is case sensitive and one continues string):

sudo tcpdump -i wlan0 -G 21600 -w /home/pi/caps/dump-%Y-%m-%d_%H:%M:%S.pcap

This captures all the traffic over the wireless device for a period of 6 hours (recurring), then writes it to a filed named for the time and date of capture. Next we need to get this running in the background and from start up. For this we will use a script and rc.local. To make a script named networkcaps, run:

sudo nano networkcaps.sh

Then enter the following two lines:

#!/bin/sh
sudo tcpdump -i wlan0 -G 21600 -w /home/pi/caps/dump-%Y-%m-%d_%H:%M:%S.pcap

Once you saved and exited, you need to make the script executable by running:

sudo chmod –x networkcaps.sh

Simply adding such a process to rc.local will stall out the Pi and prevent it from booting. Instead, the command to run the script has to be followed by an ampersand. Open rc.local in your chosen editor:

sudo nano /etc/rc.local

Then add (above “exit 0”):

/home/pi/./networkcaps.sh &

After saving and exiting your setup should be complete. The ./ we added before the file name is used to execute it. You can reboot the Pi and it should automatically start capturing packets as a background process, ready for you to add your devices.