How to Build a Miniature Network Monitor Device

Collaboration between Greg Foss, Kjell Hedstrom, Dan Schatz-Miller, Michael Swisher, and Craig Cogdill

LogRhythm’s Network Monitor (NetMon) is a powerful forensics tool that allows organizations to capture, analyze, and alert on network data. Traditionally, NetMon is deployed on a blade server within an organization’s data center. However, there are many situations where a smaller, more tactical device is the optimal solution.

Network Monitor Freemium provides customers with a free and easy way to deploy NetMon on a small and compact system. This is ideal for the home network, branch offices, forensic go-kits, penetration testing drop boxes, and much more.

To demonstrate how to easily deploy NetMon we decided to build a miniature device ourselves.

Hardware

With the release of Network Monitor version 3 and the Freemium license, the hardware requirements have been scaled back significantly, to allow for installation on a diverse array of systems.

Network Monitor Requirements:

  • Intel x86 chipset
  • CPU/Processor: 2 cores (4 cores recommended)
  • Network interface controllers (NICs): 1 1Gbps NIC (2 1Gbps NICs recommended)
  • 60GB of storage (120GB+ recommended)
  • 4GB RAM (8GB recommended)

For this project, we went with the QOTOM-Q190G4—a small, portable, fanless, micro-PC. This is a Quad Core system that comes with a 2GHz CPU, 8GB RAM, four Ethernet ports, two USB ports, a VGA port, and two Wi-Fi NIC’s. The computer itself is passively cooled as the whole chassis is a heat-sink. This results in a silent solution that manages low temperatures under full load, currently selling for under $200 on Amazon. We think it is perfect for a home network or small satellite office.

Click on images to view larger.

Figure 1: Micro-PC Hardware Specifications

Figure 1: Micro-PC Hardware Specifications

The next piece of hardware required is the passive network tap. We went with the Throwing Star LAN Tap available from the Hak5 Shop. These small and simple network taps allow for monitoring of small 10BASE-T and up to 100BASE-TX networks. There are many other and more powerful ways to do this, but we went this route because we are primarily targeting the home network. In the future, we’d like to embed this functionality directly into the device.

Figure 2: Throwing Star LAN Tap

Figure 2: Throwing Star LAN Tap

Note that if you do use a passive tap, be aware that your maximum bandwidth will not be 1 Gb/s. Most passive taps can only split up to 500Mbps without significant loss of signal.

Alternatives

While the hardware mentioned above has been tested and works well, we also analyzed other hardware options. Nearly anything with comparable specs will work, including Intel NUC devices, old laptops or other hardware you might have at home.

Software

Now that the hardware is taken care of, we need to get the NetMon image flashed onto the device. This sounds a bit easier than it is, so follow along below to ensure a successful installation.

First, download NetMon Freemium here.

You can either burn the ISO file to disk and use an external CD ROM drive to install the software or copy the ISO.USB contents to the drive and use a USB to install NetMon.

In order to prepare the installation USB, begin by wiping the drive (OS X instructions below):

  • $ diskutil list
  • $ diskutil info
  • $ diskutil eraseDisk FAT32 NETMON MBRFormat /dev/

Once the drive has been wiped successfully, copy the contents of the ISO over to the USB and make the drive bootable. There are many ways to do this, so we’ll use (dd) on OS X for this example.

This can be done in the same way on Linux. However, if you’re creating the install media on a Windows machine, we recommend using Unetbootin.

Figure 3: Unetbootin ISO to USB Configuration

Figure 3: Unetbootin ISO to USB Configuration

Now that the drive is ready, boot the hardware to the USB drive and follow the instructions to install NetMon.

Initial Configuration and Testing

With NetMon successfully installed onto the Micro-PC, the next phase is deployment. This can vary greatly depending on the deployment scenario, so we’ll focus on testing and validation first.

Ensure that the NetMon appliance is plugged into power and then connect the ethernet cables as shown below. ‘LAN1’ is the management interface and ‘LAN4’ is the going to be used to sniff network traffic. Refer to the picture below, which shows a basic configuration designed to sniff traffic from a single computer.

Figure 4: LAN Tap Configuration

Figure 4: LAN Tap Configuration

Once again, we’re using a minimum of two ports. One is our “input” from the tap. The other is our “output” to the NetMon user interface (Management Interface).

Figure 5: Test Network

Figure 5: Test Network

Once the network interfaces have been configured, power on the NetMon device. Next, browse to the NetMon’s management interface. You will automatically redirect to port 443. From here, follow the on-screen prompts to complete the NetMon configuration.

If all goes well, you will start seeing traffic flow through momentarily.

Figure 6: Test - Sniffing Traffic on a Single System

Figure 6: Test - Sniffing Traffic on a Single System

Deployment

After testing the configuration to ensure that traffic is being captured, let’s translate this to a real-world scenario by configuring the Miniature NetMon on a home network.

In a home network, you’ll need a Tap, Hub, Smart Switch, or a router that supports port mirroring in order to capture traffic in-transit. There are countless products out there that will support these options; however, the ideal solution is to either use a Switch or configure Port Mirroring from the router directly, as this will have the least degradation on your home network’s connection speed. For optimal performance, we recommend utilizing Cat6 Ethernet cables to optimize the wired connections.

Figure 7: Example Network Diagram

Figure 7: Example Network Diagram (Click on images to view larger)

While a mini NetMon is perfect for the home network, it can be installed just as easily in satellite office locations and small businesses.

Penetration Testing Drop Box

You can also use the Mini NetMon device as a penetration testing dropbox to capture network traffic in your target network.

Figure 8: All Up in Your Network, Capturing All the Packets

Figure 8: All Up in Your Network, Capturing All the Packets

In a penetration-testing scenario, you will ideally want to gain access to the NetMon interface remotely. To spawn a reverse-shell that will communicate with a command and control server and allow remote access to the device, all you need to do is configure a cron job using the Python Reverse Shell by Dave Kennedy, or something similar, and configure this to use port forwarding to view the NetMon web interface. From here, you can configure Deep Packet Inspection (DPI) rules to sniff passwords, take full packet captures, pivot to other systems, and much more.

Future

This is just the beginning. There are many more features that we’d like to add to the Mini NetMon—and that’s where we need your help. We’re looking for ideas from the security community around what their needs are, how NetMon can help solve problems they are facing, and general product improvements. Some of the additional items we came up with:

  • Reverse Shell for Remote Access
  • Passive Wireless Sniffing and Management Interface
  • Integrated Software Tap
  • Scale Down the Hardware Requirements

Bonus

If you have a Chromecast, AppleTV, or similar screen-casting device, you can build a miniature “SOC.”

Figure 9: DIY Home Network SOC

Figure 9: DIY Home Network SOC