Recently, I discovered that a family member’s device on my home network had been DNS-hijacked. This was only brought to my attention because some sites on that machine were resolving to fraudulent servers. This made me concerned about what the other devices on my network may be up to.
I decided to do some research and came up with an inexpensive but powerful solution using a managed switch and the ntopng network analysis software.
Using a managed switch allows you to copy traffic from one or more ports onto a designated mirror port. This is similar to how old Ethernet hubs used to work but is more configurable. It allows us to have a copy of all traffic moving through our designated ports (from our router and our modem) onto a port connected to a Raspberry Pi.
1. Purchase Hardware
I already had an extra Raspberry Pi 3 and some Ethernet cables on hand, so I just ended up purchasing a managed switch. I chose a Netgear GS105Ev2 because of its low cost and mirroring capability.
Device | Reason |
---|---|
Raspberry Pi 3 (or newer) | Runs ntopng network traffic analysis software |
Managed Switch | Mirrors traffic from multiple ports |
Ethernet patch cable | Connects Raspberry Pi to managed switch |
2. Configure Managed Switch
Connect the new managed switch to your regular home network. It should ask your DHCP server for an address. Once you have determined which address was assigned, you can navigate to the web-based management interface.
Once connected, you may need to authenticate with the instructions provided with the switch and change the password. After that, configure one of the ports (I chose port 3) as a mirror destination port. This is the port that will connect to your Raspberry Pi. You should be able to configure two other ports as the source ports whose traffic will be mirrored onto port 3. I chose port 1 for my router and 5 for my modem.
3. Configure Raspberry Pi
Set Up Network Interfaces
After installing the Raspbian Linux distribution on my Raspberry Pi, I connected it to my home Wi-Fi using the `raspi-config` tool. This allows you to set the SSID and password.
Then, I configured my network settings manually by editing `/etc/dhcpcd.conf` as follows:
```
interface enxb827eb001dc1
static ip_address=172.16.0.1/24

interface wlan0
static ip_address=10.10.10.253/24
static routers=10.10.10.254
static domain_name_servers=10.10.10.252
```
This places the Wi-Fi adapter on my local network while also assigning a separate private network address for the Ethernet adapter. This address is on a private subnet that is not routable and is separate from my home network and my ISP’s subnet.
Then I enabled promiscuous mode on my Ethernet adapter:
```
sudo ip link set enxb827eb001dc1 promisc on
```
This allows the Ethernet interface to accept all incoming traffic, regardless of whether it’s intended for this machine. Actually, there will be no traffic on this interface intended for it. All the traffic will be coming from or going to my router or to sites on the Internet.
Install ntopng
Instructions for installing ntopng are available on their website.
I installed the packages using the following:
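```
# Download and install the package that registers the ntop apt repository
wget http://packages.ntop.org/RaspberryPI/apt-ntop_1.0.190416-469_all.deb
sudo dpkg -i apt-ntop_1.0.190416-469_all.deb
# Refresh the package index so the new repository is visible, then install
sudo apt update
sudo apt install ntopng nprobe n2n
```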
Make sure to check the website for the latest version information.
4. Connect Devices to Switch
Disconnect the managed switch from your home network, then connect your router, modem, and Raspberry Pi to your new managed switch:
Port | Device |
---|---|
Port 1 | Wi-Fi Router (WAN Port) |
Port 3 | Raspberry Pi |
Port 5 | Cable Modem |
Your router should still be able to obtain an IP address using DHCP from your modem, just like when they were directly connected.
5. Connect to ntopng
You should now be able to connect to ntopng over the Wi-Fi interface on your Raspberry Pi. Mine was connected on `10.10.10.253`. The ntopng software listens on port 3000 by default, so I was able to connect at `http://10.10.10.253:3000`.
6. Analyze Traffic
On my home network, I have configured my Pi-Hole DNS server to route through a DNS over HTTPS setup. As a result, there should be no traffic going out to the Internet on port 53 (DNS). I can use the ntopng tool to examine traffic flows, applications, and ports to see if anything is using this port. It also allows me to examine any other type of traffic in real-time.
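The same "nothing should leave on port 53" check can be scripted against the mirror interface alongside ntopng. The following is an added example, not part of the original post: it assumes tcpdump is installed on the Pi and parses its `-nn` text output; the function name and the sample lines are constructed for illustration.

```python
import re
import sys
from collections import defaultdict

# Live use on the Pi (interface name taken from the post):
#   sudo tcpdump -nn -l -c 500 -i enxb827eb001dc1 port 53 | python3 dns53.py

# tcpdump -nn prints "IP <src>.<sport> > <dst>.<dport>: <summary>" (IP6 for IPv6)
LINE = re.compile(r"\bIP6? (\S+)\.(\d+) > (\S+)\.(\d+): (.*)$")
# A DNS question is printed as "<TYPE>? <name>", e.g. "A? example.com."
QUERY = re.compile(r"(\w+)\? (\S+)")

# Constructed sample capture (documentation addresses, not real traffic)
SAMPLE = [
    "12:00:01.100000 IP 203.0.113.7.51514 > 8.8.8.8.53: 4660+ A? tracker.example. (33)",
    "12:00:01.130000 IP 8.8.8.8.53 > 203.0.113.7.51514: 4660 1/0/0 A 198.51.100.9 (49)",
    "12:00:02.000000 IP 203.0.113.7.44321 > 1.1.1.1.443: Flags [P.], seq 1:518, ack 1, win 502, length 517",
    "12:00:03.000000 IP6 2001:db8::7.40000 > 2001:db8:53::1.53: 7+ AAAA? update.example. (32)",
    "12:00:04.000000 IP 203.0.113.7.40222 > 8.8.8.8.53: Flags [S], seq 1, win 64240, length 0",
]

def plaintext_dns(lines):
    """Return {resolver: sorted [(qtype, name)]} for packets sent TO port 53."""
    found = defaultdict(set)
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue  # not an IP packet line (ARP, tcpdump banner, ...)
        _src, _sport, dst, dport, summary = m.groups()
        if dport != "53":
            continue  # replies (source port 53) and unrelated traffic
        q = QUERY.search(summary)
        # TCP handshake segments carry no question; record them as unknown
        found[dst].add((q.group(1), q.group(2).rstrip(".")) if q else ("?", "?"))
    return {resolver: sorted(qs) for resolver, qs in found.items()}

if __name__ == "__main__":
    source = SAMPLE if sys.stdin.isatty() else sys.stdin
    for resolver, questions in plaintext_dns(source).items():
        for qtype, name in questions:
            print(f"plaintext DNS to {resolver}: {qtype} {name}")
```

Because the mirrored ports sit between the router's WAN port and the modem, the source address on every line is the router's own (assuming it performs NAT, as home routers normally do). A hit therefore shows that something is bypassing the DNS-over-HTTPS path, not which device is doing it.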
With this setup, we can have more confidence that self-hosted services and data are protected. Later in this series, I’ll cover hosting alternatives to Gmail and Google Photos and building up more network services.
Thank you for a great guide!