Remote WiFi Packet Capture with HORST on Raspberry Pi and Odroid

What’s HORST?

The Highly Optimized Radio Scanning Tool (HORST) is a lightweight IEEE 802.11 WLAN analyzer. It was built for troubleshooting WLAN networks, and although it’s not as advanced as other tools (Kismet, Wireshark, tcpdump), it’s very easy to use, free, and can run very efficiently even on a Raspberry Pi.

For the installation and usage details, please see HORST on GitHub.

If you attended WLPC 2017, you have an Odroid that has HORST preinstalled and a USB WiFi Module. (Thanks to WLPC and Jerry Olla for the excellent Maker Session!) You are ready to run HORST! Just log in and type horst. In general, you should be able to install HORST on any Linux Single Board Computer (SBC).

Below I have a few screenshots to demonstrate the type of information HORST captures and displays:

The home screen displays the list of devices detected (top), each packet captured (bottom left), and aggregate results (bottom right).

The statistics window gives figures about the types of packets captured and their percentages. It’s very useful to see information such as utilization, retries, etc.

Finally, this is a poor man’s spectrum analyzer, which gives the signal levels and usage per channel. There is much more to HORST, and I encourage you to read the documentation and play with it.

One very neat feature of HORST is the built-in option to run all of this packet capturing remotely. If you are troubleshooting an issue at a remote location, you can drop off your Odroid or Raspberry Pi there (their size and weight make deployment easy), and then access the HORST data from anywhere.

How to Run HORST

Here is how it works.

  1. Start HORST on the SBC as a server with: horst -i wlan0 -N -q. HORST won’t display anything on the screen, but it will start packet capturing and listening for incoming connections to port 4444 (the default port).
  2. From any other machine, you can connect to the specific HORST server with: horst -n IP where IP is the IP address of the HORST server.

The setup looks like this:

The problem here is that you need the inbound port open towards the SBC in order to connect your HORST client and receive the results. If the SBC is behind a firewall or NAT’ed, then you might need to go through extra steps to connect to the HORST server.

An alternative is to have an outbound connection from the SBC towards your console. In general, this is easier to do since outbound ports like 80 or 443 are open to the Internet in most networks. In addition, opening outbound ports is easier than inbound. With the NetBeez dashboard, you can do exactly that. Here is how it looks:

In this case, the SBCs are connected outbound to the cloud, and you can access them through the CLI console that’s on the NetBeez dashboard. Note that in this scenario, the SBCs are connected to the cloud through Ethernet, and they use the WiFi dongle in monitor mode.

Now you can start the HORST process on the Odroid or the Raspberry Pi and receive the results on the CLI console. The limitation right now is that the NetBeez GUI console is not fully interactive. The workaround is to get the results as text and import them to a spreadsheet.

Run this command: timeout 5 horst -q -o /dev/stdout

The timeout 5 prefix makes sure that horst runs for five seconds and then exits. Without it, we would have to kill the process in order to stop HORST. You can make the timeout period longer if you need to capture more data.

The -q option makes sure there is no graphical output on the SBC.

The -o /dev/stdout option prints the captured packets in CSV format.

Now we can copy and paste the CSV output into a spreadsheet for further analysis:

This is a quick and dirty way to use HORST as a remote packet sniffer. All you need is an Odroid or a Raspberry Pi on which to run the software.
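
The wrapper below is an added example, not part of HORST or NetBeez. It runs the same timed capture into a file and treats exit status 124 from timeout (the expected result when the capture is stopped at the time limit) as success, while reporting real failures and empty captures. The function name capture_csv and the HORST_BIN variable are assumptions made for this example, and GNU coreutils timeout is assumed.

```shell
#!/bin/sh
# Added example (not from HORST or NetBeez). capture_csv and HORST_BIN are
# names invented here; GNU coreutils `timeout` is assumed.
#
# Usage: capture_csv SECONDS OUTFILE [INTERFACE]
# Prints the number of CSV lines captured.
capture_csv() {
    secs=$1
    out=$2
    iface=${3:-}

    # Reject a missing or non-numeric duration before starting a capture.
    case $secs in
        ''|*[!0-9]*) echo "usage: capture_csv SECONDS OUTFILE [INTERFACE]" >&2
                     return 2 ;;
    esac
    [ -n "$out" ] || { echo "missing OUTFILE" >&2; return 2; }

    # Same command as in the article; -i is added only when an interface is given.
    rc=0
    if [ -n "$iface" ]; then
        timeout "$secs" "${HORST_BIN:-horst}" -i "$iface" -q -o /dev/stdout > "$out" || rc=$?
    else
        timeout "$secs" "${HORST_BIN:-horst}" -q -o /dev/stdout > "$out" || rc=$?
    fi

    # timeout exits with 124 when it had to stop horst at the time limit,
    # which is the normal case here. Any other non-zero status is a real
    # failure (horst missing, no permission, interface not found, ...).
    if [ "$rc" -ne 0 ] && [ "$rc" -ne 124 ]; then
        echo "horst exited with status $rc" >&2
        return "$rc"
    fi

    # An empty file means nothing was captured in the time window.
    if [ ! -s "$out" ]; then
        echo "no packets captured in ${secs}s" >&2
        return 1
    fi

    wc -l < "$out" | tr -d ' '
}
```

For example, capture_csv 30 /tmp/horst.csv wlan0 leaves a 30-second capture in /tmp/horst.csv that can be copied off the SBC later.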