RaspberryPi 3 NSM based on Bro. Suitable for a home 'blackbox' deployment.


General Preparation

  • critical stack:
    • get a critical stack account
    • set up a collection and a sensor
    • add feeds to your collection
    • note down sensor API key
  • note down parameters for email server

Prepare Pi

  • download Raspbian Lite and put onto micro SD card
  • create an empty file named ssh on the boot file system of the SD card
  • connect LAN cable to Pi (make sure DHCP works)
  • optionally: connect WD PiDrive to Pi
  • boot Pi, ssh into device
  • change password for user pi (passwd)
  • sudo to root (sudo su -) and use raspi-config to
    • set up WLAN (Network Options)
    • expand filesystem (Advanced Options)
    • exit, don't reboot yet
  • check if you can ssh into Pi using the WLAN IP of the Pi
  • optionally: prepare PiDrive (see Hints below)
  • reboot (reboot)
  • detach LAN cable

Install Foxhound

  • ssh into Pi using WLAN IP
  • update base OS:
sudo su -
apt-get update
apt-get -y -u dist-upgrade
  • install git: apt-get -y install git
  • change into root's home directory: cd
  • clone repository: git clone (as long as the pull request hasn't been accepted by the maintainer pls use my repo: git clone
  • prepare installation:
cd foxhound-nsm
chmod +x
  • optionally: copy unattended-sample.txt to unattended.txt and adapt to your needs
  • begin installation: ./
  • shut down device: shutdown -h now

Start Sniffing

  • configure switch (set up port mirroring)
  • plug switch into your home LAN on a suitable spot
  • connect switch mirror port with Pi
  • power up Pi and see if it works as expected (see e.g. Further Reading below)


Hints

  • the script isn't meant to be run multiple times on one installation (yet), so to get reliable results you should use a fresh OS SD card (and erase /nsm if using PiDrive) when re-running the script
  • use cheap micro SD card for OS, e.g. 8 GB ones (get multiple and have one ready with current Raspbian distro)
  • use separate file system for /nsm, e.g. Western Digital PiDrive Foundation Edition
    • delete existing partitions
    • create primary partition and label it, e.g. NSM
    • format with ext4, e.g. mkfs.ext4 /dev/sda1
    • mount into /nsm, e.g. add LABEL=NSM /nsm ext4 defaults 0 0 to /etc/fstab and mkdir /nsm && mount /nsm
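
The /nsm fstab and mount steps above, written so they can be repeated safely on the same installation. This is an added example, not part of the Foxhound repository; the helper names ensure_nsm_fstab and mount_nsm and the optional fstab-path argument are assumptions, while the label NSM and the fstab line come from the hints above.

```shell
#!/bin/sh
# Added example (not from the Foxhound repo): re-runnable /nsm setup.
# ensure_nsm_fstab and mount_nsm are hypothetical helper names.

# The fstab line given in the hints above.
NSM_ENTRY='LABEL=NSM /nsm ext4 defaults 0 0'

# ensure_nsm_fstab [FSTAB]
#   returns 0 if the entry is present (already there or appended now)
#   returns 2 if other or duplicate /nsm entries exist; file is left untouched
ensure_nsm_fstab() {
    fstab="${1:-/etc/fstab}"
    # Collect non-comment lines whose mount point (field 2) is /nsm,
    # normalised to single spaces so tabs in fstab compare equal.
    existing=$(awk '$1 !~ /^#/ && $2 == "/nsm" { print $1, $2, $3, $4, $5, $6 }' "$fstab")
    if [ -z "$existing" ]; then
        # Do not glue the entry onto an unterminated last line.
        if [ -n "$(tail -c 1 "$fstab")" ]; then
            echo >> "$fstab"
        fi
        printf '%s\n' "$NSM_ENTRY" >> "$fstab"
        return 0
    fi
    if [ "$existing" = "$NSM_ENTRY" ]; then
        return 0
    fi
    echo "conflicting /nsm entry in $fstab: $existing" >&2
    return 2
}

# mount_nsm: create the mount point and mount it only if not yet mounted.
# Needs root; call it after ensure_nsm_fstab has returned 0.
mount_nsm() {
    mkdir -p /nsm
    mountpoint -q /nsm || mount /nsm
}
```

A return code of 2 means /nsm is already claimed by a different fstab line, which should be resolved by hand before mounting.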

To Do

  • adapt script so it can be run multiple times in a row without creating strange side effects
  • add logging and error handling to script

Further Reading


Foxhound: Blackbox - A Raspberry Pi NSM





