User Tools

Site Tools


docs:guide-user:firewall:capture_filter_inspect_packets

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
docs:guide-user:firewall:capture_filter_inspect_packets [2018/08/08 18:27]
tmomas ↷ Page name changed from docs:guide-user:firewall:capture-filter-inspect-packets to docs:guide-user:firewall:capture_filter_inspect_packets
— (current)
Line 1: Line 1:
-====== How to capture, filter and inspect packets using tcpdump or *shark ====== 
  
-LEDE is a versatile platform base on GNU/Linux, offering state-of-the art solutions. You may use [[http://​www.tcpdump.org|tcpdump]] ,  [[https://​www.wireshark.org|Wireshark]] or even collect data from a switch and send it to a remote analysis system. This article does not cover network intrusion detection, which is documented separately. 
- 
-This HOWTO is based on a discussion on LEDE Forum, please discuss using this link: 
- 
-https://​forum.lede-project.org/​t/​tp-wdr3600-monitoring-capturing-wireless-traffic-howto/​3308 
- 
-Feel free to modify this HOWTO and enjoy LEDE! 
- 
-===== Capturing packets from a LEDE appliance ===== 
- 
-tcpdump is a network capture and analysis tool. It may be used to capture packets on the fly and/or save them in a file for later analysis. tcpdump relies on libcap, therefore it can produce standard pcap analysis files which may be processed by other tools. 
- 
-To install [[http://​www.tcpdump.org|tcpdump]] on your LEDE device: 
- 
-  opkg install tcpdump 
-  ​ 
-To capture all packets on the WAN (eth1): 
- 
-  tcpdump -n -i eth1 
-  tcpdump: verbose output suppressed, use -v or -vv for full protocol decode 
-  listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes 
-  13:​16:​55.036711 IP 192.168.1.94.41146 > 121.59.12.182.443:​ Flags [.], ack 2010466204, win 444, options [nop,nop,TS val 1064304519 ecr 2837800946],​ length 0 
-  13:​16:​55.056721 IP 139.59.210.197.443 > 192.168.1.94.41146:​ Flags [.], ack 1, win 1050, options [nop,nop,TS val 2837803506 ecr 1064299424],​ length 0 
-  13:​16:​56.018900 IP 192.168.1.94.38886 > 139.59.209.225.443:​ Flags [P.], seq 3899787899:​3899788551,​ ack 1045321715, win 1043, options [nop,nop,TS val 689756067 ecr   ​651566707],​ length 652 
-  13:​16:​56.072201 IP 139.59.209.225.443 > 192.168.1.94.38886:​ Flags [.], seq 1:1449, ack 652, win 368, options [nop,nop,TS val 651567951 ecr 689756067], length 1448  
- 
-You may also use Wireshark capture and analysis tool.  
- 
-To capture all packets on the WAN: 
-  - Enable SSH connection with certificated (to avoid password prompt) 
-  - Under your GNU/Linux station or MacOsX: 
- 
-  ssh user@myledebox tcpdump -i eth1 -U -s0 -w - 'not port 22' | sudo wireshark -k -i - 
- 
- 
-===== Capturing packets from a switch ===== 
- 
-Modern switches offer port-mirroring,​ i.e. the ability to copy all network packets from a given number of ports to a single-port,​ usually for analysis purpose. Usually, switches with port-mirroring are called "​manageable switches"​. Port mirroring happens in hardware, so your switch might not slow down. Check your documentation if port mirroring is supported. 
- 
-Connect your LEDE device to the monitoring interface of your switch. ​ 
- 
-Then simply use tcpdump or wireshark to monitor traffic. 
- 
-===== Sending packets for remote analysis on the WWW ===== 
- 
-[[https://​www.cloudshark.org|CloudShark]] is an cloud analysis platform, independent and not related to LEDE. It relies on cshark plugin to send packets remotely for analysis. Please check your internal rules, whether sending network traffic to a cloud platform is allowed. ​ 
- 
-Install cshark and luci-app-cshark:​ 
- 
-  opkg install cshark luci-app-cshark 
- 
-Please check [[https://​support.cloudshark.org/​openwrt/​openwrt-cloudshark.html|Cloud shark documentation]] for more information. 
- 
- 
-===== Questions remaining to be documented ===== 
-Please insert here what remains to be documented: 
- 
-- How to send (automatically) pcap files remotely for later analysis, on your own network. 
- 
-- How to trap network traffic using simple rules and log them to syslog/​rsyslog. 
- 
-- Are there uci / luci apps allowing to manage tcpdum rules, traffic analysis, etc ... 
docs/guide-user/firewall/capture_filter_inspect_packets.1533752827.txt.gz · Last modified: 2018/08/08 18:27 by tmomas