OpenWrt is a versatile platform base on GNU/Linux, offering state-of-the art solutions. You may use tcpdump, Wireshark or even collect data from a switch and send it to a remote analysis system. This article does not cover network intrusion detection, which is documented separately.
This HOWTO is based on a discussion on LEDE Forum, please discuss using this link:
This has not been tested recently. It should work if the packages can be installed on the target.
Update 2019-01-01: One person has confirmed its still working on a Buffalo device (Atheros AR71xx) running 18.06.1
tcpdump is a network capture and analysis tool. It may be used to capture packets on the fly and/or save them in a file for later analysis. tcpdump relies on libcap, therefore it can produce standard pcap analysis files which may be processed by other tools.
To install tcpdump on your device:
opkg install tcpdump
To capture all packets on the WAN (eth1):
tcpdump -n -i eth1 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes 13:16:55.036711 IP 192.168.1.94.41146 > 18.104.22.168.443: Flags [.], ack 2010466204, win 444, options [nop,nop,TS val 1064304519 ecr 2837800946], length 0 13:16:55.056721 IP 22.214.171.124.443 > 192.168.1.94.41146: Flags [.], ack 1, win 1050, options [nop,nop,TS val 2837803506 ecr 1064299424], length 0 13:16:56.018900 IP 192.168.1.94.38886 > 126.96.36.199.443: Flags [P.], seq 3899787899:3899788551, ack 1045321715, win 1043, options [nop,nop,TS val 689756067 ecr 651566707], length 652 13:16:56.072201 IP 188.8.131.52.443 > 192.168.1.94.38886: Flags [.], seq 1:1449, ack 652, win 368, options [nop,nop,TS val 651567951 ecr 689756067], length 1448
You may also use Wireshark capture and analysis tool.
To capture all packets on the WAN:
ssh user@myledebox tcpdump -i eth1 -U -s0 -w - 'not port 22' | sudo wireshark -k -i -
Modern switches offer port-mirroring, i.e. the ability to copy all network packets from a given number of ports to a single-port, usually for analysis purpose. Usually, switches with port-mirroring are called “manageable switches”. Port mirroring happens in hardware, so your switch might not slow down. Check your documentation if port mirroring is supported.
Connect your LEDE device to the monitoring interface of your switch.
Then simply use tcpdump or wireshark to monitor traffic.
CloudShark is an cloud analysis platform, independent and not related to LEDE. It relies on cshark plugin to send packets remotely for analysis. Please check your internal rules, whether sending network traffic to a cloud platform is allowed.
Install cshark and luci-app-cshark:
opkg install cshark luci-app-cshark
Please check Cloud shark documentation for more information.
Please insert here what remains to be documented:
- How to send (automatically) pcap files remotely for later analysis, on your own network.
- How to trap network traffic using simple rules and log them to syslog/rsyslog.
- Are there uci / luci apps allowing to manage tcpdum rules, traffic analysis, etc …