Differences

inbox:firewall:misc:tcpdump_wireshark [2018/08/14 14:59] – created dturvene
docs:guide-user:firewall:misc:tcpdump_wireshark [2023/01/24 17:09] – confirm working for me cm
Line 5: Line 5:
  
 https://forum.lede-project.org/t/tp-wdr3600-monitoring-capturing-wireless-traffic-howto/3308 https://forum.lede-project.org/t/tp-wdr3600-monitoring-capturing-wireless-traffic-howto/3308
 +
 +<WRAP round important 60%>
 +This has not been tested recently.  It **should** work if the packages can be installed on the target.
 +
 +Update 2019-01-01: One person has confirmed its still working on a Buffalo device (Atheros AR71xx) running 18.06.1
 +
 +Update 2019-02-22: One person has confirmed its still working on a Netgear device (Atheros ar71xx) running 18.06.2
 +
 +Update 2020-09-19: One person has confirmed its still working on a iptime device (mt7620) running 20.172.67167
 +
 +Update 2023-01-24: One person has confirmed its still working on a Xiaomi device running 22.03.2
 +</WRAP>
  
 ===== Capturing packets from an OpenWrt appliance ===== ===== Capturing packets from an OpenWrt appliance =====
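Review bot: the boxed notice opens with "This has not been tested recently" but is immediately followed by four dated confirmations, the latest (2023-01-24, OpenWrt 22.03.2) being the very change this revision records; either drop that first sentence or reword it to say the procedure is confirmed on the listed devices and releases. Minor points in the same block: "its still working" should be "it's still working" in all four update lines, "a iptime device" should be "an iptime device", and the version "20.172.67167" in the 2020-09-19 entry does not follow the OpenWrt release numbering of the other entries (18.06.1, 18.06.2, 22.03.2), so it is worth confirming with the reporter whether that is a snapshot build identifier.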
Line 13: Line 25:
   opkg install tcpdump   opkg install tcpdump
      
-To capture all packets on the WAN (eth1):+To capture all packets on the WAN (the below assumes that interface eth1 is the WAN interface):
  
-  tcpdump -n -i eth1+  # killall tcpdump; tcpdump -n -i eth1
   tcpdump: verbose output suppressed, use -v or -vv for full protocol decode   tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
   listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes   listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
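Review bot: the new command line `# killall tcpdump; tcpdump -n -i eth1` silently terminates every tcpdump already running on the router, including a capture another administrator may have left in place; the text should say why the prefix is there (a capture from an earlier example may still be running) or leave it out, because a reader pasting the line into a shell will not expect that side effect. Also, the leading `# ` is meant as a root prompt, but inside the indented code block it reads as a shell comment, and pasting the whole line executes nothing; the previous form `tcpdump -n -i eth1` without a prompt marker was clearer. The wording change that states the eth1-is-WAN assumption explicitly is a good improvement and should stay.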
Line 22: Line 34:
   13:16:56.018900 IP 192.168.1.94.38886 > 139.59.209.225.443: Flags [P.], seq 3899787899:3899788551, ack 1045321715, win 1043, options [nop,nop,TS val 689756067 ecr   651566707], length 652   13:16:56.018900 IP 192.168.1.94.38886 > 139.59.209.225.443: Flags [P.], seq 3899787899:3899788551, ack 1045321715, win 1043, options [nop,nop,TS val 689756067 ecr   651566707], length 652
   13:16:56.072201 IP 139.59.209.225.443 > 192.168.1.94.38886: Flags [.], seq 1:1449, ack 652, win 368, options [nop,nop,TS val 651567951 ecr 689756067], length 1448    13:16:56.072201 IP 139.59.209.225.443 > 192.168.1.94.38886: Flags [.], seq 1:1449, ack 652, win 368, options [nop,nop,TS val 651567951 ecr 689756067], length 1448 
 +
 +To capture all packets from a specific host on the network:
 +
 +  # tcpdump -i eth0 host 192.168.2.102 -U -s0 -w /tmp/dump.txt
  
 You may also use Wireshark capture and analysis tool.  You may also use Wireshark capture and analysis tool. 
  
-To capture all packets on the WAN:+To capture all packets on the the 'eth0' interface, excluding port 22 (SSH) traffic, assuming Wireshark is installed in the default location:
   - Enable SSH connection with certificated (to avoid password prompt)   - Enable SSH connection with certificated (to avoid password prompt)
-  - Under your GNU/Linux station or MacOsX:+  - on a Linux system:
  
   ssh user@myledebox tcpdump -i eth1 -U -s0 -w - 'not port 22' | sudo wireshark -k -i -   ssh user@myledebox tcpdump -i eth1 -U -s0 -w - 'not port 22' | sudo wireshark -k -i -
  
 +  - on a macOS system:
 +
 +  ssh user@myledebox tcpdump -i eth1 -U -s0 -w - 'not port 22' | sudo /Applications/Wireshark.app/Contents/MacOS/wireshark -k -i -
 +
 +  - or, on a Windows system:
 +
 +  ssh root@myledebox tcpdump -i eth1 -U -s0 -w - 'not port 22' | "C:\Program Files\Wireshark\Wireshark.exe" -k -i -
  
 +Another option is to use the sshdump tool in wireshark, like so:
 +<code>
 +wireshark '-oextcap.sshdump.remotehost:OpenWrt.lan' '-oextcap.sshdump.remoteusername:root' -i sshdump -k
 +</code>
 ===== Capturing packets from a switch ===== ===== Capturing packets from a switch =====
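Review bot: the new lead sentence for the Wireshark example says the capture is on the 'eth0' interface, but all three command lines that follow still capture with `-i eth1`, and the new tcpdump example above uses `-i eth0` without saying which interface that is; pick one interface name (or say "the interface you want to capture on") and use it consistently. In the same hunk: `-w /tmp/dump.txt` writes binary pcap data, so the file should be named something like `/tmp/dump.pcap`, and since /tmp on OpenWrt is RAM-backed, an unbounded `-U` capture will eventually exhaust memory on a small router, which `-c` (packet count) or `-C` (file size) can bound; "on the the 'eth0' interface" has a doubled "the"; "Enable SSH connection with certificated" should read "key-based authentication"; and the Windows line logs in as `root@myledebox` while the Linux and macOS lines use `user@myledebox`, which should be consistent, with a note that tcpdump needs root on the router either way.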
  
  • Last modified: 2023/01/27 17:20
  • by cm