Differences

docs:guide-user:firewall:misc:tcpdump_wireshark [2020/09/19 14:23] – add iptime working u-sirodocs:guide-user:firewall:misc:tcpdump_wireshark [2023/01/24 17:09] – confirm working for me cm
Line 14: Line 14:
  
 Update 2020-09-19: One person has confirmed its still working on a iptime device (mt7620) running 20.172.67167 Update 2020-09-19: One person has confirmed its still working on a iptime device (mt7620) running 20.172.67167
 +
 +Update 2023-01-24: One person has confirmed its still working on a Xiaomi device running 22.03.2
 </WRAP> </WRAP>
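Review bot: the added update line carries over the grammar slip of the line above it ("its still working" should be "it's still working"), and "a Xiaomi device" is vaguer than the 2020 entry, which at least names the SoC (mt7620); suggest naming the model or target that was actually tested, e.g. `Update 2023-01-24: One person has confirmed it's still working on a Xiaomi device (<model or target>) running 22.03.2`.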
  
Line 23: Line 25:
   opkg install tcpdump   opkg install tcpdump
      
-To capture all packets on the WAN (eth1):+To capture all packets on the WAN (the below assumes that interface eth1 is the WAN interface):
  
-  killall tcpdump; tcpdump -n -i eth1+  killall tcpdump; tcpdump -n -i eth1
   tcpdump: verbose output suppressed, use -v or -vv for full protocol decode   tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
   listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes   listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
Line 32: Line 34:
   13:16:56.018900 IP 192.168.1.94.38886 > 139.59.209.225.443: Flags [P.], seq 3899787899:3899788551, ack 1045321715, win 1043, options [nop,nop,TS val 689756067 ecr   651566707], length 652   13:16:56.018900 IP 192.168.1.94.38886 > 139.59.209.225.443: Flags [P.], seq 3899787899:3899788551, ack 1045321715, win 1043, options [nop,nop,TS val 689756067 ecr   651566707], length 652
   13:16:56.072201 IP 139.59.209.225.443 > 192.168.1.94.38886: Flags [.], seq 1:1449, ack 652, win 368, options [nop,nop,TS val 651567951 ecr 689756067], length 1448    13:16:56.072201 IP 139.59.209.225.443 > 192.168.1.94.38886: Flags [.], seq 1:1449, ack 652, win 368, options [nop,nop,TS val 651567951 ecr 689756067], length 1448 
 +
 +To capture all packets from a specific host on the network:
 +
 +  # tcpdump -i eth0 host 192.168.2.102 -U -s0 -w /tmp/dump.txt
  
 You may also use Wireshark capture and analysis tool.  You may also use Wireshark capture and analysis tool. 
  
-To capture all packets on the WAN:+To capture all packets on the the 'eth0' interface, excluding port 22 (SSH) traffic, assuming Wireshark is installed in the default location:
   - Enable SSH connection with certificated (to avoid password prompt)   - Enable SSH connection with certificated (to avoid password prompt)
-  - Under your GNU/Linux station or MacOsX:+  - on a Linux system:
  
   ssh user@myledebox tcpdump -i eth1 -U -s0 -w - 'not port 22' | sudo wireshark -k -i -   ssh user@myledebox tcpdump -i eth1 -U -s0 -w - 'not port 22' | sudo wireshark -k -i -
-   
-  - or Windows Command Prompt: 
  
-  ssh root@192.168.1.1 tcpdump -i br-lan -U -s0 -w - 'not port 22' | "C:\Program Files\Wireshark\Wireshark.exe" -k -i -+  - on a macOS system: 
 + 
 +  ssh user@myledebox tcpdump -i eth1 -U -s0 -w - 'not port 22' | sudo /Applications/Wireshark.app/Contents/MacOS/wireshark -k -i - 
 + 
 +  - or, on a Windows system:
  
 +  ssh root@myledebox tcpdump -i eth1 -U -s0 -w - 'not port 22' | "C:\Program Files\Wireshark\Wireshark.exe" -k -i -
  
 +Another option is to use the sshdump tool in wireshark, like so:
 +<code>
 +wireshark '-oextcap.sshdump.remotehost:OpenWrt.lan' '-oextcap.sshdump.remoteusername:root' -i sshdump -k
 +</code>
 ===== Capturing packets from a switch ===== ===== Capturing packets from a switch =====
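Review bot: the rewritten intro now says "To capture all packets on the the 'eth0' interface" (note the doubled "the"), but all three ssh examples below it still capture with `-i eth1`, so the prose and the commands disagree; either change the text back to eth1 or change the commands. In the new host-filter example, `tcpdump -i eth0 host 192.168.2.102 -U -s0 -w /tmp/dump.txt` writes binary pcap data, so the output should be named `/tmp/dump.pcap` rather than `.txt`, and since /tmp on OpenWrt is RAM-backed the example would benefit from a `-c <count>` or `-C <MB>` limit, or from streaming to the analysis host over ssh as the following examples do. Finally, "Enable SSH connection with certificated" should read "Enable key-based SSH authentication (to avoid the password prompt)".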
  
  • Last modified: 2023/01/27 17:20
  • by cm