
Device monitoring...?

Discussion in 'Asuswrt-Merlin' started by JaimeZX, May 25, 2019.

  1. JaimeZX

    JaimeZX Senior Member

    Joined:
    Mar 10, 2018
    Messages:
    202
    Is there an easy way to monitor outbound IP requests by device?

    I could do this in Wireshark, but it seems tedious and I'm sure if I knew the right command (or had the right script) the router could do it as well... mainly trying to see what IP addresses my IoT devices are trying to use. For example, I'm aware my smart plugs do scheduling through AWS, but also try and call-home to China. (I keep China blocked with Skynet.) Just want to have an idea of what else these guys are up to.

    Thanks in advance!
     
  2. skeal

    skeal Part of the Furniture

    Joined:
    Apr 30, 2016
    Messages:
    3,312
    Location:
    /etc
    Turn on logging in Skynet and watch for outgoing connection attempts.
     
  3. JaimeZX

    JaimeZX Senior Member

    Joined:
    Mar 10, 2018
    Messages:
    202
    Sure, but that will only give me results for things being blocked by Skynet, right? I would like to see *all* inbound/outbound connection attempts (blocked or otherwise) to [LAN IP] for a given time period.
     
  4. Carnbroe

    Carnbroe Occasional Visitor

    Joined:
    Jun 4, 2018
    Messages:
    14
    You can of course install tcpdump to the router then export the dump file to your PC to filter by device. It's a bit involved to set up if you don't have any scripts installed and are doing it from scratch, but once it's installed then it's straightforward running it.
     
  5. martinr

    martinr Part of the Furniture

    Joined:
    Nov 27, 2014
    Messages:
    2,086
    Location:
    United Kingdom
    You wouldn’t like to expand on that with a bit of detail sufficient to get it up and running? Or perhaps a link to a suitable site/post? Sounds like an interesting little exercise.
     
  6. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    9,098
    Location:
    UK
  7. Carnbroe

    Carnbroe Occasional Visitor

    Joined:
    Jun 4, 2018
    Messages:
    14
    Let me elaborate as typing tcpdump followed by the parameters is the end part of the process :)

    I'll assume that you don't already have any scripts installed but have used wireshark before and are familiar with the various options to get the most out of running tcpdump from the command line.

    The starting point is that you need to be able to connect to the router via SSH and be able to login. There are a number of ways that you can get tcpdump successfully installed so this is just one way to do this. All the information you need to do this is scattered in the forum but I'll provide the links so that you can go to the correct place and see the context of those posts. I'm no expert here but have managed to get it installed and working without too much fuss.

    It probably makes more sense to describe the process from the end point and work backwards so that you can see why you need to do the various steps. When you run the dump program you can either have it display the data on the ssh terminal (running Putty.exe or similar on your PC) or you need to pipe the output to the usb drive. If you have it going to terminal then use <ctrl>+c to stop tcpdump and return to the prompt. I personally find that it's better to end the tcpdump command with a '&' (to run it in the background) and output the data to a .pcap file so that I can then use wireshark to filter it on my PC. A typical dump command with the output going to a file would be:-
    • tcpdump -i eth0 -p port 853 -w /tmp/mnt/myUSB/pcap/testlogfile.pcap &
    where myUSB is the name I used to label my USB drive and pcap is a directory I created to store the .pcap files in. To set up the share to let your PC connect to the USB drive go to the following page on the router once you have your USB drive added and set up
    where the ip address above is replaced by that of your router. This then lets you set up a samba share such as \\AC3200\pcap which you will be able to access from Windows File Explorer on your PC.

    Also note that if you run the command in the background using the '&' at the end then you can't just leave it running or it will eventually fill up all your space on your USB drive. To stop it, at the ssh prompt type "killall tcpdump" or "ps | grep tcpdump" then kill the PID (the first number displayed), i.e. "kill 1234" see here

    Right, that covers running tcpdump, stopping it and then accessing the saved pcap file.

    You will see in various posts that to install tcpdump you enter opkg install tcpdump at the ssh command prompt. However to do that successfully you need to install entware first and to install entware you need to install amtm. Thankfully the process of installing both of these is well documented at the following link.
    My experience was that the guide is good and even though it looked like the shortcuts in amtm were missing they were in fact there but not being displayed. As I said, once you get entware installed then you can use that to install tcpdump via
    Code:
    opkg install tcpdump
    Don't be put off by all of this, it's actually straightforward and well worth the effort.
     
    Last edited: Jun 2, 2019
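    The step the write-up above stops at, "use wireshark to filter it", is where the original question (which outside addresses each IoT device talks to) actually gets answered. Below is an added example, not code from this thread or from Asuswrt-Merlin, that does that tally offline in Python with only the standard library: it reads a classic pcap file as written by `tcpdump -w`, keeps IPv4 packets whose source is inside the LAN and whose destination is outside it, and counts destination address and port per LAN device. Assumptions are labelled in the code: the LAN is 192.168.1.0/24, the link type is Ethernet (tcpdump's "link-type EN10MB" banner), and the sample capture is constructed in the block from documentation-range addresses rather than real traffic. Two caveats for anyone adapting it: per-device attribution only works if the capture is taken before NAT, i.e. on the LAN side (the LAN bridge is br0 on Asuswrt firmware) rather than on the WAN interface, where every packet carries the router's public address; and a filter of `port 853` records only DNS-over-TLS traffic, so a capture meant to show everything a device does would use something like `host 192.168.1.50` instead.

```python
import struct
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Classic pcap constants (pcapng, which newer tcpdump versions can also write, is not handled here)
PCAP_MAGIC_LE = 0xA1B2C3D4   # value seen when reading a little-endian file with "<I"
PCAP_MAGIC_BE = 0xD4C3B2A1   # value seen when reading a big-endian file with "<I"
LINKTYPE_ETHERNET = 1        # "link-type EN10MB" in tcpdump's banner
ETHERTYPE_IPV4 = 0x0800


def iter_frames(data):
    """Yield each captured frame (bytes) from a classic pcap byte string."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    _major, _minor, _tz, _sig, _snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}; expected Ethernet")
    off = 24
    while off + 16 <= len(data):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_ipv4(frame):
    """Return (src, dst, proto, dst_port) for an IPv4-over-Ethernet frame, else None."""
    if len(frame) < 34:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV4:
        return None                      # ARP, IPv6 and others are skipped in this example
    ihl = (frame[14] & 0x0F) * 4         # IPv4 header length in bytes
    proto = frame[23]
    src = ip_address(frame[26:30])
    dst = ip_address(frame[30:34])
    dst_port = None
    l4 = frame[14 + ihl:]
    if proto in (6, 17) and len(l4) >= 4:    # TCP or UDP: destination port is bytes 2..3
        (dst_port,) = struct.unpack("!H", l4[2:4])
    return src, dst, proto, dst_port


def outbound_by_device(data, lan="192.168.1.0/24"):
    """Count (destination, port) pairs per LAN device for packets leaving the LAN (assumed LAN range)."""
    lan_net = ip_network(lan)
    tally = defaultdict(Counter)
    for frame in iter_frames(data):
        parsed = parse_ipv4(frame)
        if parsed is None:
            continue
        src, dst, _proto, dport = parsed
        if src in lan_net and dst not in lan_net:   # outbound only; replies and LAN chatter ignored
            tally[str(src)][(str(dst), dport)] += 1
    return tally


def outbound_from_file(path, lan="192.168.1.0/24"):
    """Same tally for a .pcap saved by tcpdump -w (e.g. the file on the USB share)."""
    with open(path, "rb") as f:
        return outbound_by_device(f.read(), lan)


# --- constructed sample capture (documentation-range addresses, not real traffic) ---
def _frame(src, dst, proto, dport, ethertype=ETHERTYPE_IPV4):
    eth = b"\x00" * 12 + struct.pack("!H", ethertype)
    if ethertype != ETHERTYPE_IPV4:
        return eth + b"\x00" * 28        # e.g. an ARP frame; ignored by parse_ipv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     ip_address(src).packed, ip_address(dst).packed)
    l4 = struct.pack("!HH", 40000, dport) + b"\x00" * 4   # source port, dest port, padding
    return eth + ip + l4


def _pcap(frames):
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 262144, LINKTYPE_ETHERNET)
    records = b"".join(struct.pack("<IIII", 1559000000 + i, 0, len(f), len(f)) + f
                       for i, f in enumerate(frames))
    return header + records


SAMPLE_PCAP = _pcap([
    _frame("192.168.1.50", "203.0.113.7", 6, 443),    # smart plug -> cloud endpoint (TCP 443)
    _frame("192.168.1.50", "203.0.113.7", 6, 443),
    _frame("203.0.113.7", "192.168.1.50", 6, 40000),  # reply, inbound: not counted
    _frame("192.168.1.50", "198.51.100.9", 6, 853),   # DNS over TLS to an outside resolver
    _frame("192.168.1.50", "192.168.1.1", 17, 53),    # LAN-internal DNS: not counted
    _frame("192.168.1.60", "198.51.100.9", 17, 123),  # second device, NTP
    _frame("0.0.0.0", "0.0.0.0", 0, 0, ethertype=0x0806),  # ARP: skipped
])

if __name__ == "__main__":
    for device, dests in sorted(outbound_by_device(SAMPLE_PCAP).items()):
        print(device)
        for (dst, port), n in dests.most_common():
            print(f"  {n:4d}  {dst}:{port}")
```

    Run it as-is to see the tally for the constructed sample, or call `outbound_from_file("/path/to/testlogfile.pcap")` on a capture copied off the USB share. Because it only counts packets whose source is a private LAN address, it will print nothing for a capture taken on the WAN interface after NAT, which is itself a useful check that the capture was taken on the right interface.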
  8. martinr

    martinr Part of the Furniture

    Joined:
    Nov 27, 2014
    Messages:
    2,086
    Location:
    United Kingdom
    What an excellent write-up! You’ve clearly put a great deal of time and effort into it. It’s a long time since I used Wireshark and it will be like starting afresh, but this has given me the impetus to get familiar with it again.
    I’m sure others will be equally grateful for your hard work.
     
    Last edited: Jun 3, 2019
  9. martinr

    martinr Part of the Furniture

    Joined:
    Nov 27, 2014
    Messages:
    2,086
    Location:
    United Kingdom
    Your instructions work a treat. I cut and pasted your code and I think maybe grabbed an extra space after the & and got “tcpdump not found”, which threw me for quite a while, until I typed in the command.

    I used WinSCP and Putty from within it. WinSCP let me simply create the folder on the usb drive, as well as copying the file from the usb drive to the desktop for Wireshark analysis. It’s fascinating to see just how much traffic there is and things like ARP requests: who is 192.168.1.1 with the answer along with the mac address in the next packet.

    An excellent learning exercise for tcpdump and Wireshark (and Putty and WinSCP, for anyone unfamiliar with them, too).

    Thanks again.
     
  10. lordtech

    lordtech Occasional Visitor

    Joined:
    Sep 5, 2015
    Messages:
    15
    Hi, I know this is a little bit out of the topic, but when I run the following sentence:
    Code:
    opkg install tcpdump
    I got this:
    Code:
    Installing tcpdump (4.9.2-1b) to root...
    Downloading http://bin.entware.net/armv7sf-k2.6/tcpdump_4.9.2-1b_armv7-2.6.ipk
    Collected errors:
     * opkg_install_pkg: Package size mismatch: tcpdump is 342496 bytes, expecting 342476 bytes
     * opkg_install_cmd: Cannot install package tcpdump.
    Is anyone having the same issue?
     
  11. truglodite

    truglodite Regular Contributor

    Joined:
    Jun 24, 2017
    Messages:
    131
    You missed it by one line...
    Code:
    opkg update
    opkg install tcpdump
     
  12. lordtech

    lordtech Occasional Visitor

    Joined:
    Sep 5, 2015
    Messages:
    15
    Thanks, it worked!
     
  13. kernol

    kernol Regular Contributor

    Joined:
    Feb 24, 2018
    Messages:
    195
    Location:
    South Africa
    Strange? I get zero packets collected after running this command for the past 12 hours ...
    Code:
    tcpdump -i eth0 -p port 853 -w /tmp/mnt/myUSB/pcap/testlogfile.pcap &
    I have 16 active devices running and plenty of activity reported by Skynet over the period.
    When I stop the process with killall tcpdump it reports zero packets captured and the testlogfile.pcap is empty?
     
  14. martinr

    martinr Part of the Furniture

    Joined:
    Nov 27, 2014
    Messages:
    2,086
    Location:
    United Kingdom
    Did you change “myUSB” in the command to whatever label you gave to your usb?

    By the way, I think my file went up to around 6MB for just 30 seconds worth of data collection. I can’t imagine the size of device you’d need for 12 hours’ worth.
     
    Last edited: Jun 7, 2019
  15. kernol

    kernol Regular Contributor

    Joined:
    Feb 24, 2018
    Messages:
    195
    Location:
    South Africa
    LOL - yes indeed I did change the "myUSB" ;) ... The code creates the file correctly in my pcap folder on the USB - but it remains zero bytes.
    If I run it without the & - a blank screen remains in the terminal.

    A reboot of the router made no difference. I will try uninstalling tcpdump and reinstalling to see if that will fix it.

    If I use Wireshark to directly monitor packets on the router - it races along happily. Just can't get tcpdump to work properly.
     
  16. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    9,098
    Location:
    UK
    Is your WAN interface actually eth0? If you're using hardware acceleration it's probably vlan2.
    Code:
    nvram get wan0_ifname
     
  17. kernol

    kernol Regular Contributor

    Joined:
    Feb 24, 2018
    Messages:
    195
    Location:
    South Africa
    Thanks Colin - that code responds with - eth0 - so assume that is correct.
     
  18. kernol

    kernol Regular Contributor

    Joined:
    Feb 24, 2018
    Messages:
    195
    Location:
    South Africa
    After executing the tcpdump command - the result is ...
    "listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes"
    The prompt does not return to the root# prompt and still nothing shows up in the testlogfile.pcap file.
    Remove and re-install of tcpdump has made no difference?
     
  19. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    9,098
    Location:
    UK
    Try just running the command straight to the terminal:

    tcpdump -i eth0 -p port 853

    Then do some nslookups from a PC.
     
  20. kernol

    kernol Regular Contributor

    Joined:
    Feb 24, 2018
    Messages:
    195
    Location:
    South Africa
    Still absolutely nothing from tcpdump. Nslookups respond on the PC - but no packets intercepted by tcpdump!