Logging all inbound & outbound IP addresses from IoT devices?


Kobalt

Occasional Visitor
I got a RT-N66U, Merlin Firmware: 380.69, and I do have "Enable IPTraffic (per IP monitoring)" enabled, and it did make the file tomato_rstats_bcee7b930048.gz in the same directory as the bandwidth monitor file (it does NOT allow a different directory?), however, there aren't 3 new entries in the traffic monitor page selector. Nothing has changed on that page like the FAQ says.
Under Traffic Manager -> Traffic monitor, it just shows bandwidth there.
Nothing else.
No IP listings or anything, and no new options, so, this seems like a bug?


https://github.com/RMerl/asuswrt-merlin/wiki/Enhanced-Traffic-monitoring
IPTraffic (monitoring per device)
Also, Asuswrt-Merlin can track the traffic generated by each individual IP on your network. This option is called IPTraffic. To enable this, you must first set a custom location to store your traffic database (see above). Once again, you must also tell it to create the new data file, by enabling "Create or reset IPTraffic data files". Once done, enable the IPTraffic Monitoring option. This will add three new entries to the Traffic Monitor page selector (on the Traffic Monitoring page).

What I am trying to do is log all inbound & outbound connections to some IoT devices, so, since the above didn't work out that well, what is an alternative way to achieve this?
Would I have to resort to using iptables to log the IPs?
 
and I do have "Enable IPTraffic (per IP monitoring)" enabled, and it did make the file tomato_rstats_bcee7b930048.gz in the same directory as the bandwidth monitor file
"per IP monitoring" is stored in a cstats file not the rstats file. You need to "Create or reset IPTraffic data files" to create that file.
What I am trying to do is log all inbound & outbound connections to some IoT devices
IPTraffic won't tell you that information.
 
My IoT devices are all wireless, so I'm using Wireshark to periodically log these for 24 hours and when I see in- or outbound connections I don't want, I block them by blacklisting the IPs in Skynet. Maybe there's a smarter way, but crawling through thousands of lines of ACCEPTED connections in syslog and filtering them per device was too much of a hassle, plus my remote log service wasn't very pleased with it (free service). Wireshark works perfectly for me, you just need some time to familiarize yourself with the filters used, start a capture, and check later.
 
"per IP monitoring" is stored in a cstats file not the rstats file. You need to "Create or reset IPTraffic data files" to create that file.
Whoops, sorry, brain fart. Yes, it was cstats.
7331 Jan 21 16:22 tomato_cstats_bcee7b930048.gz
1303 Jan 21 16:23 tomato_rstats_bcee7b930048.gz

IPTraffic won't tell you that information.
Drat.
OK, thanks for the info, looks like I will have to come up with an alternative way to handle this.
 
My IoT devices are all wireless, so I'm using Wireshark to periodically log these for 24 hours and when I see in- or outbound connections I don't want, I block them by blacklisting the IPs in Skynet. Maybe there's a smarter way, but crawling through thousands of lines of ACCEPTED connections in syslog and filtering them per device was too much of a hassle, plus my remote log service wasn't very pleased with it (free service). Wireshark works perfectly for me, you just need some time to familiarize yourself with the filters used, start a capture, and check later.
I suppose that is one way to handle it with Wireshark; I do have a spare laptop I can use to do that.
Also, yeah, I was thinking about grepping the log file for ACCEPTED and handling it that way, shouldn't be that much work for a script to do that on off hours.
Apparently, the router has the netstat command, so, in theory, it should be possible to run that, and grep it for the unique IPs, then dump the IP addresses into a log file as well, just not sure of the performance hit that will be, since you must always keep that running.

Decisions, decisions. :)
 
OK, finally got something I like...

I ended up using iptables to log both inbound & outbound traffic.
Code:
-A INPUT -s 192.168.1.214 -m state --state NEW -j LOG --log-prefix "New inbound: "
-A OUTPUT -s 192.168.1.214 -m state --state NEW -j LOG --log-prefix "New outbound: "

The -s is for the specific device IP I want to monitor; this works for both TCP & UDP, and only for new connections.

Now, just got to figure out the best way to save the data to the USB drive.
 
You might need to use the FORWARD chain instead of INPUT/OUTPUT.
Hmm, I'm no expert in iptables, but, looking at this chart
[image: iptables chain flow chart]

it seems INPUT & OUTPUT are correct, since FORWARD will look at things that aren't that specific IP, right?
 
INPUT and OUTPUT are for traffic to and from the router itself. The FORWARD chain is used for traffic forwarded to and from the LAN.
 
INPUT and OUTPUT are for traffic to and from the router itself. The FORWARD chain is used for traffic forwarded to and from the LAN.
I took that chart/docs to mean that you should use INPUT for things going directly to the server (the IoT device that I specified with -s), and OUTPUT is directly from the server (the IoT device), and FORWARD is for when traffic is routed through the router, or, other devices on the LAN.

Hmm...
 
Maybe this:
Code:
-I FORWARD -d 192.168.1.214 -m state --state NEW -j LOG --log-prefix "New inbound: "
-I FORWARD -s 192.168.1.214 -m state --state NEW -j LOG --log-prefix "New outbound: "
 
Maybe this:
Code:
-I FORWARD -d 192.168.1.214 -m state --state NEW -j LOG --log-prefix "New inbound: "
-I FORWARD -s 192.168.1.214 -m state --state NEW -j LOG --log-prefix "New outbound: "
Tested those out, and the outbound is working, not the inbound.
Code:
 kernel: *New outbound:  <4>*New outbound: IN=br0 OUT=eth0 <1>SRC=192.168.1.214 DST=4.2.2.3 <1>LEN=61 TOS=0x00 PREC=0x00 TTL=63 ID=18251 DF PROTO=UDP <1>SPT=49580 DPT=53 LEN=41
On the other hand, my INPUT results in
Code:
kernel: New inbound:  <4>New inbound: IN=br0 OUT= MAC=XXXXXXXXXXX <1>SRC=192.168.1.214 DST=XXXX <1>LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP <1>SPT=57565 DPT=46703 LEN=52
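Turning those LOG lines into the per-device connection list the thread is after, as an added shell example that is not from the thread or from Asuswrt-Merlin: it strips the <4>/<1> priority markers visible in the posted output and prints each unique direction/source/destination/protocol/port tuple once. The sample lines are constructed on the pattern of the posted output; 4.2.2.3 comes from the thread, the other public addresses are documentation-range placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or from Asuswrt-Merlin: summarise the
# iptables LOG lines shown above into unique connection tuples.
# The "<4>"/"<1>" priority markers that appear in the posted output are
# stripped first, then SRC/DST/PROTO/DPT are pulled out of each line.

# Constructed sample log, modelled on the posted output. 4.2.2.3 is from the
# thread; the other public addresses are documentation-range placeholders.
SAMPLE_LOG='Jan 21 16:30:01 kernel: *New outbound:  <4>*New outbound: IN=br0 OUT=eth0 <1>SRC=192.168.1.214 DST=4.2.2.3 <1>LEN=61 TOS=0x00 PREC=0x00 TTL=63 ID=18251 DF PROTO=UDP <1>SPT=49580 DPT=53 LEN=41
Jan 21 16:30:02 kernel: *New outbound:  <4>*New outbound: IN=br0 OUT=eth0 <1>SRC=192.168.1.214 DST=4.2.2.3 <1>LEN=61 TOS=0x00 PREC=0x00 TTL=63 ID=18252 DF PROTO=UDP <1>SPT=49581 DPT=53 LEN=41
Jan 21 16:30:05 kernel: *New outbound:  <4>*New outbound: IN=br0 OUT=eth0 <1>SRC=192.168.1.214 DST=198.51.100.7 <1>LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=18253 DF PROTO=TCP <1>SPT=40000 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 21 16:30:09 kernel: *New inbound:  <4>*New inbound: IN=eth0 OUT=br0 <1>SRC=203.0.113.9 DST=192.168.1.214 <1>LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1 DF PROTO=TCP <1>SPT=51000 DPT=8883 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 21 16:30:10 kernel: some unrelated message that must be ignored'

# summarise_connections: read log lines on stdin, print each distinct
# "direction src dst proto dport" tuple once, sorted.
summarise_connections() {
  sed 's/<[0-9]*>//g' |
  awk '
    /New (inbound|outbound):/ {
      dir = ($0 ~ /New inbound:/) ? "inbound" : "outbound"
      src = dst = proto = dport = "-"
      for (i = 1; i <= NF; i++) {
        n = split($i, kv, "=")
        if (n != 2) continue
        if (kv[1] == "SRC") src = kv[2]
        else if (kv[1] == "DST") dst = kv[2]
        else if (kv[1] == "PROTO") proto = kv[2]
        else if (kv[1] == "DPT") dport = kv[2]
      }
      key = dir " " src " " dst " " proto " " dport
      if (!(key in seen)) { seen[key] = 1; print key }
    }' | sort
}

# count_unique: number of distinct tuples in the sample.
count_unique() {
  printf '%s\n' "$SAMPLE_LOG" | summarise_connections | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_LOG" | summarise_connections
```

On the router, pipe the syslog through summarise_connections instead of the embedded sample.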
 
On the other hand, my INPUT results in
Code:
kernel: New inbound:  <4>New inbound: IN=br0 OUT= MAC=XXXXXXXXXXX <1>SRC=192.168.1.214 DST=XXXX <1>LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP <1>SPT=57565 DPT=46703 LEN=52
It's difficult to know what to make of that without knowing what DST=XXXX is. I'd expect it to be the router's IP address, 192.168.1.1. But what is on UDP port 46703 I can't guess.
 
It's difficult to know what to make of that without knowing what DST=XXXX is. I'd expect it to be the router's IP address, 192.168.1.1. But what is on UDP port 46703 I can't guess.
No, DST is actually amazon's server. Seems it is using their AWS cloud.
 
I use iptables to block outbound traffic for LAN clients that belong to children at certain times of the day. They can still connect to the router and get an IP address. But no internet. You can do the same for the IoT clients you don't want phoning home or sending data to the WAN. I will post it when I get home.
 
Make sure NAT acceleration is disabled if you are using the FORWARD chain, as otherwise your rules will get bypassed by it.
 
I use iptables to block outbound traffic for LAN clients that belong to children at certain times of the day. They can still connect to the router and get an IP address. But no internet. You can do the same for the IoT clients you don't want phoning home or sending data to the WAN. I will post it when I get home.
Sounds good... :)
 
Sounds good... :)
Here are the examples.

# Block an incoming connection from PC Lab
iptables -I FORWARD -s 192.168.2.218 -j DROP

# drop rule that blocked an incoming connection from PC Lab
iptables -D FORWARD -s 192.168.2.218 -j DROP
 
I suppose that is one way to handle it with Wireshark; I do have a spare laptop I can use to do that.
Also, yeah, I was thinking about grepping the log file for ACCEPTED and handling it that way, shouldn't be that much work for a script to do that on off hours.
Apparently, the router has the netstat command, so, in theory, it should be possible to run that, and grep it for the unique IPs, then dump the IP addresses into a log file as well, just not sure of the performance hit that will be, since you must always keep that running.

Decisions, decisions. :)
Wireshark is pretty heavyweight for what you're doing. If you can, try tshark instead. It's a CLI-based version of Wireshark (a much more powerful tcpdump) that ships and builds as part of Wireshark. You can do all the same filtering, unique sorting and so on with that tool.
 