Monitoring Web Usage with Asuswrt-Merlin


Thanks a lot for posting this! I do have one issue, I can't seem to run the showwebmon.sh script as a script. If I enter the commands from showwebmon.sh one line at a time, including the while loop, I do get the same output you show in your example. However, I am not able to execute the script itself.

Here is what I get when I try to run the script:
Code:
admin01@RT-AC68U-2D18:/jffs/scripts# ls -l
-rwxr-xr-x    1 admin01  root           304 Mar 15 10:33 firewall-start
-rwxr-xr-x    1 admin01  root           448 Mar 15 11:38 showwebmon.sh
admin01@RT-AC68U-2D18:/jffs/scripts# showwebmon.sh
-sh: showwebmon.sh: not found
admin01@RT-AC68U-2D18:/jffs/scripts# /jffs/scripts/showwebmon.sh
-sh: /jffs/scripts/showwebmon.sh: not found
admin01@RT-AC68U-2D18:/jffs/scripts# sh showwebmon.sh
': No such file or directoryn_recent_domains
showwebmon.sh: line 12: syntax error: unexpected "done" (expecting "do")
admin01@RT-AC68U-2D18:/jffs/scripts#

I'm not sure what the problem is because the commands do work when typed in manually. In the router's config I have jffs enabled as well as "enable jffs custom scripts and configs". I must be overlooking something obvious. Any ideas?

The execution path ($PATH) doesn't include the /jffs/scripts/ folder.

If you have /jffs/scripts/ as the current folder, try typing ./showwebmon.sh as that should work.

The error you got when using "sh showwebmon.sh" looks like a syntax error in the script itself; perhaps an extra line feed or carriage control. What editor did you use to create the script? What does the script look like when you "cat showwebmon.sh"?
 

Hey ScottW, thanks for replying.

I used notepad++ to create the script file, then uploaded it with winscp, then used chmod to make it executable.
Code:
admin01@RT-AC68U-2D18:/jffs/scripts# ./showwebmon.sh
-sh: ./showwebmon.sh: not found
admin01@RT-AC68U-2D18:/jffs/scripts# cat showwebmon.sh
#!/bin/sh
# Reformat the webmon output to convert epoch date to general date string
domains="/proc/webmon_recent_domains"
dsort="/tmp/dsort.tmp"
cat $domains | sort > $dsort
while read webdate webip hostname
do
  webdate=$(date -d @$webdate)
  #webdate=${webdate//GMT $(date +"%Y")/} # exclude year in output
  webdate=${webdate//GMT /}  # include year in output
  echo -e "$webdate \t$webip \t$hostname"
done < $dsort
rm $dsort
exit 0admin01@RT-AC68U-2D18:/jffs/scripts#
 

If somehow it got into the wrong format cat won't show it....what happens if you open the script in vi? Any ^M characters?
 

Yep, that was the problem. Before I even checked the original scripts I saved in notepad++ I just re-wrote them in-shell using Vi and they worked perfectly. Checking the other scripts shows ^M at the end of every line. Kind of annoying, I figured notepad++ would account for that if the language was set to Shell. I even tried changing the encoding in notepad++ but that did not help either. Thanks for the excellent script example, btw.
 
This has been working great for me so far. Thanks a ton to everyone who contributed.

I was wondering if there is a way to use ipt_webmon and iptables to capture the full URL of websites or links instead of just the domain itself.
 

You should look for settings in WinSCP to use ASCII transfer mode, since it uploads the script to the router, not Notepad++.
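An added example (not part of any post above) of the check this exchange arrives at: a file saved with Windows CRLF endings has the shebang `#!/bin/sh` followed by a carriage return, so the kernel looks for an interpreter named `/bin/sh\r` and the shell reports "not found". The function names are hypothetical; `/jffs/scripts` is the directory from the thread.

```sh
#!/bin/sh
# Added example: find and repair CRLF line endings in router scripts.
# Function names are hypothetical; /jffs/scripts is the directory from the thread.

# Return 0 if the file contains a carriage return (shown as ^M in vi).
has_cr() {
    cr=$(printf '\r')
    grep -q "$cr" "$1"
}

# Return 0 if the file is non-empty and does not end with a newline
# (the reason the prompt appears right after "exit 0" in the cat output).
lacks_final_newline() {
    [ -s "$1" ] && [ -n "$(tail -c 1 "$1")" ]
}

# Rewrite the file with LF endings and a final newline.
# Writing back with "cat >" keeps the original mode bits (the chmod +x).
fix_script() {
    tmp="$1.tmp.$$"
    tr -d '\r' < "$1" > "$tmp" || return 1
    [ -z "$(tail -c 1 "$tmp")" ] || echo >> "$tmp"
    cat "$tmp" > "$1" && rm -f "$tmp"
}

# Print one line per problem found in the regular files of a directory.
check_scripts() {
    dir="${1:-/jffs/scripts}"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        has_cr "$f" && printf '%s: CR line endings\n' "$f"
        lacks_final_newline "$f" && printf '%s: no newline at end of file\n' "$f"
    done
    return 0
}

# Usage on the router: sh thisfile check [directory]
if [ "${1:-}" = "check" ]; then
    check_scripts "${2:-/jffs/scripts}"
fi
```

Run `fix_script /jffs/scripts/showwebmon.sh` on any file the check reports, then run the check again.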
 
Ok, I need some help with a script for my Asus router.

Using the information in this thread, I have successfully set up the web activity monitor. I wrote a daily maintenance script which converts everything in /proc/webmon_recent_domains to a readable format, copies it to my USB drive, flushes the iptables and then reboots the router. My problem is, it's only doing the first two tasks. I can run the "shutdown" "init 6" or "halt" command from the shell and it works just fine. I can also run "iptables --flush" without issue. Running them from the script is not working. Can someone please steer me in the right direction?
 
Is there a particular reason you are doing a flush/reboot (doing a reboot will reset the tables)? If you post your script, we may be able to help out.
 
After converting/logging everything in /proc/webmon_recent_domains, I want to wipe the contents so I don't get duplicates the next time I append to my logs. Since this isn't a real file, I was trying to use the "iptables --flush" and then reboot to accomplish it.

The two lines in my "firewall-start" script that aren't working are:

iptables --flush
reboot

I've tried using the full path and sudo to no avail.

If you know of an easier way to wipe the contents of "webmon_recent_domains", that would be extremely useful to me. I'm not well versed with the iptables command.
 
I'm working on something else right now, so can't test it....but try this....

iptables -t filter -I web_monitor -p tcp -m webmon --clear_search --clear_domain
iptables -t filter -D web_monitor -p tcp -m webmon --clear_search --clear_domain

You may need to add a sleep command between the lines to give it time to process.
 
Here are the commands I used to enable web monitoring:
Code:
iptables -t filter -N web_monitor
iptables -t filter -I FORWARD -o eth0 -j web_monitor
iptables -A web_monitor -p tcp -m webmon --max_domains 2000 --max_searches 2000

I ran the first command you suggested, and it did clear the contents of /proc/webmon_recent_domains. I ran the second command and got "iptables: Bad rule (does a matching rule exist in that chain?)".

Here's what "iptables --list" returns after running your commands:
Code:
Chain INPUT (policy ACCEPT)
target  prot opt source  destination 
DROP  all  --  anywhere  anywhere  state INVALID
ACCEPT  all  --  anywhere  anywhere  state RELATED,ESTABLISHED
ACCEPT  all  --  anywhere  anywhere  state NEW
ACCEPT  all  --  anywhere  anywhere  state NEW
ACCEPT  udp  --  anywhere  anywhere  udp spt:bootps dpt:bootpc
DROP  all  --  anywhere  anywhere 

Chain FORWARD (policy DROP)
target  prot opt source  destination 
web_monitor  all  --  anywhere  anywhere 
ipttolan  all  --  anywhere  anywhere 
iptfromlan  all  --  anywhere  anywhere 
ACCEPT  all  --  anywhere  anywhere  state RELATED,ESTABLISHED
DROP  all  --  anywhere  anywhere 
DROP  all  --  anywhere  anywhere  state INVALID
ACCEPT  all  --  anywhere  anywhere 
DROP  icmp --  anywhere  anywhere 
ACCEPT  all  --  anywhere  anywhere  ctstate DNAT
ACCEPT  all  --  anywhere  anywhere 

Chain OUTPUT (policy ACCEPT)
target  prot opt source  destination 

Chain FUPNP (0 references)
target  prot opt source  destination 
ACCEPT  udp  --  anywhere  PQ  udp dpt:55523
ACCEPT  udp  --  anywhere  Aimee-Laptop  udp dpt:56216
ACCEPT  udp  --  anywhere  PQ  udp dpt:58499
ACCEPT  udp  --  anywhere  PQ  udp dpt:62999
ACCEPT  udp  --  anywhere  PQ  udp dpt:56717

Chain PControls (0 references)
target  prot opt source  destination 
ACCEPT  all  --  anywhere  anywhere 

Chain iptfromlan (1 references)
target  prot opt source  destination 
RETURN  all  --  anywhere  anywhere  account: network/netmask: 192.168.1.0/255.255.255.0 name: lan

Chain ipttolan (1 references)
target  prot opt source  destination 
RETURN  all  --  anywhere  anywhere  account: network/netmask: 192.168.1.0/255.255.255.0 name: lan

Chain logaccept (0 references)
target  prot opt source  destination 
LOG  all  --  anywhere  anywhere  state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `ACCEPT '
ACCEPT  all  --  anywhere  anywhere 

Chain logdrop (0 references)
target  prot opt source  destination 
LOG  all  --  anywhere  anywhere  state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `DROP '
DROP  all  --  anywhere  anywhere 

Chain web_monitor (1 references)
target  prot opt source  destination 
  tcp  --  anywhere  anywhere  WEBMON --max_domains 300 --max_searches 300
  tcp  --  anywhere  anywhere  WEBMON --max_domains 2000 --max_searches 2000

If you look at the last chain, it looks like it added another entry with 300 as the max domains/searches. That must be the default setting after it clears. I tried deleting the rule with "iptables -t filter -D web_monitor -p tcp -m webmon --clear_search --clear_domain" but it threw "bad rule".

I tried the same command, replacing "--clear_search --clear_domain" with "--max_domains 300 --max_searches 300", but it still wouldn't remove it and threw "bad rule".

I wonder if "iptables --flush web_monitor" would work? I'm at work right now, maybe I'll try that when I get home.

Hope the extra info helps, thanks for your time!
 
Half way there....it did clear it!:)

Try this sequence (assuming you made the firewall-start script with the first set of startup commands)

iptables -t filter -I web_monitor -p tcp -m webmon --clear_search --clear_domain
service restart_firewall
 

Running those two commands at the shell prompt works brilliantly! However, they will not execute via script. I have even tried supplying the full path to "iptables" and "service".
 
90% there :)

How are you editing your script? Double check by opening the script on the router in vi and check that the lines aren't corrupted (contain a ^M character).
 
Had to ask the easy question first.....

How are you calling your script? Are you using Merlin's scripting capability? with a cron job? I know both iptables and service commands work in scripts as I've used them. We may be at the point where you need to post your script to get some additional eyes on it.
 

Yes, I'm using a cron to execute my daily.sh script. Everything in the script runs fine except the "iptables" and "service" commands.

Here's my daily.sh script:
Code:
#!/bin/sh
# Reformat the webmon output to convert epoch date to general date string
domains="/proc/webmon_recent_domains"
dsort="/tmp/dsort.tmp"
cat $domains | sort > $dsort

while read webdate webip hostname
do
  webdate=$(date -d @$webdate)
  #webdate=${webdate//GMT $(date +"%Y")/} # exclude year in output
  webdate=${webdate//GMT /}  # include year in output
  echo -e "$webdate \t$webip \t$hostname" >> /tmp/mnt/sda1/logs/domain.log
  done < $dsort
  rm $dsort
  exit 0

# Clear webmon filter

iptables -t filter -I web_monitor -p tcp -m webmon --clear_search --clear_domain
sleep 3
service restart_firewall

Here's my firewall-start script:
Code:
#!/bin/sh

# Enable webmon monitoring
  if [ -z "$(iptables -n -L FORWARD | grep 'web_monitor')" ]; then
  modprobe ipt_webmon
  iptables -t filter -N web_monitor
  iptables -t filter -I FORWARD -o eth0 -j web_monitor
  iptables -A web_monitor -p tcp -m webmon --max_domains 2000 --max_searches 2000
  fi

# Add crons

cru a dailymaint "0 0 * * *" /jffs/scripts/daily.sh
 

You need to take the 'exit 0' out of the script segment I posted :)
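An added example, not the poster's script: the daily job restructured so that nothing exits before the clear step, and the webmon list is cleared only after the log append succeeded. Function names, the `WEBMON_*` variables and the UTC date format are assumptions; the paths and the iptables/service commands are those quoted in the thread.

```sh
#!/bin/sh
# Added example: log webmon entries, then clear the list only on success.
# WEBMON_* variables and function names are assumptions made for this sketch.

WEBMON_SRC="${WEBMON_SRC:-/proc/webmon_recent_domains}"
WEBMON_LOG="${WEBMON_LOG:-/tmp/mnt/sda1/logs/domain.log}"

# Read "epoch ip hostname" lines on stdin, oldest first, and print
# "date<TAB>ip<TAB>hostname". Dates are printed in UTC (an assumption;
# the thread's script prints local time).
format_webmon() {
    sort -n | while read -r webdate webip hostname; do
        # Skip blank or malformed lines: the first field must be all digits.
        case "$webdate" in ''|*[!0-9]*) continue ;; esac
        printf '%s\t%s\t%s\n' \
            "$(date -u -d "@$webdate" '+%Y-%m-%d %H:%M:%S')" "$webip" "$hostname"
    done
}

# Clear webmon's lists with the command sequence given in the thread.
clear_webmon() {
    iptables -t filter -I web_monitor -p tcp -m webmon --clear_search --clear_domain
    sleep 3
    service restart_firewall
}

# Append the formatted entries to the log. If the log directory is missing
# (USB drive not mounted) or the write fails, return before clearing so
# no entries are lost.
daily_maint() {
    [ -d "$(dirname "$WEBMON_LOG")" ] || return 1
    format_webmon < "$WEBMON_SRC" >> "$WEBMON_LOG" || return 1
    "${WEBMON_CLEAR:-clear_webmon}"
}

# Usage from cron on the router: /jffs/scripts/daily.sh run
if [ "${1:-}" = "run" ]; then
    daily_maint
fi
```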
 
Hello All
As I wrote in the main fork thread, I tried everything to get webmon working on my RT-N66U.
Still unable to find a reason why it could not work.
It runs smoothly without any problem, either starting in firewall-start or entering commands manually.
I disabled every "optional" service on my router, disabled every possible startup of packages.
NAT is disabled. VPN client is configured but not active.
But whatever I try, I always get no data...

cat /proc/webmon_recent_domains | wc -l
always returns 0

Here is my latest iptables list. I cannot see anything wrong there, but if someone could take a look, please let me know if you see a possible reason for webmon not working.

Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination      
ACCEPT     all  --  anywhere             anywhere         
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
ACCEPT     all  --  anywhere             anywhere         
ACCEPT     udp  --  anywhere             anywhere            udp dpt:https
logdrop    all  --  anywhere             anywhere            state INVALID
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            state NEW
ACCEPT     all  --  anywhere             anywhere            state NEW
ACCEPT     udp  --  anywhere             anywhere            udp spt:bootps dpt:bootpc
logdrop    all  --  anywhere             anywhere         

Chain FORWARD (policy DROP)
target     prot opt source               destination      
monitor    all  --  anywhere             anywhere         
ipttolan   all  --  anywhere             anywhere         
iptfromlan  all  --  anywhere             anywhere         
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT     all  --  anywhere             anywhere         
ACCEPT     all  --  anywhere             anywhere         
logdrop    all  --  anywhere             anywhere            state INVALID
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
logdrop    all  --  anywhere             anywhere         
ACCEPT     all  --  anywhere             anywhere         
DROP       icmp --  anywhere             anywhere         
ACCEPT     tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5
ACCEPT     tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request limit: avg 1/sec burst 5
ACCEPT     all  --  anywhere             anywhere            ctstate DNAT
ACCEPT     all  --  anywhere             anywhere         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination      

Chain FUPNP (0 references)
target     prot opt source               destination      

Chain PControls (0 references)
target     prot opt source               destination      
ACCEPT     all  --  anywhere             anywhere         

Chain iptfromlan (1 references)
target     prot opt source               destination      
RETURN     all  --  anywhere             anywhere            account: network/netmask: 192.168.50.0/255.255.255.0 name: lan
RETURN     all  --  anywhere             anywhere            account: network/netmask: 192.168.50.0/255.255.255.0 name: lan
RETURN     all  --  anywhere             anywhere            account: network/netmask: 192.168.50.0/255.255.255.0 name: lan

Chain ipttolan (1 references)
target     prot opt source               destination      
RETURN     all  --  anywhere             anywhere            account: network/netmask: 192.168.50.0/255.255.255.0 name: lan
RETURN     all  --  anywhere             anywhere            account: network/netmask: 192.168.50.0/255.255.255.0 name: lan
RETURN     all  --  anywhere             anywhere            account: network/netmask: 192.168.50.0/255.255.255.0 name: lan

Chain logaccept (0 references)
target     prot opt source               destination      
LOG        all  --  anywhere             anywhere            state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `ACCEPT '
ACCEPT     all  --  anywhere             anywhere         

Chain logdrop (4 references)
target     prot opt source               destination      
LOG        all  --  anywhere             anywhere            state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `DROP '
DROP       all  --  anywhere             anywhere         

Chain monitor (1 references)
target     prot opt source               destination      
LOG        all  --  anywhere             anywhere            state NEW LOG level info prefix `webmon'
           tcp  --  anywhere             anywhere            WEBMON --max_domains 2000 --max_searches 2000

Thanks for your attention and for any help

BR
ocraM
 