Short term packet logging to analyze network usage of a device

aploch

New Around Here
Hello, I have a cheap Chinese DVR for my security cameras that is sending every frame up to a server in the "clouds". nmap shows no open ports on the device, and I recently saw a lot of UDP traffic using Microsoft Message Analyzer when using their proprietary Windows app to monitor my cameras.

My ultimate goal is to intercept these frames somehow and re-serve them up using a standard like rtsp or something. One intermediary goal is to gain remote access to this DVR (they usually have ports 22, 23, and/or 80 open, but not this one). I don't want to digress too much, but if you're interested more in the actual details of that, I have a post on CCTV forums with more details...

Anywho... I'm wondering about a few things:

1) Is there more information I could readily access and analyze if I logged network information through the router it's using to talk to their servers?
2) Can Merlin dump this information out to a log (TCP, UDP, including [multi|uni|*]cast packets)?
3) Can SSL/HTTPS be analyzed unencrypted somehow (assuming they're using SSL - I assume I can't see the details)?

If the answer to #1 is yes but #2 is no, is there an alternative firmware that someone could recommend?

This would likely be a very short term test (a few minutes, at most) with only the one client on the network - so hardware-resource-wise this isn't an issue (I don't think). I would use an extra RT-AC3100 I have laying around for the testing.

Thank you
-Adam
 
Ill just throw it out there, in my opinion you should be restricting all WAN access to your DVR and cameras and use a VPN for remote access for viewing. Id never let a Chinese unknown brand name hardware get Internet access on my network.
 
Ill just throw it out there, in my opinion you should be restricting all WAN access to your DVR and cameras and use a VPN for remote access for viewing. Id never let a Chinese unknown brand name hardware get Internet access on my network.

This is what I'm trying to do - well, I'm trying to fool it into sending the data elsewhere where I can convert it to RTSP or HTTP/MJPG. The only way to view the video (besides with a physical monitor plugged into it) is with their proprietary app, which downloads each frame from the internet - regardless of the fact that they exist on the same LAN. So yes, my 8 channels of video from inside and outside of my house are going to a black box in China somewhere, probably being broadcast on a TV station watched by heathens and perverts.

It's doing a lot with UDP, which is making it kinda tricky to diagnose, but I was hoping I could get a little better handle on it if I tossed it on its own router with some pretty intense packet logging... Not sure if that's a thing or not though :)
 
Why? You can always capture all the data going out and see what it’s doing.
True, and for stuff inbound like SSH/Telnet (lol)/or HTTP this would obviously get caught by NAT, but it is still sending the commies mine (and thousands of others') video streams. They could probably watch half of the US live if they really wanted to.

My last DVR was also cheap, Chinese, and same firmware AFAIK as this one but much older and buggier - although it did support standard inbound connections and protocols/video streams. Since it had RTSP and HTTP/MJPG I locked that down for all outbound access. This new one can't be viewed at all without it going up to them and back down to me though. I have some cronjobs that run gstreamer and/or vlc at times to generate timelapses, etc., and I can't use those at all with this new DVR. That's my primary motivation and privacy is my secondary (in other words, if I had to capture the stream coming back to my PC and hack it that way, it would be sufficient, but they would still be getting my data and my secondary objective would be shot).
 
I don't know if it would be of any help to you, but there was another thread here in which someone wanted to mirror the packets being sent out by his weather station to a PC on his LAN. You can then use Wireshark to examine the data. That thread uncovered some bugs in the ROUTE and TEE functions but I believe they've been fixed in the current firmware.

Or maybe just install tcpdump on the router.
 
Entware has softflowd, which is an implementation of NetFlow - seems like a perfect solution...

Use that along with a Linux box (or Linux VM on a PC/Mac) using the nfdump tools (nfdump/nfcapd) to capture and analyze the data - one could even export out to a timeseries dashboard using something like InfluxDB and Grafana...
 
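Both the tcpdump/Wireshark suggestion and the softflowd/nfdump suggestion above end at the same question: which destinations and ports is the DVR pushing bytes to, and how much? The script below is an added example for this thread, not code from SNBForums, Asuswrt-Merlin, Entware or any poster. It reads a classic libpcap file (what `tcpdump -w` writes, whether captured on the router or on a PC receiving mirrored packets) with the Python standard library only and aggregates the DVR's outbound traffic per (protocol, destination, port), flagging what leaves the LAN, which is the same view a NetFlow collector would give. The DVR address 192.168.50.20, the LAN 192.168.50.0/24, the interface name in the assumed capture command and the embedded sample capture are all constructed for the demonstration.

```python
"""Summarize where a LAN host (e.g. the DVR) sends its traffic, from a pcap.

Added example, not code from the forum, the firmware or any poster. Reads
classic libpcap (what `tcpdump -w` writes) with the stdlib only, decodes
Ethernet/IPv4 with TCP or UDP, and aggregates outbound traffic per
(proto, destination, port). Addresses and the sample capture are constructed.

Assumed capture command on the router (interface and path will differ):
    tcpdump -i br0 -nn -s 0 -w /tmp/dvr.pcap host 192.168.50.20
"""
import ipaddress
import socket
import struct
import sys
from collections import defaultdict

PCAP_MAGIC_LE, PCAP_MAGIC_BE = 0xA1B2C3D4, 0xD4C3B2A1  # classic pcap, usec timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17
PROTO_NAMES = {PROTO_TCP: "tcp", PROTO_UDP: "udp"}


def parse_pcap(data):
    """Yield (ts, src, dst, proto, sport, dport, frame_len) for each IPv4 frame."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file (pcapng is not handled)")
    linktype = struct.unpack(endian + "HHiIII", data[4:24])[5]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet (linktype 1) captures are decoded")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        # Need Ethernet (14) + minimal IPv4 (20) to read addresses and protocol.
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        sport = dport = None
        l4 = 14 + ihl
        if proto in PROTO_NAMES and len(frame) >= l4 + 4:
            sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
        yield (ts_sec + ts_usec / 1e6, src, dst, proto, sport, dport, orig_len)


def summarize_flows(records, host, lan_cidr):
    """Aggregate frames sent by `host`, keyed (proto, dst, dport); flag LAN vs. off-LAN."""
    lan = ipaddress.ip_network(lan_cidr)
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0, "lan": None, "first": None, "last": None})
    for ts, src, dst, proto, _sport, dport, size in records:
        if src != host:  # inbound replies and other hosts are not counted
            continue
        f = flows[(PROTO_NAMES.get(proto, "other"), dst, dport)]
        f["packets"] += 1
        f["bytes"] += size
        f["lan"] = ipaddress.ip_address(dst) in lan
        f["first"] = ts if f["first"] is None else min(f["first"], ts)
        f["last"] = ts if f["last"] is None else max(f["last"], ts)
    return dict(flows)


def _frame(src, dst, proto, sport, dport, payload):
    """Build an Ethernet/IPv4/{UDP,TCP} frame for the constructed sample (checksums left zero)."""
    if proto == PROTO_UDP:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    else:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x10, 0, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip + l4 + payload


def build_sample_pcap():
    """Constructed capture: the DVR pushing UDP frames off-LAN, plus noise to ignore."""
    dvr, cloud, pc, gw = "192.168.50.20", "203.0.113.45", "192.168.50.10", "192.168.50.1"
    frames = [
        (0, _frame(dvr, cloud, PROTO_UDP, 34567, 9000, b"\x00" * 1200)),  # video push
        (1, _frame(dvr, cloud, PROTO_UDP, 34567, 9000, b"\x00" * 1200)),
        (2, _frame(cloud, dvr, PROTO_UDP, 9000, 34567, b"\x00" * 40)),    # reply, not counted
        (3, _frame(dvr, gw, PROTO_UDP, 123, 123, b"\x00" * 48)),           # NTP to the router
        (4, _frame(dvr, cloud, PROTO_TCP, 40001, 443, b"")),               # TLS control channel
        (5, _frame(pc, cloud, PROTO_TCP, 50000, 443, b"")),                # other host, not counted
    ]
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in frames:
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out


def report_lines(flows):
    """Human-readable rows, biggest flows first."""
    rows = []
    for (proto, dst, dport), f in sorted(flows.items(), key=lambda kv: -kv[1]["bytes"]):
        where = "LAN" if f["lan"] else "OFF-LAN"
        rows.append(f"{where:7} {proto:5} {dst}:{dport}  pkts={f['packets']}  bytes={f['bytes']}")
    return rows


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    host = sys.argv[2] if len(sys.argv) > 2 else "192.168.50.20"
    print("\n".join(report_lines(summarize_flows(parse_pcap(data), host, "192.168.50.0/24"))))
```

Run it with no arguments to see the constructed sample, or as `python3 dvrflows.py /tmp/dvr.pcap 192.168.50.20` against a real capture. Only outbound frames from the named host are counted, so the off-LAN rows are the destinations worth blocking at the router or feeding into nfdump/Grafana for a longer run; replies and other hosts are deliberately excluded so the DVR's own push traffic is not diluted. Note that the LAN check uses the explicit LAN prefix rather than a generic "private address" test, because reserved documentation ranges like the sample's 203.0.113.0/24 would otherwise be misclassified.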