Short term packet logging to analyze network usage of a device

Discussion in 'Asuswrt-Merlin' started by aploch, Jan 23, 2019.

  1. aploch

    aploch New Around Here

    Joined:
    Jan 23, 2019
    Messages:
    3
    Hello, I have a cheap Chinese DVR for my security cameras that is sending every frame up to a server in the "clouds". nmap shows no open ports on the device, and I recently saw a lot of UDP traffic using Microsoft Message Analyzer when using their proprietary Windows app to monitor my cameras.

    My ultimate goal is to intercept these frames somehow and re-serve them up using a standard like rtsp or something. One intermediary goal is to gain remote access to this DVR (they usually have ports 22, 23, and/or 80 open, but not this one). I don't want to digress too much, but if you're interested more in the actual details of that, I have a post on CCTV forums with more details...

    Anywho... I'm wondering about a few things:

    1) Is there more information I could readily access and analyze if I logged network information through the router it's using to talk to their servers?
    2) Can Merlin dump this information out to a log (TCP, UDP, including [multi|uni|*]cast packets)?
    3) Can SSL/HTTPS be analyzed unencrypted somehow (assuming they're using SSL - I assume I can't see the details)?

    If the answer to #1 is yes but #2 is no, is there an alternative firmware that someone could recommend?

    This would likely be a very short term test (a few minutes, at most) with only the one client on the network - so hardware-resource-wise this isn't an issue (I don't think). I would use an extra RT-AC3100 I have laying around for the testing.

    Thank you
    -Adam
     
    Last edited: Jan 23, 2019
  2. Maverickcdn

    Maverickcdn Occasional Visitor

    Joined:
    Mar 14, 2018
    Messages:
    13
    I'll just throw it out there: in my opinion you should be restricting all WAN access to your DVR and cameras and using a VPN for remote access for viewing. I'd never let unknown-brand Chinese hardware get Internet access on my network.
     
  3. EventPhotoMan

    EventPhotoMan Senior Member

    Joined:
    Mar 29, 2018
    Messages:
    321
    Why? You can always capture all the data going out and see what it’s doing.
     
  4. aploch

    aploch New Around Here

    Joined:
    Jan 23, 2019
    Messages:
    3
    This is what I'm trying to do - well, I'm trying to fool it into sending the data elsewhere where I can convert it to RTSP or HTTP/MJPG. The only way to view the video (besides with a physical monitor plugged into it) is with their proprietary app, which downloads each frame from the internet - regardless of the fact that they exist on the same LAN. So yes, my 8 channels of video from inside and outside of my house are going to a black box in China somewhere, probably being broadcast on a TV station watched by heathens and perverts.

    It's doing a lot with UDP, which is making it kinda tricky to diagnose, but I was hoping I could get a little better handle on it if I tossed it on its own router with some pretty intense packet logging... Not sure if that's a thing or not though :)
     
  5. aploch

    aploch New Around Here

    Joined:
    Jan 23, 2019
    Messages:
    3
    True, and for stuff inbound like SSH/Telnet(lol)/or HTTP this would obviously get caught by NAT, but it is still sending the commies my (and thousands of others') video streams. They could probably watch half of the US live if they really wanted to.

    My last DVR was also cheap, Chinese, and same firmware AFAIK as this one but much older and buggier - although did support standard inbound connections and protocols/video streams. Since it had RTSP and HTTP/MJPG I locked that down for all outbound access. This new one can't be viewed at all without it going up to them and back down to me though. I have some cronjobs that run gstreamer and/or vlc at times to generate timelapses, etc. and I can't use those at all with this new DVR. That's my primary motivation and privacy is my secondary (in other words, if I had to capture the stream coming back to my PC and hack it that way, it would be sufficient, but they would still be getting my data and my secondary objective would be shot).
     
  6. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    7,548
    Location:
    UK
    I don't know if it would be of any help to you, but there was another thread here in which someone wanted to mirror the packets being sent out by his weather station to a PC on his LAN. You can then use Wireshark to examine the data. That thread uncovered some bugs in the ROUTE and TEE functions but I believe they've been fixed in the current firmware.

    Or maybe just install tcpdump on the router.
     
    Last edited: Jan 24, 2019
  7. sfx2000

    sfx2000 Part of the Furniture

    Joined:
    Aug 11, 2011
    Messages:
    13,788
    Location:
    San Diego, CA
    Entware has softflowd, which is an implementation of NetFlow - seems like a perfect solution...

    Use that along with a Linux box (or Linux VM on a PC/Mac) using the nfdump tools (nfdump/nfcapd) to capture and analyze the data - one could even export out to a timeseries dashboard using something like Influx and Grafana...
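
Added example, not part of any post in this thread: once a short capture of the DVR has been written to a file (for instance by tcpdump on the router, as suggested above), this sketch reduces it to the per-destination flow totals a NetFlow collector would report. It assumes a classic pcap file with Ethernet framing and IPv4 traffic; the function names, the device address and the sample packets are constructed for illustration.

```python
import socket
import struct
from collections import defaultdict

PROTO = {6: "tcp", 17: "udp"}
DEVICE = "192.168.1.50"  # constructed LAN address standing in for the DVR

def summarize_pcap(data, device_ip):
    """Map (proto, dst_ip, dst_port) -> [packets, ip_bytes] for traffic sent by device_ip."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if end is None or len(data) < 24:
        raise ValueError("not a classic pcap file")
    if struct.unpack(end + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    flows = defaultdict(lambda: [0, 0])
    off = 24
    while off + 16 <= len(data):
        incl = struct.unpack(end + "I", data[off + 8:off + 12])[0]  # captured length
        pkt = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
            continue  # truncated frame or not IPv4
        l4 = 14 + (pkt[14] & 0x0F) * 4  # IP header length comes from the IHL field
        total_len, frag = struct.unpack("!H2xH", pkt[16:22])
        proto, src, dst = pkt[23], socket.inet_ntoa(pkt[26:30]), socket.inet_ntoa(pkt[30:34])
        if src != device_ip or proto not in PROTO:
            continue
        # Later IP fragments carry no TCP/UDP header, so they are counted under port 0.
        first = (frag & 0x1FFF) == 0 and len(pkt) >= l4 + 4
        dport = struct.unpack("!H", pkt[l4 + 2:l4 + 4])[0] if first else 0
        flow = flows[(PROTO[proto], dst, dport)]
        flow[0] += 1
        flow[1] += total_len
    return dict(flows)

def _frame(src, dst, proto, dport, payload_len):
    # Constructed test frame: only the fields the parser reads are filled in.
    l4 = struct.pack("!HH", 40000, dport) + bytes(payload_len)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return bytes(12) + b"\x08\x00" + ip + l4

def build_sample():
    # Constructed capture: 3 UDP uploads, 1 TCP packet, 1 inbound reply (ignored).
    frames = [_frame(DEVICE, "203.0.113.10", 17, 8000, 1000)] * 3
    frames += [_frame(DEVICE, "198.51.100.7", 6, 443, 56), _frame("203.0.113.10", DEVICE, 17, 40000, 8)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out
```

On a real capture, pass the file's bytes and the DVR's LAN address to `summarize_pcap`; sorting the result by byte count shows which remote endpoint and port is receiving the video.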