
Earlier today I needed the quickest and easiest way to monitor all traffic to and from a specific device on my network. The goal was to measure how much bandwidth the device was using over a given period of time. My initial hope was that I could configure port monitoring on my WRT54G running DD-WRT firmware, but I quickly found out this is not an option. I eventually settled on adding a couple of iptables commands that send a copy of all traffic destined for or sourced from a specific IP address to another IP address. Follow the directions below to add the iptables commands to a router running DD-WRT firmware and then capture the mirrored traffic on a computer running Wireshark.

Configure Port Monitoring On WRT54G Running DD-WRT Firmware:

First off I want to be clear that this is not technically port monitoring but I have added it in this way so others searching for the same functionality as I was will be able to find this solution. This solution is not limited to a Linksys WRT54G nor to DD-WRT for that matter but the requirement would be that it is a router type device using iptables for firewall rules.

We will be adding two configuration lines to the router running DD-WRT. They tell iptables on the firewall to send a copy of all traffic to or from one specific IP address (the monitored device) to a second IP address (the monitoring host) in addition to delivering it normally. In this example the device we want to monitor has the IP address 192.168.1.77 and the listening/monitoring device has the IP address 192.168.1.97. The firewall, in this case DD-WRT, is running on 192.168.1.1. Now SSH to the router running DD-WRT firmware as root so you can enter the commands below from the CLI.

IPTables Commands To Add To DD-WRT Router To Monitor Traffic:

iptables -t mangle -A POSTROUTING -d 192.168.1.77 -j ROUTE --tee --gw 192.168.1.97
iptables -t mangle -A PREROUTING -s 192.168.1.77 -j ROUTE --tee --gw 192.168.1.97

When you enter each of the above commands via the DD-WRT router CLI they should return nothing, which indicates they were accepted. Make sure to change the IP addresses to the correct values for your environment: 192.168.1.77 should be changed to the device you want to monitor and 192.168.1.97 to the computer you are going to monitor from.
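As an added example (this is not code from the original post), the following Python helper builds the two mirror rules from the monitored and monitoring addresses, validates both with the ipaddress module so a dashed range or a typo is rejected before anything reaches the router, and adds or removes the rules idempotently. DD-WRT itself has no Python, so the rendered commands are what you would paste over SSH; apply_rules is meant for a Linux host that is itself the iptables router. It assumes an iptables that supports -C (check), which newer builds have but older firmware images may not; the runner parameter is injectable so the logic can be exercised without root.

```python
"""Build and apply iptables ROUTE --tee mirror rules (added example, not from the post)."""
import ipaddress
import shlex
import subprocess


def parse_target(text):
    """Accept a single host or a CIDR subnet for -s/-d.
    A dashed range is rejected: iptables does not understand it and the
    rule would not match what the user intended."""
    if "-" in text:
        raise ValueError("use CIDR (e.g. 192.168.1.0/24), not a dashed range: %s" % text)
    net = ipaddress.ip_network(text, strict=False)
    return str(net.network_address) if net.num_addresses == 1 else str(net)


def mirror_rules(monitored, monitor, action="-A"):
    """Return the two mangle-table rules that copy traffic to/from `monitored`
    to the capture host `monitor`. action is -A (append), -C (check) or -D (delete)."""
    if action not in ("-A", "-C", "-D"):
        raise ValueError("action must be -A, -C or -D")
    target = parse_target(monitored)
    gw = str(ipaddress.ip_address(monitor))  # --gw must be a single host, not a subnet
    return [
        ["iptables", "-t", "mangle", action, "POSTROUTING", "-d", target,
         "-j", "ROUTE", "--tee", "--gw", gw],
        ["iptables", "-t", "mangle", action, "PREROUTING", "-s", target,
         "-j", "ROUTE", "--tee", "--gw", gw],
    ]


def render(rules):
    """Shell-quoted command lines, ready to paste into the router's CLI."""
    return [shlex.join(r) for r in rules]


def apply_rules(monitored, monitor, remove=False, runner=subprocess.run):
    """Add (or remove) the mirror without duplicating it: each rule is
    checked with -C first, so re-running never appends a second copy.
    Returns one bool per rule: True when the desired state holds afterwards."""
    results = []
    checks = mirror_rules(monitored, monitor, "-C")
    changes = mirror_rules(monitored, monitor, "-D" if remove else "-A")
    for check, change in zip(checks, changes):
        present = runner(check).returncode == 0
        if (remove and present) or (not remove and not present):
            results.append(runner(change).returncode == 0)
        else:
            results.append(True)  # already in the desired state
    return results


if __name__ == "__main__":
    # Addresses from the post; change them for your own network.
    for line in render(mirror_rules("192.168.1.77", "192.168.1.97")):
        print(line)
```

Running the script prints the two commands exactly as they appear above; mirror_rules(..., "-D") produces the matching delete commands when the capture is finished.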

Configure Wireshark To Filter On IP Address Specific Packets Sent From Router:

  1. Launch Wireshark: If you do not already have Wireshark installed you can download it here and then follow the instructions to install. Once you do have Wireshark installed and click on it to launch the network protocol analyzer application the start screen will look similar to the below.

    Wireshark: Network Protocol Analyzer

  2. Configure Wireshark Filter: From the initial Wireshark start screen click on Capture in the top navigation and select Option from the drop down to display the Wireshark Capture Option window as displayed below.

    Wireshark Capture Options

    Before you begin the capture you are going to need the IP address of the device you are going to monitor and then you will need to configure the Wireshark filter. Click the Capture Filter button to display the Wireshark Capture Filter configuration window. Click on the filter labeled "IP Address 192.168.0.1", then modify it to the correct IP address of the device you are monitoring. In the example image below I had created a filter previously with the IP address I wanted to monitor.

    Wireshark Capture Filter Options

    Click the OK button after you have added the filter to return to the Wireshark Capture Options configuration window. The filter should now appear to the right of the Capture Filter button as something like "host 192.168.1.77".

  3. Start Wireshark Port Monitoring Capture: Now begin the capture by clicking the Start button. Traffic should already be mirrored to the monitoring computer and when you begin the capture you should see any packets sent to or from that device as displayed below for IP address 192.168.1.77.

    Wireshark: DD-WRT: Port Monitoring Capture Simulation

This should provide you any data you need including total bandwidth used or details about any packets sent to and from that device.
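Wireshark shows the packets, but the number the post set out to get is bandwidth over time. As an added example (not part of the original post), the following Python script applies the same selection as the capture filter "host 192.168.1.77" to a saved pcap and totals bytes on the wire per interval. It contains its own minimal classic-pcap reader (Ethernet link type only) and builds a small constructed capture inline so it runs offline; a real file saved from Wireshark or dumpcap can be passed in its place.

```python
"""Per-host bandwidth from a classic pcap file (added example, not from the post)."""
import socket
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4
ETH_IPV4 = 0x0800


def build_pcap(packets):
    """Serialise (timestamp, frame) pairs as a classic little-endian pcap.
    Only used here to construct the sample capture below."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for ts, frame in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def ipv4_frame(src, dst, payload_len):
    """Minimal Ethernet + IPv4 frame with a zero-filled payload (constructed sample data)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + b"\x00" * payload_len
    eth = b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", ETH_IPV4)
    return eth + ip


def iter_packets(data):
    """Yield (timestamp, frame) from pcap bytes, handling either byte order."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        order = "<"
    elif magic == 0xD4C3B2A1:
        order = ">"
    else:
        raise ValueError("not a classic pcap file")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack(order + "IIII", data[off:off + 16])
        off += 16
        yield sec + usec / 1e6, data[off:off + incl]
        off += incl


def host_bandwidth(data, host, interval=1.0):
    """Bytes to or from `host` per `interval` seconds, i.e. the packets the
    capture filter 'host <ip>' would select. Returns (total_bytes, {bucket_start: bytes})."""
    want = socket.inet_aton(host)
    buckets = defaultdict(int)
    total = 0
    for ts, frame in iter_packets(data):
        # Skip non-IPv4 frames and anything too short to carry an IPv4 header.
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
            continue
        src, dst = frame[26:30], frame[30:34]
        if want not in (src, dst):
            continue
        buckets[int(ts // interval) * interval] += len(frame)
        total += len(frame)
    return total, dict(buckets)


# Constructed sample capture: four frames involving 192.168.1.77 and one that is not.
SAMPLE_CAPTURE = build_pcap([
    (100.0, ipv4_frame("192.168.1.77", "8.8.8.8", 100)),      # 134 bytes on the wire
    (100.4, ipv4_frame("8.8.8.8", "192.168.1.77", 1000)),     # 1034 bytes
    (100.9, ipv4_frame("192.168.1.50", "192.168.1.1", 200)),  # other host, ignored
    (101.2, ipv4_frame("192.168.1.77", "192.168.1.1", 60)),   # 94 bytes
    (102.5, ipv4_frame("192.168.1.1", "192.168.1.77", 500)),  # 534 bytes
])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_CAPTURE
    total, per_second = host_bandwidth(data, "192.168.1.77")
    for start in sorted(per_second):
        print("%.0f s: %d bytes (%.1f kbit/s)" % (start, per_second[start], per_second[start] * 8 / 1000))
    print("total: %d bytes, peak %.1f kbit/s" % (total, max(per_second.values()) * 8 / 1000))
```

Run it with no arguments to see the constructed sample, or pass the path of a capture saved from Wireshark. Frame length is what the mirror actually delivered, so the totals match what the Statistics views in Wireshark report for the same filter; a pcapng file (Wireshark's newer default) would need to be saved as classic pcap first.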



8 Responses to “Use Wireshark And DD-WRT Router Firmware To Imitate Port Monitoring On A Router Switch Port”
  1. jeff says:

    Awesome. I was just looking for some way to do this the other day. Any idea if this should work if the monitor is connected via wifi? I believe everything is set up properly, but I don’t see any traffic. Cheers.

    [Reply]

    alex Reply:

    Hello jeff,

    It should work on a wired or wireless network as long as the devices are on the same subnet or broadcast domain. If you were able to resolve your issue we would love to hear what it is so others with the same issue could resolve their issues easily. Thanks for taking the time to leave feedback.

    Thanks.
    alex

    [Reply]

  2. Doug says:

    Two questions, how would you remove these rules? I’m assuming “-D” but not sure.

    I tried to do this for my whole network using a range and netmask, wireshark gets a lot of traffic compared to before but it doesn’t seem to pick up any actual http packets or traffic like when my ipod connects to its email server or google. Any thoughts on why it only seems to get non-http traffic using these rules?

    [Reply]

    alex Reply:

    Hello Doug,

    You should be able to delete using “-D” and then reload iptables if necessary. If you have issues there let me know and I can look into that.

    I haven’t tested for an entire range but it should work in a similar fashion. Could you post the rules that you used? Do you by chance have a different range for wired versus wireless? I have seen certain wireless routers that separate wired from wireless traffic by default so that may also be something to look into. I would be curious to see the rules though and the IP addresses of the devices you are having issues with. I would also wonder if you add a rule for each separate device if it works fine?

    Thanks.
    alex

    [Reply]

    Doug Reply:

    Didn’t try separate devices/IPs. I was basically wanting to tap any devices that attached to the network with DHCP (the eventual goal for me was to run an old PC with a simple geo-location of traffic in and out of the network displayed on an old monitor overlaid on Google Earth but we’ll see if it makes it that far).

    The rules that I tried were:

    iptables -t mangle -A POSTROUTING -d 192.168.x.x-192.168.y.y -j ROUTE --tee --gw 192.168.z.z
    iptables -t mangle -A PREROUTING -s 192.168.x.x-192.168.y.y -j ROUTE --tee --gw 192.168.z.z

    Where x is the first address in the range and y is the last address in the range and z is the static IP of my machine running wireshark.

    After doing a --list I can’t seem to find my rules in the tables but I’m not familiar enough with iptables to know if --list is the right command to be using. So I’m thinking that adding the rule with the dash and range of IPs didn’t work like I wanted it to.

    [Reply]

    alex Reply:

    Hello Doug,

    I would suggest adding the range by subnet such as instead of 192.168.x.x-192.168.y.y use 192.168.x.0/24 or if you are using more than a /24 for some reason then do 192.168.x.0/23 or 192.168.x.0/22 or similar.

    I suggest reading the iptables man page for detailed iptables information.

    Thanks.
    alex

    [Reply]

    Doug Reply:

    Also my DDWRT is setup with the wireless and wired networks using the same subnet, no isolation.

    [Reply]

    alex Reply:

    Hello Doug,

    I doubt this is an issue with DD-WRT but there are certain wireless routers that regardless of how they are set up split broadcast domains between wired and wireless networks on the same device. I have spent tons of time troubleshooting issues related to specific broadcast type traffic going from wireless to wired for instance. So just keep it in mind even though it should not be an issue since it is configured with DD-WRT.

    Thanks.
    alex

    [Reply]
