Earlier today I needed the quickest and easiest way to monitor all traffic to and from a specific device on my network. The goal was to see how much bandwidth the device was using over a given period of time. My first hope was to configure port monitoring (port mirroring) on my WRT54G running DD-WRT firmware, but I quickly found that this is not an option in the web interface. I eventually settled on two iptables rules that make the router send a copy of every packet destined for, or sourced from, a specific IP address to another IP address. Follow the directions below to add the iptables rules to a router running DD-WRT firmware and then capture the mirrored traffic on a computer running Wireshark.
Configure Port Monitoring On WRT54G Running DD-WRT Firmware:
First off, I want to be clear that this is not technically port monitoring (a mirror or SPAN port), but I have titled it this way so that others searching for the same functionality I was will find this solution. The solution is not limited to a Linksys WRT54G, nor to DD-WRT for that matter; the requirement is that the router is a Linux device using iptables for its firewall rules and that its iptables build includes the ROUTE target with the --tee option. ROUTE is an out-of-tree extension that DD-WRT builds in; mainline iptables provides the same packet-cloning behaviour as the TEE target (-j TEE --gateway <ip>), so on a stock Linux box substitute that.
We will add two rules to the mangle table of iptables on the DD-WRT router. They tell the kernel to send a copy (--tee) of every packet to or from one specific IP address to a second IP address as well, while the original packet continues on its normal path. In this example the device we want to monitor has the IP address 192.168.1.77, the listening/monitoring computer has 192.168.1.97, and the router running DD-WRT is 192.168.1.1. SSH to the router as root so you can enter the commands below at the CLI. Rules entered over SSH do not survive a reboot; to make them permanent, paste the same two lines into Administration -> Commands in the DD-WRT web interface and click Save Firewall.
IPTables Commands To Add To DD-WRT Router To Monitor Traffic:
- iptables -t mangle -A POSTROUTING -d 192.168.1.77 -j ROUTE --tee --gw 192.168.1.97 (copies packets going to the monitored device)
- iptables -t mangle -A PREROUTING -s 192.168.1.77 -j ROUTE --tee --gw 192.168.1.97 (copies packets coming from the monitored device)
Each command should return nothing when entered at the DD-WRT CLI; no output means the rule was accepted. Verify with "iptables -t mangle -L -n -v": you should see a ROUTE line in PREROUTING for the source match and one in POSTROUTING for the destination match, and their packet counters should climb while the device is active. Change the addresses to suit your network: 192.168.1.77 is the device you want to monitor and 192.168.1.97 is the computer you will monitor from. Two limitations to keep in mind: the rules only see packets that pass through the router's IP stack, so you get the device's traffic to and from the Internet (and anything else the router routes), not conversations switched directly between two LAN ports; and if the -s/-d matches miss traffic you expect (several commenters below saw only non-HTTP packets), drop the -s and -d matches to mirror everything the router forwards and filter by host in Wireshark instead.
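As an added example (not code from the original post), the two rules above wrapped in a small script that adds, deletes and lists them consistently, so the delete always matches what was added. It runs in DD-WRT's busybox shell over SSH or from Administration -> Commands. The MONITORED and MONITOR defaults are the post's example addresses; IPTABLES, TARGET and the function names are assumptions of this example. Setting IPTABLES=echo dry-runs on a machine without iptables, TARGET=TEE switches to the mainline TEE target, and MONITORED=0.0.0.0/0 mirrors everything the router forwards, which is the workaround Lino describes in the comments.

```shell
#!/bin/sh
# Added example, not the post's own code: manage the mirror rules as a script.
# Assumptions: the router's iptables has either the ROUTE target (--tee, as in
# the post) or the mainline TEE target; IPTABLES=echo gives a dry run.

MONITORED="${MONITORED:-192.168.1.77}"  # device to watch (post's example address)
MONITOR="${MONITOR:-192.168.1.97}"      # computer running Wireshark (post's example)
IPTABLES="${IPTABLES:-iptables}"
TARGET="${TARGET:-ROUTE}"               # ROUTE (DD-WRT) or TEE (mainline iptables)

# Target clause: both targets clone the packet and hand the copy to MONITOR's
# MAC address while the original continues on its normal route.
mirror_target() {
    case "$TARGET" in
        TEE)   echo "-j TEE --gateway $MONITOR" ;;
        ROUTE) echo "-j ROUTE --tee --gw $MONITOR" ;;
        *)     echo "unknown TARGET $TARGET" >&2; return 1 ;;
    esac
}

# One rule per direction. Building the same text for add and delete means -D
# always matches what -A installed. MONITORED=0.0.0.0/0 mirrors everything
# the router forwards so you can filter by host in Wireshark instead.
mirror_rule() {
    t=$(mirror_target) || return 1
    case "$1" in
        from) echo "PREROUTING -s $MONITORED $t" ;;
        to)   echo "POSTROUTING -d $MONITORED $t" ;;
        *)    echo "unknown direction $1" >&2; return 1 ;;
    esac
}

# $1 is -A (append) or -D (delete); applies both directions or fails early.
apply_mirror() {
    op="$1"
    for dir in from to; do
        rule=$(mirror_rule "$dir") || return 1
        # word-splitting $rule into separate iptables arguments is intended
        "$IPTABLES" -t mangle "$op" $rule || return 1
    done
}

mirror_add()    { apply_mirror -A; }
mirror_delete() { apply_mirror -D; }
mirror_show()   {
    "$IPTABLES" -t mangle -L PREROUTING -n -v
    "$IPTABLES" -t mangle -L POSTROUTING -n -v
}

# Usage: sh mirror.sh add | delete | show
case "${1:-}" in
    add)    mirror_add ;;
    delete) mirror_delete ;;
    show)   mirror_show ;;
esac
```

Because the rule text is generated once and reused, "delete" answers the question raised in the comments about removing the rules: it is the same line with -D in place of -A. Check the counters in "show" while the device is busy; if they stay at zero the traffic is not crossing the router's IP stack.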
Configure Wireshark To Filter On IP Address Specific Packets Sent From Router:
- Launch Wireshark: If you do not already have Wireshark installed, download it from the Wireshark site and follow the installation instructions. Once it is installed, launch the network protocol analyzer; the start screen will look similar to the one shown below.
- Configure Wireshark Filter: From the initial Wireshark start screen click Capture in the top navigation and select Options from the drop-down to display the Wireshark Capture Options window shown below.
Before you begin the capture you will need the IP address of the device you are going to monitor so you can configure the Wireshark capture filter. Click the Capture Filter button to display the Wireshark Capture Filter configuration window. Click the preset filter labeled "IP Address 192.168.0.1" and change it to the IP address of the device you are monitoring. In the example image below I had previously created a filter with the IP address I wanted to monitor.
Click the OK button after you have added the filter to return to the Wireshark Capture Options window. The filter should now appear to the right of the Capture Filter button as something like "host 192.168.1.77".
- Start Wireshark Port Monitoring Capture: Now begin the capture by clicking the Start button. Traffic is already being mirrored to the monitoring computer, so once the capture starts you should see every packet sent to or from that device, as displayed below for IP address 192.168.1.77.
This should give you the data you need, including total bandwidth used (Statistics -> Conversations, or Statistics -> IO Graph to see usage over time) and the details of any packet sent to or from the device. One caveat for the monitoring computer: the mirrored copies are delivered to its MAC address but still carry the original source and destination IP addresses, so IP forwarding must be off on that computer; otherwise it will route the copies back onto the LAN and the router will mirror them again. Also remember that these two rules are a wiretap that anyone with root on the router can point at any host, so keep the router's admin password and SSH access locked down.
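As an added example (not part of the original post), the bandwidth question from the introduction answered from the command line with tshark, Wireshark's CLI, instead of the GUI: the same "host" capture filter as above plus tshark's io,stat table, and a parser that turns the table into kbit/s per interval. It assumes tshark is installed on the monitoring computer; the addresses are the post's examples, the interface name eth0, the function names and the sample table are assumptions of this example (the table is constructed, not a real capture).

```shell
#!/bin/sh
# Added example, not the post's own code: per-interval bandwidth of the
# mirrored device from tshark's io,stat output. Assumes tshark is installed.

MONITORED="${MONITORED:-192.168.1.77}"  # device being mirrored (post's example)
INTERVAL="${INTERVAL:-60}"              # seconds per bucket

# The live capture command: same BPF filter as the post's Wireshark capture
# filter, quiet mode, and an io,stat table every INTERVAL seconds. Replace
# "-i eth0" with "-r capture.pcap" to summarise a saved capture instead.
tshark_iostat_cmd() {
    printf 'tshark -i %s -f "host %s" -q -z io,stat,%s\n' "${1:-eth0}" "$MONITORED" "$INTERVAL"
}

# Turn tshark's io,stat table (on stdin) into "start end bytes kbit/s" rows.
# Interval rows look like "|  60 <> 120  |  310 | 450000 |". The last bucket
# can be shorter than INTERVAL, so the rate uses each row's own span.
iostat_to_kbps() {
    awk -F'|' '
        $2 ~ /<>/ {
            split($2, r, "<>")
            start = r[1] + 0; end = r[2] + 0
            bytes = $4 + 0
            secs = end - start
            if (secs <= 0) next
            printf "%d %d %d %.1f\n", start, end, bytes, bytes * 8 / secs / 1000
        }'
}

# Peak kbit/s over all rows: the one number for "how much bandwidth did it use".
peak_kbps() {
    iostat_to_kbps | awk '{ if ($4 > max) max = $4 } END { printf "%.1f\n", max + 0 }'
}

# Constructed sample of what "tshark -q -z io,stat,60" prints (not a real capture).
SAMPLE_IOSTAT=$(cat <<'EOF'
===================================================================
| IO Statistics                                                   |
|                                                                 |
| Duration: 150.0 secs                                            |
| Interval:  60 secs                                              |
|                                                                 |
| Col 1: Frames and bytes                                         |
|-----------------------------------------------------------------|
|              |1                |
| Interval     | Frames |  Bytes |
|-----------------------------------------------------------------|
|   0 <>  60   |    120 |  90000 |
|  60 <> 120   |    310 | 450000 |
| 120 <> 150   |     40 |  15000 |
===================================================================
EOF
)

# Usage, live or against the sample:
#   eval "$(tshark_iostat_cmd eth0)" | iostat_to_kbps
#   printf '%s\n' "$SAMPLE_IOSTAT" | peak_kbps
```

The capture filter keeps tshark from counting the monitoring computer's own traffic, which matters because the mirrored copies and the host's normal packets arrive on the same interface. Bytes are counted at the frame level, so the figures include Ethernet headers, the same as Wireshark's IO Graph.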
Awesome. I was just looking for some way to do this the other day. Any idea if this should work if the monitor is connected via wifi? I believe everything is set up properly, but I don’t see any traffic. Cheers.
Hello jeff,
It should work on a wired or wireless network as long as the devices are on the same subnet or broadcast domain. If you were able to resolve your issue we would love to hear what it is so others with the same issue could resolve their issues easily. Thanks for taking the time to leave feedback.
Thanks.
alex
Two questions, how would you remove these rules? I’m assuming “-D” but not sure.
I tried to do this for my whole network using a range and netmask. Wireshark gets a lot of traffic compared to before, but it doesn’t seem to pick up any actual HTTP packets or traffic like when my iPod connects to its email server or Google. Any thoughts on why it only seems to get non-HTTP traffic using these rules?
Hello Doug,
You should be able to delete using “-D” and then reload iptables if necessary. If you have issues there let me know and I can look into that.
I haven’t tested for an entire range but it should work in a similar fashion. Could you post the rules that you used? Do you by chance have a different range for wired versus wireless? I have seen certain wireless routers that separate wired from wireless traffic by default so that may also be something to look into. I would be curious to see the rules though and the IP addresses of the devices you are having issues with. I would also wonder if you add a rule for each separate device if it works fine?
Thanks.
alex
Didn’t try separate devices/IPs. I was basically wanting to tap any devices that attached to the network with DHCP (the eventual goal for me was to run an old PC with a simple geo-location of traffic in and out of the network displayed on an old monitor, overlaid on Google Earth, but we’ll see if it makes it that far).
The rules that I tried were:
iptables -t mangle -A POSTROUTING -d 192.168.x.x-192.168.y.y -j ROUTE --tee --gw 192.168.z.z
iptables -t mangle -A PREROUTING -s 192.168.x.x-192.168.y.y -j ROUTE --tee --gw 192.168.z.z
Where x is the first address in the range and y is the last address in the range and z is the static IP of my machine running wireshark.
After doing a --list I can’t seem to find my rules in the tables, but I’m not familiar enough with iptables to know if --list is the right command to be using. So I’m thinking that adding the rule with the dash and range of IPs didn’t work like I wanted it to.
Hello Doug,
I would suggest adding the range by subnet such as instead of 192.168.x.x-192.168.y.y use 192.168.x.0/24 or if you are using more than a /24 for some reason then do 192.168.x.0/23 or 192.168.x.0/22 or similar.
I suggest reading the iptables man page for detailed iptables information.
Thanks.
alex
Also my DDWRT is setup with the wireless and wired networks using the same subnet, no isolation.
Hello Doug,
I doubt this is an issue with DD-WRT but there are certain wireless routers that regardless of how they are set up split broadcast domains between wired and wireless networks on the same device. I have spent tons of time troubleshooting issues related to specific broadcast type traffic going from wireless to wired for instance. So just keep it in mind even though it should not be an issue since it is configured with DD-WRT.
Thanks.
alex
Hi Alex.
What DD-WRT version did you use?
I tried it in v24-sp1 (07/27/08) std (SVN revision 10011)
and it doesn’t work.
iptables doesn’t return any error when issuing both commands, but it doesn’t work.
moreover the tables are empty…
root@WRT160N:/usr/sbin# iptables -t mangle -A POSTROUTING -d 192.168.1.200 -j ROUTE --tee --gw 192.168.1.110
root@WRT160N:/usr/sbin# iptables -t mangle -A PREROUTING -s 192.168.1.200 -j ROUTE --tee --gw 192.168.1.110
root@WRT160N:/usr/sbin# iptables -t mangle -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Do you have any hint?
Thanks, Lino
Hello Lino,
Unfortunately I don’t remember the exact version to be honest. It looks as if you are doing everything properly. I did just try the exact same thing again though to verify it works properly and below are the results on a WRT 600N v1.1 running v24 sp2 build 14896 (08-07-10) mega.
root@router:~# iptables -t mangle -A POSTROUTING -d 192.168.1.33 -j ROUTE --tee --gw 192.168.1.99
iptables -t mangle -A PREROUTING -s 192.168.1.33 -j ROUTE --tee --gw 192.168.1.99
root@router:~# iptables -t mangle -A PREROUTING -s 192.168.1.33 -j ROUTE --tee --gw 192.168.1.99
root@router:~# iptables -t mangle -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
ROUTE 0 -- 192.168.1.33 anywhere ROUTE gw:192.168.1.99 tee
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
ROUTE 0 -- anywhere 192.168.1.33 ROUTE gw:192.168.1.99 tee
I would suggest upgrading the build to see if that helps but everything else you are doing appears to be working properly. Only other difference is the first time I performed this was on a WRT54G and this time a WRT600N and you have a WRT160N.
Hope that helps.
Thanks.
alex
Hello Again,
One other thing. Your networks are 192.168.1.0/24? What is the internal IP of the WRT160N?
Thanks.
alex
Yes, it is 192.168.1.0/24.
WRT160N is 192.168.1.1.
I had downgraded (resetting the configuration on the router to avoid misconfiguration) from the version you suggested because in that build the “access protection” seems to be broken.
I need “access protection” because the machine I want to “sniff” (a QNAP TS-559 with the latest firmware and strong passwords) has been hacked because of old PHP on it.
Everything was working fine till yesterday.
The syslog server (another PC) reported the penetration and now the QNAP has unexpected outgoing connections. I need to block the internet access (on the WRT), set up the sniffing, see what’s going on by capturing network packets, fix the machine and unblock it again.
So if you don’t have a better hint my next steps will be:
downloading the 14896 again
disconnecting the router (and the whole network) from the internet (to simulate access protection)
try again with that build.
I’ll let you know.
Thank you very much.
Ok…updated and reconfigured router.
IPTABLES NOW WORK!!
With -L I can see the rules..but I have the same problem Doug had some time ago:
I capture only NON HTTP TRAFFIC…
..and both the monitored device and the monitoring one are connected with wire.
Will investigate further…
Hello Lino,
Sounds like you are making progress! You might try to see if you change the DD-WRT web administration port if that allows you to capture port 80 traffic. Not sure if that works as it is only a thought and I have not tried it. Let us know what resolves the issue.
Thanks.
alex
OK…further progress done…
I can’t receive TCP (not HTTP), don’t know why, but I found a workaround:
The problem seems to be related to the -s and -d switches.
If I tee the whole traffic going through the router it works.
iptables -t mangle -A PREROUTING -j ROUTE --gw 192.168.1.110 --tee
iptables -t mangle -A POSTROUTING -j ROUTE --gw 192.168.1.110 --tee
I modified the capture filter on Wireshark, filtering by host, and I finally obtained the traffic information I needed.
Hope this helps someone…
Thank you all,
Lino.
Hello Lino,
Glad you got it worked out! Thanks for posting back the details as I am sure it will help someone else out.
Thanks.
alex
Hello, I am student at Lund University in Sweden and I am working on my master thesis.
I have a Linksys WRT54GL wireless router, and I want to monitor all incoming 802.11 traffic to my router with Wireshark. I am interested in seeing the MAC address or IP address and the RSSI. If I have connected my router through Ethernet to a server where I have installed Wireshark, I assume the packets I will see in Wireshark would be Ethernet packets and not 802.11 packets. So what can I do if I want to see 802.11 packets and be able to see the RSSI coming from a device to my router?
thanks
Hello Ricardo,
Sorry for the delay in response. Look into how to set up a monitor port on the WRT54GL… From that you may be able to set up a method to monitor all wireless traffic hitting the router via the server. You also might want to look into splunk/snort to filter the messages you receive on the server itself from the router. Also look into syslog capabilities from the router.
Thanks.
alex
Hi,
I get the routing setup to work in my DD-WRT and can see the traffic in my W7 machine running Wireshark. The only problem I have is that the W7 machine seems to route the packets it receives out on the network again, which then causes the DD-WRT to route them back again to the W7 machine. Anyone have an idea how to turn off that routing in the W7 machine?
Thanks
Hello Johnny,
Interesting. Could you share your route table on the Windows 7 server? Also what networks are sending traffic to the Windows 7 machine?
netstat -rn
Thanks.
alex
hi,
I tried to follow Lino’s steps to some extent,
but it fails when I insert the rules.
I can see things but I can’t capture anything from the other machines.
Is the code wrong?
router is: 192.168.1.1
target machine: 192.168.1.152
machine to see the captured packets: 192.168.1.83
iptables -t mangle -A POSTROUTING -d 192.168.1.152 -j ROUTE --tee --gw 192.168.1.83
iptables -t mangle -A PREROUTING -s 192.168.1.152 -j ROUTE --tee --gw 192.168.1.83
what can i do?
thank you very much
Hello Tomy,
Did you try removing the -d and -s switches as noted by Lino?
Thanks.
alex
Hi,
My router address is 192.168.11.1 and I want to forward the traffic from my iPad, which is connected to the router by WiFi and whose address is 192.168.11.41, to my Mac, whose address is 192.168.11.61.
I typed the following commands to the router (in administration->commands on the router’s control panel):
iptables -t mangle -A POSTROUTING -d 192.168.11.41 -j ROUTE --tee --gw 192.168.11.61
iptables -t mangle -A PREROUTING -s 192.168.11.41 -j ROUTE --tee --gw 192.168.11.61
And nothing happened. I can’t see anything related to the iPad traffic on wireshark.
When I tried to run “iptables -t mangle -L” I see this:
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
MARK 0 -- anywhere bzq-79-180-181-223.red.bezeqint.net MARK or 0x80000000
CONNMARK 0 -- anywhere anywhere CONNMARK save
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Thanks Alex,
Can I use this rule to capture packets on the router Wlan0 port?