Earlier today I needed to find the quickest and easiest way to monitor all traffic to and from a specific device on my network. The goal was to see how much bandwidth based on a specific amount of time that the device was using. My initial hope was that I could configure port monitoring on my WRT54G running DD-WRT firmware however I quickly found out this is not an option. I eventually settled on adding a couple iptables commands that would send all traffic destined for or sourced from a specific IP address to another IP address. Follow the directions below to add the iptables commands to a router running DD-WRT firmware and then to capture the traffic on a computer running Wireshark.
Configure Port Monitoring On WRT54G Running DD-WRT Firmware:
First off I want to be clear that this is not technically port monitoring but I have added it in this way so others searching for the same functionality as I was will be able to find this solution. This solution is not limited to a Linksys WRT54G nor to DD-WRT for that matter but the requirement would be that it is a router type device using iptables for firewall rules.
We will be adding two configuration lines to the router running DD-WRT. This will tell iptables running on the firewall to send all inbound or outbound traffic from one specific IP address to also send the same traffic to another IP address as well. In this example the device we want to monitor has an IP address of 192.168.1.77 and the listening/monitoring device has an IP address of 192.168.1.97. Also the firewall, in this case DD-WRT, is running on 192.168.1.1. Now SSH to the router running DD-WRT firmware as root so you can enter the below commands from the CLI.
IPTables Commands To Add To DD-WRT Router To Monitor Traffic:
- iptables -t mangle -A POSTROUTING -d 192.168.1.77 -j ROUTE --tee --gw 192.168.1.97
- iptables -t mangle -A PREROUTING -s 192.168.1.77 -j ROUTE --tee --gw 192.168.1.97
When you enter each of the above commands via the DD-WRT enabled router CLI they should not return anything which will indicate that they were entered properly. Make sure to change the IP addresses to the correct values for your application. The 192.168.1.77 address should be changed to the device you want to monitor and the 192.168.1.97 address should be changed to the computer you are going to monitor from.
Configure Wireshark To Filter On IP Address Specific Packets Sent From Router:
- Launch Wireshark: If you do not already have Wireshark installed you can download it here and then follow the instructions to install. Once you do have Wireshark installed and click on it to launch the network protocol analyzer application the start screen will look similar to the below.
- Configure Wireshark Filter: From the initial Wireshark start screen click on Capture in the top navigation and select Option from the drop down to display the Wireshark Capture Option window as displayed below.
Before you begin the capture you are going to need the IP address of the device you are going to monitor and then you will need to configure the Wireshark filter. Click the Capture Filter button to display the Wireshark Capture Filter configuration window. Click on the filter labeled “IP Address 192.168.0.1”, then modify to the correct IP address of the device you are monitoring. In the example image below I had created a filter previously with the IP address I wanted to monitor.
Click the OK button after you have added the filter to take you back to the Wireshark Capture Options configuration window. The filter should not appear to the right of the Capture Filter button as something like “host 192.168.1.77”.
- Start Wireshark Port Monitoring Capture: Now begin the capture by clicking the Start button. Traffic should already be mirrored to the monitoring computer and when you begin the capture you should see any packets sent to or from that device as displayed below for IP address 192.168.1.77.
This should provide you any data you need including total bandwidth used or details about any packets sent to and from that device.