I’ve been having a weird networking issue. I’m having trouble determining if it is Comcast’s issue or mine. I see the packets in question leave the remote client, but they never come out the inside ethernet port of my comcast router. I assume the problem is comcast’s but I need to really be sure. I need to monitor the outside interface of my comcast router.
I have a Buffalo router connected to a cable modem (comcast doesn’t supply any of my equipment because I want full control). The Buffalo router comes with dd-wrt pre-installed.
At first I was going to connect a hub between the router and modem so I could tap into the outside interface using wireshark (see Sniffing *ALL* Arduino Network Packets). The problem with tapping into the connection like that is the hub is a 10M device and I really don’t want to downgrade my service like that.
Then it occurred to me I might be able to use tcpdump on the router since it is really just a small unix device. I did a quick check and sure enough, Buffalo was kind enough to include tcpdump in the operating system.
I checked further and found my other (Rosewill) routers do NOT have tcpdump installed. To proceed, you may need to install tcpdump onto your router. If so, google something like ‘How to install tcpdump on dd-wrt’. Here is one such article: https://www.pentest.ro/installing-tcpdump-on-dd-wrt/ .
Enable USB
Unless you just want to watch the raw tcpdump, which is about as exciting as watching grass grow, you are going to want to redirect tcpdump’s output to a file and then examine the output file with wireshark.
On the Buffalo router, this is pretty easy. In Services | USB, just enable USB storage support:
When you insert a USB thumb drive you should see it mount and the path will also be displayed:
--- /dev/sda1 Block device, size 14.83 GiB (15927345152 bytes) FAT32 file system (hints score 4 of 5) Volume size 14.83 GiB (15923150848 bytes, 485936 clusters of 32 KiB) /dev/sda1 mounted to /tmp/mnt/sda1
Determine the Proper tcpdump Command
With storage now available, next determine the tcpdump command you wish to use and test it.
telnet or ssh into your router and login as root (password is the same as the one you use for HTML login). You’ll see something like:
login as: root DD-WRT v3.0-r30355 std (c) 2016 NewMedia-NET GmbH Release: 09/13/16 root@rtr's password: << GRAPHIC OMITTED >> BusyBox v1.24.2 (2016-09-13 15:32:42 CEST) built-in shell (ash) root@rtr:~#
I want to capture all traffic for tcp port 22 on the outside interface so try a tcpdump such as:
tcpdump -s 0 -i eth1 port 22
Generate some test traffic. If this works, then verify you can output to the USB drive:
tcpdump -s 0 -i eth1 -w /tmp/mnt/sda1/out.pcap port 22
Run tcpdump in the Background
Once you are satisfied with your tcpdump, the next step is to run that in the background so you don’t need to keep a telnet / ssh session open.
In dd-wrt, go to Admin | Command and enter the command WITH ‘&’ at the end:
Now click on Run Commands and the tcpdump will start running in the background.
Stopping tcpdump
The tcpdump is now going to run until you reboot the router or you kill the tcpdump process.
To kill the process use
ps | grep tcpdump
to find the process id (PID) of the tcpdump process. Then use
kill PID
replacing PID with the proper process id # and it will kill tcpdump.
Big Dan the Blogging Man 