Using tcpdump with DD-WRT

I’ve been having a weird networking issue. I’m having trouble determining if it is Comcast’s issue or mine. I see the packets in question leave the remote client, but they never come out the inside ethernet port of my comcast router. I assume the problem is comcast’s but I need to really be sure. I need to monitor the outside interface of my comcast router.

I have a Buffalo router connected to a cable modem (comcast doesn’t supply any of my equipment because I want full control). The Buffalo router comes with dd-wrt pre-installed.

At first I was going to connect a hub between the router and modem so I could tap into the outside interface using wireshark (see Sniffing *ALL* Arduino Network Packets). The problem with tapping into the connection like that is the hub is a 10M device and I really don’t want to downgrade my service like that.

Then it occurred to me I might be able to use tcpdump on the router since it is really just a small unix device. I did a quick check and sure enough, Buffalo was kind enough to include tcpdump in the operating system.

I checked further and found my other (Rosewill) routers do NOT have tcpdump installed. To proceed, you may need to install tcpdump onto your router. If so, google something like ‘How to install tcpdump on dd-wrt’. Here is one such article: .

Enable USB

Unless you just want to watch the raw tcpdump, which is about as exciting as watching grass grow, you are going to want to redirect tcpdump’s output to a file and then examine the output file with wireshark.

On the Buffalo router, this is pretty easy. In Services | USB, just enable USB storage support:

When you insert a USB thumb drive you should see it mount and the path will also be displayed:

--- /dev/sda1
Block device, size 14.83 GiB (15927345152 bytes)
FAT32 file system (hints score 4 of 5)
Volume size 14.83 GiB (15923150848 bytes, 485936 clusters of 32 KiB)
/dev/sda1 mounted to /tmp/mnt/sda1

Determine the Proper tcpdump Command

With storage now available, next determine the tcpdump command you wish to use and test it.

telnet or ssh into your router and login as root (password is the same as the one you use for HTML login).  You’ll see something like:

login as: root
DD-WRT v3.0-r30355 std (c) 2016 NewMedia-NET GmbH
Release: 09/13/16
root@rtr's password:
BusyBox v1.24.2 (2016-09-13 15:32:42 CEST) built-in shell (ash)


I want to capture all traffic for tcp port 22 on the outside interface so try a tcpdump such as:

tcpdump -s 0 -i eth1 port 22

Generate some test traffic. If this works, then verify you can output to the USB drive:

tcpdump -s 0 -i eth1 -w /tmp/mnt/sda1/out.pcap port 22

Run tcpdump in the Background

Once you are satisfied with your tcpdump, the next step is to run that in the background so you don’t need to keep a telnet / ssh session open.

In dd-wrt, go to Admin | Command and enter the command WITH ‘&’ at the end:

Now click on Run Commands and the tcpdump will start running in the background.

Stopping tcpdump

The tcpdump is now going to run until you reboot the router or you kill the tcpdump process.

To kill the process use

ps | grep tcpdump

to find the process id (PID) of the tcpdump process. Then use

kill PID

replacing PID with the proper process id # and it will kill tcpdump.


This entry was posted in c-Misc and tagged . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.