Menu
What's new
By:
Filters Better Search

Capturing inbound/outbound traffic that was (somewhat) split through two interfaces with tcpdump

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

D

drmnsamoliu

New Around Here
I have an ASUS RT AC-66U Wi-Fi router with stock firmware which works in router mode with ppp connection to ISP.

Recently when I was trying to capture network traffics on the router with tcpdump, I realized that most outbound traffic can only be captured on eth0 and most inbound traffic can only be captured on eth1.
I also observe that the outbound traffic have the router's public IP address (X.X.195.197) as src and inbound traffic have the local IP address of the device (192.168.2.154) who initialize the connection.

Following are some images from Wireshark
This is capture from eth0, we can see that there are two Client Hello with seemingly no Server Hello response:
i5Nr3.png



This is capture from eth1, which has the two corresponding Server Hello response with no Client Hello:
L7jtW.png


Using the mergecap utility, I can get the full picture of TLS handshake, just with messed up src and dst:
DvuGx.png



From the information I can collect, the router has vlan setup because of the ppp connection:
swjgv.png



I'm not familiar with how ppp and vlan works in low level so I need some clue about how and why this inbound/outbound separation on two interfaces occurred or is needed.

Also, another weird behavior is that capture using tcpdump -i any won't be able to capture most outbound traffic that will show up on eth0 either.
Where can I start looking into to at least be able to capture a "normal" LAN IP <-> Internet IP like capturing in access point mode or on a PC?
 
Last edited:
IIRC:

vlan1 is the router's physical LAN switch ports. eth1 and eth2 are the 2.4 and 5GHz radios respectively. These are all bridged together into br0 which is the "LAN interface".
eth0 is the WAN interface.

I see you also have vlan500 but I don't know what that is. It could be an IPTV vlan or part of using PPPoE. The PPPoE tunnel is usually called something like ppp0.

Be aware that if you have hardware acceleration enabled most of the traffic bypasses the network stack so you won't be able to capture it with tcpdump.

I've not used PPPoE on that router so I'm unsure of any particular quirks it might throw up.
 
Last edited:
ColinTaylor said:
IIRC:

vlan1 is the router's physical LAN switch ports. eth1 and eth2 are the 2.4 and 5GHz radios respectively. These are all bridged together into br0 which is the "LAN interface".
eth0 is the WAN interface.

I see you also have vlan500 but I don't know what that is. It could be an IPTV vlan or part of using PPPoE. The PPPoE tunnel is usually called something like ppp0.

Be aware that if you have hardware acceleration enabled most of the traffic bypasses the network stack so you won't be able to capture it with tcpdump.

I've not used PPPoE on that router so I'm unsure of any particular quirks it might throw up.
Click to expand...
Really appreciate for your knowledge!

Yes there is a ppp0 interface and if I understand correctly vlan500 is there because of selected ISP profile. The ISP requires vlan500 for internet connection.

About hardware acceleration, do you know where I can check to see if it's enabled?
 
ColinTaylor said:
I don't know in stock firmware. Try looking at LAN - Switch Control.
Click to expand...
Words can't show my gratitude Colin, it IS NAT acceleration affecting packet capture!
After disabling it I can capture the full TLS handshake now.

Now I'm going to look into how Broadcom implement their hardware acceleration because it looks kinda like a magic to me that packets can just slip through kernel but somehow still works fine.
 
You must log in or register to reply here.

Similar threads

P
firewall, inbound firewall rules and port forwarding (on RT-AX58U) clarification
Replies
5
Views
1K
eibgrad
eibgrad
Yiannis
Skynet Help me understand Skynet's outbound blocked connection
Replies
6
Views
2K
Yiannis
Yiannis
D
Unable to see most UDP in tcpdump output on GS-AX3000
Replies
6
Views
1K
dwp
D
PaulA
Port isolation on RT-AX88U-Pro (router) w/ Merlin w/ Tagged internet ISP
Replies
2
Views
1K
dacotmeister
D
R
One router, two segments desired.
Replies
4
Views
876
Rombo
R

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 1,254 (members: 24, guests: 1,230)
Top