Device monitoring...?

Still absolutely nothing from tcpdump. Nslookups respond on the PC - but no packets intercepted by tcpdump!
Then my guess is that there is no traffic on port 853. Try 53 instead.

EDIT: Or do as @martinr said and remove the "port 853" part altogether. You should be "flooded" with data.
 
Let me elaborate as typing tcpdump followed by the parameters is the end part of the process :)

I'll assume that you don't already have any scripts installed but have used wireshark before and are familiar with the various options to get the most out of running tcpdump from the command line.

The starting point is that you need to be able to connect to the router via SSH and be able to login. There are a number of ways that you can get tcpdump successfully installed so this is just one way to do this. All the information you need to do this is scattered in the forum but I'll provide the links so that you can go to the correct place and see the context of those posts. I'm no expert here but have managed to get it installed and working without too much fuss.

It probably makes more sense to describe the process from the end point and work backwards so that you can see why you need the various steps. When you run the dump program you can either have it display the data on the SSH terminal (running Putty.exe or similar on your PC) or you need to pipe the output to the USB drive. If you have it going to the terminal then use <ctrl>+c to stop tcpdump and return to the prompt. I personally find that it's better to end the tcpdump command with a '&' (to run it in the background) and output the data to a .pcap file so that I can then use Wireshark to filter it on my PC. A typical dump command with the output going to a file would be:
  • tcpdump -i eth0 -p port 853 -w /tmp/mnt/myUSB/pcap/testlogfile.pcap &
where myUSB is the name I used to label my USB drive and pcap is a directory I created to store the .pcap files in. To set up the share to let your PC connect to the USB drive go to the following page on the router once you have your USB drive added and set up
where the IP address above is replaced by that of your router. This then lets you set up a Samba share such as \\AC3200\pcap which you will be able to access from Windows File Explorer on your PC.

Also note that if you run the command in the background using the '&' at the end then you can't just leave it running or it will eventually fill up all the space on your USB drive. To stop it, at the SSH prompt type "killall tcpdump", or "ps | grep tcpdump" and then kill the PID (the first number displayed), i.e. "kill 1234". See here

Right, that covers running tcpdump, stopping it and then accessing the saved pcap file.

You will see in various posts that to install tcpdump you enter opkg install tcpdump at the ssh command prompt. However to do that successfully you need to install entware first and to install entware you need to install amtm. Thankfully the process of installing both of these is well documented at the following link.
My experience was that the guide is good and even though it looked like the shortcuts in amtm were missing, they were in fact there but not being displayed. As I said, once you get entware installed then you can use that to install tcpdump via
Code:
opkg install tcpdump

Don't be put off by all of this, it's actually straightforward and very worth the effort.
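As an added example (not the poster's own script), here is a small wrapper that turns the start, stop and "don't fill the drive" points above into two commands. It assumes the entware tcpdump and the /tmp/mnt/myUSB/pcap directory from the post (both overridable from the environment), and adds tcpdump's -C/-W options so a capture that is left running rotates through a fixed number of files instead of filling the USB drive; the PID file and the ring-buffer sizes are choices made for this example:

```shell
#!/bin/sh
# Added example, not from the thread: start and stop a background tcpdump on
# the router without letting it fill the USB drive. Assumes the entware
# tcpdump and the /tmp/mnt/myUSB/pcap directory from the post above.

CAP_DIR="${CAP_DIR:-/tmp/mnt/myUSB/pcap}"
PIDFILE="${PIDFILE:-/tmp/tcpdump-capture.pid}"

# Build the command line. -C rotates the output file every N MB and -W keeps
# only N files (a ring buffer), so a forgotten capture cannot fill the drive;
# -s 0 keeps whole packets and -U writes each packet out immediately.
# With -C/-W tcpdump appends a counter to the file name (capture.pcap0, ...).
capture_cmd() {
    iface="$1"; filter="$2"; size_mb="${3:-50}"; keep="${4:-5}"
    printf 'tcpdump -i %s -s 0 -U -C %s -W %s -w %s/capture.pcap%s' \
        "$iface" "$size_mb" "$keep" "$CAP_DIR" "${filter:+ $filter}"
}

start_capture() {
    if [ -f "$PIDFILE" ] && kill -0 "$(cat "$PIDFILE")" 2>/dev/null; then
        echo "capture already running, pid $(cat "$PIDFILE")" >&2
        return 1
    fi
    mkdir -p "$CAP_DIR" || return 1
    # exec inside sh -c so $! is tcpdump's own PID, not a wrapper shell's
    sh -c "exec $(capture_cmd "$@")" >"$CAP_DIR/tcpdump.log" 2>&1 &
    echo "$!" >"$PIDFILE"
}

# Stop by PID rather than "killall tcpdump" (which would also kill any other
# capture on the box) and wait for it to exit so the last file is closed.
stop_capture() {
    [ -f "$PIDFILE" ] || { echo "no capture running" >&2; return 1; }
    pid=$(cat "$PIDFILE")
    kill "$pid" 2>/dev/null || true
    i=0
    while kill -0 "$pid" 2>/dev/null && [ "$i" -lt 10 ]; do
        sleep 1; i=$((i + 1))
    done
    rm -f "$PIDFILE"
    ! kill -0 "$pid" 2>/dev/null
}

case "${1:-}" in
    start) shift; start_capture "$@" ;;   # e.g. start ppp0 'port 853' 50 5
    stop)  stop_capture ;;
esac
```

Save it on the USB drive and run `sh capture.sh start ppp0 'port 853'`, then `sh capture.sh stop` when you have enough. On desktop distributions whose tcpdump drops root before opening the output file, -C additionally needs the directory to be writable by that user (or -Z root); on the router everything runs as root so that does not arise.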
This is extremely helpful! (Sorry for the delay in responding; two kids under three keep me pretty busy...) I'll have to look up tcpdump options to find out if I can filter the .pcap creation by local MAC / IP. :)
 
What about just:

tcpdump -i eth0

or even just:

tcpdump

Many thanks to both Martin and Collin - enjoyed being flooded for a brief few seconds :D - so at least I know there is nothing wrong with my installed tcpdump.
I got zero packets on port 853 [strange as I have firmware 384.12-alpha-2 running with firmware supplied stubby - DoT] - and no packets on port 53.
I do still have AIProtection enabled [probably unrelated] - but something must be blocking access to the activity on port 853 and/or 53?
 
Looking through the "dam burst" of packets from tcpdump [without options] - I note the only time port 853 is evident in the lines is when referenced as PPPoE - see extract below:
Code:
04:48:31.472745 PPPoE  [ses 0x1] IP one.one.one.one.853 > 169-0-165-62.ip.afrihost.co.za.41781: Flags [.], ack 355, win 30, length 0
04:48:31.473094 PPPoE  [ses 0x1] IP 169-0-165-62.ip.afrihost.co.za.41781 > one.one.one.one.853: Flags [P.], seq 355:659, ack 3045, win 488, length 304
04:48:31.473735 IP router.asus.com.ssh > 192.168.1.51.52908: Flags [P.], seq 4128:4208, ack 1, win 666, length 80
04:48:31.473917 IP 192.168.1.51.52908 > router.asus.com.ssh: Flags [.], ack 4208, win 8208, length 0
04:48:31.476893 PPPoE  [ses 0x1] IP one.one.one.one.853 > 169-0-165-62.ip.afrihost.co.za.41781: Flags [.], ack 659, win 31, length 0
04:48:31.477138 PPPoE  [ses 0x1] IP one.one.one.one.853 > 169-0-165-62.ip.afrihost.co.za.41781: Flags [P.], seq 3045:3197, ack 659, win 31, length 152
Are there any clues in that?
 
Instead of eth0 try ppp0
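Why `port 853` matched nothing on eth0 yet the extract above is full of port 853, as an added example that is not part of the thread: on a PPPoE WAN the IP packets on eth0 are still wrapped in PPPoE session frames, and a plain `port 853` BPF filter only looks at ordinary IP frames, so it sees nothing there. The helper below builds a capture command that works on either interface (using libpcap's own `pppoes` qualifier for the eth0 case) and the awk function tallies a text capture by encapsulation; the six sample lines are the ones from the post above, the function and variable names are this example's:

```shell
#!/bin/sh
# Added example, not from the thread. Two helpers for a PPPoE WAN: choose a
# tcpdump command that can actually see DNS-over-TLS traffic, and summarise a
# text capture (such as the extract in the post) by encapsulation.

# On a PPPoE link the IP packets on eth0 are wrapped in PPPoE session frames
# (ethertype 0x8864). A BPF filter such as "port 853" only matches plain IP
# frames, so it shows nothing on eth0 even though the traffic is there.
# Either capture on ppp0, where the PPPoE/PPP headers are already stripped,
# or tell the filter to look inside the session frames with "pppoes".
dot_capture_cmd() {
    iface="$1"; port="${2:-853}"
    case "$iface" in
        ppp*) printf 'tcpdump -i %s -n port %s' "$iface" "$port" ;;
        *)    printf "tcpdump -i %s -n 'port %s or (pppoes and port %s)'" \
                  "$iface" "$port" "$port" ;;
    esac
}

# Read tcpdump text output on stdin and count, per encapsulation, the lines
# in which either endpoint uses port $1. tcpdump prints endpoints as
# host.port, so the port is the text after the last dot of the two fields
# that follow the "IP"/"IP6" token (the destination carries a trailing ':').
count_port_lines() {
    awk -v port="$1" '
        {
            enc = ($2 == "PPPoE") ? "pppoe" : "plain"
            for (i = 1; i <= NF; i++) if ($i == "IP" || $i == "IP6") break
            if (i > NF) next
            src = $(i + 1); dst = $(i + 3); sub(/:$/, "", dst)
            n = split(src, a, "."); sp = a[n]
            n = split(dst, b, "."); dp = b[n]
            if (sp == port || dp == port) c[enc]++
        }
        END { printf "pppoe=%d plain=%d\n", c["pppoe"] + 0, c["plain"] + 0 }'
}

# The six lines from the extract in the post above, used as sample input.
SAMPLE_LINES='04:48:31.472745 PPPoE  [ses 0x1] IP one.one.one.one.853 > 169-0-165-62.ip.afrihost.co.za.41781: Flags [.], ack 355, win 30, length 0
04:48:31.473094 PPPoE  [ses 0x1] IP 169-0-165-62.ip.afrihost.co.za.41781 > one.one.one.one.853: Flags [P.], seq 355:659, ack 3045, win 488, length 304
04:48:31.473735 IP router.asus.com.ssh > 192.168.1.51.52908: Flags [P.], seq 4128:4208, ack 1, win 666, length 80
04:48:31.473917 IP 192.168.1.51.52908 > router.asus.com.ssh: Flags [.], ack 4208, win 8208, length 0
04:48:31.476893 PPPoE  [ses 0x1] IP one.one.one.one.853 > 169-0-165-62.ip.afrihost.co.za.41781: Flags [.], ack 659, win 31, length 0
04:48:31.477138 PPPoE  [ses 0x1] IP one.one.one.one.853 > 169-0-165-62.ip.afrihost.co.za.41781: Flags [P.], seq 3045:3197, ack 659, win 31, length 152'

# Usage: summarise_sample 853   -> pppoe=4 plain=0
summarise_sample() { printf '%s\n' "$SAMPLE_LINES" | count_port_lines "$1"; }
```

On a live box the same tally works on a running capture, e.g. `tcpdump -i eth0 -l | count_port_lines 853`; if it stays at zero while ppp0 shows traffic, the eth0 filter is the problem, not the DoT client.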
 
Spot on Jack - got it - many thanks for your expertise :D.
 
So. tcpdump gurus... on one of my IoT devices,
Code:
tcpdump host 192.168.1.X -vv
Gets me a UDP packet every 3 seconds. Okay. So I think "how do I disregard this to view what else?"

Code:
tcpdump -i eth0 tcp src 192.168.1.X -vv
gets me "tcp modifier applied to host."

Code:
tcpdump -i eth0 tcp src 192.168.1.X -vv
gets me the same.

Obviously
Code:
tcpdump tcp
gives ridiculous traffic...

What am I missing? How can I view everything but the 3-second UDP coming from this device?
 
What about
Code:
tcpdump -i br0 src 192.168.1.X and not udp -vv
You won’t see 192.168.1.0/24 addresses on eth0, only br0 (LAN).

Edit: including a site I reference often for tcpdump and lsof help: https://danielmiessler.com/study/tcpdump/
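An added example for the interface question (not Jack's code or anything from the thread): rather than remembering which name is the LAN bridge on a given model, read `ip -o -4 addr show` and pick the interface whose prefix contains the device's address, then build a filter that keeps both directions for the device but drops only the UDP it originates (the three-second beacon), so TCP sessions and replies still show. It assumes `ip` is present on the router; the sample `ip` output used to exercise it is constructed, and the function names are this example's:

```shell
#!/bin/sh
# Added example, not from the thread. Assumes "ip" (BusyBox or iproute2) is
# available on the router; the sample "ip -o -4 addr show" lines used to
# test it are constructed.

# Print the interface whose IPv4 prefix contains the address in $1, reading
# "ip -o -4 addr show" output on stdin. Prefix arithmetic is done in awk
# with doubles (exact well past 2^32), since BusyBox sh has no 32-bit shifts.
# Usage on the router: ip -o -4 addr show | iface_for 192.168.1.51
iface_for() {
    awk -v target="$1" '
        function ip2int(s,  a) {
            split(s, a, ".")
            return ((a[1] * 256 + a[2]) * 256 + a[3]) * 256 + a[4]
        }
        $3 == "inet" {
            split($4, p, "/")
            bits = (p[2] == "") ? 32 : p[2]     # bare address (ppp peer) is a /32
            span = 2 ^ (32 - bits)              # addresses covered by the prefix
            if (int(ip2int(p[1]) / span) == int(ip2int(target) / span)) {
                print $2
                exit
            }
        }'
}

# Keep both directions of the host's traffic but drop the UDP flow it sends
# (optionally only to one destination port), so replies and TCP still show.
host_filter() {
    host="$1"; beacon_port="$2"
    if [ -n "$beacon_port" ]; then
        printf 'host %s and not (udp and src host %s and dst port %s)' \
            "$host" "$host" "$beacon_port"
    else
        printf 'host %s and not (udp and src host %s)' "$host" "$host"
    fi
}

# Combine the two: "ip -o -4 addr show | capture_host_cmd 192.168.1.20 [port]"
# prints the tcpdump command for whichever interface owns the host's subnet.
capture_host_cmd() {
    iface=$(iface_for "$1")
    [ -n "$iface" ] || { echo "no interface holds a prefix containing $1" >&2; return 1; }
    printf "tcpdump -i %s -n -vv '%s'" "$iface" "$(host_filter "$1" "$2")"
}
```

Note that `not udp` as written in the reply above also hides DNS and NTP from the device, which is often exactly what you are looking for on an IoT box; narrowing the exclusion to the beacon's own destination port keeps those visible.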
 
That's great, thanks man. Now, the confusing thing is that somehow I see zero traffic to/from the device, even when I am sending it commands from my phone. Not clear on how that's possible, unless tcpdump isn't actually showing all the traffic? (even without your and not udp switch). Dunno. Meanwhile, I know that once upon a time I saw said packets going to/from the device when I was running wireshark.
 
Maybe change src to host to see both directions.
 
Now, the confusing thing is that somehow I see zero traffic to/from the device, even when I am sending it commands from my phone. Not clear on how that's possible, unless tcpdump isn't actually showing all the traffic?
How is your phone connected to your network? tcpdump running on the router will only see traffic that is being routed through it, or broadcast/multicast traffic. If your phone is connected directly to the LAN (via WiFi) then tcpdump cannot see the traffic because it is "switched".

https://wiki.wireshark.org/CaptureSetup/Ethernet
 
Wait... that didn't make sense to me. If my phone is on the wifi (5GHz) the router still has to switch the packets through to the IoT device (on 2.4GHz)...
In any event, I tried disconnecting and turning the lights on and off through the T-Mobile network, still nothing showing in tcpdump?
 
