What's new

Device monitoring...?

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

JaimeZX

Senior Member
Is there an easy way to monitor outbound IP requests by device?

I could do this in Wireshark, but it seems tedious and I'm sure if I knew the right command (or had the right script) the router could do it as well... mainly trying to see what IP addresses my IoT devices are trying to use. For example, I'm aware my smart plugs do scheduling through AWS, but also try and call-home to China. (I keep China blocked with Skynet.) Just want to have an idea of what else these guys are up to.

Thanks in advance!
 
Is there an easy way to monitor outbound IP requests by device?

I could do this in Wireshark, but it seems tedious and I'm sure if I knew the right command (or had the right script) the router could do it as well... mainly trying to see what IP addresses my IoT devices are trying to use. For example, I'm aware my smart plugs do scheduling through AWS, but also try and call-home to China. (I keep China blocked with Skynet.) Just want to have an idea of what else these guys are up to.

Thanks in advance!
Turn on logging in Skynet and watch for outgoing connection attempts.
 
Sure, but that will only give me results for things being blocked by Skynet, right? I would like to see *all* inbound/outbound connection attempts (blocked or otherwise) to [LAN IP] for a given time period.
 
You can of course install tcpdump to the router then export the dump file to your PC to filter by device. Its a bit involved to set up if you don't have any scripts installed and are doing it from scratch but once its installed then its straight forward running it.
 
You can of course install tcpdump to the router then export the dump file to your PC to filter by device. Its a bit involved to set up if you don't have any scripts installed and are doing it from scratch but once its installed then its straight forward running it.
You wouldn’t like to expand on that with a bit of detail sufficient to get it up and running? Or perhaps a link to a suitable site/post? Sounds like an interesting little exercise.
 
Let me elaborate as typing tcpdump followed by the parameters is the end part of the process :)

I'll assume that you don't already have any scripts installed but have used wireshark before and are familiar with the various options to get the most out of running tcpdump from the command line.

The starting point is that you need to be able to connect to the router via SSH and be able to login. There are a number of ways that you can get tcpdump successfully installed so this is just one way to do this. All the information you need to do this is scattered in the forum but I'll provide the links so that you can go to the correct place and see the context of those posts. I'm no expert here but have managed to get it installed and working without too much fuss.

Its probably make more sense to describe the process from the end point and work backwards so that you can see why you need to do the various steps. When you run the dump program you can either have it display the data on the ssh terminal (running Putty.exe or similar on your PC) or you need to pipe the output to the usb drive. If you have it going to terminal then use <crtl>+c to stop tcpdump and return to the prompt. I personally find that its better to end the tcpdump command with a '&' (to run it in the background) and output the data to a .pcap file so that I can then use wireshark to filter it on my PC. A typical dump command with the output going to a file would be:-
  • tcpdump -i eth0 -p port 853 -w /tmp/mnt/myUSB/pcap/testlogfile.pcap &
where myUSB is the name I used to label my USB drive and pcap is a directory I created to store the .pcap files in. To set up the share to let your PC connect to the USB drive go to the following page on the router once you have your USB drive added and set up
where the ip address above is replaced by that of your router. This then lets you set up a samba share such as \\AC3200\pcap which you will be able to access from Windows File Explorer on your PC.

Also note that if you run the command in the background using the '&' at the end then you cant just leave it running or it will eventually fill up all your space on your USB drive. To stop it, at the ssh prompt type "killall tcpdump" or "ps | grep tcpdump" then kill the PID (the first number displayed). ie. "kill 1234" see here

Right, that covers running tcpdump, stopping it and then accessing the saved pcap file.

You will see in various posts that to install tcpdump you enter opkg install tcpdump at the ssh command prompt. However to do that successfully you need to install entware first and to install entware you need to install amtm. Thankfully the process of installing both of these is well documented at the following link.
My experience was that the guide is good and even although it looked like the shortcuts in amtm were missing they were in fact there but not being displayed. As I said, once you get entware installed then you can use that to install tcpdump via
Code:
opkg install tcpdump

Don't be put off by all of this, its actually straight forward and very worth the effort.
 
Last edited:
Let me elaborate as typing tcpdump followed by the parameters is the end part of the process :)

I'll assume that you don't already have tcpdump already installed but have used wireshark before and are familiar with the various options to get the most out of running tcpdump from the command line. The starting point is that you need to be able to connect to the router via SSH and be able to login. There are a number of ways that you can get tcpdump successfully installed so this is just one way to do this. All the information you need to do this is scattered in the forum but I'll provide the links so that you can go to the correct place and see the context of those posts. I'm no expert here but have managed to get it installed and working without too much fuss.

Its probably make more sense to describe the process from the end point and work backwards so that you can see why you need to do the various steps. When you run the dump program you can either have it display the data on the ssh terminal (running Putty.exe or similar on your PC) or you need to pipe the output to the usb drive. If you have it going to terminal then use <crtl>+c to stop tcpdump and return to the prompt. I personally find that its better to end the tcpdump command with a & (to run it in the background) and output the data to a .pcap file so that Ican then use wireshark to filter it. A typical command would be
  • tcpdump -i eth0 -p port 853 -w /tmp/mnt/myUSB/pcap/testlogfile.pcap &
where myUSB is the name I used to label my USB drive. . To do this go to the following page on the router once you have your USB set up
where the ip address is that of your router. This then lets you set up a samba share so that you can access the dump files on your PC via windows file explorer by just going to something like \\AC3200\pcap

Also note that if you run the command in the background then you cant just leave it running or it will eventually fill up all your space on your USB drive. To stop it, at the ssh prompt type "killall tcpdump" or "ps | grep tcpdump" then kill the PID (the first number displayed). ie. "kill 1234" see here

Right, that covers running tcpdump, stopping it and then accessing the saved pcap file.

You will see in various posts that to install tcpdump you enter opkg install tcpdump at the ssh command prompt. However to do that successfully you need to install entware first and to install entware you need to install amtm. Thankfully the process of installing both of these is well documented at the following link.
My experience was that the guide is good and even although it looked like the shortcuts in amtm were missing they were in fact there but not being displayed. As I said, once you get entware installed then you can use that to install tcpdump via
Code:
opkg install tcpdump

Don't be put off by all of this, its actually straight forward and very worth the effort.

What an excellent write-up! You’ve clearly put a great deal of time and effort into it. It’s a long time since I used Wireshark and it will be like starting afresh, but this has given me the impetus to get familiar with it again.
I’m sure others will be equally grateful for your hard work.
 
Last edited:
Let me elaborate as typing tcpdump followed by the parameters is the end part of the process :)

I'll assume that you don't already have any scripts installed but have used wireshark before and are familiar with the various options to get the most out of running tcpdump from the command line.

The starting point is that you need to be able to connect to the router via SSH and be able to login. There are a number of ways that you can get tcpdump successfully installed so this is just one way to do this. All the information you need to do this is scattered in the forum but I'll provide the links so that you can go to the correct place and see the context of those posts. I'm no expert here but have managed to get it installed and working without too much fuss.

Its probably make more sense to describe the process from the end point and work backwards so that you can see why you need to do the various steps. When you run the dump program you can either have it display the data on the ssh terminal (running Putty.exe or similar on your PC) or you need to pipe the output to the usb drive. If you have it going to terminal then use <crtl>+c to stop tcpdump and return to the prompt. I personally find that its better to end the tcpdump command with a '&' (to run it in the background) and output the data to a .pcap file so that I can then use wireshark to filter it on my PC. A typical dump command with the output going to a file would be:-
  • tcpdump -i eth0 -p port 853 -w /tmp/mnt/myUSB/pcap/testlogfile.pcap &
where myUSB is the name I used to label my USB drive and pcap is a directory I created to store the .pcap files in. To set up the share to let your PC connect to the USB drive go to the following page on the router once you have your USB drive added and set up
where the ip address above is replaced by that of your router. This then lets you set up a samba share such as \\AC3200\pcap which you will be able to access from Windows File Explorer on your PC.

Also note that if you run the command in the background using the '&' at the end then you cant just leave it running or it will eventually fill up all your space on your USB drive. To stop it, at the ssh prompt type "killall tcpdump" or "ps | grep tcpdump" then kill the PID (the first number displayed). ie. "kill 1234" see here

Right, that covers running tcpdump, stopping it and then accessing the saved pcap file.

You will see in various posts that to install tcpdump you enter opkg install tcpdump at the ssh command prompt. However to do that successfully you need to install entware first and to install entware you need to install amtm. Thankfully the process of installing both of these is well documented at the following link.
My experience was that the guide is good and even although it looked like the shortcuts in amtm were missing they were in fact there but not being displayed. As I said, once you get entware installed then you can use that to install tcpdump via
Code:
opkg install tcpdump

Don't be put off by all of this, its actually straight forward and very worth the effort.
Your instructions work a treat. I cut and pasted your code and I think maybe grabbed an extra space after the & and got “tcpdump not found”, which threw me for quite a while, until I typed in the command.

I used WinSCP and Putty from within it. WinSCP let me simply create the folder on the usb drive, as well as copying the file from the usb drive to the desktop for Wireshark analysis. It’s fascinating to see just how much traffic there is and things like ARP requests: who is 192.168.1.1 with the answer along with the mac address in the next packet.

An excellent learning exercise for tcpdump and Wireshark (and Putty and WinSCP, for anyone unfamiliar with them, too).

Thanks again.
 
Hi, I know this is a little bit out of the topic, but when I run the following sentence:
Code:
opkg install tcpdump
I got this:
Code:
Installing tcpdump (4.9.2-1b) to root...
Downloading http://bin.entware.net/armv7sf-k2.6/tcpdump_4.9.2-1b_armv7-2.6.ipk
Collected errors:
 * opkg_install_pkg: Package size mismatch: tcpdump is 342496 bytes, expecting 342476 bytes
 * opkg_install_cmd: Cannot install package tcpdump.

Is anyone having the same issue?
 
...
Code:
opkg install tcpdump
I got this:
Code:
Installing tcpdump (4.9.2-1b) to root...
Downloading http://bin.entware.net/armv7sf-k2.6/tcpdump_4.9.2-1b_armv7-2.6.ipk
Collected errors:
 * opkg_install_pkg: Package size mismatch: tcpdump is 342496 bytes, expecting 342476 bytes
 * opkg_install_cmd: Cannot install package tcpdump.
...

You missed it by one line...
Code:
opkg update
opkg install tcpdump
 
Strange? I get zero packets collected after running this command for the past 12 hours ...
Code:
tcpdump -i eth0 -p port 853 -w /tmp/mnt/myUSB/pcap/testlogfile.pcap &
I have 16 active devices running and plenty of activity reported by Skynet over the period.
When I stop the process with Killall tcpdump it reports zero packets captured and the testlogfile.pcap is empty?
 
Strange? I get zero packets collected after running this command for the past 12 hours ...
Code:
tcpdump -i eth0 -p port 853 -w /tmp/mnt/myUSB/pcap/testlogfile.pcap &
I have 16 active devices running and plenty of activity reported by Skynet over the period.
When I stop the process with Killall tcpdump it reports zero packets captured and the testlogfile.pcap is empty?
Did you change “myUSB” in the command to whatever label you gave to your usb?

By the way, I think my file went up to around 6MB for just 30 seconds worrh of data collection. I can’t imagine the size of device you’d need for 12 hours’ worth.
 
Last edited:
Did you change “myUSB” in the command to whatever label you gave to your usb?

By the way, I think my file went up to around 6MB for just 30 seconds worrh of data collection. I can’t imagine the size of device you’d need for 12 hours’ worth.
LOL - yes indeed I did change the "myUSB" ;) ... The code creates the file correctly in my pcap folder on the USB - but it remains zero bytes.
If I run it without the & - a blank screen remains in the terminal.

A reboot of the router made no difference. I will try uninstall tcpdump and reinstall to see if that will fix.

If I use Wireshark to directly monitor packets on the router - it races along happily. Just can't get tcpdump to work properly.
 
Strange? I get zero packets collected after running this command for the past 12 hours ...
Code:
tcpdump -i eth0 -p port 853 -w /tmp/mnt/myUSB/pcap/testlogfile.pcap &
I have 16 active devices running and plenty of activity reported by Skynet over the period.
When I stop the process with Killall tcpdump it reports zero packets captured and the testlogfile.pcap is empty?
Is your WAN interface actually eth0? If you're using hardware acceleration it's probably vlan2.
Code:
nvram get wan0_ifname
 
Is your WAN interface actually eth0? If you're using hardware acceleration it's probably vlan2.
Code:
nvram get wan0_ifname
Thanks Colin - that code responds with - eth0 - so assume that is correct.
 
After executing the tcpdump command - the result is ...
"listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes"
The prompt does not return to the root# prompt and still nothing shows up in the testlogfile.pcap file.
Remove and re-intsall of tcpdump has made no difference?
 
Try just running the command straight to the terminal:

tcpdump -i eth0 -p port 853

Then do some nslookup's from a PC.
 
Try just running the command straight to the terminal:

tcpdump -i eth0 -p port 853

Then do some nslookup's from a PC.
Still absolutely nothing from tcpdump. Nslookups respond on the PC - but no packets intercepted by tcpdump!
 

Similar threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top