What's new

RT-AC68U running Merlin, how to monitor traffic with Wireshark?

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

jamesnmandy

Regular Contributor
I have installed Wireshark on my wifi connected laptop and followed Merlins instructions on how to enable IPTraffic and set it up to write to jffs partition on the attached USB stick.

But how do I tell Wireshark to pull this IP data? Is this a Wireshark question or how do I know if I have my router properly configured? I'm missing something fundamental.
 
I have installed Wireshark on my wifi connected laptop and followed Merlins instructions on how to enable IPTraffic and set it up to write to jffs partition on the attached USB stick.

But how do I tell Wireshark to pull this IP data? Is this a Wireshark question or how do I know if I have my router properly configured? I'm missing something fundamental.
I think IPTraffic is an Asus proprietary database. It is not readable by Wireshark and contains far less data density than an Ethernet sniff.

I have not done it yet, but the only way I can think of doing it is installing tcpdump in Entware and saving the output in a Samba shared directory.
 
yeah im only getting the traffic that is coming over the wireless connection. I don't have the ability to tell it to give me the traffic that is only moving across the LAN. The only LAN option is for the LAN port on the laptop doing the monitoring. I want to get the LAN and WAN traffic going through the router transmitted to my laptop so I can monitor traffic remote (as in from my couch not from outside the home)
 
So according to this page
https://wiki.wireshark.org/CaptureSetup/Ethernet

"Capture using a monitor mode of the switch
Some Ethernet switches (usually called "managed switches") have a monitor mode. Managed switches have been expensive in the past, but some models can now be found for less than $100. This monitor mode can dedicate a port to connect your (Wireshark) capturing device. It's sometimes called 'port mirroring', 'port monitoring', 'Roving Analysis' (3Com), or 'Switched Port Analyzer' or 'SPAN' (Cisco). Using the switch management, you can select both the monitoring port and assign a specific port you wish to monitor. Actual procedures vary between switch models; you may need to use a terminal emulator, specialized SNMP client software or (more recently) a Web browser. Caution: the monitoring port must be at least as fast as the monitored port, or you will certainly lose packets.

Note that some switches might not support monitoring all traffic passing through the switch, only traffic on a particular port. On those switches, you might not be able to capture all traffic on the network, only traffic sent to or from some particular machine on the switch.

While high-end managed switches (like e.g. Cisco Catalyst) usually fully dedicate a monitoring port to the task, i.e. such port can only be used to deliver the monitored traffic to a capturing device and its ingress direction is muted (or only enabled for injection of TCP reset packets by a security device, so it is not learning the source MAC addresses of the received frames), some low-end models keep the monitoring port fully operational and just add the frames mirrored from the monitored port(s) to its egress direction, making the behaviour similar to one of a hub except that the link speed may be up to 1 Gbit/s and the device is actively sold. An example of this kind of monitoring switches is Netgear's GS105E, currently available for less than $50.

Rumor has it that some switches can monitor the whole throughput of the switch. As a switch can transfer more traffic than a single line can transmit, you will be unlikely to see all traffic."

I have a GS105Ev2 on my LAN and it supports port mirroring as well. It is currently full. There is an ethernet cable from the routers switch that is feeding the switch and then 4 other devices connected to it. So I am trying to figure out how I am supposed to configure it. It needs a source port and a destination port. Would the source port be the one that is directly connected to the router or the port which has the device plugged in that I want to monitor? Currently the device I want to monitor isn't on the GS105E, it's plugged into the routers switch but that's easy to change.

Then, how do I get my laptop connected to the wifi to get the data from that port? I don't want to have to plug the laptop into the switch with a cable.

The device I want to monitor is an Nvidia Shield TV box running android so I don't have the ability to run Wireshark directly on it. I do have a small nettop pc I use as an HTPC front end. Could I mirror the device(Shield) to be monitored (source port?) to the port that nettop is plugged into on the same switch(destination port?) and then install Wireshark on the HTPC nettop and then use an RDC to remote into that nettop ?
 
Last edited:
I think IPTraffic is an Asus proprietary database. It is not readable by Wireshark and contains far less data density than an Ethernet sniff.

No, IPTraffic was originally developed for Tomato. It stores data in a linked list format, so it's not human-readable. You'd have to write your own parser.
 
IPTraffic is not a packet capture database. It only contains dates, IPs, and amounts of data sent. There's nothing to analyze in this database.
 
My question is, why?

Wireshark can read trace files from other sources, just not IPTraffic apparently.

Well I'm not sure that's an appropriate question to ask. I want to monitor the packet data to determine who that client is communicating with, what the ip's are and what protocol and port number it is using so that I can optimize my network to either deny or allow that traffic based on my preference for my own reasons. That's all I can tell you. Why does anyone want to analyze and understand traffic on their own network? Because reasons. It's not a question as to why, it's how.

IPTraffic is not a packet capture database. It only contains dates, IPs, and amounts of data sent. There's nothing to analyze in this database.

Question. Is enabling IPTraffic even required for what I am doing or is it putting unnecessary load on my router and writing to jffs unnecessarily? Thanks


Just as an FYI to anyone who finds this thread. I was able to reconfigure my connections and use the GS105Ev2 to port mirror the Shield packets to a pc running Wireshark on the same switch to accomplish this. Then I simply remote into that client over my wifi to allow me to monitor it without being wired in. If you look at my post above where I quoted the Wireshark site on how to do that, it works exactly as described. I am now able to capture and analyze all of the traffic being sent to the client in question in real time while certain applications are running on that client.
 
I did exactly what I was trying to do using the method I described above in the last paragraph. Just so you know. It took the router out of the equation but it definately worked.
I had no doubt that it would work if you just wanted to mirror one port of the switch to another. But my answer was in response to your question asking how configure the switch to mirror traffic directly over the router's WiFi connection.
 
I had no doubt that it would work if you just wanted to mirror one port of the switch to another. But my answer was in response to your question asking how configure the switch to mirror traffic directly over the router's WiFi connection.

Yeah. It would eliminate the need to set up Wireshark on the other client and then have to remote into it to use the interface. Simpler setup. I understand this router can't do that. Thanks.
 

Similar threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Staff online

Top