I am new to modern Asus routers and just got my first GS-AX3000. I managed to install Entware on the USB drive and installed the Entware tcpdump package so I can capture packets passing through the router and view them in Wireshark. I was pretty easily able to do this with my old Netgear R6400 (both v1 and v2) using its built-in tcpdump installation.
On a very basic level, this all appears to work on the new Asus. But after seeing the initial UDP connection and response between a device on my LAN and a server on the WAN, Wireshark is NOT showing me the ongoing UDP traffic, at least not when filtering the data on the IP of the LAN device. However, I KNOW that the ongoing UDP conversation is happening fine, as I can see the results of it via a web page. I find this strange indeed, as this was all clear as day on the Netgear.
I decided to search in Wireshark for the string that is the MAC of the LAN device, and I find a large number of packets containing this information. They are all in localhost-to-localhost UDP packets, and I suspect that the Asus is doing something that obfuscates (perhaps unintentionally, I don't know) what is going on from a Wireshark perspective. At first I thought this might be the result of some form of traffic monitoring or QoS (or similar), but I have all of that disabled. There is, of course, the firewall that is enabled, but I had one enabled on the Netgear as well.
Another possibility is a difference in the behavior of the tcpdump utility between the Netgear-installed version and the Entware-installed version on the Asus. The command-line options used on each are identical (except for the name of the output file). I don't know the version info from the Netgear offhand, but this is what I see on the Asus:
tcpdump version 4.9.3
libpcap version 1.10.1 (with TPACKET_V3)
I am not really an expert at all in any of this. I know just enough to be dangerous, to myself.
Any suggestions about what is going on here and how to eliminate it? Thanks!
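The symptom described in the post (the LAN host's own frames stop appearing, while its MAC keeps turning up inside localhost-to-localhost UDP datagrams) can be measured rather than eyeballed in Wireshark. The script below is an added example, not code from the post or from Asus/Entware: it reads a classic pcap with only the Python standard library, classifies every Ethernet frame as either carried directly by the LAN host (its MAC or IP in the headers), a loopback UDP datagram that merely mentions the LAN MAC in its payload, or neither, and returns the counts. The MAC and IP addresses, the router MAC and the WAN server address are hypothetical, and the sample capture is constructed inline so it runs offline.

```python
"""Triage a router pcap: where does a given LAN host's traffic actually show up?

Added example, not from the original post. Standard library only.
"""
import struct
import sys

# Hypothetical identifiers (assumptions; the post names none of these).
LAN_MAC = "aa:bb:cc:dd:ee:01"
LAN_IP = "192.168.50.20"
ROUTER_MAC = "aa:bb:cc:dd:ee:ff"
WAN_SERVER_IP = "203.0.113.10"   # TEST-NET-3, constructed


def _mac(s):
    return bytes(int(x, 16) for x in s.split(":"))


def _ip(s):
    return bytes(int(x) for x in s.split("."))


def udp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Build an Ethernet/IPv4/UDP frame. Checksums are left zero; fine for offline parsing."""
    eth = _mac(dst_mac) + _mac(src_mac) + b"\x08\x00"
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     _ip(src_ip), _ip(dst_ip))
    return eth + ip + udp


def pcap_bytes(frames):
    """Serialise frames as a little-endian classic pcap, link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out


def iter_frames(data):
    """Yield the raw bytes of each record in a classic pcap (either byte order)."""
    endian = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    pos = 24
    while pos + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[pos:pos + 16])
        pos += 16
        yield data[pos:pos + incl_len]
        pos += incl_len


def classify(frame, lan_mac, lan_ip):
    """'direct' if the host is in the L2/L3 headers, 'loopback_with_mac' if a
    127.x.x.x -> 127.x.x.x UDP payload merely contains its MAC, else 'other'."""
    mac_raw = _mac(lan_mac)
    dst_mac, src_mac, ethertype = frame[:6], frame[6:12], frame[12:14]
    if ethertype != b"\x08\x00":          # only IPv4 is handled here
        return "other"
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[14 + 9]
    src_ip, dst_ip = frame[14 + 12:14 + 16], frame[14 + 16:14 + 20]
    if mac_raw in (src_mac, dst_mac) or _ip(lan_ip) in (src_ip, dst_ip):
        return "direct"
    if src_ip[0] == 127 and dst_ip[0] == 127 and proto == 17:
        payload = frame[14 + ihl + 8:]
        # Wireshark's string search matches either the ASCII text or the raw bytes.
        if mac_raw in payload or lan_mac.encode() in payload.lower():
            return "loopback_with_mac"
    return "other"


def triage(pcap, lan_mac, lan_ip):
    counts = {"direct": 0, "loopback_with_mac": 0, "other": 0}
    for frame in iter_frames(pcap):
        counts[classify(frame, lan_mac, lan_ip)] += 1
    return counts


# Constructed sample capture reproducing the situation in the post.
ZERO = "00:00:00:00:00:00"
SAMPLE_PCAP = pcap_bytes([
    udp_frame(LAN_MAC, ROUTER_MAC, LAN_IP, WAN_SERVER_IP, 40000, 5000, b"hello"),   # initial request
    udp_frame(ROUTER_MAC, LAN_MAC, WAN_SERVER_IP, LAN_IP, 5000, 40000, b"ack"),     # its response
    udp_frame(ZERO, ZERO, "127.0.0.1", "127.0.0.1", 6000, 6001,
              b"client=" + LAN_MAC.encode() + b";bytes=512"),                        # MAC as text
    udp_frame(ZERO, ZERO, "127.0.0.1", "127.0.0.1", 6000, 6001,
              b"\x01" + _mac(LAN_MAC) + b"\x00\x02"),                                # MAC as raw bytes
    udp_frame(ZERO, ZERO, "127.0.0.1", "127.0.0.1", 6000, 6001, b"ping"),           # unrelated
])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    print(triage(data, LAN_MAC, LAN_IP))
```

Run it as `python3 triage.py capture.pcap` (after editing the two constants) to get the three counts for a real capture; with no argument it uses the constructed sample. A "direct" count that stops growing while "loopback_with_mac" keeps rising is the post's situation in numbers. One capture-side caveat worth checking first: on Linux, `tcpdump -i any` includes the `lo` interface, so loopback datagrams from router daemons end up in the same file as LAN traffic; capturing only on the LAN-facing interface (on Asus firmware the LAN bridge is conventionally `br0`; treat that name as an assumption and confirm with `ip link`) keeps them out and makes it obvious whether the LAN host's own frames are really absent.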