Posted: Thu Jun 30, 2022 16:30 Post subject: Sending all lan traffic to monitor PC
I have a server on the network that's connected via ethernet, and I would like all of its traffic sent to a PC to be monitored with Wireshark.
This is the code I found in the forum to do this, but it seems to be obsolete and there's a new way to go about this. Here's a screenshot:
https://i.imgur.com/TCtI8cz.png
When I wireshark the ethernet adapter I don't see any mirrored traffic. Any ideas what I am missing?
Here's the specs of the router:
Router Name DD-WRT
Router Model Netgear R6400 v2
Firmware Version DD-WRT v3.0-r44627 (10/22/20)
Kernel Version Linux 4.4.240 #1265 SMP Wed Oct 21 08:34:03 +04 2020 armv7l
IIRC, the old method used the TEE module, but now requires the ROUTE module.
Also, you may have to load the ROUTE module explicitly.
Code:
modprobe ipt_ROUTE
But there's no guarantee the ROUTE (or TEE) module is even available. The above works w/ FreshTomato, but I can't get it to load this module, nor accept these same firewall rules on my own RT-AC68U running DD-WRT.
ALL firewall rules belong in the firewall script, NEVER the startup script.
Anytime you add firewall rules, you should verify they got added, and are getting hits (pkts field > 0).
P.S. What you might want to consider instead is capturing an output file w/ tcpdump (which will likely require an Entware install, plus the tcpdump package), then import that to WireShark.
Depending on what you're trying to do, dealing w/ an *active* flow of traffic during analysis can be difficult. It's sometimes better to just capture the data for some defined period of time and deal w/ it offline.
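Added example (not code from the thread or from DD-WRT): a small POSIX shell script that puts eibgrad's two points together. It prints the mirroring rules that would go in the firewall script, and it verifies from an `iptables -t mangle -vnL` listing that a TEE/ROUTE rule was actually accepted and is counting packets (pkts > 0). The listing can come from the router itself or from one of the two constructed samples embedded below (one with a working rule, one copied from the OP's empty output). The monitor address 192.168.1.50, the bridge name br0 and the capture path are assumptions.

```shell
#!/bin/sh
# Mirror-rule helper for a DD-WRT style router. Assumptions (not from the thread):
# the LAN bridge is br0, the monitor PC is 192.168.1.50, captures go to /opt.
MONITOR_IP="192.168.1.50"
LAN_IF="br0"
CAPTURE_FILE="/opt/lan-capture.pcap"

# Rules that belong in the router's *firewall* script (never the startup script).
# Printed instead of executed so this file also runs off-router; paste the output
# into the firewall script. xt_TEE is the stock iptables TEE module; ipt_ROUTE is
# the name the thread shows for the ROUTE target.
firewall_script_lines() {
    cat <<EOF
modprobe xt_TEE 2>/dev/null || modprobe ipt_ROUTE
# inbound from the LAN (PREROUTING) and outbound to the LAN (POSTROUTING)
iptables -t mangle -A PREROUTING  -i $LAN_IF -j TEE --gateway $MONITOR_IP
iptables -t mangle -A POSTROUTING -o $LAN_IF -j TEE --gateway $MONITOR_IP
EOF
}

# Alternative from eibgrad's P.S.: capture on the router for a fixed window
# (600 s, one file, full snaplen) and import the file into Wireshark offline.
tcpdump_capture_line() {
    printf 'tcpdump -i %s -s 0 -G 600 -W 1 -w %s\n' "$LAN_IF" "$CAPTURE_FILE"
}

# Read a `iptables -t mangle -vnL` listing on stdin and sum the pkts column of
# every TEE/ROUTE rule. Prints one of: "hit <pkts>", "nohit 0", "absent 0".
# Counters without -x are abbreviated (208K, 105M), so scale those back up.
rule_hits() {
    awk '
    function num(s) {
        if (s ~ /K$/) return substr(s, 1, length(s) - 1) * 1000
        if (s ~ /M$/) return substr(s, 1, length(s) - 1) * 1000000
        if (s ~ /G$/) return substr(s, 1, length(s) - 1) * 1000000000
        return s + 0
    }
    # rule lines start with a packet count; column 3 is the target
    $1 ~ /^[0-9]/ && ($3 == "TEE" || $3 == "ROUTE") { found = 1; pkts += num($1) }
    END {
        if (!found)        print "absent 0"
        else if (pkts > 0) print "hit " pkts
        else               print "nohit 0"
    }'
}

# $@ is the command that produces the listing, e.g. `iptables -t mangle -vnL`.
verify_mirror_rule() {
    result=$("$@" | rule_hits)
    case "$result" in
        hit*)    echo "mirror rule present and matching traffic (${result#hit } pkts)" ;;
        nohit*)  echo "mirror rule present but 0 pkts so far: check chain and interface" ;;
        absent*) echo "no TEE/ROUTE rule found: module missing or rule rejected" ;;
    esac
    echo "$result"
}

# CONSTRUCTED sample: what the listing looks like once the TEE rule is in and hit.
sample_listing_with_rule() {
    cat <<'EOF'
Chain PREROUTING (policy ACCEPT 208K packets, 105M bytes)
 pkts bytes target     prot opt in     out     source               destination
 1532  134K TEE        all  --  br0    *       0.0.0.0/0            0.0.0.0/0            TEE gw:192.168.1.50
Chain INPUT (policy ACCEPT 8905 packets, 982K bytes)
 pkts bytes target     prot opt in     out     source               destination
EOF
}

# The OP's own output: chains present, no rule at all.
sample_listing_no_rule() {
    cat <<'EOF'
Chain PREROUTING (policy ACCEPT 208K packets, 105M bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain INPUT (policy ACCEPT 8905 packets, 982K bytes)
 pkts bytes target     prot opt in     out     source               destination
EOF
}

# Offline demo: `sh mirror_check.sh demo`
if [ "${1:-}" = "demo" ]; then
    firewall_script_lines
    tcpdump_capture_line
    verify_mirror_rule sample_listing_with_rule
    verify_mirror_rule sample_listing_no_rule
fi
```

On the router the check is `verify_mirror_rule iptables -t mangle -vnL` (add `-x` for exact counters); "absent" is the symptom the OP shows, and means the rule never made it into the table, whereas "nohit" means the rule is there but bound to the wrong chain or interface.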
Anytime you add firewall rules, you should verify they got added, and are getting hits (pkts field > 0).
Code:
iptables -t mangle -vnL
I telnetted into the router and got the following:
Code:
root@DD-WRT:~# modprobe ipt_ROUTE
modprobe: module ipt_ROUTE not found
modprobe: failed to load module ipt_ROUTE: No such file or directory
root@DD-WRT:~# iptables -t mangle -vnL
Chain PREROUTING (policy ACCEPT 208K packets, 105M bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 8905 packets, 982K bytes)
pkts bytes target prot opt in out source destination
@eibgrad isn't it ROUTE for older kernels and TEE for newer?
I can use TEE and tcpdump on my router (R6400)
TBH, I don't recall. All I know is that I was using TEE for ages on FT (FreshTomato), then it suddenly stopped working w/ more recent FT firmware (that was probably a couple years ago). I had to switch to ROUTE. So I *assumed* they deprecated TEE in favor of ROUTE. But I could be wrong.
Another option for the OP is to install FT (FreshTomato), even if only for diagnostic purposes. As I said, it works fine for me, at least w/ my RT-AC68U. And FT supports the Netgear r6400 v2 as well. Just save your current dd-wrt config before updating to FT, so you can easily return to it.
Joined: 16 Nov 2015 Posts: 6436 Location: UK, London, just across the river..
Posted: Thu Jun 30, 2022 18:23 Post subject:
yep, as advised, TEE or ROUTE...I had some struggle making TEE work, reading tons of threads in the past...
best bet is Wireshark on a TAP or tcpdump exported, but having all the traffic stored on the router side, or on USB, or fetched anywhere, especially on high traffic, could be a playful game...that's where a tap device comes in handy...you can add a switch or hub to this port and try via those instead of a tap, but on high load same issue...
also 3.0-r44627 is old and full of unpatched security flaws, as well as lacking updated binaries; two of those are DNSmasq (the backbone of DDWRT) and SSL... so, if you prefer stability over security, at least you know now..!!
_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Posted: Thu Jun 30, 2022 18:43 Post subject:
I simply have it via Entware, although it is one version older..
tcpdump - 4.9.3-4
but it's installed by default on my R7000 as well as R7800...no idea which version..I guess BS maintains the most recent...
it sure needs lib libpcap - 1.10.1-1