2

I have root access to my dd-wrt router at 192.168.0.1 and computer at 192.168.0.100.

I need to get the traffic coming through the router (in the Internet and out) from some other computer (192.168.0.101) and examine it in, let's say, Wireshark on my 192.168.0.100 machine. How can this be done? Probably using iptables on the router.

Zabuzzman

4 Answers

5

From the machine where you want to run wireshark:

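    # -U flushes each packet to the pipe, -s 0 keeps full packets, -k starts the capture at once
    ssh root@ddwrt "tcpdump -i eth0 -U -s 0 -w - host 192.168.0.101" | wireshark -k -i -
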
Zabuzzman
  • 2
    @JohannaJames note that this will not store any data on the router but tunnel it through SSH to your local station's `Wireshark` for immediate examination. It might be worth enabling compression for SSH by supplying the `-C` parameter if the router is only reachable over a WAN. – the-wabbit Apr 29 '13 at 08:42
3

You can install tcpdump on the DD-WRT router to record a pcap file that you can analyze later with Wireshark. pcap is the file format used by tcpdump to capture the network traffic.

Mircea Vutcovici
1

The iptables TEE target can replicate packets to a given next hop; this will do what you need.

Olipro
  • The TEE target is even already available with DD-WRT out of the box: http://thatexplainsalot.com/blog/2010/11/use-wireshark-and-dd-wrt-router-firmware-to-imitate-port-monitoring-on-a-router-switch-port/ But obviously, the traffic is not going to be routed through the internet, so the TEE destination needs to be a network-local Wireshark station or at least be capable of tunneling the packets to the Wireshark station. – the-wabbit Apr 29 '13 at 08:44
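
The TEE approach from the answer and comment above, written out as a rule generator; this is an added example, not part of the original posts. The function names, the choice of mangle-table chains and the availability of `-j TEE --gateway` in the router's iptables build are assumptions; the addresses are those from the question.

```sh
#!/bin/sh
# Added example (not from the original posts): generate iptables TEE rules that
# copy one LAN host's routed traffic to a Wireshark station on the same LAN.
TARGET=192.168.0.101     # host to observe (address from the question)
MONITOR=192.168.0.100    # capture station (address from the question)

# Succeeds only for a dotted-quad IPv4 address with every octet <= 255.
is_ipv4() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots into $1..$4
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# tee_rules <-A|-I|-D> <target_ip> <monitor_ip>
# Prints one rule per direction; prints nothing and returns 2 on bad input.
tee_rules() {
    case $1 in -A|-I|-D) ;; *) echo "op must be -A, -I or -D" >&2; return 2 ;; esac
    is_ipv4 "$2" && is_ipv4 "$3" || { echo "invalid IPv4 address" >&2; return 2; }
    [ "$2" != "$3" ] || { echo "target and monitor must differ" >&2; return 2; }
    # Packets sent by the target, seen as they enter the router.
    printf 'iptables -t mangle %s PREROUTING -s %s -j TEE --gateway %s\n' "$1" "$2" "$3"
    # Packets routed back to the target, seen after NAT has restored its address.
    printf 'iptables -t mangle %s POSTROUTING -d %s -j TEE --gateway %s\n' "$1" "$2" "$3"
}

# Print the rules for review; nothing is applied here.
tee_rules -A "$TARGET" "$MONITOR"
```

On the router, pipe the output to `sh` to install the rules and rerun with `-D` to remove them. On 192.168.0.100, capture with the filter `host 192.168.0.101`.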
0

You may also try `iptables -I FORWARD -d 192.168.0.101 -j LOG`. I'm not sure if dd-wrt iptables is compiled with LOG support, so it might not work.

Please also note: your poor router will probably die on logging if there is too much traffic going to 192.168.0.101.

rvs