Assistance Needed: Capturing Network Events & Identifying Rogue Devices on OpenWRT

Hello OpenWRT Community,

I hope everyone is doing well. I am embarking on a project and could really use the expertise of the many knowledgeable members in this forum.

Objective: I aim to enhance the current OpenWRT system to better manage and monitor device connections/disconnections and identify potentially rogue devices through network traffic analysis.


  1. Capture Connect/Disconnect Events: I need guidance on how to modify the OpenWRT codebase (or create a plugin) to effectively capture device connection and disconnection events. Ideally, the solution would allow for real-time monitoring and logging of these events with relevant details like MAC address, IP, and timestamp.
  2. Network Traffic Capture for Rogue Device Identification: I'm also interested in setting up a mechanism to monitor and analyze network traffic specifically to detect rogue or unauthorized devices. If there's any existing solution or if a custom solution is feasible, insights on this would be valuable.


  • Is there already an existing plugin or package in OpenWRT that can assist with this, or will this require custom modifications?
  • For those who have experience in this domain, what challenges or pitfalls should I be aware of?
  • Would it be more efficient to directly modify the OpenWRT codebase, or would creating a separate plugin be a more modular and maintainable approach?

I genuinely appreciate any assistance, advice, or pointers in the right direction. Whether it's code snippets, references to relevant documentation, or personal experiences, all input is welcome.

Thank you in advance for your time and expertise. I am looking forward to the collective wisdom of this community.

Warm regards,

tcpdump / wireshark ?

if you want a commercial solution, Cloudshark.

If your goal is to deny access to your network to unauthorized devices I recommend:

VLAN for ethernet connection (if someone is not authorized to use an ethernet connection with the VLANs you should solve it, in this case the biggest problem is that the device is present inside your structure so it is like having a thief in your house)

and for WIFI connection (in this case the advice is not to identify unauthorized devices but to prevent their access):

Is there a way to capture connect/disconnect event?

RADIUS server is interesting but I am looking to get this event with in openwrt. Is there a way?

logread -f | grep "AP-STA-CONNECTED"
logread -f | grep "AP-STA-DISCONNECTED"

1 Like
1 Like