In addition to the above rule tracing, you could also use tcpdump to watch raw packet traffic. (If you're not familiar with it, it's basically Wireshark's internals.) The -n turns off name resolution (as with many other network/port tools), so we just see IP addresses and port numbers in the output. -i takes an interface name parameter, so here we're seeing just packets crossing br-lan. It has a rich filter language, close enough to iptables and nft to be recognizable, but different enough to be annoying.
$ tcpdump -n -i br-lan
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on br-lan, link-type EN10MB (Ethernet), snapshot length 262144 bytes
06:31:28.878378 IP6 fd91:f453:ed1f::1.22 > fd91:f453:ed1f:0:ec3d:ad74:4033:fdb3.53837: Flags [P.], seq 408652691:408652887, ack 856843803, win 1002, length 196
06:31:28.922412 IP6 fd91:f453:ed1f:0:ec3d:ad74:4033:fdb3.53837 > fd91:f453:ed1f::1.22: Flags [.], ack 196, win 1026, length 0
06:31:30.190480 IP 10.1.2.192.63730 > 10.1.2.1.53: 52699+ A? api.dropboxapi.com. (36)
06:31:30.190738 IP 10.1.2.192.59187 > 10.1.2.1.53: 51229+ AAAA? api.dropboxapi.com. (36)
Note that the port number is mashed onto the end of the IP address using a dot as a separator, for IPv4 and IPv6 addresses alike.
To see all the packets on your client3 interface that have port 34 as either source or destination, you could say this and wait until something happens. (You can prefix 'port' with either 'src' or 'dst' to look at just one direction.)
$ tcpdump -i client3 'port 34'
The man page (https://www.tcpdump.org/manpages/tcpdump.1.html) has some examples, but there are a lot more (and better) examples in various blogs and tutorials out there.
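Because tcpdump glues the port onto the address with a dot, splitting its output by hand is error-prone (an IPv4 address without a port looks like three dots, with a port like four; IPv6 text never contains a dot on its own). The following is an added example, not code from the original page: a small Python parser for the -n output shown above, plus an offline equivalent of the 'port N' / 'src port N' / 'dst port N' filters, run over constructed sample lines copied from that listing. The header lines are included to show that non-packet lines are skipped.

```python
import re
from typing import Optional

# Constructed sample input, modelled on the `tcpdump -n -i br-lan` listing in
# the text. Two non-packet header lines are included on purpose.
SAMPLE_LINES = [
    "tcpdump: verbose output suppressed, use -v[v]... for full protocol decode",
    "listening on br-lan, link-type EN10MB (Ethernet), snapshot length 262144 bytes",
    "06:31:28.878378 IP6 fd91:f453:ed1f::1.22 > fd91:f453:ed1f:0:ec3d:ad74:4033:fdb3.53837: Flags [P.], seq 408652691:408652887, ack 856843803, win 1002, length 196",
    "06:31:28.922412 IP6 fd91:f453:ed1f:0:ec3d:ad74:4033:fdb3.53837 > fd91:f453:ed1f::1.22: Flags [.], ack 196, win 1026, length 0",
    "06:31:30.190480 IP 10.1.2.192.63730 > 10.1.2.1.53: 52699+ A? api.dropboxapi.com. (36)",
    "06:31:30.190738 IP 10.1.2.192.59187 > 10.1.2.1.53: 51229+ AAAA? api.dropboxapi.com. (36)",
]

# timestamp, "IP" or "IP6", source endpoint, destination endpoint, remainder.
# The destination group is non-greedy so the ": " that ends it is the first
# colon-space, not one of the colons inside an IPv6 address.
PACKET_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) (?P<proto>IP6?) (?P<src>\S+) > (?P<dst>\S+?): (?P<rest>.*)$"
)


def split_endpoint(endpoint: str, proto: str):
    """Split tcpdump's 'address.port' form into (address, port or None).

    For IPv4 a dotted quad has three dots, so a fourth dot means a port is
    attached. For IPv6 the textual address has no dots at all (IPv4-mapped
    addresses are not handled here), so any dot introduces the port.
    """
    if proto == "IP":
        has_port = endpoint.count(".") == 4
    else:
        has_port = "." in endpoint
    if not has_port:
        return endpoint, None
    address, _, port = endpoint.rpartition(".")
    if not port.isdigit():
        return endpoint, None
    return address, int(port)


def parse_line(line: str) -> Optional[dict]:
    """Parse one tcpdump -n line; returns None for header and other non-packet lines."""
    m = PACKET_RE.match(line)
    if not m:
        return None
    src_addr, src_port = split_endpoint(m["src"], m["proto"])
    dst_addr, dst_port = split_endpoint(m["dst"], m["proto"])
    return {
        "ts": m["ts"],
        "proto": m["proto"],
        "src": src_addr,
        "sport": src_port,
        "dst": dst_addr,
        "dport": dst_port,
        "info": m["rest"],
    }


def matching_port(lines, port: int, direction: str = "either"):
    """Offline equivalent of the capture filters 'port N', 'src port N' and 'dst port N'.

    direction is "either", "src" or "dst"; returns the parsed packets that match.
    """
    if direction not in ("either", "src", "dst"):
        raise ValueError("direction must be 'either', 'src' or 'dst'")
    matched = []
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        src_hit = pkt["sport"] == port
        dst_hit = pkt["dport"] == port
        hit = {"either": src_hit or dst_hit, "src": src_hit, "dst": dst_hit}[direction]
        if hit:
            matched.append(pkt)
    return matched


if __name__ == "__main__":
    # Show who is talking to the resolver on port 53 in the sample capture.
    for pkt in matching_port(SAMPLE_LINES, 53, "dst"):
        print(f'{pkt["ts"]} {pkt["src"]}:{pkt["sport"]} -> {pkt["dst"]}:{pkt["dport"]}  {pkt["info"]}')
```

Piping a live capture through this (tcpdump -n -l -i br-lan | python3 script.py, with -l for line-buffered output) is a quick way to build your own tallies, but for anything more than a one-off, the capture filter on the tcpdump command line is cheaper because it drops packets in the kernel before they are copied out.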
You probably don't need to use this next one, but a way to track connections is to use the conntrack tool, which must be user-installed (opkg install conntrack). It will show you the meta-context information that netfilter stashes for packet flows. Using conntrack -E, you can watch as connections change state from new to established and so on. Like tcpdump, it has its own filter language, again simultaneously similar and different. (If you find yourself debugging nft expressions such as ct state or ct status, or their iptables equivalent, this is the tool to use.)