Log WAN traffic

Hi there,

I would like to know what connections are leaving (or entering) the router device through the WAN interface. I'm interested in all connections like NTP, DNS, TCP, UDP, IP, etc. Human-readable URLs would be nice, but IP addresses would also be sufficient.

I know that logging can fill up storage easily, so I would log connections only once instead of all packets in all directions. But it seems that OpenWRT iptables doesn't understand the argument -ctstate (at least I get a Bad argument `–ctstate' error message when restarting the firewall).

So, is it possible to log all the connections leaving or entering the router, while not flooding the logs with continuous entries for the same connection?

Thank you and best regards
Salamanca

Just the basics first:
--ctstate requires the "state" module. Load it by prepending the argument -m state like this:
-m state --ctstate (...)
Also, if it still gives you an error, try:
-m state --state (...)

tcpdump might fit your needs. You can have it filter out and output basic information for the protocols you want, or you can do a full traffic dump and analyze it in Wireshark or some other .pcap-compatible tool.

Thank you for your help. I still get an error with both variants.

iptables v1.8.3 (legacy): Couldn't load match `state':No such file or directory

But I found out that logging works fine using conntrack...

 -m conntrack --ctstate NEW

Thank you for your help. I will take a look at this method, because I remember Wireshark being able to analyse large data volumes very easy.
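As an added example that is not part of this thread, here is what the conntrack-based approach above looks like when put together: a function that emits iptables rules logging each NEW connection crossing the WAN interface exactly once (with a rate limit so a port scan cannot flood the kernel ring buffer), and an awk filter that turns the resulting kernel LOG lines from logread into one "direction proto src:port -> dst:port" line per connection. The WAN interface name eth0.2, the chain name wan_log, the log prefix "WAN-NEW: " and the sample log lines are all assumptions constructed for this example; adjust the interface to whatever `uci get network.wan.ifname` reports on your router.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes a single WAN
# interface (hypothetical name below), iptables with the conntrack match
# and LOG target, and logread for reading the kernel log on OpenWrt.
WAN_IF="${WAN_IF:-eth0.2}"

# Print the rules rather than applying them, so this is safe to run
# anywhere; on the router: wan_log_rules | sh  (or paste into /etc/firewall.user)
wan_log_rules() {
    cat <<EOF
iptables -N wan_log 2>/dev/null
iptables -F wan_log
# rate-limit the LOG target so a scan cannot flood the kernel ring buffer
iptables -A wan_log -m limit --limit 30/min --limit-burst 20 -j LOG --log-prefix "WAN-NEW: " --log-level 6
iptables -A wan_log -j RETURN
# new connections leaving via WAN: from the router itself and from LAN hosts
iptables -I OUTPUT -o $WAN_IF -m conntrack --ctstate NEW -j wan_log
iptables -I FORWARD -o $WAN_IF -m conntrack --ctstate NEW -j wan_log
# new connections arriving on WAN and addressed to the router
iptables -I INPUT -i $WAN_IF -m conntrack --ctstate NEW -j wan_log
EOF
}

# Reduce kernel LOG lines (stdin) to one line per connection.
# Direction is "in" when the IN= field names an interface, else "out".
# Protocols without ports (ICMP) get "-" in the port position.
summarize_wan_log() {
    awk '
    /WAN-NEW: / {
        dir = "out"; proto = "?"; src = "?"; dst = "?"; spt = "-"; dpt = "-"
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "IN" && kv[2] != "") dir = "in"
            else if (kv[1] == "SRC")   src = kv[2]
            else if (kv[1] == "DST")   dst = kv[2]
            else if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "SPT")   spt = kv[2]
            else if (kv[1] == "DPT")   dpt = kv[2]
        }
        printf "%s %s %s:%s -> %s:%s\n", dir, proto, src, spt, dst, dpt
    }'
}

# Constructed sample of what logread shows once the rules are active
# (addresses from the RFC 5737 documentation ranges; not real traffic).
SAMPLE_LOG=$(cat <<'EOF'
Sat Jan  4 10:00:01 2020 kern.info kernel: WAN-NEW: IN= OUT=eth0.2 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1234 DF PROTO=TCP SPT=45678 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Sat Jan  4 10:00:02 2020 kern.info kernel: WAN-NEW: IN= OUT=eth0.2 SRC=192.0.2.10 DST=198.51.100.9 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=33000 DPT=123 LEN=56
Sat Jan  4 10:00:03 2020 kern.info kernel: WAN-NEW: IN=eth0.2 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=54321 PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Sat Jan  4 10:00:04 2020 kern.info kernel: WAN-NEW: IN= OUT=eth0.2 SRC=192.0.2.10 DST=198.51.100.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
EOF
)

# Demonstration: show the rules, then the per-connection summary.
wan_log_rules
printf '%s\n' "$SAMPLE_LOG" | summarize_wan_log
```

On the router the second half becomes `logread | summarize_wan_log` (or `logread -f | summarize_wan_log` to watch live). Because the match is on --ctstate NEW, only the first packet of each conntrack entry is logged, so reply packets and retransmissions do not produce further lines; the -m limit rule is a second line of defence for the case where something opens many new connections per second. Logging at level 6 (info) keeps the lines out of the console; if the log still needs to persist across reboots, point logd at a remote syslog host as suggested later in the thread.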

Ooh, okay. There are a few different versions of iptables in the wild that name the modules differently.

You could also set up a syslog server somewhere in the network and log to it, that solves the limited memory constraint.

I use softflowd and a netflow collector like NfSen. It only does things like: IPs, protocol, total traffic. You'll have to see if the netflow data produced is enough for your needs.
