Question on packet log in Linksys WRT3200ACM

I'm using Linksys WRT3200ACM router and it has openwrt support (

  1. I want to keep a log of the timestamps when packets are received and transmitted by this device, the packet sizes and IP addresses for source and destination (for each packet transmitted and each packet received).

  2. I also want to keep a log of the NAV timers on the device. Or in other words, transmissions heard by this device on its operating channel and how long those transmissions lasted. Alternatively, packet sizes and data rates for those transmissions will also help.

Are there any standard tools that can enable me to do this or does anyone have any pointers on how to get started? I've taken a look at the openwrt page and the wiki page of this router but I don't have any clue on how to do this. The documentation is very terse but maybe that's just because of the little openwrt experience I have.

"Standard" approaches to this kind of logging, such as use of tcpdump, would apply to any capable hardware. How you store the data (flash is a bad choice due to speed and flash wear) and how you get the data without grinding your CPU to death are the big challenges with any embedded-SoC device. Effectively capturing all traffic at 100s of mbps typically requires a multi-core x86-class device.

port mirroring support for mvebu has been added to the tree, could maybe send things down the pipe to something more resourceful.

Thanks for your reply. I appreciate you taking the time. As far as I understand, tcpdump picks up packet info at a point where the packet is passed to the wireless driver and received from it. So wouldn't the timestamps actually be enqueue timestamps as opposed to when the packet was actually transmitted? Also (for point 2), can tcpdump record all packets including those not meant for the router (e.g., coming from another device existing on the same channel but associated with a different router)? I would appreciate if you can tell me your thoughts on this. Also, as you correctly pointed out, storage is a problem. But I've the device connected to a linux machine over the ethernet port. Can't the log be periodically transmitted back to the linux machine?

Thanks for your reply. I appreciate you taking the time. But does port mirroring work for obtaining transmit timestamps? I'm assuming that it will only provide enqueue timestamps. But I may be wrong.

If you're talking about wireless transmit timestamps just have a nearby device listen on a wifi monitor interface.

1 Like

Thanks for your reply. I appreciate you taking the time. What you pointed out is correct. Unfortunately, I'm using this for my research project and want to implement a tool to do this from the router itself.

Then I'm almost sure you'll have to modify the wireless drivers in the kernel. You apparently want extremely precise timestamps. This is well outside anything done "normally" in networking capture. If tcpdump isn't accurate enough for you, then you'll have to customize kernel info.

Also there's a kind of heisenberg's principle at work here. If you're modifying the kernel to collect and process extra data the timing results will of course be different than what they would have been if you hadn't modified the kernel.

I'm guessing doing this on a second machine with a wireless monitor will be much more accurate.

I see. Thanks a lot! Are there any good resources/online tutorials that can give me an example on how to modify the wireless drivers in the kernel? I've never done anything like this before.

I doubt that instrumenting the wireless drivers is what I'd call a good first foray into kernel hacking. I'd suggest start with capturing packets on a separate machine with a separate monitor interface, while you read up on kernel hacking. Maybe a search on amazon for linux kernel device driver will leave you with some places to get started.

Also have a look at some of the hooks provided through eBPF:

1 Like

Thanks a lot! Appreciate your reply.


  2. I'm not sure this will quite fit your need: