Sniff traffic between 2 interfaces FTTX

My ISP gives 2 devices to provide internet access: ONT+Router
I wanna use a router with an embedded ONT, so I only have 1 device.

The problem is that they don't give out the configuration for you to use your own devices, so using an exploit I gained admin access to the router, but the ONT is another story.

So I thought of sniffing the traffic between the ONT and the router, using an OpenWrt device. I have read https://openwrt.org/docs/guide-user/firewall/misc/tcpdump_wireshark but it isn't detailed enough for my knowledge.

What I want to do, if possible, is to bridge 3 ethernet ports on the OpenWrt device, and connect to each one of them the ONT, the router and a PC with Wireshark to sniff the traffic.

How do I manage to do that? Also I have read that I need to use VLANs so the traffic is processed by the OpenWrt device's CPU, and make it sniffable.

The OpenWrt device is an ar5387un with the latest OpenWrt version.

@mofo, welcome to the community.

Just as a note, from personal experience:

  • my ONT (Verizon) uses a proprietary single-stranded Layer 1 fiber protocol. So, even if I found a device with fiber SFP, it wouldn't connect to their fiber cable
  • my ISP carries: phone, Internet and TV on 3 different wavelengths on that proprietary fiber
  • In the United States, this is still considered inside the ISP's network, the demarcation point IS the ONT itself
  • If you're trying to flash an ONT with OpenWrt, I don't know of any devices that have been hacked
  • Yes, but on my ONT, only one MAC is recognized to get an address via DHCP, so be careful. I sniff by mirroring the WAN port to another port on my device - then run Wireshark on that.

Also see this thread:

and

Hope this helps.

1 Like

As far as I know your ISP will have to provision your ONT, so there is very little chance of "sneaking" in your own ONT. Given that, why don't you talk to your ISP, maybe they are willing (or legally required) to provision your own ONT for you?

1 Like

@mofo, if you know how to legitimately procure an ONT (i.e. not one that someone simply snatched off the side of their house and put on eBay), please let me know.

I actually have another ONT from my aunt, from her old ISP (and router too). Some ISPs "gift" you with routers, some of them have the ONT embedded in them, so some people sell them on 2nd hand apps.

My ISP doesn't even tell you the admin pass for the router.

Since the ONT is connected via ethernet to the router, I wanted to use an OpenWrt device (an old router I have) to connect it between them, and try to sniff the ONT connection details.

Officially, they let you use a router of your choice if you connect it to their router's eth port #4 (leaving you with 3 devices connected...), and unofficially, people found a way to use their own router by adding a VLAN with a specific number, and connecting it to the ONT.

I even connected to the ONT via serial port, but I couldn't do anything, since I didn't find any guide for that specific model, and the commands of the shell were too technical for me (it wasn't a unix shell, just one with proprietary commands, even tried to dump it almost blindly, but failed).

I don't want to install OpenWrt on the ONT, just use an old router that has OpenWrt installed as a sniffer.

Put a managed switch between you and the ONT and port mirror to a laptop running Wireshark. An sg108e from tplink for $35 would work.

If the OP already owns an OpenWrt-capable device with enough ports, there's no need to purchase additional equipment:

Would a hub do the trick too?

If I mirror the eth port where the ONT is connected, I would only sniff traffic from the ONT, right?
Shouldn't I sniff both traffic from and to the ONT? (to and from the router)
Any guide on how to mirror a port in OpenWrt?

Port mirroring can do both ingress and egress, there's a tick box on the switch page in LuCI, it should let you set up mirroring. I haven't done it on OpenWrt but check out the LuCI switch page and maybe post a screenshot with a question if it's not obvious from there.

1 Like
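Once a mirrored capture of the ONT-to-router link has been saved from Wireshark as a classic pcap file, the VLAN number mentioned earlier in the thread can be read from the 802.1Q tags. The following is an added example, not code from any poster or from OpenWrt; the sample frames and the VLAN IDs 100 and 200 are constructed placeholders.

```python
import struct
from collections import Counter

NAMES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6",
         0x8863: "PPPoE-Discovery", 0x8864: "PPPoE-Session"}

def read_pcap(data):
    """Yield raw Ethernet frames from a classic (non-pcapng) pcap byte string."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def classify(frame):
    """Return (vlan_id, priority, protocol); vlan_id is None when untagged."""
    if len(frame) < 14:
        return None, None, "truncated"
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vlan = pcp = None
    if ethertype in (0x8100, 0x88A8) and len(frame) >= 18:  # 802.1Q / 802.1ad tag
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, pcp = tci & 0x0FFF, tci >> 13
    return vlan, pcp, NAMES.get(ethertype, hex(ethertype))

def summarize(pcap_bytes):
    """Count frames per (vlan_id, priority, protocol)."""
    return Counter(classify(f) for f in read_pcap(pcap_bytes))

def _frame(ethertype, vlan=None, pcp=0):
    # Constructed frame: broadcast destination, made-up source MAC, zero payload.
    hdr = bytes.fromhex("ffffffffffff020000000001")
    if vlan is not None:
        hdr += struct.pack("!HH", 0x8100, (pcp << 13) | vlan)
    return hdr + struct.pack("!H", ethertype) + bytes(46)

def build_sample():
    """Constructed capture; VLAN IDs 100 and 200 are arbitrary, not any ISP's."""
    frames = [_frame(0x8863, 100), _frame(0x8864, 100), _frame(0x8864, 100),
              _frame(0x0800, 200, pcp=5), _frame(0x0806)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return out + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

if __name__ == "__main__":
    for key, n in summarize(build_sample()).most_common():
        print(key, n)
```

If every frame in a real capture comes back untagged, the capturing PC's network adapter or driver may be stripping the VLAN tag before Wireshark sees it.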

Did you end up figuring this out? I'm looking at almost the exact same problem. I need to sniff the VOIP config file which apparently gets fetched by the router over HTTP. If I had an exploit for the router, I would be done, but unfortunately it's on a recent firmware so I don't think I can get root on it.