Sniffing all IP packets

I have an IPTV box from a Swedish operator, it's capable of playing IPTV content. I know they are using IGMP to inform an upstream router/switch to subscribe/unsubscribe specific UDP broadcast groups.

What I want to achieve here is to monitor all the IGMP packets from/to the IPTV box. So my question is, is it possible to set up an OpenWrt box and monitor all the traffic? I've got a MikroTik RB450G.

Yes, you only need to do a wire tap with a switch or a router with port mirroring and run the data tap to Wireshark or similar.

The problem with data package analysis is that you really need a goal with the data tapping before starting the project, because it is a lot of meaningless data and most people don't find it very exciting to look at for more than a couple of hours.


@flygarn12 @vgaetera Thank you guys. I have a very clear goal - monitor the IGMP part.

You can achieve what you want with your available equipment.

  1. Your RB450 supports port mirroring, so use it.
  2. Mirror source - the port where the IPTV box is plugged in.
  3. Mirror target - some free port.
  4. Connect a PC with Wireshark installed to the mirror target port.
  5. Start a capture session, using an IGMP filter.

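To make the IGMP part of such a capture concrete, here is an added example (not posted by anyone in this thread) that decodes joins and leaves from raw IPv4 packet bytes, covering IGMPv3 reports as well as IGMPv2. It assumes the Ethernet header has already been stripped; the `sample_v2` helper and the source address `192.168.1.50` are constructed for illustration.

```python
import socket
import struct

IGMP_PROTO = 2
V2_EVENTS = {0x11: "query", 0x12: "join", 0x16: "join", 0x17: "leave"}
# IGMPv3 group records with an empty source list (RFC 3376 record types)
V3_EVENTS = {2: "member", 4: "join", 3: "leave"}

def inet_checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071); returns 0 over a message whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_igmp(ip_packet: bytes) -> list:
    """Return [(source_ip, event, group)] for one IPv4 packet; [] if it is not valid IGMP."""
    if len(ip_packet) < 20 or ip_packet[0] >> 4 != 4 or ip_packet[9] != IGMP_PROTO:
        return []
    ihl = (ip_packet[0] & 0x0F) * 4  # 24 when the Router Alert option is present
    igmp = ip_packet[ihl:struct.unpack("!H", ip_packet[2:4])[0]]
    if ihl < 20 or len(igmp) < 8 or inet_checksum(igmp) != 0:
        return []  # malformed header, truncated message or bad checksum
    src, msg_type = socket.inet_ntoa(ip_packet[12:16]), igmp[0]
    if msg_type in V2_EVENTS:
        return [(src, V2_EVENTS[msg_type], socket.inet_ntoa(igmp[4:8]))]
    if msg_type != 0x22:  # 0x22 = IGMPv3 membership report
        return []
    events, offset = [], 8
    for _ in range(struct.unpack("!H", igmp[6:8])[0]):
        if offset + 8 > len(igmp):
            break  # record count claims more data than was captured
        rec_type, aux_len, n_src = struct.unpack("!BBH", igmp[offset:offset + 4])
        group = socket.inet_ntoa(igmp[offset + 4:offset + 8])
        event = V3_EVENTS.get(rec_type, "other") if n_src == 0 else "source-filter"
        events.append((src, event, group))
        offset += 8 + 4 * (n_src + aux_len)
    return events

def sample_v2(src: str, msg_type: int, group: str) -> bytes:
    """Constructed input: IPv4 header + Router Alert + IGMPv2 message (IP checksum left 0)."""
    body = struct.pack("!BBH4s", msg_type, 0, 0, socket.inet_aton(group))
    body = body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x46, 0xC0, 24 + len(body), 0, 0, 1,
                      IGMP_PROTO, 0, socket.inet_aton(src), socket.inet_aton(group))
    return hdr + b"\x94\x04\x00\x00" + body

if __name__ == "__main__":
    for kind in (0x16, 0x17):  # the box tunes to a channel, then away from it
        print(parse_igmp(sample_v2("192.168.1.50", kind, "239.251.255.30")))
```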

What do the different UDP broadcast groups actually do?

The following is an example of our setup. Each column represents a channel. The 1st column represents a broadcast address, the 2nd column represents the port number.

| Broadcast address | Port |
|---|---|
|239.251.255.014|5000|
|239.251.255.015|5000|
|239.251.255.112|5000|
|239.251.255.110|5000|
|239.251.255.029|5000|
|239.251.255.030|5000|

So each broadcast group is a channel. The payload is mpeg-ts. So the whole protocol stack is mpeg-ts over udp.
If you install ffmpeg/ffplay on your Linux box, you shall be able to play it with the following command

ffplay udp://239.251.255.030:5000

Mpeg-ts…are you actually using this in Sweden connected to a public IPTV provider or do you use this in a local/private IPTV area?

It's public

Hmmmm, I need to clarify the requirement

  1. We have a router, which is capable of delivering both IPTV multicast traffic and Internet unicast traffic.
  2. An IPTV box is connected to the router directly.
  3. I cannot tweak the router, nor the IPTV box.

What I want to achieve here is to put a device in between. This device is transparent to both the IPTV box and the router. I just want to monitor the traffic through this device.
Can I install OpenWrt and do some magic there?

Cheers.

  1. With OpenWrt 19.07 you can make a switch bridge between two ports that don't have an interface.
    Then you mirror tx and rx on one of these ports in this bridge.
    You run the internet traffic through this bridge.
    Then you do a parallel bridge with the other ports with an ordinary interface and so on. To that interface you connect the Wireshark computer.
    Then you send the mirrored data from the internet bridge to the port that the Wireshark computer is connected to.

Done!

I found this instruction on a blog when I googled something like “ethernet tap to OpenWRT” or something like that last winter.

You could try Docker and install a DPI container like ntopng.
