Tcpdump and DSA - how to monitor WAN traffic

With 21.0.2 my router is now using DSA. I cannot figure out how to get tcpdump to monitor traffic on the WAN.

The relevant bits of ip a output (full dump at end) (all "inet6" data omitted as I do not have IPv6 going upstream) appear to be

# ip a
...
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1508 qdisc mq state UP qlen 1024
    link/ether [REDACTED] brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc cake state DOWN qlen 1024
    link/ether [REDACTED] brd ff:ff:ff:ff:ff:ff
...
8: wan@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether [REDACTED] brd ff:ff:ff:ff:ff:ff
    inet [MY GLOBAL IPV4]/24 brd [REDACTED].255 scope global wan
       valid_lft forever preferred_lft forever
...
19: ifb4eth1: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc cake state UNKNOWN qlen 32
    link/ether [REDACTED] brd ff:ff:ff:ff:ff:ff

So it looks most likely that what I want is tcpdump -i wan@eth0, but that prints tcpdump: wan@eth0: No such device exists (SIOCGIFHWADDR: No such device).

In 19.07, the WAN was on eth1, and the fact that the 'cake' qdisc is applied to that interface suggests that at some level it still is, but tcpdump -i eth1 prints tcpdump: eth1: That device is not up.

tcpdump -i ifb4eth1 actually goes into capture mode, but nothing is observed, even though I know traffic is flowing over the WAN (tested by downloading some files that my browser doesn't have cached).

tcpdump -i eth0 sees everything, including all the LAN traffic, which means that what I want to see is buried in a flood of SSH packets. Filter expressions all malfunction, e.g. -i eth0 'not (tcp and port 22)' doesn't filter out anything and -i eth0 'host [public IP]' filters out everything.

What is the right way to make tcpdump monitor the WAN?

Full `ip a` output
# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1508 qdisc mq state UP qlen 1024
    link/ether [REDACTED] brd ff:ff:ff:ff:ff:ff
    inet6 [REDACTED]/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc cake state DOWN qlen 1024
    link/ether [REDACTED] brd ff:ff:ff:ff:ff:ff
4: lan4@eth0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master br-lan state LOWERLAYERDOWN qlen 1000
    link/ether [REDACTED] brd ff:ff:ff:ff:ff:ff
5: lan3@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether [REDACTED] brd ff:ff:ff:ff:ff:ff
6: lan2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether [REDACTED] brd ff:ff:ff:ff:ff:ff
7: lan1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether [REDACTED] brd ff:ff:ff:ff:ff:ff
8: wan@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether [REDACTED] brd ff:ff:ff:ff:ff:ff
    inet [REDACTED]/24 brd [REDACTED].255 scope global wan
       valid_lft forever preferred_lft forever
    inet6 [REDACTED]/64 scope link
       valid_lft forever preferred_lft forever
17: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether [REDACTED] brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.1/24 brd 10.0.0.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 [REDACTED]/60 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 [REDACTED]/64 scope link
       valid_lft forever preferred_lft forever
19: ifb4eth1: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc cake state UNKNOWN qlen 32
    link/ether [REDACTED] brd ff:ff:ff:ff:ff:ff
    inet6 [REDACTED]/64 scope link
       valid_lft forever preferred_lft forever
21: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP qlen 1000
    link/ether [REDACTED] brd ff:ff:ff:ff:ff:ff
    inet6 [REDACTED]/64 scope link
       valid_lft forever preferred_lft forever
22: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP qlen 1000
    link/ether [REDACTED] brd ff:ff:ff:ff:ff:ff
    inet6 [REDACTED]/64 scope link
       valid_lft forever preferred_lft forever

Of course I discover the answer immediately after posting the question: ls /sys/class/net reveals that the problem is that ip a is being a little too helpful with its @-thingies...

# ls /sys/class/net
br-lan    ifb4eth1  lan3      wan
eth0      lan1      lan4      wlan0
eth1      lan2      lo        wlan1

... and the proper command is simply tcpdump -i wan.

Hopefully this will be of use to people in the future facing the same puzzle.

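The naming issue resolved above, as an added example that is not part of the original posts: `ip a` prints DSA ports as `name@parent`, while the kernel device (the entry in /sys/class/net, and the name `tcpdump -i` accepts) is only the part before the `@`. The function names, the sample text and its 192.0.2.x address are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: header lines in the style of the `ip a` output above.
SAMPLE_IP_A='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1508 qdisc mq state UP qlen 1024
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc cake state DOWN qlen 1024
5: lan3@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
8: wan@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.0.2.10/24 brd 192.0.2.255 scope global wan'

# Strip the "@parent" suffix that ip adds for display; "wan@eth0" -> "wan".
capture_name() {
    printf '%s\n' "${1%%@*}"
}

# Read `ip a` or `ip link` text on stdin and print one line per interface:
#   <device> <parent or -> <up|down>
# Address lines are indented, so only the numbered header lines match.
list_links() {
    awk '/^[0-9]+: / {
        label = $2
        sub(/:$/, "", label)
        n = split(label, part, "@")
        parent = (n > 1) ? part[2] : "-"
        state = ($3 ~ /[<,]UP[,>]/) ? "up" : "down"
        print part[1], parent, state
    }'
}

# Print the name to hand to tcpdump -i, or fail if the kernel has no such
# device. $2 overrides the sysfs directory so the check can run off-router.
resolve_capture_if() {
    dev=$(capture_name "$1")
    netdir=${2:-/sys/class/net}
    if [ ! -e "$netdir/$dev" ]; then
        echo "no such device: $dev" >&2
        return 1
    fi
    printf '%s\n' "$dev"
}

# Show the mapping for the sample text.
printf '%s\n' "$SAMPLE_IP_A" | list_links

# On the router itself:
#   tcpdump -ni "$(resolve_capture_if wan@eth0)"
```

The `down` state reported for eth1 matches the "That device is not up" error from `tcpdump -i eth1`.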
