Tcpdump failing to capture inbound HTTP packets

I am running tcpdump on a GL-iNet Puli router, which is running OpenWRT. Using tcpdump, I want to capture all HTTP traffic between a device on wlan0 and a remote server. I have been testing tcpdump with the command:

tcpdump -i any -X -v -w captures.pcap

I am able to capture the HTTP requests sent from the device to the remote server, which I am analyzing with Wireshark, but I am not able to capture the responses from the server. I know that the server is sending responses back, and that the device is able to receive them, as I have confirmed this on the device.

What could be the cause of this?

What is in ubus call system board, and what exact command are you using?

{
        "kernel": "5.10.176",
        "hostname": "GL-XE300",
        "system": "Qualcomm Atheros QCA9533 ver 2 rev 0",
        "model": "GL.iNet GL-XE300(NOR/NAND)",
        "board_name": "glinet,gl-xe300-nor-nand",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "22.03.4",
                "revision": "r20123-38ccc47687",
                "target": "ath79/nand",
                "description": "OpenWrt 22.03.4 r20123-38ccc47687"
        }
}

I am using the cmd:

tcpdump -i wlan0 -nnvvv port 80

Are you using firewall offload?

  • Remove port 80
  • Specifically use the MAC of the device instead

ether host aa:bb:cc:11:22:33

Not sure what that is. I have kept the firewall as default, with an exception for port 4242.

  • I have tried that, to see if the response came through a different port, but I was still not able to capture it.
  • I have tried with its specific IP, but it did not help.