TP-WDR3600 monitoring/capturing wireless traffic: howto?

Dear folks,

this is probably a non-LEDE-related question, but I decided to ask this question here: is there a way to mirror wireless traffic to an ethernet port?

Background: currently I am into VOIP. And try to learn about proper configuration, try to pentest my internal asterisk configuration using wireshark, kali and my LEDE router as the central unit on which asterisk is running. And I want to monitor my complete network traffic.

Tried: use the mirror option in switch configuration (cpu -> free LAN port), but found out, that except broadcasts only wired traffic is mirrored. I suspect this being a general networking problem (wireless traffic is not controlled by the switch, although VLANs are defined here). Conveniently this also monitors my WAN traffic, but I didn't find an easy way to monitor WLAN-only devices like smartphones and such. Possible solution would be: turn off internal wireless AP and use an external AP and connect it via trunk to one of the LAN ports (I use more than one VLAN for wireless).

Also tried to use wireshark in promiscuous mode, but found out, that none of my wireless client adapters seem to support this mode.

Is there an easy way to internally route wireless traffic through the internal switch, besides using two LAN ports, configure them properly and use an external cable to connect them? There are no free ports left for this in my current configuration besides the mirror port I use for monitoring.

Curious from germany

codefish

Google using wireshark on LEDE/openwrt.
You run tcpdump in promiscuous mode over SSH (and ignoring your monitoring PCs IP).

@weedy: many thanx - seems I used the wrong search terms in the past, now found what I 've been looking for. Also seems I need to dig a bit deeper into iptables (as already suspected :wink: ).

with now satisfied greetz from Germany

codefish

You can use cshark package in Lede....simillar like wireshark but it runs via Lede.:slight_smile:

@Knomax: thank you, too. A bit less of use for me, as I need visible live monitoring, not offline analysis. But an interesting option I haven't come across before (there are so many packets out there :wink: )

Luci luci-app-statistics????Have a look in software.

@Knomax: interesting, too! But of not much use here, as I try to trace SIP, RTP and STUN (VOIP). Target is to learn about proper VOIP configuration and especially ensure I cannot get hacked before I actually put asterisk13 online (asterisk, firewall, routing). Have read lots of stories about unsafe asterisk configurations and people's VOIP accounts having been abused. This is already a huge lot of stuff I now have to learn. But absolutely makes fun to learn as LEDE runs rock-solid (except PJSIP which I haven't managed to get running, so for now I use the older SIP module)

edit: quite interesting to see how often sipvicious-scripts try to analyze my configuration. A huge botnet seems to be out there trying to abuse any unsafe VOIP servers. Let's see if I can configure some honeypot on my LEDE device which could be fun :slight_smile:

I am looking for a similar solution for security and training purpose:

I will not use cshark as it is cloud shark capture. I don't think companies would agree to send capture information on the web. At least not in France!

According to the documentation, cshark also supports USB storage:
https://support.cloudshark.org/openwrt/openwrt-cloudshark.html

But I did not success to enable it.

Currently, I use a switch and a small LEDE device:

  • a LEDE device to sniff network, configured with 2 ports, one for ssh access, the other to sniff network (no configuration).
  • port mirroring on my switch to mirror all ports 1 to 8 to port 10, except the switch management port and LEDE device used to sniff network.
  • eth2 port on the LEDE device is connected to port 10 using wired cable.

Then I run tcpdump to dump sessions, example: tcpdump -vv -i eth2 -XX port http

i don't know how to use wireshark using a remote ssh session.

Also, my switch is only IPv4 capable, so I loose all IPv6 features. I think it would be nice to develop a luci app to mirror selected ports to a pipe or a remote address. Something like cshark, but with local control and a solution using wireshark. Do you have any idea how this would look?

Apparently, the needed tools are https://github.com/mmaraya/port-mirroring
It works under LEDE and should provide a reliable solution.

port-mirroring is an OpenWrt package that sends copies of network packets from your OpenWrt router to another device on your network or beyond, giving you the ability to monitor and analyze network traffic without additional hardware. Intrusion detection systems, network application debugging, and network performance monitoring are common use cases. This is a continuation of the work started by Bruce Geng at https://code.google.com/p/port-mirroring/.

Finally, I used a much simplier solution:

ssh user@myledebox tcpdump -i eth2 -U -s0 -w - 'not port 22' | sudo wireshark -k -i -

This forwards all traffic from port eth2 to wireshark.

Maybe we should write a wiki page to propose various solutions and analyse them?

Writing a wiki for this would be a GREAT idea! Unfortunately I cannot help much with this, as I still have a lot to learn :wink:

I am going to create this HOWTO and we can simply work together, this is easy to do.

1 Like

I'm looking forward into reading this HOWTO. I still have much to learn and this would be a great addition.

I created this small HOWTO as a "starting-point". Feel free to modify it and make it richer:
https://lede-project.org/docs/howto/capture-filter-inspect-packets

1 Like

Does anyone know how to get the detailed 802.11x auth and capabilities data like this:

with tcpdump? All my captures always skip it and there is just 4 request with auth and then it is DHCP and pas that nothing relevant.

@ffries "This page does not exist anymore"

Take this one: https://openwrt.org/docs/guide-user/firewall/misc/tcpdump_wireshark