DD-WRT and Wireshark

Wireshark is an open-source protocol analyzer that can visualize the frames passing through the router. The analyzer is available on many platforms, but cannot run directly on the router.

Using tcpdump

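While one could run tcpdump directly on the router, interpreting its output takes a bit of work. Another option is to run tcpdump on the router and pipe its output to Wireshark on a Linux host. The capture filter excludes the SSH session itself, so the capture does not record its own transport.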
To capture traffic on bridge br0, use the following commands on a Linux host.

mkfifo /tmp/$PPID
ssh rtr "tcpdump -i br0 -w - 'not ((src host rtr and src port 22) or (dst host rtr and dst port 22))'" > /tmp/$PPID &
wireshark -k -i /tmp/$PPID
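
The same capture as a reusable wrapper, added here as an example and not part of the original post: it builds the SSH-exclusion filter for any SSH port, validates names before they reach the router's command line, and puts the FIFO in a private directory. The function names are hypothetical; `rtr` and `br0` are the article's.

```shell
#!/bin/sh
# Added example (not from the original post). "rtr" and "br0" are the article's
# names; every function name below is hypothetical.

# BPF expression that keeps the SSH session carrying the capture out of the
# capture itself; the port is a parameter for routers with sshd off port 22.
ssh_exclude_filter() {
    host=$1; port=${2:-22}
    printf 'not ((src host %s and src port %s) or (dst host %s and dst port %s))' \
        "$host" "$port" "$host" "$port"
}

# Accept only plain host/interface names, because they are pasted into the
# command line that the router's shell will parse.
valid_name() {
    case $1 in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Create the FIFO inside a fresh directory only this user can enter, instead of
# the predictable /tmp/$PPID path.
make_private_fifo() {
    dir=$(mktemp -d) || return 1
    mkfifo -m 600 "$dir/capture.pcap" || return 1
    printf '%s\n' "$dir/capture.pcap"
}

# Start the remote tcpdump, feed Wireshark, and clean up afterwards.
capture() {
    host=$1; iface=$2
    valid_name "$host" && valid_name "$iface" || { echo "bad name" >&2; return 2; }
    fifo=$(make_private_fifo) || return 1
    ssh "$host" "tcpdump -i $iface -w - '$(ssh_exclude_filter "$host")'" > "$fifo" &
    wireshark -k -i "$fifo"
    kill $! 2>/dev/null
    rm -rf "$(dirname "$fifo")"
}

# Usage: capture rtr br0
```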

Using etherpuppet

Alternatively, we forward all packets from an interface on the router to a Linux host that runs the protocol analyzer.

Prepare the router

cd /jffs
wget http://www.secdev.org/projects/etherpuppet/files/etherpuppet-mipsel
chmod 755 etherpuppet-mipsel

Prepare the Linux host

wget http://hg.secdev.org/etherpuppet/raw-files/top/etherpuppet.c
gcc -o etherpuppet etherpuppet.c
sudo yum install wireshark-gnome
sudo usermod -a -G wireshark $NAME

Instruct the router to forward all packets on the bridge that joins the LAN and wireless traffic (br0).

./etherpuppet-mipsel -i br0 -s 999 -C

Receive the packets on the Linux host and start the protocol analyzer.

sudo ./etherpuppet -m -c rtr2.vonk:999 &
sudo ifconfig puppet0 up
sudo wireshark # select interface puppet0

In Wireshark select the puppet0 interface.


3 Replies to “DD-WRT and Wireshark”

  1. Hi Coert,

    Thanks a lot for this tutorial.

    I have a little issue with etherpuppet when running it from an EA6300V1 with DD-WRT K3.x. I have a 16 GB USB drive with two partitions, one for /jffs and one for /opt:

    root@WAP1:/opt/etherpuppet# df -h
    Filesystem Size Used Available Use% Mounted on
    /dev/root 26.1M 26.1M 0 100% /
    /dev/mtdblock/6 6.8G 4.0K 6.4G 0% /jffs
    /dev/sda1 6.8G 4.0K 6.4G 0% /jffs
    /dev/sda2 6.8G 16.0E 6.5G 100% /opt

    When I run etherpuppet-mipsel, I get a “Permission denied” error, regardless of having etherpuppet-mipsel copied to /jffs or /opt.

    root@WAP1:/opt/etherpuppet# wget http://www.secdev.org/projects/etherpuppet/files/etherpuppet-mipsel
    Connecting to http://www.secdev.org (
    etherpuppet-mipsel 100% |********************************************************| 63235 0:00:00 ETA
    root@WAP1:/opt/etherpuppet# ls -l
    -rw-r--r-- 1 root root 63235 Sep 4 18:29 etherpuppet-mipsel
    root@WAP1:/opt/etherpuppet# chmod 777 etherpuppet-mipsel
    root@WAP1:/opt/etherpuppet# ls -l
    -rwxrwxrwx 1 root root 63235 Sep 4 18:29 etherpuppet-mipsel
    root@WAP1:/opt/etherpuppet# /opt/etherpuppet/etherpuppet-mipsel -i br0 -S 999 -C
    -sh: /opt/etherpuppet/etherpuppet-mipsel: Permission denied
    root@WAP1:/opt/etherpuppet# ./etherpuppet-mipsel -i br0 -s 999 -C
    -sh: ./etherpuppet-mipsel: Permission denied

    Any ideas what I could be doing wrong?
