DD-WRT and Wireshark

networking-ddwrt-and-wiresharkWireshark is a open-source protocol analyzer that can visualize the frames passing through the router. This analyzer is available on many platforms, but can not run directly on the router.

using tcpdump

While one could run tcpdump directly on the router, interpreting its output takes a bit of work. Another option run tcpdump on the router and pipe its output to wireshark on a Linux host.
To capture traffic on bridge br0, use the following commands on a Linux host.

mkfifo /tmp/$PPID
ssh rtr "tcpdump -i br0 -w - 'not ((src host rtr and src port 22) or (dst host rtr and dst port 22))'" > /tmp/$PPID. &
wireshark -k -i /tmp/$PPID

using etherpuppet

Instead we forward all packets from an interface on the router to a Linux host, where they the protocol analyzer runs.

Prepare the router

cd /jffs
wget http://www.secdev.org/projects/etherpuppet/files/etherpuppet-mipsel
chmod 755 etherpuppet-mipsel

Prepare the Linux host

wget http://hg.secdev.org/etherpuppet/raw-files/top/etherpuppet.c
gcc -o etherpuppet etherpuppet.c
sudo yum install wireshark-gnome
sudo usermod -a -G wireshark $NAME

Instruct the router to forward all packets on the bridge that joins the LAN and wireless traffic (br0).

./etherpuppet-mipsel -i br0 -s 999 -C

Receive the packets on the Linux host and start the protocol analyzer.

sudo ./etherpuppet -m -c rtr2.vonk:999 &
sudo ifconfig puppet0 up
sudo wireshark # select interface puppet0

In Wireshark select the puppet0 interface.

Coert Vonk

Coert Vonk

Independent Firmware Engineer at Los Altos, CA
Welcome to the things that I couldn’t find.This blog shares some of the notes that I took while deep diving into various fields.Many such endeavors were triggered by curious inquiries from students. Even though the notes often cover a broader area, the key goal is to help the them adopt, flourish and inspire them to invent new technology.
Coert Vonk

Latest posts by Coert Vonk (see all)

3 comments to DD-WRT and Wireshark

  • Armando

    Hi Coert,

    Thanks a lot for this tutorial.

    I have a little issue with etherpuppet when running it from a EA6300V1 with DD-WRT K3.x. I have a 16 GB USB drive with two partitions, one for /jffs and one for /opt:

    root@WAP1:/opt/etherpuppet# df -h
    Filesystem Size Used Available Use% Mounted on
    /dev/root 26.1M 26.1M 0 100% /
    /dev/mtdblock/6 6.8G 4.0K 6.4G 0% /jffs
    /dev/sda1 6.8G 4.0K 6.4G 0% /jffs
    /dev/sda2 6.8G 16.0E 6.5G 100% /opt

    When I run etherpuppet-mipsel, I get a “Permission denied” error, regardless of having etherpuppet-mipsel copied to /jffs or /opt.

    root@WAP1:/opt/etherpuppet# wget http://www.secdev.org/projects/etherpuppet/files/etherpuppet-mipsel
    Connecting to http://www.secdev.org (
    etherpuppet-mipsel 100% |********************************************************| 63235 0:00:00 ETA
    root@WAP1:/opt/etherpuppet# ls -l
    -rw-r–r– 1 root root 63235 Sep 4 18:29 etherpuppet-mipsel
    root@WAP1:/opt/etherpuppet# chmod 777 etherpuppet-mipsel
    root@WAP1:/opt/etherpuppet# ls -l
    -rwxrwxrwx 1 root root 63235 Sep 4 18:29 etherpuppet-mipsel
    root@WAP1:/opt/etherpuppet# /opt/etherpuppet/etherpuppet-mipsel -i br0 -S 999 -C
    -sh: /opt/etherpuppet/etherpuppet-mipsel: Permission denied
    root@WAP1:/opt/etherpuppet# ./etherpuppet-mipsel -i br0 -s 999 -C
    -sh: ./etherpuppet-mipsel: Permission denied

    Any ideas what could I be doing wrong?

  • Armando

    Nevermind… I figured it out. Thanks.

  • John Russell

    I ran into the same problem. The EA6300V1 has an ARMv7-A processor, whereas etherpuppet-mipsel is compiled for a Mips processor.

    Maybe someone can compile etherpuppet.c for Arm (http://www.secdev.org/projects/etherpuppet/).

Leave a Reply

You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>




Protected with IP Blacklist CloudIP Blacklist Cloud