Analyzing Network Traffic with OpenWrt


Please go through “Getting Started with OpenWrt – Linuxfying Routers” first if you are new to OpenWrt. I will be using the “WiFi repeater mode” discussed in the “Getting Started” guide and proceed from there to analyzing network traffic.

These approaches can be especially handy when you need to analyze packets generated by mobile devices. It is a good setup for observing how an Android device infected with malware behaves and which external components it communicates with.

In addition, a similar setup can also be used to perform a passive man-in-the-middle attack. This is why it is generally advised not to use public WiFi networks unless you are protected with a VPN (or at least trusted SSL/TLS connections).

The current device configuration is as follows:

  • OpenWrt Router : 192.168.9.1
  • Android Device : 192.168.9.121
  • Laptop with Wireshark : 192.168.9.183

Analyzing with Remote Wireshark Listener

SSH into the OpenWrt router (usually on port 22) and install “iptables-mod-tee” with the command below:

Run the following iptables command to “forward a copy of each packet with source IP (-s) on the outgoing interface (-o) to the gateway IP (--gateway)”:

Run the following iptables command to “forward a copy of each packet with destination IP (-d) on the incoming interface (-i) to the gateway IP (--gateway)”:
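The two mirroring rules above, wrapped in a small POSIX shell script as an added example (not the commands from the original post). It assumes the TEE target is used from the mangle table (as provided by iptables-mod-tee), that the client's traffic enters and leaves the router on a single interface given as IFACE, and that the Wireshark laptop is on the same subnet as the router so TEE can deliver the copies to it directly; the function names are my own.

```shell
#!/bin/sh
# Added example: build, apply and remove the two iptables TEE rules that
# mirror one client's traffic to a Wireshark host on the same subnet.
# Assumptions: TEE is used from the mangle table (iptables-mod-tee / xt_TEE),
# the client's packets cross the router on interface $IFACE in both
# directions, and the collector IP is directly reachable from the router.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(echo "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the iptables commands for CLIENT_IP COLLECTOR_IP IFACE [ACTION].
# ACTION is -A (add, default) or -D (delete). Nothing is executed here.
tee_mirror_rules() {
    client="$1"; collector="$2"; iface="$3"; action="${4:--A}"
    is_ipv4 "$client" && is_ipv4 "$collector" || return 1
    # copy of every packet FROM the client leaving on $iface
    echo "iptables -t mangle $action POSTROUTING -o $iface -s $client -j TEE --gateway $collector"
    # copy of every packet TO the client arriving on $iface
    echo "iptables -t mangle $action PREROUTING -i $iface -d $client -j TEE --gateway $collector"
}

# Run the generated rules on the router (needs root); -D removes them again.
apply_tee_mirror() {
    tee_mirror_rules "$@" | while read -r cmd; do
        echo "+ $cmd"
        $cmd || exit 1
    done
}

# Usage on the router: ./tee-mirror.sh add|del CLIENT_IP COLLECTOR_IP IFACE
# e.g. ./tee-mirror.sh add 192.168.9.121 192.168.9.183 wlan0
case "${1:-}" in
    add) apply_tee_mirror "$2" "$3" "$4" -A ;;
    del) apply_tee_mirror "$2" "$3" "$4" -D ;;
esac
```

Remember to run the `del` form when the capture is finished so the router stops duplicating the client's packets onto the LAN.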

Start capturing traffic in Wireshark with the filter below applied:

[Screenshot: Wireshark]

A few interesting resources on iptables rules:

Capturing communication with tcpdump

Tcpdump can be installed on the OpenWrt router itself. This approach therefore eliminates the need for a remote Wireshark or similar listener to analyze the traffic in real time.

SSH into the OpenWrt router and install “tcpdump” with the command below:

Execute the command below to listen on an interface (-i), store the captured packets to a file (-w), and be verbose while doing so (-v):

Retrieve and open the pcap.cap file with Wireshark for further analysis.

A bunch of tcpdump usage examples are available at:


One comment on “Analyzing Network Traffic with OpenWrt”

  1. David September 14, 2016 8:57 PM

    This is a useful discussion, I have a Raspberry Pi running OpenWrt as the outside interface and a GL-AR150 configured with a Tor wireless interface (and also a non-Tor).
    I let all the mobile devices connect to Tor so that Google tracking and association of the IP address with accounts doesn’t happen. I don’t want all household being stored forever. This works for everything but voice over IP calls.
    The OpenWrt also makes it easy to change external ip address.
    I would be interested in learning more about how to log various types of activity on the network and setting up conditions to decide which things are logged, blocked, recorded etc; possibly using an interactive database?
    It seems that the analysis section could be expanded in more detail. I don’t know how much Wireshark can do.
