Analyzing Network Traffic with OpenWrt

Please go through “Getting Started with OpenWrt – Linuxfying Routers” if you are new to OpenWrt. I will be using the “WiFi repeater mode” discussed in the “Getting Started” guide and proceed with analyzing network traffic.

These approaches come in handy especially when you need to analyze packets generated by mobile devices. It is a good setup for observing how an Android device infected with malware behaves and communicates with its external components.

In addition, a similar setup can be used to perform a passive man-in-the-middle attack. This is why it is generally advised not to use public WiFi networks unless you are protected by a VPN (or at least by trusted SSL/TLS connections).

The current device configuration is as follows:

  • OpenWrt Router :
  • Android Device :
  • Laptop with Wireshark :

Analyzing with Remote Wireshark Listener

SSH into the OpenWrt router (usually port 22) and install “iptables-mod-tee” with the command below:

Run the following iptables command to “forward a copy of each packet with source IP (-s) on the out interface (-o) to the gateway IP (--gateway)”:

Run the following iptables command to “forward a copy of each packet with destination IP (-d) on the in interface (-i) to the gateway IP (--gateway)”:

Start capturing traffic in Wireshark with the filter below applied:


A few interesting resources on iptables rules:

Capturing communication with tcpdump

tcpdump can be installed on the OpenWrt router itself. This approach therefore eliminates the need for a remote Wireshark or similar listener to analyze the traffic in real time.

SSH into the OpenWrt router and install “tcpdump” with the command below:

Execute the command below to listen on an interface (-i), store the captured packets in a file (-w) and be verbose while doing so (-v).

Retrieve the pcap.cap file from the router and open it in Wireshark for further analysis.
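Both procedures above (mirroring the device's packets to the laptop with the TEE target, then capturing locally with tcpdump) as one small script that runs on the router over SSH. This is an added example written for this page, not code from the original post. The post does not name the iptables table or chains, so using the mangle table with POSTROUTING for the -o rule and PREROUTING for the -i rule is my assumption, as are the helper names ip2int and same_subnet, the interface names (wlan0, br-lan), the addresses and the output path. The TEE target only clones packets to a host on a directly attached network segment, so the script refuses a collector address outside the client's subnet rather than silently delivering nothing to Wireshark.

```shell
#!/bin/sh
# Added example for this page (not the original post's code): the TEE mirror and
# the local tcpdump capture as reusable shell functions for the OpenWrt router.
# Prerequisites, as in the post:  opkg update && opkg install iptables-mod-tee tcpdump
# Set IPT=echo or TCPDUMP=echo to print the commands instead of running them.
IPT=${IPT:-iptables}
TCPDUMP=${TCPDUMP:-tcpdump}

# ip2int DOTTED_QUAD: print the address as a 32-bit integer; fail on malformed input.
ip2int() {
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    # reject empty octets, non-digits, leading zeros (octal inside $(( ))) and values > 255
    case $o in ''|*[!0-9]*|0[0-9]*) return 1;; esac
    [ "$o" -le 255 ] || return 1
  done
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# same_subnet IP1 IP2 PREFIXLEN: true when both addresses share the /PREFIXLEN network.
same_subnet() {
  a=$(ip2int "$1") || return 1
  b=$(ip2int "$2") || return 1
  case $3 in ''|*[!0-9]*) return 1;; esac
  [ "$3" -le 32 ] || return 1
  mask=$(( (4294967295 << (32 - $3)) & 4294967295 ))
  [ $(( a & mask )) -eq $(( b & mask )) ]
}

# mirror_on CLIENT_IP WAN_IF COLLECTOR_IP PREFIXLEN
# Copy every packet the client sends or receives to the laptop running Wireshark.
# TEE only clones to a host on a directly attached segment, so the collector is
# checked against the client's network (assumed to be the router's LAN) first.
mirror_on() {
  same_subnet "$1" "$3" "$4" || {
    echo "mirror_on: $3 is not on the client's /$4 network; TEE needs a directly reachable gateway" >&2
    return 1
  }
  # outbound: source = client, leaving via the WAN interface
  # (-o is only valid after routing, hence mangle POSTROUTING; chain is my assumption)
  $IPT -t mangle -A POSTROUTING -s "$1" -o "$2" -j TEE --gateway "$3" || return 1
  # inbound: destination = client, arriving on the WAN interface (-i: mangle PREROUTING)
  $IPT -t mangle -A PREROUTING -d "$1" -i "$2" -j TEE --gateway "$3"
}

# mirror_off CLIENT_IP WAN_IF COLLECTOR_IP: delete the two rules again when done. The
# clones double the LAN load and hand every packet to whoever holds the collector address.
mirror_off() {
  $IPT -t mangle -D POSTROUTING -s "$1" -o "$2" -j TEE --gateway "$3"
  $IPT -t mangle -D PREROUTING -d "$1" -i "$2" -j TEE --gateway "$3"
}

# capture CLIENT_IP LAN_IF OUTFILE [MAX_PACKETS]: capture on the router itself.
# -n avoids DNS lookups from the router, -s 0 keeps whole packets, "host" restricts
# the file to the device under study; write under /tmp (RAM), not the small flash.
capture() {
  $TCPDUMP -i "$2" -n -s 0 -v -w "$3" -c "${4:-1000}" host "$1"
}

# Allow e.g.  sh mirror.sh mirror_on 192.168.1.100 wlan0 192.168.1.50 24
case $1 in
  mirror_on|mirror_off|capture) "$@";;
  '') ;;
  *) echo "usage: $0 mirror_on|mirror_off|capture ..." >&2; exit 1;;
esac
```

On the laptop, a Wireshark display filter limited to the phone's address (for example `ip.addr == 192.168.1.100`, a constructed value) isolates the mirrored packets, since the TEE copies keep their original IP headers and only the destination MAC is rewritten to the collector's. The tcpdump file is pulled back with scp (or any SFTP client) and opened in Wireshark as the post describes. The mirror functions assume an iptables-based OpenWrt release; recent releases that ship nftables use a different rule syntax, and the install and tcpdump steps are unaffected by that change.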

A bunch of tcpdump usage examples are available at:

5 comments on “Analyzing Network Traffic with OpenWrt”

  1. David September 14, 2016 8:57 PM

    This is a useful discussion. I have a Raspberry Pi running OpenWrt as the outside interface and a GL-AR150 configured with a Tor wireless interface (and also a non-Tor one).
    I let all the mobile devices connect to Tor so that Google tracking and association of the IP address with accounts doesn’t happen. I don’t want all household being stored forever. This works for everything but voice over IP calls.
    OpenWrt also makes it easy to change the external IP address.
    I would be interested in learning more about how to log various types of activity on the network and setting up conditions to decide which things are logged, blocked, recorded etc.; possibly using an interactive database?
    It seems that the analysis section could be expanded in more detail. I don’t know how much Wireshark can do.

  2. Graham Constantine March 2, 2017 8:34 AM

    Thanks Ayoma. I like that you gave two choices to achieve the same thing.
    Much appreciated

  3. PearlineJuicy July 11, 2018 6:20 AM

    I often visit your blog and have noticed that you don’t
    update it often. More frequent updates will give your site
    higher authority & rank in google. I know that writing articles takes a lot of time, but you can always help yourself with miftolo’s tools which will
    shorten the time of creating an article to a couple of

  4. Dolev Ben Aharon August 17, 2018 6:43 PM

    Thank you!!

  5. BestQuincy August 18, 2018 6:41 PM

    I have noticed you don’t monetize your blog, don’t waste your traffic, you can earn extra bucks every month.
    You can use the best adsense alternative for any type of website (they approve all websites), for more details simply search in gooogle: boorfe’s tips monetize your website
