Tcpdumpsniffing
`tcpdump` is a handy tool for sniffing network traffic. Typically, it runs on the router and allows you to observe traffic directly there. Use

```
# opkg install tcpdump
```

to install the OpenWRT package. The interface `usb0` is typically used by the USB stick:
```
root@OpenWrt:~# ifconfig usb0
usb0      Link encap:Ethernet  HWaddr 02:11:22:33:44:55
          inet6 addr: aaaa::1/64 Scope:Global
          inet6 addr: fe80::11:22ff:fe33:4455/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1284  Metric:1
          RX packets:23 errors:0 dropped:0 overruns:0 frame:0
          TX packets:26 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1564 (1.5 KiB)  TX bytes:2616 (2.5 KiB)
```
In order to show the IP packets on this network, use

```
# tcpdump -i usb0
tcpdump: WARNING: usb0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on usb0, link-type EN10MB (Ethernet), capture size 96 bytes
23:13:02.553968 IP6 :: > ff02::2: ICMP6, router solicitation, length 8
23:13:02.836969 IP6 :: > ff02::1:ff33:4411: ICMP6, neighbor solicitation, who has fe80::11:22ff:fe33:4411, length 24
23:13:06.469967 IP6 fe80::11:22ff:fe33:4411 > ff02::2: ICMP6, router solicitation, length 16
23:13:10.378973 IP6 fe80::11:22ff:fe33:4411 > ff02::2: ICMP6, router solicitation, length 16
```
By observing the ICMP6 router solicitation messages, you can see that one device has the IPv6 address `fe80::11:22ff:fe33:4411`. This requires a working radvd on the router. If you're unsure what the link-local address of your socket is, this is a great way to identify it.
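The same identification step, automated: an added example (not part of the original wiki page) that picks the unique, non-unspecified source addresses out of tcpdump's router solicitation lines. The sample lines are constructed from the capture above; the `rs_sources` and `live_rs_sources` function names and the `usb0` default are assumptions.

```sh
#!/bin/sh
# Print the unique source addresses of ICMP6 router solicitation lines read
# from tcpdump's text output on stdin. "::" (the unspecified address) is
# skipped: a host that has not configured an address yet sends from it.
rs_sources() {
    awk '/ICMP6, router solicitation/ {
            # tcpdump line layout: <time> IP6 <src> > <dst>: ICMP6, ...
            src = $3
            if (src != "::" && !(src in seen)) { seen[src] = 1; print src }
        }'
}

# Live use on the router (not run here): capture only router solicitations
# and stream them through rs_sources. The BPF expression matches ICMPv6
# type 133 at byte 40, i.e. right after the fixed IPv6 header, which assumes
# no extension headers precede ICMPv6 (true for the traffic shown above).
# -n disables name lookups, -l line-buffers so awk sees each line promptly.
live_rs_sources() {
    iface="${1:-usb0}"
    tcpdump -i "$iface" -n -l 'icmp6 && ip6[40] == 133' 2>/dev/null | rs_sources
}

# Constructed sample input: the router solicitation capture from this page.
SAMPLE='23:13:02.553968 IP6 :: > ff02::2: ICMP6, router solicitation, length 8
23:13:02.836969 IP6 :: > ff02::1:ff33:4411: ICMP6, neighbor solicitation, who has fe80::11:22ff:fe33:4411, length 24
23:13:06.469967 IP6 fe80::11:22ff:fe33:4411 > ff02::2: ICMP6, router solicitation, length 16
23:13:10.378973 IP6 fe80::11:22ff:fe33:4411 > ff02::2: ICMP6, router solicitation, length 16'

printf '%s\n' "$SAMPLE" | rs_sources
```

Comparing the list against the addresses you expect on the link is a cheap way to notice an unknown device asking the router for a prefix.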
By using the `-s 0` switch, you can tell tcpdump to capture the full network packet. For example:

```
# tcpdump -i usb0 -s 0
tcpdump: WARNING: usb0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on usb0, link-type EN10MB (Ethernet), capture size 65535 bytes
23:31:45.646483 IP6 fe80::11:22ff:fe33:4455 > ff02::1:ff33:4411: ICMP6, neighbor solicitation, who has aaaa::11:22ff:fe33:4411, length 32
23:31:45.722965 IP6 aaaa::11:22ff:fe33:4411 > fe80::11:22ff:fe33:4455: ICMP6, neighbor advertisement, tgt is aaaa::11:22ff:fe33:4411, length 32
23:31:45.723075 IP6 bbbb::f07b:a2b8:ed4e:8c19 > aaaa::11:22ff:fe33:4411: ICMP6, echo request, seq 0, length 16
23:31:45.795941 IP6 aaaa::11:22ff:fe33:4411 > bbbb::f07b:a2b8:ed4e:8c19: ICMP6, echo reply, seq 0, length 16
23:31:46.639696 IP6 bbbb::f07b:a2b8:ed4e:8c19 > aaaa::11:22ff:fe33:4411: ICMP6, echo request, seq 1, length 16
23:31:46.716964 IP6 aaaa::11:22ff:fe33:4411 > bbbb::f07b:a2b8:ed4e:8c19: ICMP6, echo reply, seq 1, length 16
```
Finally, you can use `-w /tmp/foo.pcap` to write a pcap file. This can then be processed on a different machine. Wireshark is also capable of reading pcap files.