Packet-sniffing with a Buffalo WHR-HP-G54DD
Running tcpdump on a Buffalo WHR-HP-G54 wireless router
The problem is commonplace and really quite simple; You want to know
what's happening (or failing to happen) on the network between two
hosts. If one of the two hosts is your computer, then you just fire up your
trusty packetsniffer
(eg. Wireshark) and you can see
everything that's going on.
But what if it's some other device like f.ex a VOIP telephone or a
game console connected to the internet? You can't install a
packet sniffer on them, and running wireshark on your computer
connected to the same switch only shows a few broadcast packets.
This is actually a Frequently Asked Question in
Wiresharks FAQ #7.1,
and their solutions are:
- Use a HUB instead of a switch
- Unfurtunately they are getting increasingly hard to find.
- Buy a managed switch with port mirroring
- Cisco have them, but they are quite expensive.
Update: The Cisco SLM2005 and SLM2008 gigabit switches
support port mirroring and are fairly cheap.
I found a third solution: Run a packet sniffer on the switch itself.
DD-WRT is an open source linux
based alternative firmware, compatible with a large number of cheap
wireless routers and the perfect basis for a packet sniffing switch
since a kind programmer have already ported 'tcpdump' (an old
packet sniffer) to it. The Buffalo WHR-HP-G54DD come preinstalled with
DD-WRT, but any DD-WRT compatible router will do.
When you log on the Buffalo WHR-HP-G54DD, it seems to have three real network
interfaces and a bridge connecting wireless and lan:
| eth2 | Wireless |
| vlan0 | 4-Port Switch |
| vlan1 | Wan/Internet |
| br0 | Bridge between wireless and LAN |
Using tcpdump you can dump any traffic on the interfaces except
on the switch. You can only see traffic on the switch if it is routed
to either the internet or the wireless side.
Packet sniffing on individual ports of the switch
The 4-port switch in the Buffalo WHR-HP-G54DD has a built-in hardware
bridge acting on the 4 ports, and any traffic the hardware-bridge can
handle itself it not sent up to the software-layer and hence invisible
to tcpdump.
Fortunately this is a programmable switch so we can alter its
behaviour by defining virtual lans. Basicly we want to tell the
hardware-bridge that each port is on a seperate vlan and there for it
must not forward data between them, and at the same time tell the
software bridge that all ports are on the same lan and it therefore
must forward data between them. That way all data packets are sent
through the software layer where tcpdump can access them, although
probably at a considerable performance penalty.
It should be possible to do this configuration via the GUI, but it
doesn't seem to work right so instead we'll telnet to the router and
configure it on the command line (default Username=root, Password=admin):
# Put each port except port 5 on it's own vlan
nvram set port1vlans="0"
nvram set port2vlans="2"
nvram set port3vlans="3"
nvram set port4vlans="4"
nvram set port5vlans="0 1 2 3 4 16"
# Same table as above, but sorted by vlan instead of port
nvram set vlan0ports="1 5*"
nvram set vlan2ports="2 5"
nvram set vlan3ports="3 5"
nvram set vlan4ports="4 5"
# Add vlan1-4 to the software bridge
nvram set lan_ifnames="vlan1 vlan2 vlan3 vlan4 eth1 eth2 eth3"
nvram set vlan0_bridged=1
nvram set vlan2_bridged=1
nvram set vlan3_bridged=1
nvram set vlan4_bridged=1
# Not sure what these do
nvram set vlan2hwname=et0
nvram set vlan3hwname=et0
nvram set vlan4hwname=et0
nvram set vlans=1
# Save and reboot
nvram commit
reboot
Now it should be possible to run tcpdump on a specific port
(f.ex tcpdump -i vlan3) to sniff on port 3, or sniff all
ports on the bridge br0 (tcpdump -i br0).
The above commands are a bare minimum to be able to run tcpdump on
individual ports. A more complete script for configuring the router as
a sniffer switch can be found in
sniffer_switch_mode.sh, as
described in this HOWTO:
HOWTO configure a WHR-HP-G54DD for packet sniffing
- Install DD-WRT
v24rc7 mini generic firmware to free up some flash space for
jffs2 filesystem.
(Router GUI: Administration->Firmware Upgrade)
- Enable SSHd
(Router GUI: Services->Services->Secure Shell)
- Enable JFFS2 support
(Router GUI: Administration->Management->JFFS2 Support)
- Copy libpcap.so.0.9 to
/jffs/usr/lib/
ssh -x root@192.168.1.1 /bin/mkdir -p /jffs/usr/lib
scp libpcap.so.0.9 root@192.168.1.1:/jffs/usr/lib/
- Copy tcpdump and
sniffer_switch_mode.sh to
/jffs/usr/sbin/
ssh -x root@192.168.1.1 /bin/mkdir -p /jffs/usr/sbin
scp tcpdump sniffer_switch_mode.sh root@192.168.1.1:/jffs/usr/sbin/
- Configure router for sniffer mode
ssh -x root@192.168.1.1
root@DD-WRT:~# sh /jffs/usr/sbin/sniffer_switch_mode.sh
The router is configured with the following parameters:
- Wireless link is disabled and radio is turned off
- DHCP-server is disabled
- 4-port switch have no IP address and act only as a simple switch
- WAN-port is configured with the IP 192.168.2.1 netmask 255.255.255.0
- WAN-port allows access via telnet on 192.168.2.1:23
- WAN-port allows access via ssh on 192.168.2.1:22
- WAN-port allows access via web on 192.168.2.1:80
Now you're ready to sniff packets on the 4-port switch, while
connected through the WAN-port. The interface names for the 4 ports
are vlan11, vlan12, vlan13
and vlan14, and the entire switch can be access through
the bridge named br1
Examples on how to use the packet sniffing switch
- Simple packet sniffing on the switch
ssh -x root@192.168.2.1
root@DD-WRT:~# tcpdump -i br1
- Simple packet sniffing on port 3 of the switch
ssh -x root@192.168.2.1
root@DD-WRT:~# tcpdump -i vlan13
- Packet sniffing as a single remote command. Note that full
path to executables and library is required
ssh -x root@192.168.2.1 env LD_LIBRARY_PATH=/jffs/usr/lib /jffs/usr/sbin/tcpdump -i br1
- Remote command packet sniffing with raw packet dump to a local file.
This command will do a remote packet capture on the switch and
save the raw packet data on the local PC, where it can be analysed
with Wireshark or other tools.
ssh -x root@192.168.2.1 env LD_LIBRARY_PATH=/jffs/usr/lib
/jffs/usr/sbin/tcpdump -i br1 -s0 -U -w - > netdata.pcap
- If you're using linux on your PC then you can pipe the raw
tcpdump capture into a Wireshark running on the local PC and get
live analysis of the data
ssh -x root@192.168.2.1 env LD_LIBRARY_PATH=/jffs/usr/lib
/jffs/usr/sbin/tcpdump -i br1 -s0 -U -w - | wireshark -k -i -
- And, my favorite, piping the raw packet data into
Etherape for a
live graphical representation of the network traffic
ssh -x root@192.168.2.1 env LD_LIBRARY_PATH=/jffs/usr/lib
/jffs/usr/sbin/tcpdump -i br1 -s0 -U -w - | etherape -r -
Hints, ideas, solutions or praise are welcome at email: richard[at]haywire[dot]dk.