sniffing some fresh tomatoes

Perhaps the title is a little misleading, but it’s an opportunity to combine two of my greatest loves: food and computers. I suppose even this intro is misleading. Oh. Forget it. Let’s get down to business. And this time our business is rather short (and sweet).

The short version: running tcpdump on my Linksys router (well, a Buffalo WHR-54GS to be precise, but it is a clone of the famous WRT54G and runs the same open source firmware).

I’ve been running Tomato firmware for quite a while now (since version 0.7 or thereabouts). What a wonderful firmware. Definitely the very best. Neat. Stylish. Full of all the features one can think of. And then some. A true work of art.

Alas, I wanted to sniff some traffic to analyse with Wireshark (some SIP stuff; I might cover it some other time), and couldn’t be bothered getting my old heavy dusty hub out just to capture some packets. So I turned to my fresh Tomato, but no such tool ships with it.

Well, not quite.

A few Google searches suggested that I could probably get a pre-compiled binary, place it on a CIFS network share, and run it from there. So I did.

I downloaded the latest ipkg of tcpdump from ipkg.nslu2-linux.org, renamed the file to .tar.gz, untarred it and extracted the binary from the data.tar.gz inside it (/opt/bin/tcpdump).

I used Tomato’s CIFS client feature (Administration->CIFS Client) and pointed it at the Windows share holding the tcpdump binary. Telnet onto the router and off you go, saving the packet dump onto the same Windows share. Then analyse it with Wireshark. Job done. Smells delicious, doesn’t it?
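The extraction step above, done on the PC side with a couple of sanity checks added. This is an added example, not the post’s own procedure or anything from the Tomato or nslu2-linux projects: it assumes the old ipkg layout (a gzipped tar holding debian-binary, control.tar.gz and data.tar.gz, which is why renaming to .tar.gz works), reads the binary straight out of data.tar.gz without writing other members to disk, records its SHA-256, and checks the ELF header says 32-bit MIPS before the file goes onto the share to be run as root on the router. The sample package it builds is constructed here; the file name tcpdump_test.ipk and the fake ELF header are placeholders.

```python
"""Added example (not the post's own code): pull the tcpdump binary out of an
old-format ipkg package and sanity-check it before copying it to the CIFS share.
The sample package, its name and the fake ELF inside it are all constructed here."""
import hashlib
import io
import posixpath
import struct
import tarfile
import tempfile
from pathlib import Path

EM_MIPS = 8  # e_machine value for MIPS in the ELF header

# Constructed stand-in for the real binary: a bare ELF32 little-endian MIPS header.
FAKE_MIPS_ELF = (
    b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8   # e_ident: 32-bit, little-endian, v1
    + struct.pack("<HH", 2, EM_MIPS)                   # e_type=EXEC, e_machine=MIPS
    + b"\x00" * 32                                     # rest of the 52-byte ELF32 header
)


def _norm(name: str) -> str:
    """Normalise a tar member name ('./opt/bin/tcpdump' -> 'opt/bin/tcpdump')."""
    return posixpath.normpath(name).lstrip("/")


def _tgz(files: dict) -> bytes:
    """Build an in-memory .tar.gz from {member name: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample_ipkg(directory=None) -> Path:
    """Write a constructed tcpdump_test.ipk with the old ipkg layout (a gzipped tar
    holding debian-binary, control.tar.gz and data.tar.gz) and return its path."""
    directory = Path(directory or tempfile.mkdtemp())
    data_tgz = _tgz({"./opt/bin/tcpdump": FAKE_MIPS_ELF})
    control_tgz = _tgz({"./control": b"Package: tcpdump\nArchitecture: mipsel\n"})  # constructed
    ipk = directory / "tcpdump_test.ipk"
    ipk.write_bytes(_tgz({"./debian-binary": b"2.0\n",
                          "./control.tar.gz": control_tgz,
                          "./data.tar.gz": data_tgz}))
    return ipk


def extract_from_ipkg(ipk_path, member="opt/bin/tcpdump") -> bytes:
    """Return the bytes of one file from data.tar.gz inside an old-format .ipk.
    Members are read into memory rather than extracted to disk, so a member
    name containing '..' cannot write anywhere on the PC."""
    with tarfile.open(ipk_path, "r:gz") as outer:
        data_members = [m for m in outer.getmembers()
                        if m.isfile() and _norm(m.name) == "data.tar.gz"]
        if not data_members:
            raise FileNotFoundError("no data.tar.gz in package")
        data_bytes = outer.extractfile(data_members[0]).read()
    with tarfile.open(fileobj=io.BytesIO(data_bytes), mode="r:gz") as inner:
        for m in inner.getmembers():
            if m.isfile() and _norm(m.name) == _norm(member):
                return inner.extractfile(m).read()
    raise FileNotFoundError(f"{member} not in data.tar.gz")


def sha256_bytes(blob: bytes) -> str:
    """Hex SHA-256 of the extracted binary, to compare with the hash the feed publishes."""
    return hashlib.sha256(blob).hexdigest()


def elf_info(blob: bytes) -> dict:
    """Decode the ELF header fields that decide whether a binary can run on the router."""
    if blob[:4] != b"\x7fELF" or len(blob) < 20:
        raise ValueError("not an ELF file")
    endian = "<" if blob[5] == 1 else ">"
    (e_machine,) = struct.unpack(endian + "H", blob[18:20])
    return {"bits": 32 if blob[4] == 1 else 64, "little_endian": blob[5] == 1, "machine": e_machine}


def is_mips32_binary(blob: bytes) -> bool:
    """True if the blob is a 32-bit MIPS ELF, which is what the Broadcom-based WRT54G-class routers run."""
    try:
        info = elf_info(blob)
    except ValueError:
        return False
    return info["bits"] == 32 and info["machine"] == EM_MIPS


if __name__ == "__main__":
    ipk = build_sample_ipkg()
    binary = extract_from_ipkg(ipk)
    print("sha256:", sha256_bytes(binary), "mips32:", is_mips32_binary(binary))
```

Point extract_from_ipkg at the real downloaded package instead of the constructed one and write the returned bytes to the share. The header check catches a package built for the wrong architecture or byte order; it says nothing about shared libraries the binary expects to find on the router (the libpcap problem raised in the comments), which you would look at with readelf -d on the PC.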

# telnet 192.168.0.1
Trying 192.168.0.1...
Connected to 192.168.0.1.
Escape character is '^]'.
unknown login: root
Password: 


Tomato v1.21.1515


BusyBox v1.2.2 (2008.07.26-14:43+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

# cd /cifs1
# ./tcpdump ip host 192.168.0.110 -w ./dumpfile.txt -s0
tcpdump: listening on br0, link-type EN10MB (Ethernet), capture size 65535 bytes
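The file tcpdump writes with -w is a classic pcap file, and the two things the banner above reports (link-type EN10MB, capture size 65535 bytes from -s0) are stored in its 24-byte global header. The script below is an added example, not the post’s code or anything from tcpdump or Wireshark: it parses such a file from either byte order, reports the snaplen and link type, lists the IPv4 hosts that actually appear (a quick way to confirm that a filter such as ip host 192.168.0.110 captured what you meant, the question that comes up in the comments), and flags a capture whose last record was cut off, as happens when tcpdump is killed before it flushes or the write to the share is interrupted. The sample capture is constructed inside the script using the post’s two addresses; MACs, timestamps and payloads are placeholders.

```python
"""Added example (not the post's own code): read the file tcpdump wrote with -w and
report what Wireshark will see. The sample capture is constructed in this script;
the addresses reuse the 192.168.0.x ones from the post."""
import struct

PCAP_MAGIC = (0xA1B2C3D4, 0xA1B23C4D)   # microsecond and nanosecond timestamp variants
LINKTYPE_ETHERNET = 1                    # what tcpdump prints as EN10MB
GLOBAL_HEADER = 24
RECORD_HEADER = 16


def parse_pcap(blob: bytes) -> dict:
    """Parse a classic pcap file of either byte order.
    A capture cut off mid-record (tcpdump killed before it flushed, or the write
    to the CIFS share interrupted) is reported as truncated rather than rejected,
    so the packets before the cut remain usable."""
    if len(blob) < GLOBAL_HEADER:
        raise ValueError("file shorter than the pcap global header")
    if struct.unpack("<I", blob[:4])[0] in PCAP_MAGIC:
        endian = "<"
    elif struct.unpack(">I", blob[:4])[0] in PCAP_MAGIC:
        endian = ">"
    else:
        raise ValueError("not a pcap file (bad magic)")
    _vmaj, _vmin, _zone, _sigfigs, snaplen, linktype = struct.unpack(
        endian + "HHiIII", blob[4:GLOBAL_HEADER])
    packets, truncated, off = [], False, GLOBAL_HEADER
    while off < len(blob):
        if off + RECORD_HEADER > len(blob):
            truncated = True
            break
        ts_sec, _ts_frac, incl_len, orig_len = struct.unpack(
            endian + "IIII", blob[off:off + RECORD_HEADER])
        off += RECORD_HEADER
        if incl_len > snaplen:
            raise ValueError(f"record at offset {off - RECORD_HEADER} claims {incl_len} bytes > snaplen")
        if off + incl_len > len(blob):
            truncated = True
            break
        frame = blob[off:off + incl_len]
        off += incl_len
        ends = _ipv4_endpoints(frame) if linktype == LINKTYPE_ETHERNET else None
        packets.append({"ts": ts_sec, "incl_len": incl_len, "orig_len": orig_len,
                        "src": ends[0] if ends else None, "dst": ends[1] if ends else None})
    return {"little_endian": endian == "<", "snaplen": snaplen, "linktype": linktype,
            "packets": packets, "truncated": truncated}


def _ipv4_endpoints(frame: bytes):
    """Source and destination of an IPv4-over-Ethernet frame, else None."""
    if len(frame) >= 34 and frame[12:14] == b"\x08\x00" and frame[14] >> 4 == 4:
        return ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34]))
    return None


def hosts_seen(capture: dict) -> set:
    """Every IPv4 address in the capture: a quick check that the filter passed to
    tcpdump (e.g. 'ip host 192.168.0.110') selected what you intended."""
    hosts = set()
    for p in capture["packets"]:
        hosts.update(a for a in (p["src"], p["dst"]) if a)
    return hosts


def _ipv4_frame(src: str, dst: str, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4 frame; MACs are placeholders and the IP checksum is left 0."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return eth + ip + payload


def build_sample_pcap(snaplen: int = 65535, truncate: bool = False) -> bytes:
    """Constructed little-endian pcap with two frames between the post's two hosts.
    With truncate=True the last record is cut short, as an unflushed capture would be."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    frames = [_ipv4_frame("192.168.0.110", "192.168.0.1", b"\x00" * 20),
              _ipv4_frame("192.168.0.1", "192.168.0.110", b"\x00" * 20)]
    body = b"".join(struct.pack("<IIII", 1217000000 + i, 0, len(f), len(f)) + f
                    for i, f in enumerate(frames))
    blob = header + body
    return blob[:-10] if truncate else blob


if __name__ == "__main__":
    cap = parse_pcap(build_sample_pcap())
    print(f"snaplen={cap['snaplen']} linktype={cap['linktype']} packets={len(cap['packets'])} "
          f"truncated={cap['truncated']} hosts={sorted(hosts_seen(cap))}")
```

To run it on a real dump, pass the contents of dumpfile.txt from the share to parse_pcap instead of the constructed bytes. If truncated comes back True, stop tcpdump with Ctrl-C (so it flushes and closes the file) rather than dropping the telnet session, and check that the CIFS mount was still writable when the capture ended.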

17 Responses to “sniffing some fresh tomatoes”

  1. Dan McGrath

    This is cool. This is very cool. Well done mate, very interesting. I would have:
    a) fished out the old hub
    b) spanned a port on a cisco switch

    Nice work, your solution is more elegant than either of these.
    -Dan

  2. Arlene

    Great advice. After a day of steep learning curve I got it to work.

    But I note that the dump shows traffic relating to my PC’s IP and none of the other PCs on my home network. A solution would be appreciated.

    Thanks.

  3. Yoav Aner

    Hi Arlene,

    Not sure exactly what you’re doing, but I’m guessing you’re running tcpdump with the wrong settings. If you notice, in my example I’m only listening to IP address 192.168.0.110 (ip host). You can run it without such filter or with a different one, or perhaps tcpdump isn’t listening on the right interface on your router.

    Have a look at http://linux.die.net/man/8/tcpdump for more info on tcpdump.

  4. Arlene

    Hi Yoav,

    I got tcpdump to capture in the way I want and then used Wireshark to sharpen the focus.

    Again, lots of thanks to you.

    Could SSH daemon be used instead of telnet?

  5. Yoav Aner

    Hi Arlene,

    Glad you managed to get it working.

    Of course you can use SSH instead of telnet. This is a standard feature of the Tomato firmware.

    Look under Administration->Admin Access (SSH Daemon)

  6. Martin

    Hi,

    I’ve tried to do that on Wrt54GL but it complains about libpcap, so I’ve also downloaded libpcap, tried to create symlink (from libpcap.0.9.4 to libpcap.0.9), but it still complains about shared library. Tried to export LD_LIBRARY_PATH to /cifs1/, no luck.

    Any ideas?

  7. Yoav Aner

    Sorry Martin, but I really don’t have any ideas. I’m assuming you’re running the latest firmware?

  8. Matt

    Thanks, this was sweet. Your directions are perfect.

  9. Clueless

    What you’ve shown here is just how to start the tcpdump program, right? What commands do you use to get it into the router’s /opt/bin/ folder? Or do you download it with the router’s wget command?

  10. Clueless

    Oh, I get it. You extract the binary to your desktop computer, share it in a samba folder, then enter something like \\192.168.1.142\shared in the /cifs1 UNC section of the Tomato configuration, then enter username and password below that, then you can see it and run it when you go “cd /cifs1”

    It doesn’t work, though. If I do it locally like

    sudo tcpdump -i eth1 -w pipe

    and then in another terminal

    wireshark -k -i pipe

    it works, but it doesn’t work if I log into the router and do

    tcpdump -w pipe -s0

  11. Yoav Aner

    Hi Clueless, I’m not entirely sure what you are doing and, perhaps more importantly, on which host you are running which command. I simply saved the tcpdump output into a file and only later opened it with Wireshark.

    Perhaps use wireshark -r instead?
    (see here)

    Make sure you run wireshark on your pc where it has full permissions to the tcpdump file (which would probably be on the smb share). Hope this helps.

  12. Ran Sagy

    Hi there!

    Tried following your instructions on a newly purchased WRT54GL v1.1 running Tomato 1.27 and I can’t get tcpdump to run, regardless of which binary I try.

    Any idea where to get a fresh binary that runs on tomato?

  13. Chris W

    Got this running in minutes, thanks for the concise instructions!

  14. Yoav Aner

    Thanks Zach!

    Hope I understood what you are saying correctly. Unless you’re doing heavy filtering, it’s probably not such a great idea to just see tcpdump output on-screen. Therefore it’s sometimes easier to just dump it into a file and then load it with an easier tool like Wireshark. It might also perform better on such a small device, but I’m not sure about that.
