sniffing some fresh tomatoes 3 September, 2008
Perhaps the title is a little misleading, but it’s an opportunity to combine two of my greatest loves: food and computers. I suppose even this intro is misleading. Oh. Forget it. Let’s get down to business. And this time our business is rather short (and sweet).
Running tcpdump on my Linksys router (well, a Buffalo WHR-54GS to be precise, but it’s a clone of the famous WRT54G that runs open source firmware).
I’ve been running Tomato firmware for quite a while now (from version 0.7 or something??). What a wonderful firmware. Definitely the very best. Neat. Stylish. Full of all the features one can think of. And then some. A true work of art.
Alas, I wanted to sniff some traffic to analyse using Wireshark (some SIP stuff, I might cover it some other time), and couldn’t be bothered getting my old heavy dusty hub out just to capture some packets. I was therefore turning to my fresh Tomato, but no such tool is available.
Well, not quite.
A few Google searches suggested that I could probably get a pre-compiled binary, place it on a CIFS network share, and run it from there. So I did.
I downloaded the latest tcpdump ipkg from ipkg.nslu2-linux.org, renamed the file to .tar.gz, untarred it, and extracted the binary from the data.tar.gz inside (/opt/bin/tcpdump).
Then I used Tomato’s CIFS client (Administration->CIFS Client) and pointed it at the Windows share holding the tcpdump binary. Telnet onto the router and off you go, saving the packet dump onto the same Windows share, then analyse it with Wireshark. Job done. Smells delicious, doesn’t it?
Trying 192.168.0.1...
Connected to 192.168.0.1.
Escape character is '^]'.
unknown login: root
Password:
Tomato v1.21.1515
BusyBox v1.2.2 (2008.07.26-14:43+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.
# cd /cifs1
# ./tcpdump ip host 192.168.0.110 -w ./dumpfile.txt -s0
tcpdump: listening on br0, link-type EN10MB (Ethernet), capture size 65535 bytes
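The two steps above (pulling the binary out of the ipkg on the desktop, then running tcpdump on the router against the CIFS share), as an added shell example that is not code from the original post. It assumes the Optware .ipk layout the post describes (a gzipped tar holding debian-binary, control.tar.gz and data.tar.gz, with the binary at ./opt/bin/tcpdump inside data.tar.gz), builds a constructed stand-in package so it runs offline, and the helper names make_sample_ipk, extract_tcpdump, is_elf and capture_cmd are mine; the br0 interface, /cifs1 path, dumpfile.txt name and 192.168.0.110 host come from the session above.

```shell
#!/bin/sh
# Added example, not code from the original post. It reproduces the two steps
# the post describes: pull tcpdump out of an Optware .ipk on the desktop, and
# build the tcpdump command the router runs against the CIFS share.
# Assumption: the .ipk is a gzipped tar holding debian-binary, control.tar.gz
# and data.tar.gz, and data.tar.gz carries the file tree with ./opt/bin/tcpdump.

# make_sample_ipk OUT: build a constructed stand-in package so the script runs
# offline. The "binary" is just the four ELF magic bytes plus a label; it is
# not a real tcpdump and cannot run.
make_sample_ipk() {
    out=$1
    build=$(mktemp -d) || return 1
    mkdir -p "$build/tree/opt/bin"
    printf '\177ELF%s' 'constructed placeholder, not a real tcpdump' \
        > "$build/tree/opt/bin/tcpdump"
    echo 2.0 > "$build/debian-binary"
    printf 'Package: tcpdump\nVersion: constructed\n' > "$build/control"
    ( cd "$build" && tar -czf control.tar.gz control ) || return 1
    ( cd "$build/tree" && tar -czf ../data.tar.gz ./opt ) || return 1
    ( cd "$build" && tar -czf "$out" ./debian-binary ./control.tar.gz ./data.tar.gz ) || return 1
    rm -rf "$build"
}

# extract_tcpdump IPK DESTDIR: unpack the outer archive, then data.tar.gz,
# copy opt/bin/tcpdump into DESTDIR (the folder you will share over CIFS)
# and print the path of the extracted binary.
extract_tcpdump() {
    ipk=$1; dest=$2
    work=$(mktemp -d) || return 1
    tar -xzf "$ipk" -C "$work" || return 1
    [ -f "$work/data.tar.gz" ] || { echo "no data.tar.gz in $ipk" >&2; return 1; }
    tar -xzf "$work/data.tar.gz" -C "$work" || return 1
    [ -f "$work/opt/bin/tcpdump" ] || { echo "no opt/bin/tcpdump in package" >&2; return 1; }
    mkdir -p "$dest" || return 1
    cp "$work/opt/bin/tcpdump" "$dest/tcpdump" || return 1
    chmod 755 "$dest/tcpdump"
    rm -rf "$work"
    printf '%s\n' "$dest/tcpdump"
}

# is_elf FILE: sanity check that what came out is an ELF executable rather
# than, say, an HTML error page saved under the wrong name.
is_elf() {
    magic=$(dd if="$1" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "7f454c46" ]
}

# capture_cmd OUTFILE [FILTER...]: the invocation the post runs on the router.
# -i br0 is the LAN bridge seen in the session, -s0 keeps whole packets, -w
# writes raw pcap that Wireshark opens directly. With no FILTER every host
# bridged on br0 is captured; "ip host 192.168.0.110" limits it to one host.
capture_cmd() {
    outfile=$1; shift
    printf 'tcpdump -i br0 -s0 -w %s' "$outfile"
    [ $# -gt 0 ] && printf ' %s' "$*"
    printf '\n'
}

# Desktop side: build the constructed package, extract the binary into the
# folder that will be shared, and check it really is an ELF file.
tmp=$(mktemp -d)
make_sample_ipk "$tmp/tcpdump_constructed.ipk"
bin=$(extract_tcpdump "$tmp/tcpdump_constructed.ipk" "$tmp/share")
is_elf "$bin" && echo "extracted: $bin"
# Router side: the command to type once /cifs1 is mounted.
echo "router side: $(capture_cmd /cifs1/dumpfile.txt ip host 192.168.0.110)"
```

Because -s0 writes whole packets, the file on the share carries complete payloads of everything that matched the filter, so the share permissions decide who can read that traffic afterwards; the filter expression is also what narrows the capture to one host, and leaving it off records every machine bridged on br0.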
Thanks a lot! Tcpdump with tomato from CIFS1 drive, great!
This is cool. This is very cool. Well done mate, very interesting. I would have:
a) fished out the old hub
b) spanned a port on a cisco switch
Nice work, your solution is more elegant than either of these.
-Dan
Great advice. After a day on a steep learning curve, I got it to work.
But I note that the dump shows traffic relating to my PC’s IP and none of the other PCs on my home network. A solution would be appreciated.
Thanks.
Hi Arlene,
Not sure exactly what you’re doing, but I’m guessing you’re running tcpdump with the wrong settings. If you notice, in my example I’m only listening to IP address 192.168.0.110 (ip host). You can run it without such a filter or with a different one, or perhaps tcpdump isn’t listening on the right interface on your router.
Have a look at http://linux.die.net/man/8/tcpdump for more info on tcpdump
Hi Yoav,
I got tcpdump to capture in the way I want and then used Wireshark to sharpen the focus.
Again, lots of thanks to you.
Could SSH daemon be used instead of telnet?
Hi Arlene,
Glad you managed to get it working.
Of course you can use SSH instead of telnet. This is a standard feature of the tomato firmware.
Look under Administration->Admin Access (SSH Daemon)
Hi,
I’ve tried to do that on a WRT54GL but it complains about libpcap, so I’ve also downloaded libpcap and tried to create a symlink (from libpcap.0.9.4 to libpcap.0.9), but it still complains about the shared library. Tried to export LD_LIBRARY_PATH to /cifs1/, no luck.
Any ideas?
Sorry Martin, but I really don’t have any ideas. I’m assuming you’re running the latest firmware?
Thanks, this was sweet. Your directions are perfect.
Beautiful! Can’t express my thanks enough!
What you’ve shown here is just how to start the tcpdump program, right? What commands do you use to get it into the router’s /opt/bin/ folder? Or do you download it with the router’s wget command?
Oh, I get it. You extract the binary to your desktop computer, share it in a samba folder, then enter something like \\192.168.1.142\shared in the /cifs1 UNC section of the Tomato configuration, then enter username and password below that, then you can see it and run it when you go "cd /cifs1".
It doesn’t work, though. If I do it locally like
sudo tcpdump -i eth1 -w pipe
and then in another terminal
wireshark -k -i pipe
it works, but it doesn’t work if I log into the router and do
tcpdump -w pipe -s0
Hi clueless, I’m not entirely sure what you are doing and, perhaps more importantly, on which host you are running which command. I simply saved the tcpdump output into a file and only later opened it with Wireshark.
Perhaps use wireshark -r instead? (see here)
Make sure you run wireshark on your pc where it has full permissions to the tcpdump file (which would probably be on the smb share). Hope this helps.