Perhaps the title is a little misleading, but it’s an opportunity to combine two of my greatest loves: food and computers. I suppose even this intro is misleading. Oh. Forget it. Lets get down to business. And this time our business is rather short (and sweet).
Running tcpdump on my Linksys router (well, Buffalo WHR-54GS to be precise, but the same famous WRT54G clone that runs open source firmware).
I’ve been running Tomato firmware for quite a while now (from version 0.7 or something??). What a wonderful firmware. Definitely the very best. Neat. Stylish. Full of all the features one can think of. And then some. A true work of art.
Alas, I wanted to sniff some traffic to analyse using Wireshark (some SIP stuff, I might cover it some other time), and couldn’t be bothered getting my old heavy dusty hub out just to capture some packets. I was therefore turning to my fresh Tomato, but no such tool is available.
Well, not quite.
A few google searches concluded that I could probably get a pre-compiled binary, place it on a CIFS network share, and run it. So I did.
I download the latest ipkg of tcpdump off ipkg.nslu2-linux.org. Renamed the file to .tar.gz, untar’d it and extracted the binary inside data.tar.gz (/opt/bin/tcpdump).
I used a CIFS windows share feature on tomato. Straight under Administration->CIFS Client and pointed it to the share with the tcpdump binary. Telnet onto the router and off you go, saving the packet dump onto the same windows share. Then analyse it with Wireshark. Job Done. Smells delicious, doesn’t it?
# telnet 192.168.0.1 Trying 192.168.0.1... Connected to 192.168.0.1. Escape character is '^]'. unknown login: root Password: Tomato v1.21.1515 BusyBox v1.2.2 (2008.07.26-14:43+0000) Built-in shell (ash) Enter 'help' for a list of built-in commands. # cd /cifs1 # ./tcpdump ip host 192.168.0.110 -w ./dumpfile.txt -s0 tcpdump: listening on br0, link-type EN10MB (Ethernet), capture size 65535 bytes
17 replies on “sniffing some fresh tomatoes”
Thanks a lot! Tcpdump with tomato from CIFS1 drive, great!
This is cool. This is very cool. Well done mate, very interesting. I would have:
a) fished out the old hub
b) spanned a port on a cisco switch
Nice work, your solution is more elegant than either of these.
-Dan
Great advice. After a day of steep learning curve I got it to work.
But I note that the dump shows traffic relating to my PC’s IP and none of the others PC on my home network. A solution would be appreciated.
Thanks.
Hi Arlene,
Not sure exactly what you’re doing, but I’m guessing you’re running tcpdump with the wrong settings. If you notice, in my example I’m only listening to IP address 192.168.0.110 (ip host). You can run it without such filter or with a different one, or perhaps tcpdump isn’t listening on the right interface on your router.
Have a look at http://linux.die.net/man/8/tcpdump for more info on tcpdump
Hi Yoav,
I got tcpdump to capture in the way I want and then used Wireshark to sharpen the focus.
Again, lots of thanks to you.
Could SSH daemon be used instead of telnet?
Hi Arlene,
Glad you managed to get it working.
Of course you can use SSH instead of telnet. This is a standard feature of the tomato firmware.
Look under Administration->Admin Access (SSH Daemon)
Hi,
I’ve tried to do that on Wrt54GL but it complains about libpcap, so I’ve also downloaded libpcap, tried to create symlink (from libpcap.0.9.4 to libpcap.0.9), but it still complains about shared library. Tried to export LD_LIBRARY_PATH to /cifs1/, no luck.
Any ideas?
Sorry Martin, but I really don’t have any ideas. I’m assuming you’re running the latest firmware?
Thanks, this was sweet. Your directions are perfect.
Beautiful! Can’t express my thanks enough!
What you’ve shown here is just how to start the tcpdump program, right? What commands do you use to get it into the router’s /opt/bin/ folder? Or do you download it with the router’s wget command?
Oh, I get it. You extract the binary to your desktop computer, share it in a samba folder, then enter something like \\192.168.1.142\shared in the /cifs1 UNC section of the Tomato configuration, then enter username and password below that, then you can see it and run it when you go “cd /cifs1”
It doesn’t work, though. If I do it locally like
sudo tcpdump -i eth1 -w pipe
and then in another terminal
wireshark -k -i pipe
it works, but it doesn’t work if I log into the router and do
tcpdump -w pipe -s0
Hi clueless, I’m not entirely sure what you are doing and – perhaps more importantly, on which host you are running which command. I simply saved the tcpdump output into a file and only later opened it with wireshark.
Perhaps use the wireshark -r instead?
(see here )
Make sure you run wireshark on your pc where it has full permissions to the tcpdump file (which would probably be on the smb share). Hope this helps.
Hi there!
Tried following your instructions on a newly purchased WRT54GL v1.1 running Tomato 1.27 and i can’t get tcpdump to run – regardless of which binary i try.
Any idea where to get a fresh binary that runs on tomato?
Got this running in minutes, thanks for the concise instructions!
If you don’t need to dump the output to a file, then you can bypass the cifs step and just download tcpdump from here:
http://www.dslreports.com/forum/r21525639-Tomato-GNULinux-Tips-Tricks
What I did:
$ wget http://www.dslreports.com/r0/download/1376456~0df06f4164393e0fdd2aa2eede183328/tcpdump.zip
$ unzip tcpdump.zip
$ rm tcpdump.zip
$ chmod +x tcpdump
$ ./tcpdump …
Thanks Zach !
Hope I understood what you are saying correctly. Unless you’re doing heavy filtering, it’s probably not such a great idea to just see tcpdump output on-screen. Therefore it’s easier some time to just dump it into file and then load it with an easier tool like wireshark. It might also perform better on such a small device, but I’m not sure about that.