Port mirroring on openWRT router
Worried about IoT snooping on you? Which data they are sending back to the companies/manufacturers etc.? are they sending it securely? Then read on…
By Fahad Usman
The biggest benefit of having a LEDE router is that it is a Linux distro!
This means that you can intercept uninvited traffic on any port on the router including the internet (WAN, or Wide Area Network) side of the router. Sadly, most people don’t have the technical knowledge to even set this kind of thing up, let alone decipher the traffic. I had to spend a day to learn about it and I thought to share my knowledge here with you so that you can try and monitor traffic on your router.
Here is the network setup:
A common approach you find people talk about is to alter your firewall so that packets are mirrored to another machine. While this works, I’m not a big fan of this method, primarily because the router firewall is so important to your local network.
Fortunately, there are other ways to obtain the WAN traffic. I will show you how you can use port mirroring on OpenWRT router to make a “copy” of your incoming or outgoing packets on a particular IP address which might be associated to an IoT device such as “Hive” which is connected to your boiler in your home/office etc.
I will not be using IP-tables and fiddling with my firewall because of the reasons descried above and therefore, will be using good old
tcpDump is a great tool for dumping (to
StdOut, or a console terminal) a copy of your
packet stream on a particular interface or IP address. In the Linux world they call this a
"Tee" because it makes a duplicate without interrupting the original stream.
nc (in Mac terminal) is great to move data from one network endpoint to another. With these two tools, you can mirror data from your router’s port/interface/IP to another computer.
“All you need is a laptop with wireshark and netcat installed and you can dump all the traffic on a particular IP in wireshark for analysis”
Step 1: Prepare the monitoring machine:
It’s time to prepare your monitoring laptop/computer. You need to have
wireshark installed on the computer.
I am using a Mac, so the
netcat comes pre-installed in these machines. So just have to download the
Once installed, then fire-up your
terminal on the Mac and start “listening” for connections:
nc -l 192.168.1.247 8888
Here I am listening on my local laptop with IP address
192.168.1.247 on port
If I open up another terminal and type:
echo hello fahad | nc 192.168.1.157 8888
This will send
"hello fahad" to the listening
You can also pipe (|) the output directly to the
wireshark on the monitoring laptop by:
nc -l 192.168.1.247 8888 | wireshark -k -i - &
Now open up a new terminal and proceed to the step 2.
Step 2: Prepare the OpenWRT router:
ssh in to your router by:
opkg install netcat
opkg install tcpdump
Step 3: Capturing the traffic
You are now ready to start listening for traffic on the IP address you’re interested in. In my case the
Hive is connected at
tcpdump -n host 192.168.1.179 -w - | netcat 192.168.1.247 8888
tcpdump command will start capturing any packets where the
destination host is
–w tag will output in the
pcap format for the
The output of
tcpdump is then piped to your listening machine at (
You should now see packets being captured on the
wireshark for analysis!
As you can see from the output that the device is sending application data to an amazon AWS instance at
126.96.36.199. The good thing is that it is using TLS for encryption so the data is all jumbeld up and unreadable. How do I know this is sending data to amazon cloud?? Just lookup via whois.
Hope this was helpful 🙂