Port mirroring on openWRT router

Worried about IoT devices snooping on you? What data are they sending back to the companies that made them, and are they sending it securely? Then read on…

By Fahad Usman

The biggest benefit of having a LEDE router is that it is a Linux distro!

This means that you can intercept unwanted traffic on any port of the router, including the internet (WAN, or Wide Area Network) side. Sadly, most people don’t have the technical knowledge to set this kind of thing up, let alone decipher the traffic. I spent a day learning how to do it and thought I would share what I learned here so that you can try monitoring the traffic on your own router.

Here is the network setup: [network diagram of the router with the IoT device and the monitoring laptop on its LAN]

A common approach you will find people talking about is to alter your firewall so that packets are mirrored to another machine. While this works, I’m not a big fan of the method, primarily because the router firewall is so important to your local network.

Fortunately, there are other ways to obtain the WAN traffic. I will show you how to use port mirroring on an OpenWRT router to make a “copy” of the incoming or outgoing packets of a particular IP address, which might belong to an IoT device such as the “Hive” thermostat connected to the boiler in your home or office.

I will not be using iptables or fiddling with my firewall, for the reasons described above, and will instead be using good old tcpdump with netcat!

tcpdump is a great tool for dumping a copy of the packet stream on a particular interface or IP address to stdout (your console terminal). In the Unix world this is called a "tee", after the tee command, because it duplicates a stream without interrupting the original.

netcat, or nc (as it is invoked in the Mac terminal), is great for moving data from one network endpoint to another. With these two tools you can mirror data from your router’s port/interface/IP to another computer.

“All you need is a laptop with wireshark and netcat installed and you can dump all the traffic on a particular IP in wireshark for analysis”

Step 1: Prepare the monitoring machine:

It’s time to prepare your monitoring laptop/computer. You need to have netcat and wireshark installed on the computer.

I am using a Mac, where netcat comes pre-installed, so I only had to download Wireshark.

Once installed, then fire-up your terminal on the Mac and start “listening” for connections:

nc -l 192.168.1.247 8888

Here I am listening on my local laptop with IP address 192.168.1.247 on port 8888.

If I open up another terminal and type:

echo hello fahad | nc 192.168.1.247 8888

This will send "hello fahad" to the listener on port 8888, which confirms that the two terminals can talk to each other.

You can also pipe (|) the output directly into Wireshark on the monitoring laptop with:

nc -l 192.168.1.247 8888 | wireshark -k -i - &

Here -k tells Wireshark to start capturing immediately and -i - tells it to read the capture from standard input instead of a network interface. Now open a new terminal and proceed to step 2.

Step 2: Prepare the OpenWRT router:

ssh into your router (OpenWRT’s default user is root; put your router’s LAN address in place of the placeholder):

ssh root@<router IP address>

Then install:

opkg update

opkg install netcat

opkg install tcpdump


Step 3: Capturing the traffic

You are now ready to start listening for traffic on the IP address you’re interested in. In my case the Hive is connected at 192.168.1.179.

tcpdump -n -U -w - host 192.168.1.179 | netcat 192.168.1.247 8888

This tcpdump command captures any packets whose source or destination host is 192.168.1.179. The options go before the filter expression: -n stops tcpdump from resolving names, -w - writes the capture in pcap format to stdout (which is what Wireshark expects), and -U flushes each packet as soon as it is captured, so the live view in Wireshark does not lag behind while tcpdump fills its output buffer. If tcpdump picks the wrong interface by default, add -i <interface> (for example the LAN bridge) in front of -w.

The output of tcpdump is then piped to your listening machine (192.168.1.247) on port 8888. Because the filter only matches 192.168.1.179, the mirrored stream you are sending to the laptop is not itself captured, so there is no feedback loop.

You should now see packets being captured on the wireshark for analysis!

As you can see from the output, the device is sending application data to an Amazon AWS instance at 18.202.112.78. The good thing is that it is using TLS for encryption, so the data is all jumbled up and unreadable. How do I know it is sending data to the Amazon cloud? Just look the address up with whois.
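If you would rather not keep Wireshark open, or just want a quick answer to “where does this device send data, and is it encrypted?”, here is an added example (my own code, not part of the original post) that replaces the Wireshark pipe from Step 1. It reads the pcap stream that netcat delivers on stdin, walks the pcap records, decodes the Ethernet/IPv4/TCP/UDP headers and tallies, per destination and port, how many payloads start with a TLS record header versus something else. The IP addresses and port are the ones used in the post; the script name pcap_summary.py, the 203.0.113.10 destination and the sample packets in build_sample_pcap() are constructed for the example.

```python
# pcap_summary.py: summarise the pcap stream that netcat delivers on the monitoring laptop.
# usage: nc -l 192.168.1.247 8888 | python3 pcap_summary.py 192.168.1.179
import struct
import sys
from collections import Counter

LINKTYPE_ETHERNET = 1     # tcpdump on a normal interface (eth0, br-lan, ...)
LINKTYPE_LINUX_SLL = 113  # tcpdump -i any (16-byte "cooked" header)

def iter_pcap_records(data):
    """Yield (link_type, frame_bytes) for each record in a pcap byte string."""
    if len(data) < 24:
        raise ValueError("input is shorter than a pcap global header")
    if data[:4] in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):    # little-endian, usec/nsec
        end = "<"
    elif data[:4] in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):  # big-endian, usec/nsec
        end = ">"
    else:
        raise ValueError("input does not start with a pcap global header")
    link_type = struct.unpack(end + "I", data[20:24])[0]
    off = 24
    while off + 16 <= len(data):
        _sec, _frac, incl_len, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        if off + incl_len > len(data):
            break  # stream was cut mid-packet: drop the partial record
        yield link_type, data[off:off + incl_len]
        off += incl_len

def decode_flow(link_type, frame):
    """Return (src, dst, proto, sport, dport, payload) for an IPv4 frame, else None."""
    if link_type not in (LINKTYPE_ETHERNET, LINKTYPE_LINUX_SLL):
        return None
    hdr_len, type_off = (14, 12) if link_type == LINKTYPE_ETHERNET else (16, 14)
    if len(frame) < hdr_len + 20 or frame[type_off:type_off + 2] != b"\x08\x00":
        return None  # too short, or not IPv4 (IPv6, ARP, ...)
    ip = frame[hdr_len:]
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    l4 = ip[ihl:]
    if proto == 6 and len(l4) >= 20:  # TCP: payload starts after the data offset
        sport, dport = struct.unpack("!HH", l4[:4])
        return src, dst, "tcp", sport, dport, l4[(l4[12] >> 4) * 4:]
    if proto == 17 and len(l4) >= 8:  # UDP: fixed 8-byte header
        sport, dport = struct.unpack("!HH", l4[:4])
        return src, dst, "udp", sport, dport, l4[8:]
    return src, dst, str(proto), 0, 0, b""

def looks_like_tls(payload):
    """True if the payload starts with a TLS record header (type 0x14-0x17, version 3.x)."""
    return len(payload) >= 3 and 0x14 <= payload[0] <= 0x17 and payload[1] == 3 and payload[2] <= 4

def summarise(data, device_ip):
    """Map (dst, proto, dport) -> Counter(packets, tls, cleartext) for traffic sent by device_ip."""
    flows = {}
    for link_type, frame in iter_pcap_records(data):
        flow = decode_flow(link_type, frame)
        if flow is None or flow[0] != device_ip:
            continue  # not IPv4, or not sent by the device we are watching
        _src, dst, proto, _sport, dport, payload = flow
        counts = flows.setdefault((dst, proto, dport), Counter())
        counts["packets"] += 1
        if payload:
            counts["tls" if looks_like_tls(payload) else "cleartext"] += 1
    return flows

def build_sample_pcap():
    """Constructed little-endian pcap with four Ethernet frames; not a real capture."""
    def ipv4(src, dst, proto, l4):
        s, d = (bytes(int(x) for x in a.split(".")) for a in (src, dst))
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, s, d) + l4
    def tcp(sport, dport, payload):  # 20-byte header, flags PSH|ACK, checksums left zero
        return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    def udp(sport, dport, payload):
        return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    eth = bytes(12) + b"\x08\x00"  # zero MACs, EtherType IPv4
    frames = [
        eth + ipv4("192.168.1.179", "18.202.112.78", 6, tcp(49152, 443, b"\x16\x03\x01\x00\x05hello")),  # TLS
        eth + ipv4("192.168.1.179", "203.0.113.10", 6, tcp(49153, 80, b"GET / HTTP/1.1\r\n")),           # cleartext
        eth + ipv4("192.168.1.179", "192.168.1.1", 17, udp(5353, 53, bytes(12))),                        # DNS query
        eth + ipv4("18.202.112.78", "192.168.1.179", 6, tcp(443, 49152, b"\x16\x03\x03\x00\x05world")), # reply
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out

def main():
    if len(sys.argv) != 2:
        sys.exit("usage: nc -l <laptop-ip> <port> | python3 pcap_summary.py <device-ip>")
    buf = bytearray()
    try:
        while chunk := sys.stdin.buffer.read(65536):
            buf += chunk
    except KeyboardInterrupt:
        pass  # Ctrl-C: summarise whatever arrived before the stream was cut
    for (dst, proto, dport), c in sorted(summarise(bytes(buf), sys.argv[1]).items()):
        print(f"{sys.argv[1]} -> {dst}:{dport}/{proto} packets={c['packets']} "
              f"tls={c['tls']} cleartext={c['cleartext']}")

if __name__ == "__main__":
    main()
```

Run it in place of the Wireshark command and press Ctrl-C once you have seen enough traffic; it then prints one line per destination the device talked to. The TLS check is a header heuristic (record type and version bytes), not a full protocol parse, so treat a high cleartext count as a reason to open those flows in Wireshark rather than as proof of a problem, and note that replies from the cloud are deliberately not counted, only what the device sends out.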

Hope this was helpful 🙂
