Sunday, August 6, 2017

OpenWrt Remote Network WireShark Packet Feed

After my last post on installing OpenWrt on a Cisco/LinkSys EA3500 to stream RTL-SDR data, I was inspired to investigate other "interesting" data to stream from a WiFi hub. In particular I was hoping to sniff some ESP8266/ESP32 packets during development.

 I had an old Linksys E1200 on hand. Things looked a little bleak as the OpenWrt site seemed to indicate there were some issues. However the router noted there was apparently slightly different than mine (I have the Cisco logo) so I thought I'd give it a try.

At the bottom of the Linksys TechData page I found a link to the OpenWrt firmware: openwrt-15.05-brcm47xx-mips74k-linksys-e1200-v2-squashfs.bin and downloaded it (there are other downloads here in case you don't have a V2, etc). Install was easy from the stock Linksys firmware. I was able to easily telnet to IP 192.168.1.1 - a fixed address when plugging the router into my test network, not via DHCP. This also meant it had no clue as to DNS, default router, etc. Surprisingly LuCI came pre-installed with the bin image. I still edited the config file manually.

You'll probably need to use vi to edit the config files if you don't use LuCI:

i          - to insert
[esc] :qw  - to same and exit
I added only 2 lines to the /etc/config/network file - the gateway and dns settings:
config interface 'lan'
        option ifname 'eth0.1'
        option force_link '1'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option gateway '192.168.1.10'
        option dns '8.8.8.8'
        option ip6assign '60'
Reload the network settings:

/etc/init.d/network reload
Try to ping google.com (or anything on the internet) from the router. If successful, install a few things:
opkg update
opkg install nano # install nano if you don't know VI/VIM very well
opkg install tcpdump # this is the important part that will be called remotely from you client wireshark

On your local Ubuntu:
sudo apt-get install wireshark
sudo mkfifo /tmp/pipe
sudo chmod 777 /tmp/pipe

Or on Windows WSL (Ubuntu on Windows 10):
sudo apt-get install wireshark
sudo apt-get install x11-apps
export DISPLAY=:0 # you may wish you put in this your ~/.bashrc
sudo pkexec env DISPLAY=$DISPLAY XAUTHORITY=$XAUTHORITY XDG_RUNTIME_DIR=$XDG_RUNTIME_DIR wireshark
Then for wireshark:
wireshark -k -i /tmp/pipe & ssh root@192.168.1.1 "tcpdump -i any -s 0 -U -w - not port 22" > /tmp/pipe
It should look something like this. There's initially a failure message, but then a few moments later a password prompt. One you login, all the WiFi router packets should be forwarded to the your local network packet capture!
0 $ wireshark -k -i /tmp/pipe & ssh root@192.168.1.1 "tcpdump -i any -s 0 -U -w - not port 22" > /tmp/pipe
[3] 4709
Failed to connect to generic netlink.
root@192.168.1.1's password:
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes

For Windows 10 WSL: I downloaded XMing X-windows client. Be careful,there are a lot of fake download links there. If you know of a better place to download XMing or some other Windows X-windows client, please let me know. Despite being 8 years old - XMing seems to work well on Windows 10:


Pinging google from local router


viewing local router traffic on remote WSL WireShark w/XMing






No comments:

Post a Comment

comments are welcome, but I prefer not to allow links to promotions or other unrelated services.

OpenWrt Remote Network WireShark Packet Feed

After my last post on installing OpenWrt on a Cisco/LinkSys EA3500 to stream RTL-SDR data , I was inspired to investigate other "intere...