
Installing TCPDump on DD-WRT WRT54GL

This article will serve as a quick tutorial on installing TCPDump on a LinkSys WRT54GL box running the custom DD-WRT firmware.

TCPDump is a command-line packet analyser. It is a bit like Wireshark, except that it is command-line based and, in this tutorial, we will be installing it on a router rather than on a PC.

Requirements and assumptions

There are a few requirements to meet before you go ahead and install TCPDump; they are listed below.

  • I got TCPDump working on my WRT-54GL v1.1 box running the recommended firmware build (as of this post), 14929 std-nokaid
  • You will need to enable JFFS2 Support – this can be found on the Administration –> Management page.
  • You will need an SSH/Telnet session configured and open. Prefer SSH where you can: Telnet sends the router password and everything you type in the clear over the LAN.

Note: If you run into "File not found" errors during the install, they are most likely due to there not being enough free space on the JFFS storage; they can be safely ignored. Read more about the errors here.

Note 2: The WRT54GL does not have enough storage space to install TCPDump permanently. Everything below is written under /tmp, which lives in RAM, so the installation disappears whenever the router is rebooted or power-cycled and has to be repeated.

Installing TCPDump

Copy and paste the following into your SSH/Telnet session:

[bash]
# Work under /tmp, which is RAM-backed: everything below is lost on reboot
mkdir -p /tmp/smbshare/tmp/ipkg
cd /tmp/smbshare/tmp/ipkg
# libpcap first: tcpdump is dynamically linked against it
wget http://downloads.openwrt.org/whiterussian/packages/libpcap_0.9.4-1_mipsel.ipk
ipkg -d smbfs install libpcap_0.9.4-1_mipsel.ipk
wget http://downloads.openwrt.org/whiterussian/packages/tcpdump_3.9.4-1_mipsel.ipk
ipkg -d smbfs install tcpdump_3.9.4-1_mipsel.ipk
# Tell the dynamic linker and the shell where the packages landed. Both must be
# exported (plain assignment is not enough for LD_LIBRARY_PATH) and both only
# last for the current session
export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/tmp/smbshare/usr/lib"
export PATH="$PATH:/tmp/smbshare/usr/sbin"
[/bash]

Note that both packages are fetched over plain HTTP and ipkg does not check a signature on them, so you are trusting the network path to downloads.openwrt.org for what ends up running as root on your router.

Running TCPDump

Simple! All you need to do is type tcpdump.
Running tcpdump without any switches prints every packet going in and out of the router on the interface it picks by default, until you stop it with Ctrl-C. Over SSH or Telnet that output is itself sent as packets, which tcpdump then prints too, so expect the scrollback to feed on itself until you add a filter.
The full list of command line switches for tcpdump can be found on the man page here.

Examples

[bash]tcpdump -D[/bash]
The -D switch lists the interfaces tcpdump can capture on. In later commands you can pick one of them with the -i switch instead of relying on the default.
[bash]tcpdump -s 65535 -w /tmp/dump[/bash]
The above command captures up to 65535 bytes of each packet (in practice the whole packet) flowing in/out of the router and saves them to a file called dump in the /tmp directory. By default this version of TCPDump keeps only the first 96 bytes of each packet, which covers the headers but is not very useful when you need to analyse the contents of the packets in Wireshark or similar. Remember that /tmp is RAM: a long capture written there will exhaust it.
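Before spending time on a capture in Wireshark it is worth checking whether it was written with the old 96-byte default, because a truncated file cannot be repaired afterwards. The following is an added example, not code from the original post: it reads the snaplen out of the classic pcap global header that tcpdump -w produces and counts records whose stored length is shorter than their on-wire length. It is meant to run on the PC that receives the file (it needs only od, printf and head) and it builds its own constructed sample file, a one-packet capture with snaplen 96, to show the check on a truncated capture.

```shell
#!/bin/sh
# Added example, not from the original post: detect truncated pcap captures.
# Assumes the classic pcap format tcpdump -w writes (24-byte global header,
# 16-byte record headers), not pcapng.

# Assemble a 32-bit unsigned integer from four decimal byte values ($2..$5)
# in little-endian ($1 = le) or big-endian ($1 = be) order.
u32() {
  if [ "$1" = le ]; then
    echo $(( $2 + $3 * 256 + $4 * 65536 + $5 * 16777216 ))
  else
    echo $(( $5 + $4 * 256 + $3 * 65536 + $2 * 16777216 ))
  fi
}

# Print "le" or "be" depending on the byte order recorded in the magic number.
pcap_order() {
  set -- $(od -An -t u1 -N 4 "$1")
  case "$1" in
    212|77) echo le ;;   # d4 c3 b2 a1 (or 4d 3c b2 a1): little-endian writer such as mipsel
    161)    echo be ;;   # a1 b2 c3 d4: big-endian writer
    *) echo "not a pcap file" >&2; return 1 ;;
  esac
}

# Snaplen field, bytes 16..19 of the global header. 96 is the old tcpdump
# default; anything below 65535 means payloads may have been cut.
pcap_snaplen() {
  order=$(pcap_order "$1") || return 1
  set -- $order $(od -An -t u1 -j 16 -N 4 "$1")
  u32 "$@"
}

# Count records whose stored length (incl_len) is below the length on the
# wire (orig_len): these are the packets that were actually truncated.
# Stops cleanly at a partial trailing record left by an interrupted capture.
pcap_truncated_records() {
  f=$1
  order=$(pcap_order "$f") || return 1
  size=$(wc -c < "$f")
  off=24
  n=0
  while [ "$off" -lt "$size" ]; do
    [ $((off + 16)) -le "$size" ] || break
    # skip the 8 timestamp bytes, read incl_len and orig_len
    set -- $order $(od -An -t u1 -j $((off + 8)) -N 8 "$f")
    incl=$(u32 "$1" "$2" "$3" "$4" "$5")
    orig=$(u32 "$1" "$6" "$7" "$8" "$9")
    if [ "$incl" -lt "$orig" ]; then
      n=$((n + 1))
    fi
    off=$((off + 16 + incl))
  done
  echo "$n"
}

# Constructed sample (not a real capture): snaplen 96, one 1500-byte packet
# of which only 96 bytes were kept, which is what tcpdump 3.9.4 writes
# without -s 65535.
make_sample_pcap() {
  {
    printf '\324\303\262\241'                   # magic 0xa1b2c3d4, little-endian
    printf '\002\000\004\000'                   # version 2.4
    printf '\000\000\000\000\000\000\000\000'   # thiszone, sigfigs
    printf '\140\000\000\000'                   # snaplen 96
    printf '\001\000\000\000'                   # link type 1 (Ethernet)
    printf '\000\000\000\000\000\000\000\000'   # ts_sec, ts_usec
    printf '\140\000\000\000'                   # incl_len 96
    printf '\334\005\000\000'                   # orig_len 1500
    head -c 96 /dev/zero                        # the 96 bytes that were kept
  } > "$1"
}

# Usage: pcap_snaplen router.pcap; pcap_truncated_records router.pcap
```

Run the two functions on the file you pulled off the router; a snaplen of 96 together with a non-zero truncated-record count is the signature of a capture taken without -s 65535.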
[bash]tcpdump host 192.168.5.150 -w /tmp/dump -s 65535[/bash]
This command saves all packets going to or from the host 192.168.5.150 to a dump file in the temporary directory. The filter expression (host, port, net and so on) goes after the switches and can be combined with -i to restrict the capture to one interface.
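The examples above each write a whole-packet capture into RAM with no bound on how large it grows, and none of them keeps the capture from recording the session you are running it from. The following helper is an added example, not code from the original post: it wraps the same switches (-i, -s 65535, -w, a host filter) in functions that cap the capture by packet count, refuse to write into /tmp when it is nearly full, and exclude the capture's own transport so that a capture streamed to another machine does not feed on itself. The collector address 192.168.5.10, the port 31337, the use of traditional netcat syntax on the collector (nc -l -p) and SSH on port 22 are assumptions for the example, not values from the original page.

```shell
#!/bin/sh
# Added example, not from the original post: bounded, self-excluding captures
# for a RAM-only router such as the WRT54GL.
# Assumed (hypothetical) values: a collector PC at 192.168.5.10 listening with
# "nc -l -p 31337 > router.pcap", and an admin SSH session on TCP 22 (use 23
# if you came in over Telnet).

SNAPLEN=65535             # whole packets; tcpdump 3.9.4 keeps only 96 bytes by default
LOGGER_HOST=192.168.5.10
LOGGER_PORT=31337
ADMIN_PORT=22

# Build the BPF expression: the traffic of interest ($1, empty for everything)
# minus the capture's own transport and the admin session. Without the first
# exclusion every byte sent to the collector is itself captured and sent
# again, so the stream grows without bound.
build_filter() {
  exclude="not (host $LOGGER_HOST and tcp port $LOGGER_PORT) and not tcp port $ADMIN_PORT"
  if [ -n "$1" ]; then
    printf '(%s) and %s\n' "$1" "$exclude"
  else
    printf '%s\n' "$exclude"
  fi
}

# True when /tmp (a RAM disk on the router) has at least $1 KB free. A capture
# that fills the RAM disk takes the router's other services down with it.
tmp_has_room() {
  free_kb=$(df -k /tmp | awk 'NF >= 5 { a = $(NF-2) } END { print a }')
  [ "${free_kb:-0}" -ge "$1" ]
}

# Stream $3 whole packets from interface $1 (a name from tcpdump -D) matching
# the filter $2 straight to the collector; nothing is written on the router.
capture_to_logger() {
  tcpdump -i "$1" -s "$SNAPLEN" -c "$3" -w - "$(build_filter "$2")" \
    | nc "$LOGGER_HOST" "$LOGGER_PORT"
}

# Short capture kept in RAM, bounded by packet count and a free-space check.
capture_to_ram() {
  tmp_has_room 4096 || { echo "less than 4 MB free in /tmp, refusing" >&2; return 1; }
  tcpdump -i "$1" -s "$SNAPLEN" -c "$3" -w /tmp/dump "$(build_filter "$2")"
}

# Usage on the router, with IFACE set to an interface name from tcpdump -D:
#   capture_to_logger "$IFACE" "host 192.168.5.150" 5000
#   capture_to_ram    "$IFACE" "" 500
```

The whole expression is handed to tcpdump as one argument, which tcpdump accepts; the parentheses around the caller's filter matter because "host A and not B" and "(host A) and not B" only coincide for simple filters, and a filter such as "host A or host B" would otherwise bind differently.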

3 replies on “Installing TCPDump on DD-WRT WRT54GL”

Well that's all well and fine, but there's one error in your tutorial there.

You need to issue the command:
export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/tmp/smbshare/usr/lib"

instead of
LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/tmp/smbshare/usr/lib"

Also, I was able to use 7-zip, extract the ipk’s down to the data.tar (the important part of the package), then send that to the router, and tar -xvf data.tar

for both libpcap and tcpdump

And I didn’t need to change anything in the router at all. Well, except enabling ssh/telnet.

Lastly, I wouldn’t bother saving dumpfiles to the ramdrive in the router. Not very useful for long logging sessions. Either increase verbosity on tcpdump and log the output with putty or your favorite telnet/ssh client or redirect the raw log output with netcat to another computer acting as a logger (Making sure you add a rule in tcpdump to ignore that. Ex. NOT PORT 31337)

Hello Daniel,
I’ve changed the ‘LD_LIBRARY_PATH=’ command now – thanks for spotting!
Some useful tips there too regarding logging to another device. Definitely worth doing if you’re going to be doing some verbose monitoring for a lengthy period of time.
