This article will serve as a quick tutorial on installing TCPDump on a LinkSys WRT54GL box running the custom DD-WRT firmware.
TCPDump is a command-line packet analyser. It is a bit like Wireshark, except that it is command-line based, and in this tutorial we will be installing it on a router rather than on a PC.
Requirements and assumptions
There are a few requirements to meet before you go ahead and install TCPDump; they are listed below.
- I got TCPDump working on my WRT-54GL v1.1 box running the recommended firmware build (as of this post) 14929 std-nokaid
- You will need to enable JFFS2 support; the setting is on the Administration -> Management page.
- You will need an SSH/Telnet session configured and open.
Note: If you run into "File not found" errors, these are most likely due to there not being enough free space on the JFFS storage. However, these can be safely ignored. Read more about the errors here.
Note 2: The WRT54GL does not have enough storage space to install TCPDump permanently; because of this, the installation will disappear when the router is power-cycled (as it is stored in RAM).
Copy and paste the following in to your SSH/Telnet session:
# Create a working directory on the JFFS-backed share and fetch the packages
mkdir -p /tmp/smbshare/tmp/ipkg
cd /tmp/smbshare/tmp/ipkg
wget http://downloads.openwrt.org/whiterussian/packages/libpcap_0.9.4-1_mipsel.ipk
ipkg -d smbfs install libpcap_0.9.4-1_mipsel.ipk
wget http://downloads.openwrt.org/whiterussian/packages/tcpdump_3.9.4-1_mipsel.ipk
ipkg -d smbfs install tcpdump_3.9.4-1_mipsel.ipk
# Make the installed library and binary visible to this shell session
export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/tmp/smbshare/usr/lib" PATH="$PATH:/tmp/smbshare/usr/sbin"
Simple! All you need to do is type tcpdump.
Running tcpdump without any switches will just spit out all packets going in and out of the router.
The full list of command line switches for tcpdump can be found on the man page here.
The -D switch lists all interfaces on the router; you can capture packets from a particular interface in later commands by using the -i switch.
tcpdump -s 65535 -w /tmp/dump
The above command captures up to 65535 bytes of each packet flowing in/out of the router (i.e. the whole packet) and saves it to a file called dump in the /tmp directory. By default, TCPDump only captures the first 96 bytes of each packet, which isn't very useful when you need to analyse the contents of the packets in Wireshark or similar.
tcpdump host 192.168.5.150 -w /tmp/dump -s 65535
This command captures all packets going to/from the host 192.168.5.150 and saves them to a dump file in the temporary directory.
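As an added check on the snaplen point above (example code written for this article, not part of the original post or of tcpdump): a small Python script that parses a pcap file written with -w and reports whether the snaplen in force at capture time cut any packets short, as the 96-byte default does. The pcap bytes are constructed inline for the demonstration, not captured from a router.

```python
import struct

# Classic pcap magic as it reads when the file was written little-endian.
PCAP_MAGIC = 0xA1B2C3D4


def build_sample_pcap(snaplen=96):
    """Constructed sample: a little-endian pcap with two packets.

    The second packet is a full-size 1500-byte frame, so with snaplen 96
    only its first 96 bytes are written, exactly as tcpdump 3.x would do.
    """
    # magic, major, minor, thiszone, sigfigs, snaplen, linktype (1 = Ethernet)
    global_hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, 1)
    packets = [(1000, b"\x00" * 60), (1001, b"\xff" * 1500)]
    records = b""
    for ts_sec, pkt in packets:
        captured = pkt[:snaplen]
        # ts_sec, ts_usec, incl_len (bytes saved), orig_len (bytes on the wire)
        records += struct.pack("<IIII", ts_sec, 0, len(captured), len(pkt)) + captured
    return global_hdr + records


def pcap_truncation_report(data):
    """Parse a pcap blob and count records whose saved length is below wire length."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic == PCAP_MAGIC:
        order = "<"
    elif magic == 0xD4C3B2A1:          # same magic read the other way round
        order = ">"
    else:
        raise ValueError("not a classic pcap file (magic %#x)" % magic)
    _, _, _, _, _, snaplen, _ = struct.unpack(order + "IHHiIII", data[:24])
    offset, total, truncated, bytes_lost = 24, 0, 0, 0
    while offset + 16 <= len(data):
        _, _, incl_len, orig_len = struct.unpack(order + "IIII", data[offset:offset + 16])
        offset += 16 + incl_len
        if offset > len(data):
            raise ValueError("record runs past end of file")
        total += 1
        if incl_len < orig_len:       # snaplen clipped this packet
            truncated += 1
            bytes_lost += orig_len - incl_len
    return {"snaplen": snaplen, "packets": total, "truncated": truncated, "bytes_lost": bytes_lost}


if __name__ == "__main__":
    for snap in (96, 65535):
        print(snap, pcap_truncation_report(build_sample_pcap(snap)))
```

Run it against a real /tmp/dump copied off the router by reading the file into bytes and passing it to pcap_truncation_report; a non-zero truncated count means the capture should be repeated with -s 65535.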