This post assumes that you have SSH access configured on the router. I’m running firmware version 22.214.171.124_617, which already includes tcpdump. This means that monitoring the ADSL traffic is just a matter of finding the correct interface and running the binary against it with whatever other arguments I need.
To view the interfaces I ran the following:
    # ip a
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
        inet6 ::1/128 scope host
           valid_lft forever preferred_lft forever
    ...
    39: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc pfifo_fast state UNKNOWN qlen 3
        link/ppp
        inet <redacted> peer <redacted>/32 scope global ppp0
At the bottom of the list I found the point-to-point interface used for the ADSL connection, ppp0. I haven’t checked, but you might have more than one of these if you’re also running a USB modem for a dual WAN setup. In that case you’ll need to run the packet dump on whichever interface is the active one. Alternatively, you can check the routing table for the default route device (this also works if you’re using an Ethernet WAN, e.g. a fibre connection):
    # ip route
    <redacted> dev ppp0  proto kernel  scope link  src <redacted>
    192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.1
    127.0.0.0/16 dev lo  scope link
    169.254.0.0/16 dev br1  proto kernel  scope link  src 169.254.146.96
    169.254.0.0/16 dev br2  proto kernel  scope link  src 169.254.22.233
    169.254.0.0/16 dev br3  proto kernel  scope link  src 169.254.193.105
    169.254.0.0/16 dev br4  proto kernel  scope link  src 169.254.246.173
    126.96.36.199/8 dev br0  scope link
    default via <redacted> dev ppp0
The default route device is indicated as ppp0, which in this case corresponds to the device chosen above, since I’m using an ADSL connection.
To start monitoring traffic, I ran the following:
    # tcpdump -i ppp0
This can be combined with the default route device command above to shorten the process down to:

    # tcpdump -i $(ip route | grep default | cut -f 5 -d ' ')
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on ppp0, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
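The `cut -f 5` one-liner depends on the default route having exactly the shape `default via <gw> dev <if>`; a PPP default route without a `via` part shifts the columns. As an added example (not from the original post), the shell function below picks the token after `dev` instead, and is fed constructed routing tables rather than the router's real output:

```shell
# default_route_dev: print the device carrying the default route.
# Reads `ip route` output from stdin so it can be tested on captured text.
# It takes the token following "dev" rather than a fixed field number,
# because a PPP default route may lack "via <gateway>" ("default dev ppp0"),
# which shifts the columns and breaks `cut -f 5 -d ' '`.
default_route_dev() {
    awk '$1 == "default" {
        for (i = 2; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit }
    }'
}

# Constructed sample routing tables (not captured from the router).
SAMPLE_VIA='192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.1
default via 10.0.0.1 dev ppp0'

SAMPLE_NOVIA='192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.1
default dev ppp0  scope link'

SAMPLE_ETH='192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.1
default via 10.0.0.1 dev eth0.2  metric 10'

# capture_wan: dump the live default-route device to a pcap file for later
# analysis on a workstation. -n avoids DNS lookups over the link being watched,
# -s 0 keeps whole packets. Output path is an assumption; adjust to your router.
capture_wan() {
    dev=$(ip route | default_route_dev)
    [ -n "$dev" ] || { echo "no default route found" >&2; return 1; }
    tcpdump -n -i "$dev" -s 0 -w "/tmp/wan-$(date +%Y%m%d-%H%M%S).pcap"
}
```

Run `capture_wan` on the router itself; copy the resulting pcap off over SSH to inspect it with a full protocol decoder.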
For convenience, here’s a listing of the binary and library versions and the parameters:

    tcpdump version 4.4.0
    libpcap version 1.4.0
    Usage: tcpdump [-aAbdDefhHIJKlLnNOpqRStuUvxX] [ -B size ] [ -c count ]
                    [ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
                    [ -i interface ] [ -j tstamptype ] [ -M secret ]
                    [ -r file ] [ -s snaplen ] [ -T type ] [ -V file ] [ -w file ]
                    [ -W filecount ] [ -y datalinktype ] [ -z command ]
                    [ -Z user ] [ expression ]