Monitoring ADSL traffic on my ASUS DSL-AC52U router – Ian's notes


September 20th, 2020 by

This post assumes that you have SSH access configured on the router.

I’m running firmware version 1.1.2.3_617, which already includes tcpdump. This means that monitoring the ADSL traffic is just a matter of finding the correct interface and running the binary against it with any other arguments I need.

To view the interfaces I ran the following:

# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
...
39: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc pfifo_fast state UNKNOWN qlen 3
    link/ppp 
    inet <redacted> peer <redacted>/32 scope global ppp0

At the bottom of the list I found the point-to-point interface used for the ADSL connection, ppp0. I haven’t checked, but you might have more than one of these if you’re also running a USB modem for a dual WAN setup. In that case you’ll need to run the packet dump on whichever interface is the active one. Alternatively, you can check the routing table for the default route device (this will also work if you’re using an Ethernet WAN, e.g. for a fibre connection):

# ip route
<redacted> dev ppp0  proto kernel  scope link  src <redacted> 
192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.1 
127.0.0.0/16 dev lo  scope link 
169.254.0.0/16 dev br1  proto kernel  scope link  src 169.254.146.96 
169.254.0.0/16 dev br2  proto kernel  scope link  src 169.254.22.233 
169.254.0.0/16 dev br3  proto kernel  scope link  src 169.254.193.105 
169.254.0.0/16 dev br4  proto kernel  scope link  src 169.254.246.173 
239.0.0.0/8 dev br0  scope link 
default via <redacted> dev ppp0

The default route device is indicated as ppp0, which corresponds to the device chosen above in this case, since I’m using an ADSL connection.

To start monitoring traffic, I ran the following:

# tcpdump -i ppp0

This can be combined with the default route device command above to shorten the process down to:

# tcpdump -i $(ip route | grep default | cut -f 5 -d ' ')
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ppp0, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
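
The one-liner above relies on the device name being the fifth space-separated field, which fails for a route printed as "default dev ppp0 scope link". The following is an added example, not part of the original post: it finds the device by keyword and builds a bounded capture command using only flags from the usage listing on this page. The function names, the sample addresses and the assumption that SSH runs on port 22 are mine.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# default_dev: read `ip route` output on stdin and print the device of the
# first default route. It looks for the word after "dev" rather than a fixed
# column, so "default dev ppp0 scope link" (no "via") is handled too.
default_dev() {
    while read -r first rest; do
        [ "$first" = "default" ] || continue
        set -- $rest                      # split the remaining fields
        while [ $# -gt 1 ]; do
            if [ "$1" = "dev" ]; then echo "$2"; return 0; fi
            shift
        done
    done
    return 1                              # no default route found
}

# capture_cmd DEV [COUNT]: print a tcpdump command line for DEV.
#   -n  skip reverse DNS lookups, which would add traffic of their own
#   -c  stop after COUNT packets instead of running until interrupted
#   "not port 22" (assumption: SSH on port 22) keeps the SSH session out of
#   the capture when that session itself crosses the captured interface
capture_cmd() {
    dev=$1
    count=${2:-100}
    case $dev in
        ''|*[!A-Za-z0-9._-]*) echo "bad interface name: '$dev'" >&2; return 1 ;;
    esac
    case $count in
        ''|*[!0-9]*) echo "bad packet count: '$count'" >&2; return 1 ;;
    esac
    printf 'tcpdump -n -i %s -c %s not port 22\n' "$dev" "$count"
}

# Constructed sample shaped like the routing table above (documentation addresses).
sample_routes() {
    cat <<'EOF'
203.0.113.1 dev ppp0  proto kernel  scope link  src 198.51.100.7
192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.1
default via 203.0.113.1 dev ppp0
EOF
}

# Demo on the sample; on the router, feed it real data: ip route | default_dev
capture_cmd "$(sample_routes | default_dev)" 50
```
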

For convenience, here’s a listing of the binary and library versions and the parameters:

tcpdump version 4.4.0
libpcap version 1.4.0
Usage: tcpdump [-aAbdDefhHIJKlLnNOpqRStuUvxX] [ -B size ] [ -c count ]
		[ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
		[ -i interface ] [ -j tstamptype ] [ -M secret ]
		[ -r file ] [ -s snaplen ] [ -T type ] [ -V file ] [ -w file ]
		[ -W filecount ] [ -y datalinktype ] [ -z command ]
		[ -Z user ] [ expression ]