How can I capture packets going from my router to a specific server?

I have a small local network in my house that has two computers connected to a modem-router. I want to capture the packets going from the router to a specific server (I know the IP address of the server).

The router's manufacturer is D-Link.

user664174

Posted 2012-07-24T16:53:40.230

Reputation: 233

There are a couple of ways to accomplish this. What kind of router? Do you have a hub (not a switch) you could put in line? Do you have access to a switch that you could do a port span on? You could use Snort on a PC and collect the traffic by placing it inline between the router and server. There are a LOT of answers for this. – Everett – 2012-07-24T17:11:44.887

Are the connections being initiated from the router or from a system connected to the router? – Synetech – 2012-07-24T17:12:12.983

Install Wireshark on your "server." – HopelessN00b – 2012-07-24T16:56:53.933

The connection is between the router itself and a server. On the router there is firmware which connects to the server. – user664174 – 2012-07-24T17:26:49.393

Answers

First you're going to have to get in between all that traffic. You could do this in a number of ways, the simplest of which is probably to identify if you truly need the traffic from both computers or just the traffic from a single computer.

If you need both, hook the computers up to a hub and then to the router. A hub will send all network traffic to all ports, whereas a switch will only send it to its intended destination.

If you only have a switch, I suppose you could rig one computer as a gateway and point the second computer towards it, but that's messy.

If you need all the traffic, even the router's, place a hub after your router and hook a computer to it. This will probably only work if the traffic you're trying to capture doesn't originate from the machine you're using to capture the packets; otherwise you're going to run into some more messy configuration.

Once you have all the traffic flowing past your computer's NIC, grab a packet sniffer (I actually prefer Windows Network Monitor over Wireshark) and start grabbing the packets. You'll probably want to filter the traffic to just display the server in question. Filters in Microsoft Network Monitor are very user friendly: [screenshot of a Network Monitor filter not reproduced]

Tanner Faulkner

Posted 2012-07-24T16:53:40.230

Reputation: 11 948

I need to capture the communication from the router itself (its firmware) to a server on the internet. I need to capture both directions. – user664174 – 2012-07-24T17:58:38.607

Do you need both computers to be able to generate traffic as well? If you can hook one up to the hub after the router and let it be 'dead' to the network other than capturing packets, that would probably be the way to go.

A little more detail might not hurt on what exactly you're trying to do. It seems odd that you'd need to capture this traffic. There might be a better way to accomplish your underlying goal. – Tanner Faulkner – 2012-07-24T18:06:01.667

My ISP added a new user to the router with a password only he knows. He did that so users can go to a setup page that was built by the ISP and configure the router. I would want to find out that password. So the router is being logged into from the server of the ISP and I want to capture the communication. I guess it's secured, but still I want to check. – user664174 – 2012-07-24T19:38:10.693

I thought you might be up to no good. ;) I'd be willing to bet they're not sending the password without hashing it. If you want access to your router (I mean, why wouldn't you?) you're probably better off buying your own and simply spoofing the MAC address of the old one, rather than trying to break in to that one. – Tanner Faulkner – 2012-07-24T20:24:52.173

I can log in to the router, but I want to find out the password. – user664174 – 2012-07-25T11:59:18.207

If you run DD-WRT on your home router, you can run tcpdump directly on the router, with the output brought back to your local system for later processing.

An example:

ssh root@192.168.1.1 "tcpdump -v -w - -i eth2" > mypackets.pcap   # remote command is a positional argument; ssh's -c selects a cipher, not a command

Just hit Ctrl-C when done, and load the capture file into your favorite analysis tool such as Wireshark.

Michael Hampton

Posted 2012-07-24T16:53:40.230

Reputation: 11 744

This command has been my favourite ever. There are many ways: you can use opkg, ipkg or some other router-based package manager, or maybe you can just find a MIPS/ARM-compiled tcpdump (on the internet) and put it in your router's directory or temp filesystem. – Valerio – 2018-03-09T13:12:58.410

How do I get tcpdump on there? – rakslice – 2013-11-08T18:38:19.827

Unless the packets are originating from the router itself (possible, but unlikely) the packets should be coming from one of the connected computers. In this case, you can use a packet-sniffer. SmartSniff is extremely easy to use and can be configured to capture and/or display only connections to/from a specific IP, port, etc.

Synetech

Posted 2012-07-24T16:53:40.230

Reputation: 63 242

With an enterprise-grade router or switch, you would be able to mirror a port and use a packet capture program like Wireshark or Netmon to do this. With a D-Link router, there's really no way to do this built in.

One solution would be to get a network hub (not a switch, but a hub) and place it on your internal network. Then plug the uplink from the hub into a port on your router. You've now created a situation where all traffic in and out of your network will hit all of your machines' NICs, because you're using a hub. If you do this, you'll be able to run Wireshark or Netmon in promiscuous mode and capture all of this traffic. Writing a filter to isolate traffic to/from a specific IP is trivial.

MDMarra

Posted 2012-07-24T16:53:40.230

Reputation: 19 580

You might be able to fill the MAC address table on the D-Link router so that it becomes a hub and mindlessly broadcasts all the crap out onto every port. – Tom O'Connor – 2012-07-24T17:47:33.617
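As an added example (not code from the thread or from any of its posters): the "filter to just the server" step that Tanner Faulkner and MDMarra describe, and the "load the capture file into your analysis tool" step from Michael Hampton's answer, done offline in Python on a pcap written by tcpdump -w. It reads the classic pcap container in either byte order (a MIPS router writes big-endian), parses Ethernet/IPv4 headers, and writes a new pcap keeping only frames where the server is source or destination, so both directions survive. It also steps over one 802.1Q VLAN tag, which goes slightly beyond the thread because a mirrored switch port may deliver tagged frames. The addresses 198.51.100.7, 203.0.113.10 and 192.0.2.44 and the sample packets are constructed for the demo and are assumptions, not anything observed from an ISP.

```python
"""Keep only the packets to or from one server in a tcpdump/Wireshark pcap.
Added example: the capture below is constructed in memory; the addresses
are documentation ranges and assumptions, not anything from the thread."""
import socket
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4      # classic pcap magic as written on little-endian hosts
PCAP_MAGIC_BE = 0xD4C3B2A1      # the same magic when the writer was big-endian (e.g. MIPS)
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100

SERVER = "203.0.113.10"  # hypothetical ISP server (assumption)
ROUTER = "198.51.100.7"  # hypothetical router WAN address (assumption)
OTHER = "192.0.2.44"     # unrelated host, present only to show it gets dropped


def pcap_global_header(linktype=LINKTYPE_ETHERNET, snaplen=65535):
    # magic, version major/minor, thiszone, sigfigs, snaplen, linktype
    return struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(ts_sec, ts_usec, frame):
    # per-packet header: ts_sec, ts_usec, captured length, original length
    return struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame


def ipv4_frame(src_ip, dst_ip, payload=b"", proto=17):
    """Build an Ethernet/IPv4 frame (IP checksum left 0; fine for a constructed sample)."""
    eth = bytes.fromhex("020000000001" "020000000002") + struct.pack(">H", ETHERTYPE_IPV4)
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + payload


def iter_records(data):
    """Yield (ts_sec, ts_usec, frame) from pcap bytes, honouring the file's byte order."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (magic %#x)" % magic)
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected an Ethernet capture, got linktype %d" % linktype)
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:      # capture cut off mid-record (Ctrl-C): drop the torn tail
            break
        off += incl_len
        yield ts_sec, ts_usec, frame


def ipv4_endpoints(frame):
    """Return (src, dst) for an Ethernet/IPv4 frame, stepping over one 802.1Q tag; else None."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack(">H", frame[12:14])[0]
    ip_off = 14
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            return None
        ethertype = struct.unpack(">H", frame[16:18])[0]
        ip_off = 18
    if ethertype != ETHERTYPE_IPV4 or len(frame) < ip_off + 20 or frame[ip_off] >> 4 != 4:
        return None
    return (socket.inet_ntoa(frame[ip_off + 12:ip_off + 16]),
            socket.inet_ntoa(frame[ip_off + 16:ip_off + 20]))


def filter_pcap(data, server_ip):
    """Return (new pcap bytes, kept count) with only frames where server_ip is src OR dst."""
    out = [pcap_global_header()]
    kept = 0
    for ts_sec, ts_usec, frame in iter_records(data):
        ends = ipv4_endpoints(frame)
        if ends is not None and server_ip in ends:   # both directions pass this test
            out.append(pcap_record(ts_sec, ts_usec, frame))
            kept += 1
    return b"".join(out), kept


def build_sample_capture():
    """Constructed capture: router<->server both ways, two unrelated packets, one ARP frame."""
    frames = [
        (1, ipv4_frame(ROUTER, SERVER, b"hello")),
        (2, ipv4_frame(SERVER, ROUTER, b"ack")),
        (3, ipv4_frame(ROUTER, OTHER, b"dns?")),
        (4, ipv4_frame(OTHER, ROUTER, b"dns!")),
        (5, b"\xff" * 6 + bytes.fromhex("020000000001") + b"\x08\x06" + b"\x00" * 28),
    ]
    return pcap_global_header() + b"".join(pcap_record(t, 0, f) for t, f in frames)


if __name__ == "__main__":
    filtered, kept = filter_pcap(build_sample_capture(), SERVER)
    print("kept %d of 5 packets" % kept)
    for ts, _, frame in iter_records(filtered):
        src, dst = ipv4_endpoints(frame)
        print("t=%d %s -> %s" % (ts, src, dst))
    # real use: open("server-only.pcap", "wb").write(filter_pcap(open("mypackets.pcap", "rb").read(), SERVER)[0])
```

The output file is a plain little-endian pcap, so Wireshark, Network Monitor or tcpdump -r open it directly; the same filter expressed for live capture on the router would be tcpdump's `host 203.0.113.10`.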