LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Old 03-05-2009, 07:09 AM   #1
zeroXcool
LQ Newbie
 
Registered: Jun 2007
Posts: 4

Rep: Reputation: 0
[DD-WRT] Reading TCP packets via tcpdump through SSH


Hi everyone
I've got a "little" problem and hope someone could tell me why it doesn't work... or find a solution with me.

I want to get the tcpdump output (packets) from my DD-WRT router via SSH on my server, to pipe the output to a script. It works somehow, but:

I think it's best to print the commands first:


1. Via SSH, tcpdump with "host"-expression - Works fine:
ssh root@<dd-wrt-router> "export LD_LIBRARY_PATH=/lib:/usr/lib:/jffs/lib:/jffs/usr/lib:/jffs/usr/local/lib ; /jffs/usr/sbin/tcpdump -s 50000 -i br0 -w - 'host ###.###.###.###'"
2. Via SSH, tcpdump with "port"-expression - Does not work:
ssh root@<dd-wrt-router> "export LD_LIBRARY_PATH=/lib:/usr/lib:/jffs/lib:/jffs/usr/lib:/jffs/usr/local/lib ; /jffs/usr/sbin/tcpdump -s 50000 -i br0 -w - 'port ####'"
3. directly on the dd-wrt console - WORKS:
/jffs/usr/sbin/tcpdump -s 50000 -i br0 -w - 'host ###.###.###.###'
4. directly on the dd-wrt console - WORKS:
/jffs/usr/sbin/tcpdump -s 50000 -i br0 -w - 'port ####'

So my problem is that I need 2. (above) to work, but there is just no output, while if I do the same directly on the console (4.) it works. And I don't know why ;( I've been working on this for hours now, and I also checked all commands with dumping to a file, with the same result ;(

So I'm happy for any ideas.
If someone needs additional info, just ask.

Oh, and I know that there is traffic on the port when I capture the dump.

greetz z.c
 
Old 03-05-2009, 09:08 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
Well, what doesn't work about it? You've not given us any error messages or anything. You aren't dumping port 22, are you?
 
Old 03-05-2009, 09:31 AM   #3
zeroXcool
LQ Newbie
 
Registered: Jun 2007
Posts: 4

Original Poster
Rep: Reputation: 0
Oh, I'm sorry.

At first: no, I'm not dumping port 22.

About the error message: there is none, just no output. I'll try to post the output:

1.
<user>@<server>:~$ ssh root@<dd-wrt-router> "export LD_LIBRARY_PATH=/lib:/usr/lib:/jffs/lib:/jffs/usr/lib:/jffs/usr/local/lib ; /jffs/usr/sbin/tcpdump -s 50000 -i br0 -w - 'host ###.###.###.###'"
DD-WRT v23 SP1 std Date: 05/16/06 (c) 2006 NewMedia-NET GmbH
root@<dd-wrt-router>'s password:
tcpdump: listening on br0, link-type EN10MB (Ethernet), capture size 50000<much binary>
2.
<user>@<server>:~$ ssh root@<dd-wrt-router> "export LD_LIBRARY_PATH=/lib:/usr/lib:/jffs/lib:/jffs/usr/lib:/jffs/usr/local/lib ; /jffs/usr/sbin/tcpdump -s 50000 -i br0 -w - 'port ####'"
DD-WRT v23 SP1 std Date: 05/16/06 (c) 2006 NewMedia-NET GmbH
root@<dd-wrt-router>'s password:
tcpdump: listening on br0, link-type EN10MB (Ethernet), capture size 50000 bytes
<nothing>
 
Old 03-05-2009, 10:00 AM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
Well, IS there any traffic on this super secret mystery port number?
 
Old 03-05-2009, 10:14 AM   #5
zeroXcool
LQ Newbie
 
Registered: Jun 2007
Posts: 4

Original Poster
Rep: Reputation: 0
hey
It is no super mystery port, it's 5190.

And there is traffic, I'm sure: when I use the "host" expression or execute the command directly on the console of the WRT router, the traffic is there, any message I write. But with the "port" expression (via SSH command 2.), nothing...

Last edited by zeroXcool; 03-05-2009 at 10:35 AM.
 
Old 03-05-2009, 12:51 PM   #6
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
OK, so show us the tcpdump output showing traffic on port 5190 when you use the host statement.
 
Old 03-05-2009, 01:14 PM   #7
zeroXcool
LQ Newbie
 
Registered: Jun 2007
Posts: 4

Original Poster
Rep: Reputation: 0
This is the tcpdump output (I guess the binary dump is not needed):

1. directly on the DD-WRT router:
~ # /jffs/usr/sbin/tcpdump -s 50000 -i br0 port 5190
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br0, link-type EN10MB (Ethernet), capture size 50000 bytes
20:07:02.527895 IP 205.188.9.242.5190 > 192.168.###.###.2781: P 2736427840:2736427878(38) ack 955586305 win 16384
20:07:02.700681 IP 192.168.###.###.2781 > 205.188.9.242.5190: . ack 38 win 65345
20:07:02.744744 IP 205.188.9.242.5190 > 192.168.###.###.2781: P 38:76(38) ack 1 win 16384
20:07:02.901987 IP 192.168.###.###.2781 > 205.188.9.242.5190: . ack 76 win 65307
20:07:04.196115 IP <workstation>.34825 > 64.12.24.252.5190: P 2740339472:2740339565(93) ack 615897945 win 63246
20:07:04.308234 IP 64.12.24.252.5190 > <workstation>.34825: P 1:210(209) ack 93 win 16384
20:07:04.308736 IP <workstation>.34825 > 64.12.24.252.5190: . ack 210 win 63246
20:07:04.311430 IP 64.12.24.252.5190 > <workstation>.34825: P 210:245(35) ack 93 win 16384
20:07:04.311864 IP <workstation>.34825 > 64.12.24.252.5190: . ack 245 win 63246

9 packets captured
18 packets received by filter
0 packets dropped by kernel
2. via SSH:
user@<server>:~$ ssh root@<router> "export LD_LIBRARY_PATH=/lib:/usr/lib:/jffs/lib:/jffs/usr/lib:/jffs/usr/local/lib ; /jffs/usr/sbin/tcpdump -s 50000 -i br0 port 5190"
DD-WRT v23 SP1 std Date: 05/16/06 (c) 2006 NewMedia-NET GmbH
root@zcwrt's password:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br0, link-type EN10MB (Ethernet), capture size 50000 bytes
<nothing>
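The original poster's goal is to pipe the `tcpdump -w -` stream from the router through ssh into a script. The following is an added example, not code from the thread or from DD-WRT: a minimal libpcap stream reader that decodes Ethernet/IPv4/TCP headers and selects packets by port in user space, i.e. the same selection the BPF expression `port 5190` would make, done on the receiving side instead of on the router. It is fed either by stdin (the ssh pipe) or, when stdin is a terminal, by a small constructed capture built inline; the sample addresses other than 205.188.9.242 and port 5190 (both taken from the output above) are made up.

```python
"""Read a libpcap stream, such as `tcpdump -w -` piped over ssh, and pick out
TCP packets for one port in user space.  Added example, not code from the
thread; the sample capture built below is constructed, not real traffic."""
import io
import struct
import sys
from typing import Iterator, List, NamedTuple, Optional, Tuple

PCAP_MAGIC_USEC = 0xA1B2C3D4   # microsecond timestamps
PCAP_MAGIC_NSEC = 0xA1B23C4D   # nanosecond timestamps
LINKTYPE_ETHERNET = 1          # "link-type EN10MB" in the thread's output
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


class TcpPacket(NamedTuple):
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    payload_len: int


def _read_exact(fp, n: int) -> bytes:
    """Read exactly n bytes; returns fewer only at end of stream."""
    buf = b""
    while len(buf) < n:
        chunk = fp.read(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def read_pcap(fp) -> Iterator[Tuple[float, bytes]]:
    """Yield (timestamp, frame) per record; handles both byte orders."""
    hdr = _read_exact(fp, 24)
    if len(hdr) < 24:
        raise ValueError("truncated pcap global header")
    endian = "<"
    magic = struct.unpack("<I", hdr[:4])[0]
    if magic not in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
        endian = ">"
        magic = struct.unpack(">I", hdr[:4])[0]
        if magic not in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            raise ValueError("not a pcap stream (bad magic)")
    frac_div = 1e6 if magic == PCAP_MAGIC_USEC else 1e9
    linktype = struct.unpack(endian + "I", hdr[20:24])[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported link type %d" % linktype)
    while True:
        rec = _read_exact(fp, 16)
        if len(rec) < 16:
            return                  # end of stream (or cut-off record header)
        sec, frac, incl_len, _orig_len = struct.unpack(endian + "IIII", rec)
        frame = _read_exact(fp, incl_len)
        if len(frame) < incl_len:
            return                  # record truncated, e.g. tcpdump was killed
        yield sec + frac / frac_div, frame


def parse_tcp(ts: float, frame: bytes) -> Optional[TcpPacket]:
    """Decode Ethernet/IPv4/TCP headers; None for anything else."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4 or ip[9] != IPPROTO_TCP:
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]         # drops any Ethernet trailer padding
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    return TcpPacket(ts, src, sport, dst, dport, max(len(tcp) - doff, 0))


def select_port(data: bytes, port: int) -> List[TcpPacket]:
    """User-space equivalent of the BPF expression `port N`."""
    out = []
    for ts, frame in read_pcap(io.BytesIO(data)):
        pkt = parse_tcp(ts, frame)
        if pkt is not None and port in (pkt.sport, pkt.dport):
            out.append(pkt)
    return out


def _frame(src, sport, dst, dport, payload):
    """Minimal Ethernet/IPv4/TCP frame (checksums left zero; constructed data)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0x4000,
                     64, IPPROTO_TCP, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    eth = b"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + tcp + payload


def build_sample_pcap() -> bytes:
    """Three constructed records: two on port 5190 (as in the thread), one on port 80."""
    records = [
        (1.0, _frame("205.188.9.242", 5190, "192.168.1.10", 2781, b"x" * 38)),
        (1.2, _frame("192.168.1.10", 2781, "205.188.9.242", 5190, b"")),
        (1.5, _frame("192.168.1.10", 40000, "198.51.100.7", 80, b"GET / HTTP/1.0\r\n")),
    ]
    out = struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in records:
        sec = int(ts)
        out += struct.pack("<IIII", sec, int(round((ts - sec) * 1e6)), len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    # Usage: ssh root@<router> "... tcpdump -s 50000 -i br0 -w -" | python3 this.py 5190
    # With no pipe on stdin, runs against the constructed sample capture instead.
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 5190
    data = build_sample_pcap() if sys.stdin.isatty() else sys.stdin.buffer.read()
    for p in select_port(data, port):
        print("%.6f %s:%d > %s:%d len %d" % p)
```

Two practical points when feeding this from a pipe: the reader stops cleanly on a truncated record, which is what you get when the remote tcpdump is killed mid-write, and tcpdump buffers `-w` output to a pipe, so on builds that support `-U` (packet-buffered output) adding it lets you tell a quiet pipe apart from a genuinely empty capture.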
 
  

