OpenWRT Sniff Traffic


OpenWrt Router : 192.168.9.1
Monitored Device : 192.168.9.121
Laptop w/ Wireshark : 192.168.9.183


SSH into the router running OpenWrt (usually port 22) and install "iptables-mod-tee" with the commands below:

opkg update

opkg install iptables-mod-tee

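Run the following iptables command to forward a copy of each packet leaving the out interface (-o) to the gateway IP (--gateway). The source match (-s) is negated with "!", so the rule copies packets whose source is not 192.168.9.121: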

iptables -A POSTROUTING -t mangle -o br-lan ! -s 192.168.9.121 -j TEE --gateway 192.168.9.183

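Run the following iptables command to forward a copy of each packet arriving on the in interface (-i) to the gateway IP (--gateway). The destination match (-d) is negated with "!", so the rule copies packets whose destination is not 192.168.9.121: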

iptables -A PREROUTING -t mangle -i br-lan ! -d 192.168.9.121 -j TEE --gateway 192.168.9.183

Start capturing traffic in Wireshark on the laptop with the display filter below applied:

(ip.src == 192.168.9.121) || (ip.dst == 192.168.9.121)


Alternatively, tcpdump can be installed on the OpenWrt router itself. This approach eliminates the need for a remote Wireshark or similar listener to analyze the traffic in real time.

SSH into the router running OpenWrt and install "tcpdump" with the command below:

opkg install tcpdump

Execute the command below to listen on all interfaces (-i any), store the captured packets in a file (-w), and be verbose while doing so (-v).

tcpdump -i any -v -w pcap.cap

Retrieve and open the pcap.cap file with Wireshark for further analysis.
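
As an added example (not part of the original post), the Python sketch below reads a retrieved capture without Wireshark and counts the peers of the monitored device, applying the same test as the display filter above. It assumes the classic pcap format that tcpdump -w writes by default and handles the Ethernet and Linux "cooked" framings; host_talkers, build_sample and the 203.0.113.10 peer are constructed for illustration.

```python
import struct
from collections import Counter
from ipaddress import IPv4Address

# link type -> (offset of the 2-byte protocol field, link-layer header length)
LINK_LAYOUT = {1: (12, 14),    # Ethernet (e.g. -i br-lan)
               113: (14, 16),  # Linux cooked v1 (-i any)
               276: (0, 20)}   # Linux cooked v2 (-i any, newer libpcap)
MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",
         b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">"}

def host_talkers(data, host):
    """Return (sent, received) peer counters for `host` from classic pcap bytes."""
    order = MAGIC.get(data[:4])
    if order is None or len(data) < 24:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack_from(order + "I", data, 20)[0] & 0x0FFFFFFF
    if linktype not in LINK_LAYOUT:
        raise ValueError(f"unsupported link type {linktype}")
    proto_off, hdr_len = LINK_LAYOUT[linktype]
    host = IPv4Address(host)
    sent, received = Counter(), Counter()
    pos = 24
    while pos + 16 <= len(data):
        incl_len = struct.unpack_from(order + "I", data, pos + 8)[0]
        frame = data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        # skip short/truncated frames and anything that is not IPv4 (0x0800)
        if len(frame) < hdr_len + 20 or frame[proto_off:proto_off + 2] != b"\x08\x00":
            continue
        src = IPv4Address(frame[hdr_len + 12:hdr_len + 16])
        dst = IPv4Address(frame[hdr_len + 16:hdr_len + 20])
        if src == host:        # same test as ip.src == host
            sent[str(dst)] += 1
        elif dst == host:      # same test as ip.dst == host
            received[str(src)] += 1
    return sent, received

def build_sample():
    """Constructed 4-packet capture in Linux cooked v1 framing (not real traffic)."""
    def pkt(src, dst):
        sll = struct.pack(">HHH8sH", 0, 1, 6, b"\0" * 8, 0x0800)
        ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                         IPv4Address(src).packed, IPv4Address(dst).packed)
        return struct.pack("<IIII", 0, 0, 36, 36) + sll + ip
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 113)
    dev, peer = "192.168.9.121", "203.0.113.10"
    return hdr + pkt(dev, peer) + pkt(peer, dev) + pkt(dev, peer) \
        + pkt("192.168.9.183", "192.168.9.1")
```

For a real capture, pass open("pcap.cap", "rb").read() as the first argument in place of build_sample().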
