Adam O'Grady

Wireshark: Capture Network Traffic

If you have a computer with two Network Interface Cards (NICs), you can place it in the middle between your gateway/router and the rest of your network: plug an Ethernet cable from the router into that computer, then either run Ethernet from the computer to the rest of the network or use the computer to create a wireless network (with tools such as hostapd) that other clients connect to. We don't aim to cover this in particular; instead we will give a good setup you can use if your router is running DD-WRT (a feature-packed distro for Linux-based consumer routers).

This setup copies all traffic on the network through to a specified IP address, in this case the host that will be running Wireshark (which doesn't need two NICs in this use-case). Log into your DD-WRT router and click on Administration at the top; you may be prompted for (and should enter) the router's username and password. Next click on the Commands sub-tab and enter the following in the Commands text area, replacing the values in square brackets with the relevant information:

iptables -t mangle -A POSTROUTING -d [NETWORK ADDRESS OF LAN]/[SUBNET IN CIDR NOTATION] -j ROUTE --tee --gw [IP OF WIRESHARK COMPUTER]
iptables -t mangle -A PREROUTING -s [NETWORK ADDRESS OF LAN]/[SUBNET IN CIDR NOTATION] -j ROUTE --tee --gw [IP OF WIRESHARK COMPUTER]

After that, click “Save Firewall”; the commands are saved to the firewall and the router starts redirecting a copy of all traffic to our host.

On our host computer, we'll need to install Wireshark. Because we're running a headless server in this case, we're choosing to install (and use) the command line tool tshark, which uses the same command line options as Wireshark for sniffing network traffic. For Ubuntu/Debian users, type sudo apt-get install tshark, which should install the necessary dependencies.

There are a multitude of configuration options and switches available and it behooves the user to explore them further and work out the best choices for their needs, but a simple example is tshark -a duration:30 -i [INTERFACE NAME] -P -F pcapng -w output.pcapng. The -a option gives the auto-stop condition, in this case stopping the capture after 30 seconds have passed, while -i names the interface on which to sniff traffic. -P decodes and displays a one-line summary of each packet, which is useful for working out what it's about, while -F selects the file format to use and -w gives the output file. Please note that to explore packet captures stored as pcap and pcapng files you'll need to open them in the Wireshark GUI under a graphical user environment.

With some imagination and command line magic you could set up a system which runs in the background (perhaps in a screen process) and stores captures in files stamped with a date-time so you can peruse them later at your pleasure.
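As an added example (not part of the original post), here is a POSIX shell version of that background job: one tshark run per interval into date-time stamped pcapng files, plus pruning so a mirrored LAN cannot fill the disk. It assumes tshark is on PATH (override with TSHARK for dry runs) and that you supply the interface name and output directory.

```shell
#!/bin/sh
# Added example: rotate tshark captures into date-time stamped pcapng files
# and keep only the newest ones. Assumes tshark is on PATH; TSHARK can be
# overridden (e.g. with a shell function) to dry-run the loop.

TSHARK=${TSHARK:-tshark}

# capture_path DIR STAMP -> DIR/capture-STAMP.pcapng
capture_path() {
    printf '%s/capture-%s.pcapng\n' "$1" "$2"
}

# capture_once IFACE DIR SECONDS: one capture of SECONDS length, written to
# a file stamped with the UTC start time. Uses the post's options (-a duration,
# -i, -F pcapng, -w); -P is dropped because nobody watches a background job.
capture_once() {
    iface=$1 dir=$2 secs=$3
    out=$(capture_path "$dir" "$(date -u +%Y%m%d-%H%M%S)")
    "$TSHARK" -a "duration:$secs" -i "$iface" -F pcapng -w "$out"
}

# prune_captures DIR KEEP: delete all but the KEEP newest capture files,
# so an unattended capture of a whole LAN cannot exhaust disk space.
prune_captures() {
    dir=$1 keep=$2
    ls -1t "$dir"/capture-*.pcapng 2>/dev/null | tail -n +"$((keep + 1))" |
        while IFS= read -r f; do
            rm -f -- "$f"
        done
}

# capture_loop IFACE DIR SECONDS KEEP [ROUNDS]: run ROUNDS captures
# back to back (0 or omitted = run until killed), pruning after each one.
capture_loop() {
    iface=$1 dir=$2 secs=$3 keep=$4 rounds=${5:-0}
    mkdir -p "$dir"
    n=0
    while [ "$rounds" -eq 0 ] || [ "$n" -lt "$rounds" ]; do
        capture_once "$iface" "$dir" "$secs"
        prune_captures "$dir" "$keep"
        n=$((n + 1))
    done
}
```

Start it inside screen with something like capture_loop eth0 /var/captures 300 48 to keep the last four hours of five-minute files.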

Note: Only use this tool in conjunction with any relevant laws (particularly surrounding digital/data privacy) in your local jurisdictions.