Background: On my home setup, all traffic is routed through a single TP-link router which currently has OpenWRT intalled. I set up DNS ad blocking with a pixelserv setup, so all devices on my network automatically have a rudimentary ad-block. However my Chromecast still displays YouTube ads. I'm trying to find the hostname it connects to.
I want to monitor the activity of a device on my network (a Chromecast). The most logical way to do this seems to run tcpdump on the router. I am not familiar enough with it, though, to succeed.
I used ifconfig to list my interfaces (I have wlan0 and wlan1). I tried commands like this:
tcpdump -vv -i wlan0 | grep Chromecast
expecting to see some traffic from the device to some remote site.
However, I'm not sure how to interpret the result and whether there even is useful information in it:
debian.lan.51469 > Chromecast.lan.8009: Flags [P.], cksum 0x0743 (correct), seq 3470496191:3470495026, ack 2613442937, win 1444, options [nop,nop,TS val 1863051 ecr 6696623], length 115
Chromecast.lan.8009 > debian.lan.51469: Flags [.], cksum 0xe938 (correct), seq 1, ack 115, win 411, options [nop,nop,TS val 6697122 ecr 1863050], length 0
Chromecast.lan.39457 > 74.125.8.26.https: Flags [.], cksum 0xee29 (correct), seq 1, ack 4294950448, win 214, length 0
74.125.8.26.https > Chromecast.lan.39457: Flags [.], cksum 0x7084 (correct), seq 5616:7020, ack 1, win 388, length 1404
So, I'm with these questions:
- Can I use tcpdump to find out the host the device connects to? How?
- How can you interpret the captured traffic in this case? Is there really anything useful in it?
- Is there any other/better monitoring tool?
Answer
There are a few other monitoring tools listed here: https://networkengineering.stackexchange.com/questions/10073/difference-between-sniffer-tools
Wireshark is generally a good place to start if you want to look at some more detail, do filtering for specific traffic, etc. e.g. see screenshot here
For your situation, you could try sending the tcpdump output to another machine via SSH and view the data with Wireshark. Have a look here: http://blog.nielshorn.net/2010/02/using-wireshark-with-remote-capturing/
Good luck!
No comments:
Post a Comment