Tuesday 22 May 2018

networking - Using tcpdump to monitor Chromecast activity


Background: On my home setup, all traffic is routed through a single TP-link router which currently has OpenWRT installed. I set up DNS ad blocking with a pixelserv setup, so all devices on my network automatically have a rudimentary ad-block. However my Chromecast still displays YouTube ads. I'm trying to find the hostname it connects to.


I want to monitor the activity of a device on my network (a Chromecast). The most logical way to do this seems to run tcpdump on the router. I am not familiar enough with it, though, to succeed.


I used ifconfig to list my interfaces (I have wlan0 and wlan1). I tried commands like this:


tcpdump -vv -i wlan0 | grep Chromecast

expecting to see some traffic from the device to some remote site.


However, I'm not sure how to interpret the result and whether there even is useful information in it:


debian.lan.51469 > Chromecast.lan.8009: Flags [P.], cksum 0x0743 (correct), seq 3470496191:3470495026, ack 2613442937, win 1444, options [nop,nop,TS val 1863051 ecr 6696623], length 115
Chromecast.lan.8009 > debian.lan.51469: Flags [.], cksum 0xe938 (correct), seq 1, ack 115, win 411, options [nop,nop,TS val 6697122 ecr 1863050], length 0
Chromecast.lan.39457 > 74.125.8.26.https: Flags [.], cksum 0xee29 (correct), seq 1, ack 4294950448, win 214, length 0
74.125.8.26.https > Chromecast.lan.39457: Flags [.], cksum 0x7084 (correct), seq 5616:7020, ack 1, win 388, length 1404

So, I have these questions:



  • Can I use tcpdump to find out the host the device connects to? How?

  • How can you interpret the captured traffic in this case? Is there really anything useful in it?

  • Is there any other/better monitoring tool?



Answer



There are a few other monitoring tools listed here: https://networkengineering.stackexchange.com/questions/10073/difference-between-sniffer-tools


Wireshark is generally a good place to start if you want to look at some more detail, do filtering for specific traffic, etc. e.g. see screenshot here


For your situation, you could try sending the tcpdump output to another machine via SSH and view the data with Wireshark. Have a look here: http://blog.nielshorn.net/2010/02/using-wireshark-with-remote-capturing/


Good luck!
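As an added example (not part of the original question or answer), here is a small POSIX shell/awk helper that does the first thing the asker wants: given tcpdump output in the name-resolved "src.port > dst.port:" form shown above, it lists every off-LAN peer a named device talks to, with a packet count. The capture lines are constructed inline so the script runs offline; on the router you would pipe real output into it, e.g. `tcpdump -i wlan0 -l 'host Chromecast.lan' | remote_peers Chromecast.lan` (the `.lan` suffix and the device name are assumptions taken from the question).

```shell
#!/bin/sh
# Added example, not from the original post. Parses tcpdump text output and
# reports which remote (non-.lan) endpoints a given device exchanged packets
# with. Works on both the plain "HH:MM:SS IP a.p > b.q:" lines and the
# indented continuation lines that -vv prints (as quoted in the question).

# Constructed sample capture, in the same format as the question's output.
SAMPLE='debian.lan.51469 > Chromecast.lan.8009: Flags [P.], seq 1:116, ack 1, win 1444, length 115
Chromecast.lan.8009 > debian.lan.51469: Flags [.], seq 1, ack 115, win 411, length 0
12:00:01.000 IP Chromecast.lan.39457 > 74.125.8.26.https: Flags [.], seq 1, ack 1, win 214, length 0
74.125.8.26.https > Chromecast.lan.39457: Flags [.], seq 5616:7020, ack 1, win 388, length 1404
Chromecast.lan.39458 > 74.125.8.40.https: Flags [S], seq 0, win 29200, length 0'

# remote_peers DEVICE: read tcpdump output on stdin, print "<count> <host.port>"
# for each distinct off-LAN peer of DEVICE, sorted by peer. A peer counts as
# off-LAN when its resolved name does not end in ".lan" (adjust to your domain).
remote_peers() {
  awk -v dev="$1" '
    # Strip the trailing ".port" component to get the bare host name / IP.
    function host(ep) { sub(/\.[^.]+$/, "", ep); return ep }
    {
      # Locate the ">" separator; the endpoints sit on either side of it.
      for (i = 2; i < NF; i++) if ($i == ">") break
      if (i >= NF) next                      # not a packet line, skip it
      src = $(i - 1); dst = $(i + 1); sub(/:$/, "", dst)
      if (host(src) == dev && host(dst) !~ /\.lan$/) n[dst]++
      if (host(dst) == dev && host(src) !~ /\.lan$/) n[src]++
    }
    END { for (p in n) print n[p], p }
  ' | sort -k2
}

# Run the parser over the constructed capture; LAN-only chatter with
# debian.lan is dropped, the two Google-range peers are listed.
printf '%s\n' "$SAMPLE" | remote_peers Chromecast.lan
```

The packet count hints at which remote host is carrying the bulk of the traffic, which is the one worth resolving back to a DNS name with a second capture filtered on `port 53`.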

