Remote connection
Perhaps you’ve used Wireshark to capture packets on your laptop, or pc. But what if you need to troubleshoot your router? A quick way to grap a dump, is a simple ssh/tcpdump combo. It’s easy to do, and can be done remotely.
First, your router must accept ssh connections for this method. In the case of EdgeMax router software, the settings to enable are in the “System” tab, found at the bottom of the web-based admin portal.
ssh and saving the pcap file.
$ ssh $(router_ip) "sudo tcpdump -s 0 -w - " > ~/Desktop/router_capture.pcap
The above command basically does it, and you can stop the capture with a Ctrl-C. Until then, you’ll be capturing packets remotely from your router, right onto you desktop. However, note that you’ll need to change $(router_ip) to your router, like 192.168.0.1, or example. You will likely be asked for passwords, both to connect to the router, and to use the sudo.
You could change the ‘~/router_capture.pcap‘ line to any path on your computer. However, I recommend saving somewhere only you can access. It may have sensitive info.
Parsing the file
This packet capture file will be readable by Wireshark, if this is all accomplished with a modern enough system. However, if you prefer to NOT have that format, and perhaps just ‘grep’ or read the text output, you can remove the ‘-w – ‘ part of the command. In addition, you could pipe the tcpdump command into a ‘grep’ first, to limit the amount of data. For instance:
$ ssh 192.168.2.1 "sudo tcpdump -s 0 | grep -e -v '192\.168\.0" > ~/router_capture.txt
The above will remove IPs that have “192.168.0” in the output. However, I don’t suggest this, as Wireshark will be much more powerful for searching and finding issues you might be having.