Capture packets using tcpdump

Description

This article describes how to log packets using tcpdump.

Installing tcpdump

Before starting, you need to install required packages. Tcpdump and Libpcap. These packages can be found attached to the article.

To install, you need to upload the packages to your WCCLite /tmp/ directory. You can achieve this by using scp or any other software that has scp compatibility, for example: WinSCP, PSCP, FileZilla.

We are going to upload using scp.

Navigate to the directory where libpcap is.
Open the command terminal in that directory.
Execute command: scp libpcap_1.7.4-1_ar71xx.ipk root@192.168.1.1:/tmp/
It will ask you for the password. Enter the default wcclite password - wcclite.

Navigate to the directory where tcpdump is.
Open the command terminal in that directory.
Execute command: scp tcpdump_4.9.2-1_ar71xx.ipk root@192.168.1.1:/tmp/
It will ask you for the password. Enter the default wcclite password - wcclite.

After uploading the packages, you need to install them.

Connect to the WCCLite using an ssh client. We recommend using putty
Execute command: opkg install /tmp/libpcap_1.7.4-1_ar71xx.ipk to install libpcap
If successful you will get this message.

Now to install tcpdump:

Execute: opkg install /tmp/tcpdump_4.9.2-1_ar71xx.ipk to install tcpdump.
If successful you will get this message.

To check if everything installed correctly, execute this command: tcpdump --v

Now Tcpdump has been successfully installed.

Running tcpdump

To run tcpdump you need to give it specific options. You can find all of them in the manual. Here are some of the more frequent ones:

Switch	Syntax	Description
-i any	tcpdump -i any	Capture from all interfaces
-i eth0	tcpdump -i eth0	Capture from specific interface
-D	tcpdump -D	Show available interfaces
-w	tcpdump -i eth0 -w capture.pcap	Save capture to file (.pcap for reading it with Wireshark or other packet analysis tools)
-c	tcpdump -i eth0 -c 100	Capture first 100 packets and exit
-n	tcpdump -n -i eth0	Do not resolve host names
port	tcpdump -i eth0 port 2404	Capture traffic from a defined port only
host	tcpdump host 192.168.1.100	Capture packets from specific host

After you write your specific command you execute it via the console.

Here is shown tcpdump -i wwan0 -n. This command shows all traffic that goes through the gsm interface.

Examples

Command	Description
tcpdump -i eth0 -n port 2404 -c 1000 -s0 -w /var/log/2404.dmp	Capture packets that are on port 2404 that go through eth0 interface.Exit after first 1000 and save them to /var/log/2404.dmp file
tcpdump -i wwan0 -w /tmp/capture-%H.pcap -G 3600 -C 10000	Capture packets that go through gsm interface and write a new file to /tmp/capture-<count>.pcap file every 3600 seconds.
tcpdump -i any -n port 2404 -w /tmp/capture-%H.pcap -G 3600	Capture packets that are on port 2404 that go through all interfaces and save a new file to /tmp/capture-<count>.pcap every 3600 seconds.

Downloading packet files

If you save your tcpdump files, you need to download them from the WCCLite. This can be achieved by using scp or any software that has scp compatibility, for example: WinSCP, PSCP, FileZilla.

We are going to use scp to download the file.

Open the command terminal on your computer.
Execute command with the location of your packet dump file and directory where to save it. scp root@192.168.1.1:/<dump directory>/<dump name> <directory where to save it>
It will ask for the WCCLite password. Enter the default password - wcclite.
If successful the file will appear in the determined location.

Example of the command.

Files

PuTTy ssh software Download
WinSCP software Download
TCPDump manual
Libpcap Download
Tcpdump Download

Connecting IOMod 16DI to the WCC Lite

Connecting two IOMod 16DI

Configuration Example With Default and Saved Values (Modbus TCP, IEC104)

Signal Delay with Lua

Mathematical Operations With Lua (FW version 1.7)

Cronjob example