Simple TCP Traffic Monitoring

Let’s say you want to monitor devices on your network to see which of them send unencrypted traffic – for instance, devices like a Nest or a Withings scale that you can’t install anything on.

The simplest way to do this is to run a wireless router that uses DD-WRT. The router is the gateway for every device on the LAN, so it sees all of their traffic without any changes to the devices themselves.

First, enable Telnet (note that Telnet sends the root password in the clear over your LAN; DD-WRT also offers SSHd under the same Services page, and the remaining steps are identical over SSH):

Then reboot the router:

You should then be able to telnet into the router:

telnet 192.168.11.1

The username will be “root” and the password will be what you chose above.

From the DD-WRT status page, find the list of connected devices – you’ll want to note the hostname (or IP address) of the device you want to watch:

Then from your telnet session you can show that device’s network traffic by filtering tcpdump’s output on its hostname (-l line-buffers the output so grep sees each packet as it arrives; if nothing shows up, tcpdump is probably listening on the WAN side, where the LAN hostname never appears after NAT, so add -i br0 to capture on the LAN bridge):

tcpdump -l | grep android-21d3

This will then let you see the network traffic:

05:08:30.914035 IP ec2-52-72-46-195.compute-1.amazonaws.com.www > android-21d3bd787d11c058.home.34768: Flags [F.], seq 2005764907, ack 3884437729, win 136, options [nop,nop,TS val 265231201 ecr 8506691], length 0
05:08:30.954946 IP android-21d3bd787d11c058.home.34768 > ec2-52-72-46-195.compute-1.amazonaws.com.www: Flags [.], ack 1, win 505, options [nop,nop,TS val 8512356 ecr 265231201], length 0
05:08:32.108698 IP ec2-107-23-112-131.compute-1.amazonaws.com.https > android-21d3bd787d11c058.home.46161: Flags [P.], seq 199715238:199715269, ack 970139927, win 82, options [nop,nop,TS val 2184533249 ecr 8506780], length 31

Remember that this is only the TCP header summary of each packet, not its payload. It already answers the first question, though: tcpdump resolves port numbers to service names, so a connection to “.www” (port 80) is plain HTTP while “.https” (port 443) is TLS, and the “length” field shows how many payload bytes moved in each direction. To really use this you’ll want to go further and reconstruct the HTTP traffic: capture full packets with tcpdump -s 0 -w capture.pcap, copy the file off the router and use Wireshark’s “Follow TCP Stream”, or use tcpdump -A for a quick look at the payload as ASCII.
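As a worked example of the sorting-out step above, here is a small parser that reads tcpdump’s default one-line-per-packet text output and totals payload bytes per remote endpoint for one device, flagging flows to port 80 as cleartext. This is added example code written for this post, not part of DD-WRT or tcpdump. The first three sample lines are the ones from the capture above; the fourth is a constructed line showing the device pushing 187 bytes to port 80. The device is matched by hostname prefix (as with the grep above), and the cleartext/encrypted split is a port heuristic only: anything on port 80 counts as cleartext, 443 as TLS, and other ports are reported as “other” for you to look at by hand.

```python
import re
from collections import defaultdict

# Service names tcpdump prints (from /etc/services) mapped back to port numbers.
# Extend this if your capture shows other names; unknown names become None.
SERVICE_PORTS = {"www": 80, "http": 80, "https": 443}

# One TCP line of tcpdump's default output, with or without name resolution.
# The greedy host group backtracks to the last '.', which separates host/port.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+)\.(?P<sport>[^\s.]+) > "
    r"(?P<dst>\S+)\.(?P<dport>[^\s.]+): Flags \[(?P<flags>[^\]]*)\].*?length (?P<len>\d+)$"
)

# Sample input: three lines from the capture in this post plus one constructed
# line (the last one) showing the device sending payload to port 80.
SAMPLE = [
    "05:08:30.914035 IP ec2-52-72-46-195.compute-1.amazonaws.com.www > android-21d3bd787d11c058.home.34768: Flags [F.], seq 2005764907, ack 3884437729, win 136, options [nop,nop,TS val 265231201 ecr 8506691], length 0",
    "05:08:30.954946 IP android-21d3bd787d11c058.home.34768 > ec2-52-72-46-195.compute-1.amazonaws.com.www: Flags [.], ack 1, win 505, options [nop,nop,TS val 8512356 ecr 265231201], length 0",
    "05:08:32.108698 IP ec2-107-23-112-131.compute-1.amazonaws.com.https > android-21d3bd787d11c058.home.46161: Flags [P.], seq 199715238:199715269, ack 970139927, win 82, options [nop,nop,TS val 2184533249 ecr 8506780], length 31",
    "05:08:33.001000 IP android-21d3bd787d11c058.home.34790 > ec2-52-72-46-195.compute-1.amazonaws.com.www: Flags [P.], seq 1:188, ack 1, win 505, options [nop,nop,TS val 8512400 ecr 265231300], length 187",
]


def port_number(token):
    """Turn '34768', 'www' or 'https' into an int port (None if unknown name)."""
    if token.isdigit():
        return int(token)
    return SERVICE_PORTS.get(token)


def parse_line(line):
    """Return one TCP packet as a dict, or None for ARP/UDP/other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m["ts"],
        "src": m["src"], "sport": port_number(m["sport"]),
        "dst": m["dst"], "dport": port_number(m["dport"]),
        "flags": m["flags"], "len": int(m["len"]),
    }


def classify(port):
    """Port heuristic only: 80 is assumed plain HTTP, 443 is assumed TLS."""
    if port == 80:
        return "cleartext"
    if port == 443:
        return "encrypted"
    return "other"


def summarize(lines, device):
    """Per remote (host, port): packet count, payload bytes and class, for
    every flow where one endpoint's hostname/IP starts with `device`."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0, "class": None})
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt["src"].startswith(device):
            remote = (pkt["dst"], pkt["dport"])
        elif pkt["dst"].startswith(device):
            remote = (pkt["src"], pkt["sport"])
        else:
            continue                      # packet belongs to some other device
        flow = flows[remote]
        flow["packets"] += 1
        flow["bytes"] += pkt["len"]       # 'length' is TCP payload bytes
        flow["class"] = classify(remote[1])
    return dict(flows)


def cleartext_flows(lines, device):
    """The answer to 'who sends plaintext': remotes that actually carried
    payload bytes on port 80, as (host, port, bytes), sorted by bytes desc."""
    out = [(host, port, f["bytes"])
           for (host, port), f in summarize(lines, device).items()
           if f["class"] == "cleartext" and f["bytes"] > 0]
    return sorted(out, key=lambda t: -t[2])


if __name__ == "__main__":
    # Pipe a saved tcpdump text capture in, or run with no input for the sample.
    import sys
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE
    for host, port, nbytes in cleartext_flows(lines, "android-21d3"):
        print(f"cleartext: {nbytes} payload bytes to {host}:{port}")
```

On the router itself you would run tcpdump -l -n (numeric output keeps the lines short and avoids DNS lookups on a busy box) and feed the text to this script on your workstation; the parser handles both resolved and numeric forms because in both the port is whatever follows the last dot of each endpoint.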