On Mon, Feb 10, 2020 at 10:50 AM Andrew Lunn <andrew at lunn.ch> wrote:
>
> On Mon, Feb 10, 2020 at 09:13:17AM -0600, o1bigtenor wrote:
> > On Mon, Feb 10, 2020 at 7:41 AM Andrew Lunn <andrew at lunn.ch> wrote:
> > >
> > > On Mon, Feb 10, 2020 at 06:48:21AM -0600, o1bigtenor wrote:
> > > > Greetings
> > > >
> > > > I have started monitoring, in a gross kind of way, my internet usage
> > > > starting by using the 24hr graph on my router software (opensource).
> > >
> > > OpenWRT?
> >
> > I wish - - - - still on dd-wrt. (Want to change but that's not as easy to
> > do as it sounds - - - - grin!)
> > >
> > > If so, just install tcpdump. You probably don't have disk space to
> > > save an unfiltered capture file on your router, so from your Linux
> > > desktop, use something like script(1) to log the console, ssh into the
> > > router, and run tcpdump on the WAN port.
> > >
> > > You can then look at the log, and maybe narrow down the
> > > source/destination, or protocol. Run tcpdump with a filter and capture
> > > the frames into a pcap file. If you are worried about disk space, look
> > > at the -c and -C options. Copy the capture off the router and use
> > > wireshark to look at the traffic in more detail.
> > >
> >
> > So wireshark - - - - it lets you see who or what is shipping you info
> > even when you're not at the system?
>
> There are generally two different phases.
>
> 1) Capture frames:
>
>     tcpdump -w frames.pcap
>
> The -w causes it to write the frames to a file, rather than decoding
> them to the console. You can combine that with the usual filters
>
>     tcpdump -w frames.pcap port not 22
>
> will ignore all ssh traffic, etc. You can leave that going
> overnight. Just watch out for filling the disk. With OpenWRT, you could
> plug in a USB stick and mount it, giving you a lot more disk space to
> play with. DD-WRT, I've no idea, never used it.
>
> You have two places you can capture the traffic on the router. I'm
> assuming it is doing NAT to the WAN port? That obfuscates things a bit
> if you capture on the WAN interface. NAT will mean you won't see your
> individual devices' IP addresses, just the router's IP address. You can
> also capture on the LAN side. But depending on the setup, you might
> see lots of internal LAN traffic which is not heading out to the
> Internet. LAN to WIFI traffic. You can get tcpdump to do some
> filtering. The man page suggests:
>
>     To print traffic neither sourced from nor destined for local
>     hosts (if you gateway to one other net, this stuff should never
>     make it onto your local net).
>
>     tcpdump ip and not net localnet

To here I thought I was understanding what you were talking about.

>
> How well do you have your local IP addresses under control? Does your
> DHCP server just have a pool and gives out addresses from that? Or
> have you got it configured to give out specific IP addresses for
> configured MAC addresses?

Now I'm thinking the bright shiny Maserati just blew by me - - - - grin!
This is what I'm trying to learn. I think I'm a few steps behind what
you're talking about here.

Any suggestions as to some pages for studying and learning and
implementing own DHCP and monitoring local IP addys etc?

>
> 2) Analyse the frames. Grab the file of captured frames and let
> wireshark decode it. You can then look at the traffic, figure out what
> source/sink is. Depending on your dhcp/dns setup, it should be able to
> give you hostnames, not IP addresses.
>

I think I have some things to work on before I'm at this step.

Thanking you muchly for your advice and encouragement. (I do want to learn
this stuff - - - - just don't know where to start nor a good plan for this
either!)

Regards
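
A small summary of the "analyse the frames" phase, added here as an example and not part of the original thread: it reads a capture written by `tcpdump -w frames.pcap` on the LAN side and totals bytes per Internet-side address, skipping LAN-to-LAN frames. The 192.168.1.0/24 range, the function names and the sample frames are assumptions constructed for the demo.

```python
import ipaddress
import struct
from collections import Counter

LOCALNET = ipaddress.ip_network("192.168.1.0/24")  # assumption: your LAN range

def remote_byte_counts(pcap, localnet=LOCALNET):
    """Sum on-the-wire bytes per Internet-side IPv4 address in a classic pcap."""
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic (microsecond) pcap file")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet captures are handled here")
    totals, off = Counter(), 24
    while off + 16 <= len(pcap):
        _sec, _usec, caplen, wirelen = struct.unpack(end + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # truncated by snaplen, or not IPv4 (ARP, IPv6, ...)
        src = ipaddress.ip_address(frame[26:30])
        dst = ipaddress.ip_address(frame[30:34])
        if (src in localnet) == (dst in localnet):
            continue  # LAN-to-LAN (or neither side local): not our Internet usage
        remote = dst if src in localnet else src
        if not remote.is_multicast:
            totals[str(remote)] += wirelen
    return totals

def sample_pcap():
    """Constructed four-frame capture for the demo; not real traffic."""
    def rec(src, dst, wirelen):
        data = (b"\x02" * 12 + b"\x08\x00" + bytes(12)
                + ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed)
        return struct.pack("<IIII", 0, 0, len(data), wirelen) + data
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return (hdr + rec("192.168.1.20", "203.0.113.7", 1500)
            + rec("203.0.113.7", "192.168.1.20", 1400)
            + rec("192.168.1.20", "192.168.1.30", 800)
            + rec("192.168.1.21", "198.51.100.9", 60))

if __name__ == "__main__":
    # To use on a real capture: remote_byte_counts(open("frames.pcap", "rb").read())
    for addr, nbytes in remote_byte_counts(sample_pcap()).most_common():
        print(f"{addr:15} {nbytes:8d} bytes")
```

On a capture taken on the WAN interface behind NAT, every local address is the router's own, so set the local range to that single address instead.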