On Mon, Feb 10, 2020 at 09:13:17AM -0600, o1bigtenor wrote:
> On Mon, Feb 10, 2020 at 7:41 AM Andrew Lunn <andrew at lunn.ch> wrote:
> >
> > On Mon, Feb 10, 2020 at 06:48:21AM -0600, o1bigtenor wrote:
> > > Greetings
> > >
> > > I have started monitoring, in a gross kind of way, my internet usage
> > > starting by using the 24hr graph on my router software (opensource).
> >
> > OpenWRT?
>
> I wish - - - - still on dd-wrt. (Want to change but that's not as easy to
> do as it sounds - - - - grin!)
>
> > If so, just install tcpdump. You probably don't have disk space to
> > save an unfiltered capture file on your router, so from your Linux
> > desktop, use something like script(1) to log the console, ssh into the
> > router, and run tcpdump on the WAN port.
> >
> > You can then look at the log, and maybe narrow down the
> > source/destination, or protocol. Run tcpdump with a filter and capture
> > the frames into a pcap file. If you are worried about disk space, look
> > at the -c and -C options. Copy the capture off the router and use
> > wireshark to look at the traffic in more detail.
> >
>
> So wireshark - - - - it lets you see who or what is shipping you info
> even when you're not at the system?

There are generally two different phases.

1) Capture frames:

    tcpdump -w frames.pcap

The -w causes it to write the frames to a file, rather than decoding
them to the console. You can combine that with the usual filters:

    tcpdump -w frames.pcap not port 22

will ignore all ssh traffic, etc.

You can leave that going over night. Just watch out for filling the
disk. With OpenWRT, you could plug in a USB stick and mount it, giving
you a lot more disk space to play with. DD-WRT, I've no idea, never
used it.

You have two places you can capture the traffic on the router. I'm
assuming it is doing NAT to the WAN port? That obfuscates things a bit
if you capture on the WAN interface. NAT will mean you won't see your
individual devices' IP addresses, just the router's IP address.

You can also capture on the LAN side. But depending on the setup, you
might see lots of internal LAN traffic which is not heading out to the
Internet. LAN to WIFI traffic. You can get tcpdump to do some
filtering. The man page suggests:

    To print traffic neither sourced from nor destined for local hosts
    (if you gateway to one other net, this stuff should never make it
    onto your local net).

        tcpdump ip and not net localnet

How well do you have your local IP addresses under control? Does your
DHCP server just have a pool and give out addresses from that? Or have
you got it configured to give out specific IP addresses for configured
MAC addresses?

2) Analyse the frames.

Grab the file of captured frames and let wireshark decode it. You can
then look at the traffic and figure out what the source/sink is.
Depending on your dhcp/dns setup, it should be able to give you
hostnames, not IP addresses.

	Andrew
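As an added example (not part of this thread), a small Python script that does the second phase without wireshark: it parses a classic pcap file of the kind `tcpdump -w` writes, sums captured bytes per source/destination/protocol, and then drops LAN-to-LAN flows the way the `ip and not net localnet` filter would, so only Internet-bound talkers remain. The sample capture, the 192.168.1.0/24 prefix and all addresses in it are constructed assumptions.

```python
import ipaddress
import socket
import struct
from collections import Counter

PCAP_MAGIC = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}  # file magic -> byte order it was written in

def ipv4_frame(src, dst, proto, payload=b""):
    """Constructed Ethernet II frame carrying a minimal IPv4 header (checksum left 0)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return bytes(12) + b"\x08\x00" + ip + payload

def build_pcap(frames):
    """Constructed classic pcap (link type 1 = Ethernet), the format tcpdump -w produces."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for ts, frame in enumerate(frames):
        out.append(struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame)
    return b"".join(out)

def talkers(pcap):
    """Sum captured bytes per (src, dst, ip_proto) over the IPv4 frames in a pcap file."""
    order = PCAP_MAGIC.get(struct.unpack_from("<I", pcap, 0)[0])
    if order is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack_from(order + "I", pcap, 20)[0] != 1:
        raise ValueError("expected Ethernet link type")
    counts, off = Counter(), 24
    while off + 16 <= len(pcap):
        incl = struct.unpack_from(order + "IIII", pcap, off)[2]  # bytes actually captured
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # ARP, IPv6, etc.: not IPv4, skip
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        counts[(src, dst, frame[23])] += incl
    return counts

def leaving_lan(counts, lan="192.168.1.0/24"):
    """Drop LAN-to-LAN flows (the 'ip and not net localnet' idea); lan is an assumed prefix."""
    net = ipaddress.ip_network(lan)
    def inside(addr):
        return ipaddress.ip_address(addr) in net
    return Counter({k: v for k, v in counts.items() if not (inside(k[0]) and inside(k[1]))})

SAMPLE = build_pcap([                                            # constructed capture
    ipv4_frame("192.168.1.20", "203.0.113.5", 6, b"x" * 100),   # desktop -> Internet host (TCP)
    ipv4_frame("192.168.1.20", "203.0.113.5", 6, b"x" * 300),
    ipv4_frame("192.168.1.20", "192.168.1.30", 17, b"y" * 50),  # LAN-only chatter (UDP)
    bytes(12) + b"\x08\x06" + bytes(28),                        # ARP, not IPv4
])
```

`leaving_lan(talkers(SAMPLE)).most_common()` lists the Internet-bound flows by volume; on a WAN-side capture behind NAT every entry will show the router's address as source, which is the obfuscation mentioned above.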