EdgeRouter Wireshark capture
16 Jul 2019
Ettore Dreucci
2 minute read

[recipe, troubleshooting, netadmin]: How to capture and inspect packet flow in an EdgeRouter with Wireshark

Background

Some days ago I was troubleshooting a “slowness” issue with a procedure in a proprietary accounting application. That procedure connects to a remote server holding invoices, checks which of them have already been synced, and downloads the rest. An invoice is only a handful of kB and there were no more than a few hundred to check, so even on a mediocre uplink the whole thing should have taken barely a minute. Instead it took roughly twenty minutes to complete.

So here I am, trying at least to narrow down the possible causes: is it a local networking issue or a routing issue? To check those possibilities I needed to capture and inspect, in real time, the packet flow in and out of the EdgeRouter. Luckily all Ubiquiti gear runs on Linux, so the usual handy tools such as tcpdump are available!

Network traffic analysis

with a *nix workstation

Now, assuming that SSH access to the EdgeRouter is already configured and available, we can combine tcpdump, a pipe and Wireshark to capture the traffic:

ssh root@10.1.0.1 'sudo tcpdump -n -i eth0 -w - -U not port 22' | wireshark -k -i -

Let’s walk through the various options:

  • tcpdump:
    • -n don’t convert addresses to names
    • -i eth0 specify which network interface to sniff on
    • -w - write the raw packets to standard output instead of a file; by default that output is block-buffered, which is why the next option is needed
    • -U make the output “packet-buffered”, so that each packet is written to the output as soon as it is saved instead of waiting for a full buffer
    • not port 22 capture filter expression that excludes the traffic generated by the ssh session itself (otherwise the capture would contain its own transfer)
  • wireshark:
    • -k start capturing immediately
    • -i - set the capture interface to standard input
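The same pipeline, wrapped in a small POSIX sh script so it can be reused (added example, not part of the original post). It builds the remote tcpdump command from variables, always excludes the ssh port so the capture does not fill up with its own bytes, tees a timestamped copy to disk while Wireshark reads the live stream, and offers a check that the saved file really starts with a pcap header. The router address 10.1.0.1, user root, interface eth0 and capture directory are assumed placeholders; the script relies on key-based SSH login rather than a password on the command line.

```shell
#!/bin/sh
# Added example (not from the original post): reusable wrapper around
#   ssh router 'tcpdump -w -' | tee capture.pcap | wireshark -k -i -
# Assumed values (placeholders): router 10.1.0.1, user root, interface eth0.

ROUTER="${ROUTER:-10.1.0.1}"
ROUTER_USER="${ROUTER_USER:-root}"
SSH_PORT="${SSH_PORT:-22}"
IFACE="${IFACE:-eth0}"
CAPTURE_DIR="${CAPTURE_DIR:-$HOME/captures}"

# Build the tcpdump command that runs on the router. The ssh session's own
# port is always excluded; an optional extra BPF expression (e.g. a host or
# port of interest) is ANDed with that exclusion.
build_remote_cmd() {
    iface="$1"
    ssh_port="$2"
    extra="$3"
    filter="not port $ssh_port"
    if [ -n "$extra" ]; then
        filter="$filter and ($extra)"
    fi
    printf "sudo tcpdump -n -i %s -w - -U '%s'" "$iface" "$filter"
}

# Check that a file starts with a pcap magic number (either byte order,
# microsecond or nanosecond timestamps). Handy when Wireshark was closed
# early and you want to know whether the tee'd copy is a usable capture.
pcap_header_ok() {
    magic="$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')"
    case "$magic" in
        d4c3b2a1|a1b2c3d4|4d3cb2a1|a1b23c4d) return 0 ;;
        *) return 1 ;;
    esac
}

# Run the live capture: packets stream to Wireshark and, via tee, into a
# timestamped file so the session can be re-opened or shared afterwards.
run_capture() {
    extra="$1"
    mkdir -p "$CAPTURE_DIR"
    out="$CAPTURE_DIR/$ROUTER-$(date +%Y%m%d-%H%M%S).pcap"
    remote="$(build_remote_cmd "$IFACE" "$SSH_PORT" "$extra")"
    ssh -p "$SSH_PORT" "$ROUTER_USER@$ROUTER" "$remote" \
        | tee "$out" \
        | wireshark -k -i -
    echo "capture saved to $out"
    pcap_header_ok "$out" || echo "warning: $out does not look like a pcap file"
}

# Only start a capture when asked to, so the file can also be sourced for
# its helper functions. Usage:  ./capture.sh --run 'host 10.1.0.50'
if [ "${1:-}" = "--run" ]; then
    shift
    run_capture "$*"
fi
```

The extra filter is passed as a single quoted argument, so `./capture.sh --run 'host 10.1.0.50 and tcp port 443'` narrows the remote capture before any bytes cross the uplink, which matters on a slow link where the capture itself would otherwise compete with the traffic being diagnosed.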

with a Windows workstation

If instead of a unix machine you have to use a Windows OS, you can use the plink utility (from the PuTTY suite) to establish the ssh connection:

plink.exe -batch -l root -pw abc123 -P 22 10.1.0.1 "sudo tcpdump -n -i eth0 -w - -U not port 22" | "C:\Program Files\Wireshark\Wireshark.exe" -k -i -

  • plink:
    • -batch disable all interactive prompts (plink aborts instead of waiting for input, e.g. on an unknown host key)
    • -l connect with the specified username
    • -pw log in with the specified password
    • -P specify the port to use for the connection

END.