Sniff iPhone traffic using Tomato router firmware
I had a need recently to sniff traffic going to an iPhone at home. Nothing nefarious; just trying to figure out why iCloud backup was not working. Anyhow, a decent (and secure) wifi router would typically only send data to the destination hardware address, meaning I could not see the iPhone’s traffic using tcpdump or Wireshark. In effect what I wanted to do is set up a SPAN port in the Tomoto wifi world. Here’s how I did it…
Enable the ipt_ROUTE module:
1 | /sbin/modprobe ipt_ROUTE |
If this doesn’t work upgrade your firmware to something more recent.
Forward the traffic:
1 | iptables -A PREROUTING -t mangle -d iptomirror -j ROUTE --gw iptosendto --tee |
Replace iptomirror
with the IP of the iPhone/wifi device you wish to listen to. Replace iptosendto
with the IP of the computer running tcpdump/Wireshark. The above 4 commands leverage the --tee
option provided by the ipt_ROUTE kernel module and will:
- Find any packet with source/destination IP of iptomirror, then
- Duplicate both of these classes of packets packet and send a copy to iptosendto
These commands should do the trick to sniff traffic not just for iPhones, but for any device on connected to a Tomato router (and possibly DD-WRT, but I haven’t tried). If you’re having problems double check the ipt_ROUTE module is loaded:
1 | lsmod | grep ipt |
And check your rules made it into the mangle tables:
1 | iptables -L -t mangle |
You should see your entries in the PREROUTING and POSTROUTING chains.
To stop the mirroring, either reboot the router or remove the entries from the chains using the same commands as creating, but replace -A (add) with -D (delete):
1 | iptables -D PREROUTING -t mangle -d iptomirror -j ROUTE --gw iptosendto --tee |
Feel free to comment below if you’re having problems, otherwise happy spying… ahem… troubleshooting!