How to monitor network traffic on my USG via Wireshark

Mon, 28 Aug 2023 00:00:00 +0000

I’m currently trying to figure out some internal network issues¹ and for that need to monitor the traffic of a specific device on my network. I’m using a Unifi USG as my router (behind the ISP’s Fritzbox that I consider hostile since it’s not mine). I found this post on reddit that explains how to capture traffic on the USG via tcpdump and send it through the SSH session to Wireshark on my laptop:

ssh admin@192.168.1.1 'sudo tcpdump -f -i eth1 -w - src 192.168.1.12' | wireshark -k -i -

I could confirm that this works and created a small script to make it easier to use by throwing this into ~/.local/bin/gatedump²:

#!/bin/bash

ARGS="$@"
TCPDUMP="sudo tcpdump -f -w - $ARGS"

ssh usg "$TCPDUMP" | wireshark -k -i -

This now allows me to easily run tcpdump remotely with custom arguments, e.g. gatedump -i eth1 host 192.168.1.123, and have it fire up Wireshark automatically. Wish me luck I’ll now be able to figure out what’s going on on my network, because it’s driving me up the wall.

Update from 2023-12-06: In case you are wondering how this story ended, the issue resolved itself with the next OS update of my partner’s iPhone. So whatever caused it, it’s gone now, and I hope for good.

The iPhone of my partner seems to do something that makes my ISP’s router freak out and drop packets every couple of minutes. No issue when he’s not here or doesn’t have it connected to the WiFi, immediate packet loss when it’s on the WiFi. It started at the start of this month and we are both currently out of explanations. ↩︎
ssh usg does automatically use the correct host, port and user thanks to an entry in ~/.ssh/config. ↩︎

About SSH escape sequences

Wed, 22 Mar 2023 00:00:00 +0000

OpenSSH’s ssh command supports a bunch of escape sequences while a session is running, by default triggered by the ~ character. According to man ssh a list of available commands can be requested with ~?. And indeed, hitting ~? within an open SSH session prints some helpful information:

$ ~?
Supported escape sequences:
 ~.   - terminate connection (and any multiplexed sessions)
 ~B   - send a BREAK to the remote system
 ~C   - open a command line
 ~R   - request rekey
 ~V/v - decrease/increase verbosity (LogLevel)
 ~^Z  - suspend ssh
 ~#   - list forwarded connections
 ~&   - background ssh (when waiting for connections to terminate)
 ~?   - this message
 ~~   - send the escape character by typing it twice
(Note that escapes are only recognized immediately after newline.)

I most commonly require ~. to disconnect from a broken SSH session (e.g. something I still had open on my laptop when I sent it to sleep).

The command line opened via ~C is quite interesting as well, as it allows configuration of port forwards on the fly, while the session is already running:

ssh> help
Commands:
      -L[bind_address:]port:host:hostport    Request local forward
      -R[bind_address:]port:host:hostport    Request remote forward
      -D[bind_address:]port                  Request dynamic forward
      -KL[bind_address:]port                 Cancel local forward
      -KR[bind_address:]port                 Cancel remote forward
      -KD[bind_address:]port                 Cancel dynamic forward

This is once again a “TIL” that I didn’t actually learn about only today, but I keep forgetting about it and then need to frantically google whenever I need it. I hope this way I’ll finally remember this stuff 😅

ssh on foosel.net

How to monitor network traffic on my USG via Wireshark

About SSH escape sequences