Become Really Paranoid By Monitoring Your Network’s Comings & Goings With WallWatcher & DD-WRT

If you have access to your router, and it’s able to log activity, it’s relatively easy to watch everything that’s going on to try to find any untoward activity. Today I’d like to show you how to set that up on your DD-WRT router with some Windows-only software called WallWatcher (OS X users – you can still use this network traffic monitor software in a Parallels virtual machine just fine).

Requirements

MSVBM50.exe available from Microsoft.
The WallWatcher library files.
The WallWatcher app.
A router with DD-WRT or similar that allows remote logging.

Installing & Configuring

Download and install the VB runtime files from Microsoft first. If you can’t find the download link, check out the following screenshot of the download page.


Next, create a new folder called WallWatcher and extract the contents of both of the zip files you downloaded into the root of that folder. Run setup.exe when you’re done. If the coloured boxes on the right at the bottom of the page are all blue, click install to continue. If some have errors, make sure you check the box that says install and register library files (OCX). Windows 7 users should have no issues though.

You should now find an icon on your desktop.

Next up, log in to your router to configure that side of things. On the security tab, find the section labelled Log Management, and enable it at a high level. Under the options section, enable each setting too. Save and apply the settings.


Then, under the Services menu, scroll down to System Log and click to Enable. In the box labelled Remote Server, enter the IP address of your Windows machine.

If you don’t know your IP address, the easiest way to find out is to open a command prompt and type ipconfig. With default DD-WRT addressing, you should see an address of the form 192.168.1.??? (where the last number is not 1). Copy and paste that number, then hit Apply.

Back to WallWatcher. Open it up and check the box for auto-select. It should be able to figure out what your router is automatically. If you want to enter the details manually, IP Tables is the setting for a generic DD-WRT flashed router, and the LAN address will be that of your router (192.168.1.1 by default), with 514 as the port number.

Next, click over to the Logging tab and ensure the Convert IP Addrs to URL’s option is enabled, along with OK to use NetBios 137. This will ensure you can at least see some meaningful URLs in the log instead of the actual IP address of the website.

Click OK and you’ll be taken to the log. You should see a bunch of messages coming onscreen right now showing your entire traffic breakdown on the network. Since it can be a bit overwhelming, I found it better to go back to the Options->Logging screen and disable everything except outbound traffic.

I had problems fully identifying URLs from the IP because I’m running DD-WRT as a sub-router in my network. If you’re having issues too, make sure that port 137 is open and forwarding correctly on your main router, as this is used to look up the URLs.


Conclusion

Using this method to watch everything going on on your network is guaranteed to make you quite paranoid. The fact that so many packets go whizzing in and out from all over the place might seem alarming, but the truth is that by loading just one website you are likely making many requests to many different IPs in order to pull in external resources such as images, javascripts, and advertising banners. It’s a good way to see if someone else is on the network as it shows originating IP too.
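The same check for an unfamiliar originating IP can be run over the raw log lines the router sends. The following is an added example, not part of WallWatcher or the original article: the sample lines are constructed in the iptables LOG key=value layout, and the function names and the known-device list are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines (documentation-range addresses), iptables LOG layout.
SAMPLE_LOG = """\
<14>kernel: ACCEPT IN=br0 OUT=vlan2 SRC=192.168.1.101 DST=192.0.2.10 LEN=60 TTL=63 PROTO=TCP SPT=51514 DPT=443
<14>kernel: ACCEPT IN=br0 OUT=vlan2 SRC=192.168.1.101 DST=198.51.100.7 LEN=60 TTL=63 PROTO=TCP SPT=51520 DPT=80
<14>kernel: ACCEPT IN=br0 OUT=vlan2 SRC=192.168.1.137 DST=203.0.113.9 LEN=76 TTL=63 PROTO=UDP SPT=40000 DPT=53
<14>kernel: DROP IN=vlan2 OUT= SRC=203.0.113.50 DST=192.168.1.1 LEN=40 TTL=240 PROTO=TCP SPT=4444 DPT=23
<14>kernel: not a firewall line
"""

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")
LAN = ipaddress.ip_network("192.168.1.0/24")  # default DD-WRT addressing, per the article

def parse_line(line):
    """Return (fields, is_outbound) for a firewall line, or None if unparsable."""
    fields = dict(FIELD_RE.findall(line))
    try:
        src = ipaddress.ip_address(fields["SRC"])
        dst = ipaddress.ip_address(fields["DST"])
    except (KeyError, ValueError):
        return None  # not a firewall entry, or a malformed address
    return fields, (src in LAN and dst not in LAN)

def outbound_by_source(log_text):
    """Map each LAN source IP to the set of (dst, proto, dport) it contacted."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[1]:
            f = parsed[0]
            seen[f["SRC"]].add((f["DST"], f.get("PROTO", ""), f.get("DPT", "")))
    return dict(seen)

def unknown_sources(log_text, known_devices):
    """LAN addresses that sent outbound traffic but are not in known_devices."""
    return sorted(set(outbound_by_source(log_text)) - set(known_devices))

if __name__ == "__main__":
    known = {"192.168.1.101": "laptop"}  # hypothetical inventory of your own devices
    for ip in unknown_sources(SAMPLE_LOG, known):
        print("unrecognised LAN device:", ip, outbound_by_source(SAMPLE_LOG)[ip])
```
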

But now what? Do you want to get your own back and figure out who they actually are? Stay tuned – in a few weeks’ time I’ll be looking at some downright dirty tools that can show you exactly what they’re looking at, and even grab some website logins they might be using. We also covered great portable network analysis tools last year.

In the meantime, if you’ve seen something that worries you or a strange originating IP address you didn’t know was active on your network, why not ask for help in the MakeUseOf support community right here?

Comments (6)
  • Vishwanath

    Thanks for the post James. I could not see the log management on my Dlink dir-600M router.

    Could you please help!

  • Danial

    First off, thank you for providing this information and taking that time out of your day to help us trying to achieve system logging.

    I have this all set up thanks to your nice tutorial. However, I am trying to monitor which sites my children are visiting and I cannot get that info (or it is over my head.) I get logs, but when I try to go to that address or even look it up, I get nothing. Is there a way to have it show the site visited? For instance, if I type in http://www.aol.com, I would like the log to show www.aol.com. I have a 13 year old boy and I fear what him and his friend may be looking up when he stays the night…

    I am running a netgear r6300 with dd-wrt and wallwatcher if you need such info.

    • James Bruce

      Apologies Danial, I don’t even remember writing this article. I would suggest the Wallwatcher documentation or support forums – if it’s not recording anything, it probably isn’t set up right.

  • Hplsicpt

    Firesheep?

    • James Bruce

      Is that a question, or..? A suggestion for how to get your own back on network thieves perhaps?

      I found FireSheep sucks personally. I’ve tested it extensively, and it was able to pick up very few passwords. On my local network with lots of clients, I could only get it to pick up a single password when using Safari; all other browser interactions remained undetected. Most websites it was designed to be used with are forced into secure HTTP by default now too, mitigating the attack further.

Affiliate Disclaimer

This review may contain affiliate links, which pays us a small compensation if you do decide to make a purchase based on our recommendation. Our judgement is in no way biased, and our recommendations are always based on the merits of the items.

For more details, please read our disclosure.