Become Really Paranoid By Monitoring Your Network’s Comings & Goings With WallWatcher & DD-WRT

If you have access to your router, and it’s able to log activity, it’s relatively easy to watch everything that’s going on to try to find any untoward activity. Today I’d like to show you how to set that up on your DD-WRT router and some Windows-only software called WallWatcher (OSX users – you can still use this network traffic monitor software in a Parallels virtual machine just fine).

Requirements

MSVBVM50.exe, available from Microsoft.
The WallWatcher library files.
The WallWatcher app.
A router with DD-WRT or similar that allows remote logging.

Installing & Configuring

Download and install the VB runtime files from Microsoft first. If you can’t find the download link, check out the following screenshot of the download page.

Next, create a new folder called WallWatcher and extract the contents of both of the zip files you downloaded into the root of that folder. Run setup.exe when you’re done. If the coloured boxes on the right at the bottom of the page are all blue, click install to continue. If some have errors, make sure you check the box that says install and register library files (OCX). Windows 7 users should have no issues though.

You should now find an icon on your desktop.

Next up, log in to your router to configure that side of things. On the security tab, find the section labelled Log Management, and enable it at a high level. Under the options section, enable each setting too. Save and apply the settings.

Then, under the Services menu, scroll down to System Log and click to Enable. In the box labelled Remote Server, enter the IP address of your Windows machine.

If you don’t know your IP address, the easiest way to find out is to open a command prompt and type ipconfig. With default DD-WRT addressing, you should see an address of the form 192.168.1.???, where the last number is anything but 1 (192.168.1.1 is the router itself). Copy and paste that address, then hit Apply.

Back to WallWatcher. Open it up and check the box for auto-select. It should be able to figure out what your router is automatically. If you want to enter the details manually, IP Tables is the setting for a generic DD-WRT flashed router, and the LAN address will be your router (192.168.1.1 by default), with 514 as the port number.

Next, click over to the Logging tab and ensure that Convert IP Addrs to URL’s is enabled, along with OK to use NetBios 137. This will ensure you can at least see some meaningful URLs in the log instead of the actual IP address of the website.

Click OK and you’ll be taken to the log. You should see a bunch of messages coming onscreen right now showing your entire traffic breakdown on the network. Since it can be a bit overwhelming, I found it better to go back to the Options->Logging screen and disable everything except outbound traffic.

I had problems fully identifying URLs from the IP because I’m running DD-WRT as a sub-router in my network. If you’re having issues too, make sure that port 137 is open and forwarding correctly on your main router, as this is used to look up the URLs.

Conclusion

Using this method to watch everything going on on your network is guaranteed to make you quite paranoid. The fact that so many packets go whizzing in and out from all over the place might seem alarming, but the truth is that by loading just one website you are likely making many requests to many different IPs in order to pull in external resources such as images, javascripts, and advertising banners. It’s a good way to see if someone else is on the network as it shows originating IP too.
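The outbound-only view and the originating-IP check described above can also be scripted over saved router log lines. This is an added example, not part of the original article or of WallWatcher; the log lines are constructed in the Linux netfilter LOG key=value style, and the ACCEPT/DROP prefixes, interface names and the KNOWN_HOSTS inventory are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in the netfilter LOG key=value style; the
# ACCEPT/DROP prefixes and interface names are assumptions, not captured output.
SAMPLE_LOG = """\
<14>kernel: ACCEPT IN=br0 OUT=vlan1 SRC=192.168.1.101 DST=203.0.113.10 LEN=60 TTL=63 PROTO=TCP SPT=50112 DPT=443
<14>kernel: ACCEPT IN=br0 OUT=vlan1 SRC=192.168.1.101 DST=203.0.113.25 LEN=60 TTL=63 PROTO=TCP SPT=50113 DPT=80
<14>kernel: ACCEPT IN=br0 OUT=vlan1 SRC=192.168.1.137 DST=198.51.100.7 LEN=76 TTL=63 PROTO=UDP SPT=40000 DPT=53
<14>kernel: DROP IN=vlan1 OUT= SRC=198.51.100.99 DST=192.168.1.1 LEN=40 TTL=241 PROTO=TCP SPT=443 DPT=23
<14>kernel: ACCEPT IN=br0 OUT=vlan1 SRC=192.168.1.102 DST=203.0.113.10 LEN=60
garbage line that is not a firewall record
"""

LAN = ipaddress.ip_network("192.168.1.0/24")      # default DD-WRT LAN from the article
KNOWN_HOSTS = {"192.168.1.101", "192.168.1.102"}  # hypothetical device inventory

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")

def parse_line(line):
    """Return the key=value fields of one record, or None if SRC/DST are missing or invalid."""
    fields = dict(FIELD.findall(line))
    try:
        fields["SRC"] = ipaddress.ip_address(fields["SRC"])
        fields["DST"] = ipaddress.ip_address(fields["DST"])
    except (KeyError, ValueError):
        return None
    return fields

def outbound_by_source(log_text, lan=LAN):
    """Map each LAN source IP to the set of (dst, proto, dport) it contacted outside the LAN."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["SRC"] in lan and rec["DST"] not in lan:
            seen[str(rec["SRC"])].add((str(rec["DST"]), rec.get("PROTO", "?"), rec.get("DPT", "?")))
    return dict(seen)

def unknown_sources(log_text, known=KNOWN_HOSTS):
    """LAN addresses that sent outbound traffic but are not in the inventory."""
    return sorted(set(outbound_by_source(log_text)) - set(known))

if __name__ == "__main__":
    for src, dests in sorted(outbound_by_source(SAMPLE_LOG).items()):
        print(src, sorted(dests))
    print("not in inventory:", unknown_sources(SAMPLE_LOG))
```

Replace KNOWN_HOSTS with the addresses your own devices hold; with DHCP those can change, so an inventory keyed on reserved leases is more reliable.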

But now what? Do you want to get your own back and figure out who they actually are? Stay tuned – in a few weeks’ time I’ll be looking at some downright dirty tools that can show you exactly what they’re looking at, and even grab some website logins they might be using. We also covered great portable network analysis tools last year.

In the meantime, if you’ve seen something that worries you or a strange originating IP address you didn’t know was active on your network, why not ask for help in the MakeUseOf support community right here?

2 Comments

Hplsicpt

Firesheep?

James Bruce

Is that a question, or..? A suggestion for how to get your own back on network thieves perhaps?

I found FireSheep sucks personally. I’ve tested it extensively, and it was able to pick up very few passwords. On my local network with lots of clients, I could only get it to pick up a single password when using Safari, all other browser interactions remained undetected. Most websites it was designed to be used with are now forced into secure HTTP by default now too, mitigating the attack further.