Network Monitoring with WallWatcher & DD-WRT - Stay Secure

Monitoring Network Activity with DD-WRT and WallWatcher
Gaining access to your router's logging capabilities, if available, allows for straightforward monitoring of network traffic. This can be a valuable method for identifying potentially suspicious activity.
This guide details the process of configuring activity logging on a DD-WRT router. We will also explore the use of WallWatcher, a software application designed for Windows, to analyze this data.
Setting Up Logging on Your DD-WRT Router
If your router supports activity logging, enabling it is the first step towards enhanced network security. This feature records events occurring on your network, providing a historical record for analysis.
Introducing WallWatcher
WallWatcher is a Windows-based software solution specifically designed to interpret router logs. It presents the information in a user-friendly format, making it easier to detect anomalies.
For users of macOS, WallWatcher can be effectively utilized within a virtual machine environment like Parallels. This allows access to the software’s functionality without requiring a Windows installation directly on the host machine.
The combination of DD-WRT’s logging features and WallWatcher’s analytical capabilities provides a robust system for monitoring network activity and identifying potential security threats.
By leveraging these tools, you can proactively observe network traffic and address any unusual patterns that may emerge.
Prerequisites
The Msvbvm50.exe file (the Visual Basic 5.0 runtime installer) can be obtained directly from Microsoft's website.
Ensure you have access to the necessary WallWatcher library files.
The WallWatcher application itself must also be downloaded and installed.
A router supporting DD-WRT firmware, or an equivalent system enabling remote logging capabilities, is required for full functionality.
Essential Components
Successful operation depends on having the Msvbvm50.exe runtime component installed.
The WallWatcher application relies on its associated library files to function correctly.
The core of the system is the WallWatcher application, which processes the logged data.
Remote logging functionality, provided by a DD-WRT-enabled router, is crucial for data collection.
Software Dependencies
- Msvbvm50.exe: A Microsoft-provided executable.
- WallWatcher Library Files: Supporting files for the application.
- WallWatcher Application: The primary software component.
Hardware Requirements
A router capable of running DD-WRT or a similar firmware is necessary.
This router must support the configuration of remote logging to a central server.
The router's ability to forward logs is a key requirement.
Setting Up the Environment
Download and install Msvbvm50.exe following Microsoft’s instructions.
Locate and install the WallWatcher library files in the designated application directory.
Install the WallWatcher application, ensuring all dependencies are met.
Configure your router with DD-WRT and enable remote logging, specifying the appropriate server address.
Installation and Configuration Process
Initially, the necessary VB runtime files must be downloaded and installed from Microsoft. Should locating the download link prove difficult, refer to the accompanying screenshot of the download webpage for assistance.

Following this, a new folder named WallWatcher should be created. Extract the contents of both downloaded zip files into the root directory of this newly created folder. Subsequently, execute the setup.exe file.
If the colored boxes displayed at the bottom of the page are all illuminated in blue, proceed by clicking install to continue the setup. However, if errors are present in some of the boxes, ensure that the option to install and register library files (OCX) is selected. Users of Windows 7 generally should not encounter any issues.

An icon for the application should now be visible on your desktop.
The next step involves accessing your router’s configuration interface. Navigate to the Security tab and locate the Log Management section, enabling it at a sufficiently high logging level. Also, activate each setting within the Options section. Remember to save and apply these changes.

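Then, within the Services menu, scroll down to the System Log option and click to Enable it. In the field labeled Remote Server, input the IP address of your Windows computer. The router forwards its log to that address as syslog messages over UDP port 514 (the port entered in WallWatcher below), so any firewall on the Windows computer must allow inbound UDP 514.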

If your IP address is unknown, the simplest method to determine it is to open a command prompt and type ipconfig. With standard DD-WRT addressing schemes, you should observe an address of the form 192.168.1.x, where x is anything other than 1 (192.168.1.1 is normally the router itself). Copy this number into the Remote Server field and then click Apply.

Returning to WallWatcher, open the application and check the box for auto-select. The program should then be capable of automatically identifying your router. Alternatively, you can manually enter the details; for a generic DD-WRT flashed router, select IP Tables, and use your router’s LAN address (typically 192.168.1.1) with port 514.

Next, navigate to the Logging tab and ensure that both Convert IP Addrs to URL’s and OK to use NetBios 137 are enabled. This will allow for the display of more understandable URLs in the log, rather than just the raw IP addresses of websites.

Click OK to access the log. You should now observe a stream of messages appearing, representing a breakdown of your network traffic. Given the potential for this to be overwhelming, it may be beneficial to return to the Options->Logging screen and disable all logging except for outbound traffic.

Difficulties in fully resolving URLs from IP addresses may arise if DD-WRT is being used as a sub-router within your network. If you encounter such issues, verify that port 137 is open and correctly forwarding on your primary router, as this port is utilized for URL lookups.

Understanding Network Activity
Employing a technique to monitor all network traffic can understandably lead to a heightened sense of caution. The sheer volume of data packets constantly flowing to and from various sources might initially appear concerning.
However, it’s important to recognize that even a single website visit often involves numerous requests to different IP addresses. This is due to the need to load external elements like images, scripts, and advertisements.
Identifying Network Users
This method proves valuable for detecting other devices connected to the network, as it displays the originating IP address of each connection.
Network analysis provides insight into who is actively using the network resources.
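To make the outbound-only view and the per-device breakdown concrete, here is an added Python example (not part of the original article and not WallWatcher's code) that parses firewall log messages, groups accepted outbound connections by LAN source address, and lists sources missing from a device inventory. It assumes the standard netfilter LOG key=value layout with an ACCEPT/DROP prefix and the 192.168.1.0/24 LAN; KNOWN_HOSTS and every sample line are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

LAN = ipaddress.ip_network("192.168.1.0/24")      # default DD-WRT LAN range (assumption)
KNOWN_HOSTS = {"192.168.1.100", "192.168.1.101"}  # hypothetical device inventory

# Constructed sample messages; real router output may carry more fields.
SAMPLE_LOG = """\
<4>kernel: ACCEPT IN=br0 OUT=vlan1 SRC=192.168.1.100 DST=203.0.113.10 LEN=60 TTL=63 PROTO=TCP SPT=50122 DPT=443 SYN
<4>kernel: ACCEPT IN=br0 OUT=vlan1 SRC=192.168.1.100 DST=203.0.113.10 LEN=60 TTL=63 PROTO=TCP SPT=50123 DPT=443 SYN
<4>kernel: ACCEPT IN=br0 OUT=vlan1 SRC=192.168.1.101 DST=198.51.100.7 LEN=71 TTL=63 PROTO=UDP SPT=40001 DPT=53
<4>kernel: DROP IN=vlan1 OUT= SRC=198.51.100.99 DST=192.0.2.20 LEN=40 TTL=240 PROTO=TCP SPT=4444 DPT=23 SYN
<4>kernel: ACCEPT IN=br0 OUT=vlan1 SRC=192.168.1.137 DST=203.0.113.55 LEN=60 TTL=63 PROTO=TCP SPT=51000 DPT=6667 SYN
<30>dnsmasq[312]: query[A] example.test from 192.168.1.100
"""

LINE_RE = re.compile(r"^<\d+>kernel: (?P<action>[A-Z]+) (?P<fields>.*)$")

def parse_line(line):
    """Return a dict for one firewall log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # other syslog traffic (dnsmasq, cron, ...)
    kv = dict(f.split("=", 1) for f in m["fields"].split() if "=" in f)
    try:
        src, dst = ipaddress.ip_address(kv["SRC"]), ipaddress.ip_address(kv["DST"])
        dport = int(kv["DPT"]) if "DPT" in kv else None  # ICMP has no port
    except (KeyError, ValueError):
        return None  # truncated or malformed datagram
    return {"action": m["action"], "src": src, "dst": dst,
            "proto": kv.get("PROTO", "?"), "dport": dport}

def summarize(log_text, known=KNOWN_HOSTS):
    """Group accepted outbound connections by LAN source; list unknown sources."""
    hosts = defaultdict(lambda: {"count": 0, "dests": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == "ACCEPT" and rec["src"] in LAN and rec["dst"] not in LAN:
            entry = hosts[str(rec["src"])]
            entry["count"] += 1
            entry["dests"].add((str(rec["dst"]), rec["proto"], rec["dport"]))
    return dict(hosts), sorted(set(hosts) - set(known))

if __name__ == "__main__":
    per_host, unknown = summarize(SAMPLE_LOG)
    for ip, info in sorted(per_host.items()):
        print(ip, info["count"], sorted(info["dests"]))
    print("not in inventory:", unknown)
```

A source address that appears in the second return value is a device sending traffic through the router that you have not accounted for, which is the case the section above is concerned with.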
Further Exploration
What steps can be taken after observing unusual network activity? The desire to identify the source of such activity is natural.
Future discussions will delve into more advanced tools capable of revealing detailed information about network users, including the websites they are visiting and potentially even capturing login credentials.
Previously, we also examined a selection of excellent portable network analysis tools that can be readily deployed.
