Sniffing WiFi packets on an ESP32 during development.

overview image

This blog documents the network configuration used in an ESP32 test environment with some challenges:

  • The ESP32 DUT cannot practically be configured to have a wired Ethernet interface.
  • A wired Ethernet interface is needed to insert a port-sniffing router.
  • No wired Ethernet ports are available in practical proximity to development computer.

For a simpler version of port sniffing the ESP32 with a wired connection, see the prior blog EdgeRouter-X Port Mirroring: Inspect ESP32 Network Packets.

Reminder for EsdgeRouter-X settings, lost at reboot time:

# we'll monitor from eth4. (ports start at 0, left-most when facing)
sudo /sbin/switch mirror monitor 4

# start mirroring packets from eth2 onto eth4; a value of 3 means all packets
sudo /sbin/switch mirror target 2 3

Other helpful tidbits found at community.ui: “Stale DNS issue”:

# To see current DNS stats:
show dns forwarding statistics

# To clean DNS cache:
clear dns forwarding cache

# Show dns nameservers
show dns forwarding nameservers

# To show the leases on a given network:
show dhcp leases pool net_LAN_192.168.1.0-24

# To clear the stale record for ip
clear dhcp lease ip

To add wired Ethernet to an ESP32, see prior blog: ENC28J60 ESP32

Equipment Used


We’ll connect the ESP32 Device Under Test (DUT) to the Internet:

  DUT <<--WiFi-->> Router <<--EtherNet-to-ISP-->> Internet

Although the test topology may sound complicated at first, it is actually fairly simple as shown:

DUR Actual Setup Photo


The main production network is on a completely separate LAN and ISP. That netwok uses PiHole as described in a previous blog.

The good thing about the Pi-Hole is all the DNS lookups for undesired sites are blocked. The bad thing is that during testing, a test destination address may be blocked.

The test network here will use StarLink ISP. There’s no Pi-Hole and there’s also no wired Ethernet interface. (There’s an optional Ethernet Adapter sold separately)

DUT Test Router <<-- Wired Ethernet to ISP -->> Internet

The DUT Router Setup:


The DUT Router LAN:


The DUT Router WAN:


The DUT Router Wireless:


As all on-site networking equipment acts as a switch and not a hub, some sort of port spanning or mirroring will be needed to sniff packets. See prior blog on Port Mirroring.

 Test Router <<--Wired-->> Port-Sniffer <<--Ethernet-to-ISP-->> Internet

The EdgeRouter-X will be used to help sniff WiFi packets. It will sit between the wired connection of the ISP (in this case, a bridge) and the WiFi Test Router (RT1) for the DUT. The EdgeRouter-X does not have WiFi capability, but it does have a port mirroring feature.

 DUT <<--WiFi-->> Test Router <<--Wired-->> EdgeRouter-X <<--Ethernet-to-ISP-->> Internet

EdgeRouter Dashboard:


EdgeRouter Routes:


EdgeRouter ETH0:


EdgeRouter ETH2:


EdgeRouter ETH4:


EdgeRouter Configure Port Mirror:


In order to get wired Ethernet of the EdgeRouter-X to connect to the StarLink WiFi, the AC750/RE220 is configured in bridge (extender) mode. Basically the RE220 creates a single wired-Ethernet port that is on the same subnet as the StarLink WiFi. Other network topologies may not need this.

 DUT <<-- WiFi -->> Test Router <<-- Wired -->> EdgeRouter-X <<-- Wired -->> RE220 Bridge <<-- WiFi -->> StarLink ISP -->> Internet

The RE220 home screen has this, but in reverse order (right to left):


Here are the basic RE220 settings:


There are LED indicators on the TP-Link AC750 (aka RE220) from page 4 of the manual:

RE220 LEDs

The ESP32 Device Under Test (DUT) connects to a Linksys Test Router (RT1) over WiFi. SSID = dut-test.

Note that in order to connect and see the test router configuration, the network cable will need to be moved from the EdgeRouter (192.168.75.x) to the Test Router (192.168.25.x) as the WiFi WAN port of a router typically does not allow inbound security config.

All clients, including WAN ports are configured in the default mode using DHCP. Actual IP addresses may vary:

The DUT Test Router Network is 192.168.25.x.

ESP32 DUT               <<  WiFi >>  Linksys Router RT1
  DHCP IP =              IP =
  Gateway =                RT =

The Linksys Router’s WAN port is connected to a Ubiquity EdgeRouter-X on ETH2. The sniffing network is 192.168.75.x.

Linksys Router RT1      << Wired >>  EdgeRouter-X RTX
  LAN     =               LAN     = 192.168.75.x
  WAN IP  =              WAN IP  = (DHCP)
  Gateway =               Gateway =

The EdgeRouter-X’s WAN (ETH0) port is connected to the bridge:

EdgeRouter-X RTX        << Wired >>  RE220 Bridge B1
  LAN     = 192.168.75.x               LAN     = 192.168.x
  WAN IP  =              WAN IP  = (n/a in bridge mode)
  Gateway =

The RE220 Bridge is connected to StarLink over WiFi

RE220 Bridge B1         << WiFi >>   Starlink
  IP      =               IP =
  Gateway =                RT =

The development desktop computer is on the StarLink subnet at

Admin Interfaces:

Some “special” IP addresses and names:

StarLink ==

RE220 ==

Components are added by parsing each of the directories in the components directory

See also: