
CALEA and Remote Log Server

Posted: Thu Aug 02, 2007 5:41 am
by believewireless
All of our MikroTik routers use flash drives, so there is no place to dump the logs. Since we can specify another server IP, what do we need to run on a Linux or Windows box to store the data?

Re: CALEA and Remote Log Server

Posted: Thu Aug 02, 2007 7:43 am
by sergejs
I'm not sure you can accept this data on remote Linux/Windows server.

Re: CALEA and Remote Log Server

Posted: Thu Aug 02, 2007 6:04 pm
by omega-00
What about if you were to get another MikroTik that did use a hard drive and use it primarily for logging, believewireless?
Hardware shouldn't even need that much grunt.

Re: CALEA and Remote Log Server

Posted: Thu Aug 09, 2007 4:27 pm
by sergejs
Some clarification,
'ip firewall calea' provides action,
'sniff - generates a tzsp stream that can be directed to any Wireshark (Ethereal) server'.
http://wiki.mikrotik.com/wiki/Calea#Int ... acket_Flow
That should be the answer to this question.

Re: CALEA and Remote Log Server

Posted: Fri Oct 12, 2007 4:37 pm
by maxfava
'sniff - generates a tzsp stream that can be directed to any Wireshark (Ethereal) server'
What do you suggest as a Wireshark (Ethereal) server?
If I am not wrong, Wireshark is only an analysis tool.

ciao
Max

Re: CALEA and Remote Log Server

Posted: Mon Oct 15, 2007 2:24 pm
by sergejs
Any OS that Wireshark supports:
http://www.wireshark.org/about.html

Re: CALEA and Remote Log Server

Posted: Mon Oct 15, 2007 3:38 pm
by Letni
Using Wireshark/Ethereal is fine if you just need to capture or search for stuff. However, if you are doing an actual tap for a LEA, they would like it chunked up and hashed, which to my knowledge you cannot do with Wireshark... and if you could, the LEA would not appreciate you looking at their data.

The simplest solution in my case is to create a virtual machine with a RouterOS demo license and use that as the server.

-Louis

Re: CALEA and Remote Log Server

Posted: Wed Oct 17, 2007 12:27 am
by maxfava
The simplest solution in my case is to create a virtual machine with a RouterOS demo license and use that as the server.
:D same for me.
thanks

Re: CALEA and Remote Log Server

Posted: Sun Dec 09, 2007 8:53 pm
by burek
Hi everybody,

In the documentation version 1.5, which applies to v2.9 of RouterOS, at this link: http://www.mikrotik.com/testdocs/ros/2. ... niffer.php there is a part regarding packet sniffer settings, which says:
Not only Ethereal (http://www.ethereal.com) and Packetyzer (http://www.packetyzer.com) can receive the sniffer's stream but also MikroTik's program trafr (http://www.mikrotik.com/download.html) that runs on any IA32 Linux computer and saves received packets in libpcap file format.
also
streaming-server (IP address; default: 0.0.0.0) - Tazmen Sniffer Protocol (TZSP) stream receiver
I've installed Wireshark (Ethereal) and I just can't find any option (not even a mention of that option in its help files) to start it as a listening server for an incoming TZSP stream.

Has anyone ever tried this in real life? To start the sniffer at the AP and to establish a stream to the remote server that will log this sniffed traffic?

Any help is more than welcome..
Thanks.

Re: CALEA and Remote Log Server

Posted: Mon Dec 10, 2007 4:08 am
by gmsmstr
Just install a RouterOS server, on an HD, etc. Run a demo license for 24 hours or, if you need it more, install a license (not expensive). Then you will have a CALEA server for the future as well. Also, it has been suggested to allow writing this to a secondary, non-system drive.

Re: CALEA and Remote Log Server

Posted: Mon Dec 10, 2007 10:30 am
by burek
Sorry, but I'm not interested in solving a problem by avoiding solving it.. Is there any chance to make it work, like it says in the documentation, with Ethereal?

Re: CALEA and Remote Log Server

Posted: Mon Dec 10, 2007 10:49 am
by sergejs
It is working with Ethereal (it should work), but you have to ensure that the correct configuration is used on the computer with the streaming server. Make sure you have followed these requirements:

1. configure the sniffer to stream to the device running Wireshark:
/tool sniffer set streaming-enabled=yes streaming-server=ip.of.wireshark.box
/tool sniffer start

2. make sure you accept UDP in Wireshark (as TZSP uses UDP to transport data)

3. if you are streaming wireless sniffer captures (interface wireless sniffer), make sure you have the newest Wireshark and the newest RouterOS

4. you may need to disable the WCCP protocol in Wireshark (Analyze/Enabled Protocols), as that collides with TZSP and by default frames may be considered WCCP, not TZSP.
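As an added example that is not code from this thread or from MikroTik, here is a minimal stand-in for the trafr receiver quoted from the documentation earlier in the thread: it listens for the TZSP stream that step 1 above sends over UDP, parses the TZSP header and tag list, and writes the encapsulated frames to a libpcap file that Wireshark can open. It assumes the router streams to UDP port 37008 (TZSP's registered port and the RouterOS default); the file path, packet count and the port parameter are constructed for the example.

```python
import socket
import struct
import time

TZSP_PORT = 37008                  # UDP port a RouterOS sniffer streams to (assumed default)
TAG_PADDING, TAG_END = 0x00, 0x01  # the two tag types that carry no length byte
LINKTYPE = {1: 1, 18: 105}         # TZSP encapsulation -> pcap DLT (Ethernet, IEEE 802.11)


def parse_tzsp(datagram):
    """Return (type, encapsulation, tags, inner frame) for one TZSP v1 datagram."""
    if len(datagram) < 5 or datagram[0] != 1:
        raise ValueError("not a TZSP version 1 datagram")
    ptype, encap = struct.unpack("!BH", datagram[1:4])
    pos, tags = 4, {}
    while True:                    # walk the tag list until TAG_END
        if pos >= len(datagram):
            raise ValueError("tag list not terminated")
        tag, pos = datagram[pos], pos + 1
        if tag == TAG_END:
            break
        if tag == TAG_PADDING:
            continue
        if pos >= len(datagram) or pos + 1 + datagram[pos] > len(datagram):
            raise ValueError("truncated tag 0x%02x" % tag)
        length = datagram[pos]
        tags[tag] = bytes(datagram[pos + 1:pos + 1 + length])
        pos += 1 + length
    return ptype, encap, tags, bytes(datagram[pos:])


def pcap_header(linktype):  # libpcap global header: magic, v2.4, UTC, snaplen 65535
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)


def pcap_record(frame, ts):  # libpcap record: sec, usec, captured len, original len
    return struct.pack("<IIII", int(ts), int((ts % 1) * 1_000_000), len(frame), len(frame)) + frame


def receive_to_pcap(path, port=TZSP_PORT, count=100):
    """Listen for TZSP on UDP and save the frames of up to `count` datagrams as libpcap."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    with open(path, "wb") as out:
        linktype = None
        for _ in range(count):
            ptype, encap, _tags, frame = parse_tzsp(sock.recv(65535))
            if ptype != 0:         # only type 0 ("received") carries a captured packet
                continue
            if linktype is None:   # one link type per pcap file; take it from the first frame
                linktype = LINKTYPE[encap]
                out.write(pcap_header(linktype))
            out.write(pcap_record(frame, time.time()))
```

Calling receive_to_pcap("tzsp.pcap") on the streaming-server host produces a file Wireshark opens directly, with no WCCP confusion since the TZSP wrapper is already stripped.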

Re: CALEA and Remote Log Server

Posted: Mon Dec 10, 2007 11:07 am
by burek
So, all I need to do is start Ethereal (Wireshark) and set filters to capture 'udp only'? And of course set the analyzer to interpret those UDP packets as TZSP packets, to get it all right, is that correct?

(I had got a feeling that some kind of listening server should be started, or something, but if I'm correct, wireshark is only used to intercept those udp packets and that's it)

Re: CALEA and Remote Log Server

Posted: Wed Nov 28, 2012 12:50 pm
by gkoufoud
Hi,
I have developed an IDS/IPS system for RouterOS.
It is here : http://sourceforge.net/projects/mt-fw-attack/

You need a linux machine to compile and run it.
It collects syslog messages from your RouterOS device (there are instructions on how to use it) and adds the attackers to an address list which you can use to block them.
:-)

Re: CALEA and Remote Log Server

Posted: Fri Jan 10, 2014 11:29 am
by otgooneo
Hi,
I have developed an IDS/IPS system for RouterOS.
It is here : http://sourceforge.net/projects/mt-fw-attack/

You need a linux machine to compile and run it.
It collects syslog messages from your RouterOS device (there are instructions on how to use it) and adds the attackers to an address list which you can use to block them.
:-)
Sounds cool. How does it work in the background? How does it determine that this IP is an attacker?