w4rh0und
Member Candidate
Topic Author
Posts: 107
Joined: Fri Oct 16, 2009 10:58 pm

Mikrotik packet sniffer

Tue May 25, 2010 12:17 pm

Hello

I tried to use the packet sniffer on the MikroTik. My question is how can I make it work with Wireshark, because I cannot log all the information on an RB???

I have seen the option below but for some reason I can make it work :(
1. configure sniffer to stream to device running wireshark:
/tool sniffer set streaming-enabled=yes streaming-server=ip.of.wireshark.box
/tool sniffer start

2. make sure you accept UDP in wireshark (as TZSP uses UDP to transport data)

3. if you are streaming wireless sniffer captures (interface wireless sniffer), make sure you have the newest wireshark and newest routeros

4. you may need to disable WCCP protocol in wireshark (Analyze/Enabled
Protocols), as that collides with TZSP and by default frames may be
considered WCCP, not TZSP.
I have a setup like this: router 1 (192.168.2.1) <-IP Tunnel-> router 2 (172.16.0.1)
And I have a workstation with IP address 192.168.2.5.
Now with Wireshark I get all the useless junk, layer 2/broadcasts and stuff, but if I try and add a filter like:

Host 172.16.0.5 - nothing is displayed in wireshark

I saw somewhere in the forum that I should specify `tzsp` in the filter, but that gives me an error.

Can someone point me in the right direction? I am basically trying to get the packets running through the tunnel between the 2 subnets.

Thank you.
 
janisk
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: Mikrotik packet sniffer

Tue May 25, 2010 12:36 pm

if you are having problems setting up what you want to see in Wireshark, just do the following:

1) use the sniffer on the router and see the results locally
2) when you are content with the results, set up remote streaming to Wireshark

look at it this way - you can filter out stuff with Wireshark (a lot of options) or with the router (quite limited options). If I have understood you correctly, you have already solved the major configuration challenge - to see sniff results in Wireshark on your workstation.
 
w4rh0und
Member Candidate
Topic Author
Posts: 107
Joined: Fri Oct 16, 2009 10:58 pm

Re: Mikrotik packet sniffer

Tue May 25, 2010 1:32 pm

Yes, but how can I filter so I can see the actual traffic only from that IP tunnel? I have used wireshark/tcpdump before locally, but this is the 1st time that I use it with streaming from another device, and I have no idea how to filter so I can see the traffic between 192.168.2.0/24 and 172.16.0.0/24 only. Because if I use filters like `net 172.16.0.0/24`, nothing is displayed :(
 
changeip
Forum Guru
Posts: 3830
Joined: Fri May 28, 2004 5:22 pm

Re: Mikrotik packet sniffer

Tue May 25, 2010 5:39 pm

those packets are probably wrapped up in TZSP headers, so maybe the default filter is filtering the wrapper and not the payloads. Try this: select one packet that you know is part of the connection. Then find the row with the IP source or destination address, right click on it and choose 'Apply as Filter -> Selected'. Wireshark will automatically figure out the right filter syntax and apply it above; you will probably see you need to add some extra filters to dig into the packets.
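As an added example (not code from this thread or from MikroTik), the Python script below shows why a capture filter such as `host 172.16.0.5` or `net 172.16.0.0/24` shows nothing: a capture filter is evaluated against the outer UDP datagram travelling from the router to the workstation, while the tunnel traffic sits inside the TZSP payload. The script builds a constructed TZSP datagram (version 1, Ethernet encapsulation, a tag list ending with the end-of-tags marker), parses it back, and applies the same network test to the outer and the inner addresses. All addresses are assumptions taken from the thread: the router 192.168.2.1 streams to the workstation 192.168.2.5 on Wireshark's default TZSP UDP port 37008, and the inner frame from 192.168.2.10 to 172.16.0.5 is constructed for the demonstration.

```python
import ipaddress
import struct

TZSP_UDP_PORT = 37008      # Wireshark's default UDP port for the TZSP dissector
TZSP_VERSION = 1
TZSP_TYPE_RECEIVED = 0     # "received tag list": a captured packet being streamed
ENCAP_ETHERNET = 1         # encapsulated protocol: Ethernet frame
TAG_PADDING = 0x00         # single-byte padding tag, no length field
TAG_END = 0x01             # single-byte end-of-tags marker, no length field
ETHERTYPE_IPV4 = 0x0800


def parse_tzsp(datagram: bytes):
    """Parse a TZSP datagram into (version, type, encap, tags, inner_frame)."""
    if len(datagram) < 4:
        raise ValueError("datagram too short for a TZSP header")
    version, ptype, encap = struct.unpack("!BBH", datagram[:4])
    if version != TZSP_VERSION:
        raise ValueError(f"unsupported TZSP version {version}")
    tags = {}
    pos = 4
    while True:
        if pos >= len(datagram):
            raise ValueError("TZSP tag list is not terminated")
        tag = datagram[pos]
        pos += 1
        if tag == TAG_PADDING:
            continue
        if tag == TAG_END:
            break
        # every other tag is type, length, value
        length = datagram[pos]
        pos += 1
        tags[tag] = datagram[pos:pos + length]
        pos += length
    return version, ptype, encap, tags, datagram[pos:]


def parse_ethernet_ipv4(frame: bytes):
    """Return (src, dst, proto) from an Ethernet II frame carrying IPv4, else None."""
    if len(frame) < 14 + 20:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    return ipaddress.IPv4Address(ip[12:16]), ipaddress.IPv4Address(ip[16:20]), ip[9]


def matches_net(src, dst, network: str) -> bool:
    """Equivalent of a 'net X/Y' capture filter applied to one address pair."""
    net = ipaddress.ip_network(network)
    return src in net or dst in net


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Constructed IPv4 header (checksum left at zero; enough for parsing)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                         0x4000, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + payload


def build_sample_datagram() -> bytes:
    """Constructed TZSP datagram as a router would stream it to Wireshark."""
    inner_udp = struct.pack("!HHHH", 40000, 53, 8, 0)          # constructed UDP header
    inner_ip = build_ipv4("192.168.2.10", "172.16.0.5", 17, inner_udp)
    frame = bytes(6) + bytes(6) + struct.pack("!H", ETHERTYPE_IPV4) + inner_ip
    header = struct.pack("!BBH", TZSP_VERSION, TZSP_TYPE_RECEIVED, ENCAP_ETHERNET)
    return header + bytes([TAG_PADDING, TAG_END]) + frame


SAMPLE_DATAGRAM = build_sample_datagram()


def classify(outer_src: str, outer_dst: str, datagram: bytes, network: str):
    """Compare what a capture filter sees (outer) with what the TZSP payload carries (inner)."""
    outer_hit = matches_net(ipaddress.IPv4Address(outer_src),
                            ipaddress.IPv4Address(outer_dst), network)
    _, _, encap, _, inner = parse_tzsp(datagram)
    if encap != ENCAP_ETHERNET:
        return outer_hit, None
    parsed = parse_ethernet_ipv4(inner)
    inner_hit = parsed is not None and matches_net(parsed[0], parsed[1], network)
    return outer_hit, inner_hit


if __name__ == "__main__":
    # outer datagram: router 192.168.2.1 -> workstation 192.168.2.5, UDP 37008
    outer, inner = classify("192.168.2.1", "192.168.2.5", SAMPLE_DATAGRAM, "172.16.0.0/24")
    print(f"capture filter on outer header matches: {outer}")
    print(f"same test on the encapsulated packet:    {inner}")
```

The outer test is false and the inner test is true, which is exactly the symptom in the thread. In Wireshark the cure is a display filter rather than a capture filter: once the UDP stream on port 37008 is dissected as TZSP, a display filter such as `ip.addr == 172.16.0.0/24` is matched against every IP header in the packet, including the encapsulated one, and that is also the kind of expression 'Apply as Filter -> Selected' generates when you pick the inner address.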

