PSL
just joined
Topic Author
Posts: 12
Joined: Mon Jul 02, 2007 12:39 am

trafr doesn't work

Mon Jul 02, 2007 10:32 am

trafr tool to capture packets sent by MikroTik sniffer doesn't work. Tested with Ubuntu Linux 6.06.1, i386. It seems to me that trafr was compiled for Linux with kernel 2.2; that is history now as most modern Linux distributions are based on kernel 2.6. Another problem is that trafr is a binary-only package (no source code), and it is DYNAMICALLY linked; that is really bad.

oem@scenic:~$ uname -a
Linux scenic 2.6.15-28-686 #1 SMP PREEMPT Thu May 10 09:56:30 UTC 2007 i686 GNU/Linux
oem@scenic:~$ ls -l trafr
-rwxr-xr-x 1 oem oem 4764 2004-03-17 11:35 trafr
oem@scenic:~$ file trafr
trafr: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.2.0, dynamically linked (uses shared libs), for GNU/Linux 2.2.0, stripped

It doesn't work, it captures just a few bytes and it finishes.

oem@scenic:~$ ./trafr -s 192.168.0.133 | hexdump -C
00000000 d4 c3 b2 a1 02 00 04 00 00 00 00 00 00 00 00 00 |................|
00000010 00 10 00 00 01 00 00 00 |........|
00000018

It can help to release source code for the trafr package. It can help to release a description of TZSP used for sending packets to the stream server. I found several notices from users running other OSes (Mac OS X, NetBSD, etc.) that trafr doesn't work on their system. Releasing source code can help them. Is there any rocket science in the trafr code that the source code has to be kept secret? I don't think so...

Manual could be updated with fresh information on this topic too, it is possible that trafr was replaced with better tool already.

http://www.mikrotik.com/testdocs/ros/2. ... niffer.php
 
PSL
just joined
Topic Author
Posts: 12
Joined: Mon Jul 02, 2007 12:39 am

Re: trafr doesn't work

Mon Jul 02, 2007 11:11 am

I add information about libraries linked to trafr, it can help:

oem@scenic:~$ ldd -v trafr
linux-gate.so.1 => (0xffffe000)
libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7e26000)
/lib/ld-linux.so.2 (0xb7f67000)

Version information:
./trafr:
libc.so.6 (GLIBC_2.1) => /lib/tls/i686/cmov/libc.so.6
libc.so.6 (GLIBC_2.0) => /lib/tls/i686/cmov/libc.so.6
/lib/tls/i686/cmov/libc.so.6:
ld-linux.so.2 (GLIBC_2.1) => /lib/ld-linux.so.2
ld-linux.so.2 (GLIBC_2.3) => /lib/ld-linux.so.2
ld-linux.so.2 (GLIBC_PRIVATE) => /lib/ld-linux.so.2
ld-linux.so.2 (GLIBC_2.0) => /lib/ld-linux.so.2
 
jp
Long time Member
Posts: 609
Joined: Wed Mar 02, 2005 5:06 am
Location: Maine

Re: trafr doesn't work

Tue Jul 03, 2007 4:27 am

I have found it fails (quits early) when capturing wireless listening. It works fine for ethernet/vpn interface capturing though. Haven't tried it for a couple months. I too would like source to be able to recompile it.
 
kostil
Frequent Visitor
Posts: 74
Joined: Wed Jun 18, 2008 6:01 pm
Location: Moscow region, Russia

Re: trafr doesn't work

Sat Nov 28, 2009 9:26 am

hi guys.

Did you solve the problem with trafr? Or maybe find some other program to process the tzsp?
 
Eising
Member Candidate
Posts: 272
Joined: Mon Oct 27, 2008 10:21 am
Location: Copenhagen, Denmark

Re: trafr doesn't work

Sat Nov 28, 2009 5:19 pm

The TZSP protocol is quite simple. It's only a basic header in front of the actual data.
I've been thinking of writing my own trafr implementation, since I need some extra features. I'll release it as open source when I do.
 
kostil
Frequent Visitor
Posts: 74
Joined: Wed Jun 18, 2008 6:01 pm
Location: Moscow region, Russia

Re: trafr doesn't work

Sat Nov 28, 2009 5:45 pm

what language will you use? C, or maybe it will be a perl script?
maybe i could help you? mail me.
 
Eising
Member Candidate
Posts: 272
Joined: Mon Oct 27, 2008 10:21 am
Location: Copenhagen, Denmark

Re: trafr doesn't work

Sat Nov 28, 2009 7:15 pm

I'm thinking of doing it as a perl script, but I need to find a smart way of doing it. I need to somehow open a udp socket, pop some bytes off the beginning of the stream and then output it as pcap data...
 
kostil
Frequent Visitor
Posts: 74
Joined: Wed Jun 18, 2008 6:01 pm
Location: Moscow region, Russia

Re: trafr doesn't work

Sat Nov 28, 2009 8:02 pm

maybe start with open .pcap file and work with it?

could you write to me in icq or jabber?
 
kostil
Frequent Visitor
Posts: 74
Joined: Wed Jun 18, 2008 6:01 pm
Location: Moscow region, Russia

Re: trafr doesn't work

Wed Dec 02, 2009 11:11 pm

I wrote a perl script like trafr.
It takes packets from a pcap file saved with tcpdump or tshark, cuts the tzsp header off the packets and puts them into another pcap file.
There is no problem making it listen to traffic online from an interface, but I have no such task yet.
 
Eising
Member Candidate
Posts: 272
Joined: Mon Oct 27, 2008 10:21 am
Location: Copenhagen, Denmark

Re: trafr doesn't work

Thu Dec 03, 2009 12:11 pm

Yeah, I have a ruby script that does that as well, but I want to open a udp socket and grab the stream there. I haven't quite got the time to work on it until the weekend though. If you come up with anything faster than me, please give me a shout.
 
snoozer
Member Candidate
Posts: 154
Joined: Mon Jun 18, 2007 5:13 pm
Location: Schull, West-Cork, Ireland.

Re: trafr doesn't work

Fri Feb 19, 2010 4:05 pm

hi eising,

did you have a look at netcat ? would that do the trick for you to listen on the desired UDP port ? i am really interested in a solution that i can rebuild from source for a different architecture as well but i am not the scripting guru or programmer at all.

Jan
 
yahel
just joined
Posts: 2
Joined: Sun Aug 02, 2009 10:55 pm

Re: trafr doesn't work

Fri Feb 19, 2010 9:21 pm

Would you be kind enough to share these scripts ?
Both the Ruby and the Perl versions would be nice...

Thanks,

Yahel.
 
snoozer
Member Candidate
Posts: 154
Joined: Mon Jun 18, 2007 5:13 pm
Location: Schull, West-Cork, Ireland.

Re: trafr doesn't work

Tue Feb 23, 2010 9:52 am

hi again,

is there any progress with making this sniffer capturing solution work on other platforms ? i really like to use it on my mac but so far i don't know how. does anyone possibly know a way with nc (netcat) ? it works well with tcpdump but the sniffer tool on ROS is different from what i gathered and i can not make the stream to work with wireshark if i have netcat listening to it. to clarify, i don't capture traffic with wireshark, i like it in a file and after work with it in wireshark after.

kind regards
Jan
 
Eising
Member Candidate
Posts: 272
Joined: Mon Oct 27, 2008 10:21 am
Location: Copenhagen, Denmark

Re: trafr doesn't work

Tue Feb 23, 2010 1:50 pm

I haven't finished my script. I had a proof of concept running though, that would just strip out the extra headers until the encapsulated traffic. However, wireshark handles TZSP fine, so what I normally do is use tcpdump to dump everything with a dst-port that equals the TZSP port (37008?) and save that to a file. I can then load it up in wireshark and it will show me the encapsulated data.
tcpdump -s0 -w captured-data.pcap -nieth0 port 37008
 
cartes
newbie
Posts: 41
Joined: Fri Oct 12, 2007 12:23 am

Re: trafr doesn't work

Sun Mar 21, 2010 4:29 pm

While the tcpdump or wireshark capture works, it makes certain analysis (like finding only UDP packets) almost impossible with filters. It would be immensely helpful if someone could point to an online reference of a tool that would strip the tzsp headers off the packets.
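
The header stripping asked for in this thread, as an added Ruby example that is not code from any poster or from MikroTik: it removes the TZSP header and tagged fields from each datagram and writes plain pcap, starting with the same 24-byte file header shown in the hexdump in the first post. It assumes the publicly documented TZSP layout (version, type, 16-bit encapsulated protocol, then tags ending in TAG_END), Ethernet encapsulation only, and port 37008 as mentioned above; all function and constant names are its own and the sample datagram is constructed.

```ruby
require 'socket'

TZSP_PORT = 37_008   # UDP port mentioned in the thread
TAG_PADDING = 0      # single-byte tag, no length field
TAG_END = 1          # single-byte tag; the captured frame follows it
ETHERNET = 1         # both the TZSP encapsulation code and the pcap link type

# 24-byte little-endian pcap file header (magic, version 2.4, snaplen, link type).
def pcap_global_header(snaplen = 4096)
  [0xa1b2c3d4, 2, 4, 0, 0, snaplen, ETHERNET].pack('VvvVVVV')
end

# pcap record: seconds, microseconds, captured length, original length, frame.
def pcap_record(frame, time = Time.now)
  [time.to_i, time.usec, frame.bytesize, frame.bytesize].pack('VVVV') + frame.b
end

# Returns the encapsulated Ethernet frame, or nil for a malformed or non-Ethernet datagram.
def strip_tzsp(datagram)
  return nil if datagram.bytesize < 4
  version, type, encap = datagram.unpack('CCn')
  return nil unless version == 1 && type <= 1 && encap == ETHERNET
  pos = 4
  while pos < datagram.bytesize
    tag = datagram.getbyte(pos)
    return datagram.byteslice(pos + 1, datagram.bytesize).b if tag == TAG_END
    # padding is a lone byte; every other tag is type, length, value
    pos += tag == TAG_PADDING ? 1 : 2 + datagram.getbyte(pos + 1).to_i
  end
  nil # ran past the end without TAG_END: truncated or malformed
end

# Listens for TZSP datagrams and writes a plain pcap stream to `out`.
def capture(out, count, port = TZSP_PORT)
  sock = UDPSocket.new
  sock.bind('0.0.0.0', port)
  out.write(pcap_global_header)
  count.times do
    frame = strip_tzsp(sock.recvfrom(65_535).first)
    out.write(pcap_record(frame)) if frame && !frame.empty?
  end
ensure
  sock&.close
end

# Constructed sample: TZSP v1, type 0, Ethernet; padding, one 4-byte tag, TAG_END, 14-byte frame.
SAMPLE_FRAME = ['ffffffffffff0200000000010806'].pack('H*')
SAMPLE_DATAGRAM = [1, 0, 1, 0, 13, 4, 0xde, 0xad, 0xbe, 0xef, 1].pack('CCnC*') + SAMPLE_FRAME
capture($stdout.binmode, 100) if ARGV.first == 'listen'
```

Run it with `listen` as the first argument and redirect stdout to a file to get a capture that ordinary pcap filters work on. The socket accepts datagrams from any sender, so restrict UDP 37008 to the router's address with a host firewall.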
 
mblanco
just joined
Posts: 21
Joined: Thu Apr 27, 2006 10:56 pm

Re: trafr doesn't work

Sat Aug 21, 2010 12:25 am

this works

#!/usr/bin/env ruby

require 'rubygems'
require 'socket'

t = Time.now
time_now = t.strftime("%Y-%m-%d %H:%M:%S").to_s

puts "beginning connection at #{time_now}"

begin
  # Bind a UDP socket on port 5678
  s = UDPSocket.new
  s.bind(nil, '5678')
rescue IOError, SystemCallError => udperror
  puts "Error: #{udperror}"
  exit 1 # nothing to read from if the bind failed
end

100.times do
  # Read one datagram and use it for both the sender address and the payload
  payload, sender = s.recvfrom(1024)
  puts "   to -> #{sender[2]}"
  data = payload.unpack("L1 H8 H12 H8 Z* H6 Z*") # <- important
  next if data[1] != "00010006"
  # Fields pulled out of the unpacked datagram
  mac = data[2]
  identity = data[4]
  version = data[6]
end

puts "closing connections..."
s.close if s

this part "L1 H8 H12 H8 Z* H6 Z*" is for a perl api scan that I found some time ago; I'm not a ruby programmer

I hope this can help someone
