believewireless
Member Candidate
Topic Author
Posts: 231
Joined: Wed Jul 06, 2005 6:30 pm

CALEA and Remote Log Server

Thu Aug 02, 2007 5:41 am

All of our Mikrotik routers use flash drives, so there is no place to dump the logs. Since we can specify another server IP, what do we need to run on a Linux or Windows box to store the data?
 
sergejs
MikroTik Support
Posts: 6695
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: CALEA and Remote Log Server

Thu Aug 02, 2007 7:43 am

I'm not sure you can accept this data on remote Linux/Windows server.
 
omega-00
Forum Guru
Posts: 1167
Joined: Sat Jun 06, 2009 4:54 am
Location: Australia

Re: CALEA and Remote Log Server

Thu Aug 02, 2007 6:04 pm

What about if you were to get another Mikrotik that did use a hard drive and use it primarily for logging, believewireless?
Hardware shouldn't even need that much grunt.
 
sergejs
MikroTik Support
Posts: 6695
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: CALEA and Remote Log Server

Thu Aug 09, 2007 4:27 pm

Some clarification:
'ip firewall calea' provides the action
'sniff - generates a tzsp stream that can be directed to any Wireshark (Ethereal) server'.
http://wiki.mikrotik.com/wiki/Calea#Int ... acket_Flow
That should be the answer to this question.
 
maxfava
Member Candidate
Posts: 224
Joined: Mon Oct 17, 2005 12:30 am

Re: CALEA and Remote Log Server

Fri Oct 12, 2007 4:37 pm

'sniff - generates a tzsp stream that can be directed to any Wireshark (Ethereal) server'
What do you suggest as a Wireshark (Ethereal) server?
If I am not wrong, Wireshark is only an analysis tool.

ciao
Max
 
sergejs
MikroTik Support
Posts: 6695
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: CALEA and Remote Log Server

Mon Oct 15, 2007 2:24 pm

Any OS that Wireshark supports:
http://www.wireshark.org/about.html
 
Letni
Member
Posts: 376
Joined: Tue Dec 05, 2006 5:16 am
Location: South Carolina

Re: CALEA and Remote Log Server

Mon Oct 15, 2007 3:38 pm

Using Wireshark/Ethereal is fine if you just need to capture or search for stuff. However, if you are doing an actual tap for a LEA, they would like it chunked up and hashed, which to my knowledge you cannot do with Wireshark... and if you could, the LEA would not appreciate you looking at their data.

The simplest solution in my case is to create a virtual machine with a RouterOS demo license and use that as the server.

-Louis
 
maxfava
Member Candidate
Posts: 224
Joined: Mon Oct 17, 2005 12:30 am

Re: CALEA and Remote Log Server

Wed Oct 17, 2007 12:27 am

The simplest solution in my case is to create a virtual machine with a RouterOS demo license and use that as the server.
:D Same for me.
Thanks.
 
burek
just joined
Posts: 22
Joined: Sun Dec 09, 2007 8:42 pm

Re: CALEA and Remote Log Server

Sun Dec 09, 2007 8:53 pm

Hi everybody,

In the documentation version 1.5, which applies to v2.9 of RouterOS, at this link: http://www.mikrotik.com/testdocs/ros/2. ... niffer.php there is a part regarding packet sniffer settings, which says:
Not only Ethereal (http://www.ethereal.com) and Packetyzer (http://www.packetyzer.com) can receive the sniffer's stream but also MikroTik's program trafr (http://www.mikrotik.com/download.html) that runs on any IA32 Linux computer and saves received packets in libpcap file format.
also
streaming-server (IP address; default: 0.0.0.0) - Tazmen Sniffer Protocol (TZSP) stream receiver
I've installed Wireshark (Ethereal) and I just can't find any option (not even a mention of such an option in its help files) to start it as a listening server for an incoming TZSP stream.

Has anyone ever tried this in real life? To start the sniffer at the AP and to establish a stream to the remote server that will log this sniffed traffic?

Any help is more than welcome..
Thanks.
 
gmsmstr
Trainer
Posts: 982
Joined: Fri Jun 04, 2004 2:22 am
Location: St. Louis, MO

Re: CALEA and Remote Log Server

Mon Dec 10, 2007 4:08 am

Just install a RouterOS server, on an HD etc. Run a demo license for 24 hours or, if you need it for longer, install a license (not expensive). Then you will have a CALEA server for the future as well. Also, it has been suggested to allow writing this to a secondary, non-system drive.
 
burek
just joined
Posts: 22
Joined: Sun Dec 09, 2007 8:42 pm

Re: CALEA and Remote Log Server

Mon Dec 10, 2007 10:30 am

Sorry, but I'm not interested in solving a problem by avoiding solving it.. Is there any chance to make it work, like it says in the documentation, with Ethereal?
 
sergejs
MikroTik Support
Posts: 6695
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: CALEA and Remote Log Server

Mon Dec 10, 2007 10:49 am

It is working with Ethereal (it should work), but you have to ensure that the correct configuration is used on the computer with the streaming server. Make sure you have followed these requirements:

1. configure the sniffer to stream to the device running Wireshark:
/tool sniffer set streaming-enabled=yes streaming-server=ip.of.wireshark.box
/tool sniffer start

2. make sure you accept UDP in Wireshark (as TZSP uses UDP to transport data)

3. if you are streaming wireless sniffer captures (interface wireless sniffer), make sure you have the newest Wireshark and the newest RouterOS

4. you may need to disable the WCCP protocol in Wireshark (Analyze/Enabled Protocols), as that collides with TZSP and by default frames may be considered WCCP, not TZSP.
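A minimal TZSP receiver of the kind burek is asking about, added here as an example and not code from this thread, from MikroTik or from trafr: it binds the UDP port the RouterOS sniffer streams to, strips the TZSP header from each datagram and writes the inner frames to a libpcap file that Wireshark can open later. The port number (37008, the TZSP default), the tag and encapsulation constants and the libpcap field layout are assumptions from the TZSP and libpcap formats, not values given on this page.

```python
import socket
import struct
import time

TZSP_PORT = 37008                    # default UDP port of the TZSP stream RouterOS sends
TAG_PADDING, TAG_END = 0x00, 0x01    # the two tags that carry no length byte
ENCAP_TO_LINKTYPE = {1: 1, 18: 105}  # TZSP encapsulation -> pcap DLT (Ethernet, 802.11)

def parse_tzsp(datagram):
    """Split a TZSP datagram (version, type, encapsulation, tag list, frame)
    into (encapsulation, {tag: value}, captured frame)."""
    if len(datagram) < 4 or datagram[0] != 1:
        raise ValueError("not a TZSP version 1 datagram")
    _version, _msg_type, encap = struct.unpack("!BBH", datagram[:4])
    tags, pos = {}, 4
    while pos < len(datagram) and datagram[pos] != TAG_END:
        tag, pos = datagram[pos], pos + 1
        if tag == TAG_PADDING:
            continue
        if pos >= len(datagram):
            raise ValueError("truncated TZSP tag")
        length = datagram[pos]          # other tags are (type, length, value)
        tags[tag], pos = datagram[pos + 1:pos + 1 + length], pos + 1 + length
    if pos >= len(datagram):
        raise ValueError("TZSP tag list not terminated")
    return encap, tags, datagram[pos + 1:]   # frame starts right after TAG_END

def pcap_global_header(linktype):
    # classic libpcap file header: magic, version 2.4, tz 0, sigfigs 0, snaplen 65535, DLT
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)

def pcap_record(frame, ts):
    sec = int(ts)  # record header: ts_sec, ts_usec, incl_len, orig_len, then the frame
    return struct.pack("<IIII", sec, int((ts - sec) * 1e6), len(frame), len(frame)) + frame

def receive_to_pcap(path, port=TZSP_PORT, max_packets=None):
    """Bind the UDP port, strip TZSP from each datagram, append the frame to a pcap."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    with open(path, "wb") as out:
        linktype = None
        while max_packets is None or max_packets > 0:
            data, _src = sock.recvfrom(65535)
            encap, _tags, frame = parse_tzsp(data)
            if linktype is None:         # pcap DLT is fixed by the first datagram seen
                linktype = ENCAP_TO_LINKTYPE.get(encap, encap)
                out.write(pcap_global_header(linktype))
            out.write(pcap_record(frame, time.time()))
            max_packets = None if max_packets is None else max_packets - 1
```

Run `receive_to_pcap("capture.pcap", max_packets=1000)` on the host named in streaming-server, then open the file in Wireshark; the same host must let UDP 37008 in through its firewall.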
 
burek
just joined
Posts: 22
Joined: Sun Dec 09, 2007 8:42 pm

Re: CALEA and Remote Log Server

Mon Dec 10, 2007 11:07 am

So, all I need to do is start Ethereal (Wireshark) and set filters to capture 'udp only'? And of course set the analyzer to interpret those UDP packets as TZSP packets, to get it all right, is that correct?

(I had a feeling that some kind of listening server should be started, or something, but if I'm correct, Wireshark is only used to intercept those UDP packets and that's it)
 
gkoufoud
just joined
Posts: 13
Joined: Tue Apr 15, 2008 11:22 pm

Re: CALEA and Remote Log Server

Wed Nov 28, 2012 12:50 pm

Hi,
I have developed an IDS/IPS system for RouterOS.
It is here: http://sourceforge.net/projects/mt-fw-attack/

You need a Linux machine to compile and run it.
It collects syslog messages from your RouterOS device (there are instructions on how to use it) and adds the attackers to an address list which you can use to block them.
:-)
 
otgooneo
Trainer
Posts: 581
Joined: Tue Dec 01, 2009 3:24 am
Location: Mongolia

Re: CALEA and Remote Log Server

Fri Jan 10, 2014 11:29 am

Hi,
I have developed an IDS/IPS system for RouterOS.
It is here: http://sourceforge.net/projects/mt-fw-attack/

You need a Linux machine to compile and run it.
It collects syslog messages from your RouterOS device (there are instructions on how to use it) and adds the attackers to an address list which you can use to block them.
:-)
Sounds cool. How does it work in the background? How does it determine that this IP is an attacker?
