2.9.14 packet sniffer

Anyone else having major issues with Packet Sniffer in 2.9.14? It seems as though it's not capturing all packets and other oddities. 20-30 entries show up and then disappear. After moving the pcap to Ethereal I see that it only captured about 10% of the traffic. Just curious if anyone else noticed this.

I also notice when filtering on specifics you still get ICMP and non-IP from everywhere included in the pcap.

Sam

I’m having a similar issue here. It’s starting, and then dying. I created a script, below, that restarts it every 5 minutes in case it’s not running, since I’m running snort on my server that it is supposed to be streaming to. Anyways, every 5 it runs, it logs that the sniffer is not running. It used to stay up all the time in 2.9.13 before I upgraded…

Anyone else seeing similar ???

restart script:

:if ( ! [tool sniffer get running] ) do={
    :log info "Sniffer IS NOT RUNNING at Start of script"
    /tool sniffer stop
    :delay 2s
    /tool sniffer start
} else={:log info "Sniffer is running at Start of script"}

:if ( [tool sniffer get running] ) do={:log info "Sniffer is running at End of script"} else={:log info "Sniffer IS NOT RUNNING at End of script"}

and a snippet of my syslog:

Mar 18 19:36:00 sentry script,info Sniffer IS NOT RUNNING at Start of script
Mar 18 19:36:02 sentry script,info Sniffer is running at End of script
Mar 18 19:41:00 sentry script,info Sniffer IS NOT RUNNING at Start of script
Mar 18 19:41:02 sentry script,info Sniffer is running at End of script
Mar 18 19:46:00 sentry script,info Sniffer IS NOT RUNNING at Start of script
Mar 18 19:46:02 sentry script,info Sniffer is running at End of script
Mar 18 19:51:00 sentry script,info Sniffer IS NOT RUNNING at Start of script
Mar 18 19:51:02 sentry script,info Sniffer is running at End of script
Mar 18 19:56:00 sentry script,info Sniffer IS NOT RUNNING at Start of script
Mar 18 19:56:02 sentry script,info Sniffer is running at End of script
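
The syslog excerpt above can be turned into a bound on how long the Snort feed may have been without traffic. This is an added example in Python, not part of the original posts; the function names are hypothetical and the year is an arbitrary placeholder, since the syslog timestamps carry none.

```python
import re
from datetime import datetime, timedelta

# Watchdog lines copied from the syslog snippet in the post above.
SAMPLE = """\
Mar 18 19:36:00 sentry script,info Sniffer IS NOT RUNNING at Start of script
Mar 18 19:36:02 sentry script,info Sniffer is running at End of script
Mar 18 19:41:00 sentry script,info Sniffer IS NOT RUNNING at Start of script
Mar 18 19:41:02 sentry script,info Sniffer is running at End of script
Mar 18 19:46:00 sentry script,info Sniffer IS NOT RUNNING at Start of script
Mar 18 19:46:02 sentry script,info Sniffer is running at End of script
Mar 18 19:51:00 sentry script,info Sniffer IS NOT RUNNING at Start of script
Mar 18 19:51:02 sentry script,info Sniffer is running at End of script
Mar 18 19:56:00 sentry script,info Sniffer IS NOT RUNNING at Start of script
Mar 18 19:56:02 sentry script,info Sniffer is running at End of script
"""

LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ script,info "
                  r"Sniffer (is running|IS NOT RUNNING) at (Start|End) of script$")

def parse(text, year=2000):
    """Yield (timestamp, running, phase) per watchdog line; year is a placeholder."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2) == "is running", m.group(3)

def blind_windows(events):
    """Windows (start, end, certain) that end with the sniffer found dead.

    certain=False: it was up at start and died at an unknown point before end.
    certain=True: the previous restart had failed, so it was down throughout.
    """
    windows, prev = [], None
    for ts, running, phase in events:
        if phase == "Start" and not running and prev is not None:
            windows.append((prev[0], ts, not prev[1]))
        prev = (ts, running)
    return windows

def summary(text):
    """Return (blind windows, upper bound on unmonitored time, log span)."""
    events = list(parse(text))
    windows = blind_windows(events)
    upper = sum((end - start for start, end, _ in windows), timedelta())
    return len(windows), upper, events[-1][0] - events[0][0]

if __name__ == "__main__":
    print(summary(SAMPLE))
```

Because the watchdog only samples state every five minutes, the result is an upper bound: the log cannot show when inside each window the sniffer stopped.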

You should upgrade to the latest version to fix this issue.

Eugene

I’m already on 2.9.17, and it’s doing it there. 2.9.13 was fine…

I meant 2.9.18 when it becomes available :wink:

… just need to make sure MikroTik knows it’s a problem, since it was something that was broken along the way, they need to know it’s now broken so that it can be fixed…

I meant 2.9.18 when it becomes available

Which will be soon I suppose (given that it already is on the demo systems)?

Best regards,
Christian Meis

right.

OK, so now that I’ve upgraded to 2.9.18, the Sniffer starts as it should, and stays started. Yay!

OK, now I have a problem that the CPU load shoots up to 55 and stays there. This didn’t happen in previous versions.

Here’s my sniffer config:

> /tool sniffer print
          interface: int_if
       only-headers: no
       memory-limit: 0
          file-name: ""
         file-limit: 0
  streaming-enabled: yes
   streaming-server: 192.168.200.3
      filter-stream: yes
    filter-protocol: ip-only
    filter-address1: 0.0.0.0/0:0-65535
    filter-address2: 0.0.0.0/0:0-65535
            running: yes
>

thoughts?