BUG: RouterOS packet sniffer shows messed up raw data

It seems that the RouterOS embedded packet sniffer shows incorrect/messed up data in the “Raw data” window.

In winbox:

  • select Tools/Packet Sniffer: the “Packet Sniffer Settings” window opens
  • with proper settings, start/stop capturing some packets
  • click “Packets”: the “Packet Sniffer Packets” window opens
  • double-click on a row corresponding to a captured packet: the “Sniffer Packet <SRC_IP → DST_IP>” window opens
  • click on the “Packet” tab: the “Raw Data” pane appears
  • verify the data

Following is a sample ICMP ECHO-REQUEST (“ping”) packet sent from RouterOS to a Linux machine, as it is shown both by the embedded packet sniffer and by tcpdump on the receiving host:

Raw Data (RouterOS Packet Sniffer)

0000 00a0 c5XX XXXX 000c 42XX XXXX 0800  .....xxx..Bxxx..
4500 0000 0000 0b00 000e 0001 0000 327c  E.............2|
0900 00ff 012d 72c0 a8c8 fcc0 a800 0000  .....-r.........
0000 0000 0000 0200 c801 0800 5743 013a  ............WC.:
0000 aaaa ab80 5556 0000 0000 0000 0000  ......UV........
0003 002c d6ab 8304 012e 8706 57b5 8d5e  ...,........W..^
6fce ca00 0000 0000 0000 00              o..........
Same packet, as displayed by tcpdump

0:c:42:XX:XX:XX 0:a0:c5:XX:XX:XX 0800 64: 192.168.200.252 > 192.168.200.1: icmp: echo request (ttl 255, id 31753, len 50)
0x0000   4500 0032 7c09 0000 ff01 2d72 c0a8 c8fc        E..2|.....-r....
0x0010   c0a8 c801 0800 5743 013a 0000 aaaa ab80        ......WC.:......
0x0020   5556 2cd6 ab83 0401 2e87 0657 b58d 5e6f        UV,........W..^o
0x0030   ceca

Note:

  • the tested RouterOS version is 5.14 (I’m not able to test a different version right now)
  • MAC addresses are hidden to “protect the innocent”
  • tcpdump prepends the packet’s data offset at the beginning of each line (starting from the ethernet payload, as it shows the ethernet header in its decoded form only)
  • the first line of raw data reported by the ROS packet sniffer is the ethernet header, and is correct (apart from the first 2 bytes “0000”, which are spurious and should not appear)
  • the ethernet payload (IP/ICMP datagram) is totally messed up, and there are 91 bytes shown instead of 50 (41 spurious, mostly “00”, bytes inserted here and there)
  • packet’s values are anyway correctly decoded into the “General” and “IP” panes (btw, see below comment about “TOS”)
  • if saved into a file, packets captured by ROS packet sniffer appear to be in “libpcap” format and can be correctly decoded (e.g. by wireshark)

Comment about the “TOS” field (“Sniffer Packet”, “IP” pane):
The field’s label is definitely misleading: the value actually shown is the DSCP value (that is, the numerical value 0..63 stored in the high-order 6 bits of the “ToS/DS” byte of the IP header). The same inaccuracy is found in other places in the winbox interface (namely, the firewall section) and could be (actually: was) a source of several headaches when checking cross-vendor DS/QoS configurations.

Regards,
rock

http://forum.mikrotik.com/t/packet-sniffer-in-winbox/51586/1
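An added check, not part of rock's post or of RouterOS, that turns the comparison above into code: it parses both hex dumps quoted in the post (tcpdump offsets and ASCII columns are stripped; the RouterOS Ethernet-header line is left out because its MACs are masked with “XX”), counts the bytes, and decodes the IPv4 header, including the header checksum and the 6-bit DSCP value that winbox labels “TOS”. The tcpdump dump decodes cleanly (50 bytes, valid checksum), while the RouterOS raw view yields 91 bytes and a header that fails every consistency check.

```python
import ipaddress
import re
import struct
# Hex dumps copied from the post (constructed input); the RouterOS Ethernet line is omitted.
ROS_RAW_DATA = """
4500 0000 0000 0b00 000e 0001 0000 327c  E.............2|
0900 00ff 012d 72c0 a8c8 fcc0 a800 0000  .....-r.........
0000 0000 0000 0200 c801 0800 5743 013a  ............WC.:
0000 aaaa ab80 5556 0000 0000 0000 0000  ......UV........
0003 002c d6ab 8304 012e 8706 57b5 8d5e  ...,........W..^
6fce ca00 0000 0000 0000 00              o..........
"""
TCPDUMP_DATA = """
0x0000   4500 0032 7c09 0000 ff01 2d72 c0a8 c8fc        E..2|.....-r....
0x0010   c0a8 c801 0800 5743 013a 0000 aaaa ab80        ......WC.:......
0x0020   5556 2cd6 ab83 0401 2e87 0657 b58d 5e6f        UV,........W..^o
0x0030   ceca
"""
def parse_hex_dump(text):
    # Take the hex column of each line; drop tcpdump's 0x offsets and the ASCII column.
    hexwords = []
    for line in text.strip().splitlines():
        fields = [f for f in re.split(r"\s{2,}", line.strip()) if not f.startswith("0x")]
        hexwords.append(fields[0].replace(" ", ""))
    return bytes.fromhex("".join(hexwords))

def internet_checksum(data):
    # RFC 1071 ones-complement sum: 0 means a checksum-bearing header verifies intact.
    data = data + b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def decode_ipv4(pkt):
    # Decode the fixed IPv4 header and check it against the bytes actually captured.
    ver_ihl, tos, total_len, ident, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "dscp": tos >> 2, "ecn": tos & 0x03,  # winbox's "TOS" pane shows dscp, not the ToS byte
        "total_length": total_len, "ident": ident, "ttl": ttl, "protocol": proto,
        "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
        "header_checksum_ok": internet_checksum(pkt[:ihl]) == 0,
        "length_matches_capture": total_len == len(pkt),  # False for the corrupted raw view
    }

if __name__ == "__main__":
    for name, dump in (("RouterOS raw data", ROS_RAW_DATA), ("tcpdump", TCPDUMP_DATA)):
        pkt = parse_hex_dump(dump)
        print(name, len(pkt), "bytes:", decode_ipv4(pkt))
```

The ICMP checksum of the tcpdump copy also verifies (`internet_checksum(pkt[20:]) == 0`), so the receiving host's view is internally consistent end to end, whereas the RouterOS raw view parses to a zero total length, a TTL of 0 and a bad header checksum.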