Can't seem to catch FIN/SYN/RST in mangle

Xtreme512 · August 30, 2017, 9:14pm

Hi guys, I’m catching ACK traffic just fine but I have 0 packets catched so far for the fin, syn, rst traffic. Below is my rules, am I doing it wrong? How to make it work?

add action=mark-packet chain=prerouting in-interface=ether1 new-packet-mark=ACK_D passthrough=no protocol=tcp tcp-flags=ack packet-size=0-123 comment="ACK"
add action=mark-packet chain=postrouting new-packet-mark=ACK_U out-interface=ether1 passthrough=no protocol=tcp tcp-flags=ack packet-size=0-123
add action=mark-packet chain=prerouting in-interface=ether1 new-packet-mark=ACK_D passthrough=no protocol=tcp tcp-flags=fin,syn,rst 
add action=mark-packet chain=postrouting new-packet-mark=ACK_U out-interface=ether1 passthrough=no protocol=tcp tcp-flags=fin,syn,rst

Thanks.

Xtreme512 · September 1, 2017, 8:48pm

No comment? Little help here, please.

Xtreme512 · September 2, 2017, 10:24pm

OK, it seems like routeros checks if all of the tcp-flags you put matches in a packet (like “and” logic). Therefore, not a single packet contains both syn, fin, rst at the same time and result is a no catch.
I seperated each and single tcp-flags in seperate mangle rules and it is fine now.