Exporting Torch data...

I’m taking a ton of port scan attempts on the WAN input - consuming 4-20 Mb of bandwidth for the last month. They haven’t gotten through the firewall, but I want to reach out to the ISPs that the scanners are originating from. The only logical way I can do this is to figure out how to capture the data I see on Torch - but there is no option to export or aggregate that data.

Suggestions?

Use Packet Sniffer; you can stream the packets to Wireshark on your PC, then save them for further filtering.

Packet Sniffer - RouterOS - MikroTik Documentation

Sniffer catches packets before they go into the firewall (direction=rx) or after they leave it (direction=tx).

I was told that I can’t use the Packet Sniffer because the traffic doesn’t go ‘through’ the router - it is blocked by the firewall. Do you agree?

I think Torch and Packet Sniffer are very related.

Just as the documentation says, packets blocked by the firewall are still caught by the sniffer.

Sniffer catches packets before they go into the firewall (direction=rx) or after they leave it (direction=tx).

1 Like

Yeah, Torch is more a “quick view” of current flows, but AFAIK there is no “print as-value” or “monitor” in the CLI for it that allows some “export”.

You can use /tool/sniffer to save packets and then use Wireshark to extract flow (like torch) & more.

But there is also a “streaming mode” in /tool/sniffer that lets you forward packets to a PC running Wireshark. It uses the TZSP protocol, so in Wireshark you typically use a BPF filter on the TZSP port so you see just the router’s “streaming” traffic, not all traffic on the PC interface.

And you can actually use the firewall action action=sniff-tzsp in a mangle rule, which will do the same as /tool/sniffer but stream only the packets matched by the mangle rule. This lets you capture only the packets that “would be” blocked, if the mangle rule is put in the right spot for your config.

2 Likes
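As an added example (not posted by anyone in this thread), a small Python receiver for the TZSP stream the replies above describe: it strips the TZSP header from each datagram the router sends, pulls the source address and destination port out of the encapsulated IPv4 frame, and tallies them per source, which is the per-source view Torch shows but does not export and is what you would hand to an abuse contact. It assumes the router’s streaming-server is pointed at this host on UDP 37008 (the TZSP default); the sample datagrams are constructed inline, not captured.

```python
import struct
from collections import Counter

TZSP_PORT = 37008  # default UDP port for TZSP streaming (assumed; point streaming-server at this host)

def parse_tzsp(datagram):
    """Strip the TZSP header; return the encapsulated Ethernet frame, or None if not TZSP v1/Ethernet."""
    if len(datagram) < 4 or struct.unpack("!BBH", datagram[:4]) != (1, 0, 1):  # v1, received pkt, Ethernet
        return None
    i = 4
    while i < len(datagram):
        tag = datagram[i]
        if tag == 1:                  # TAG_END: the captured frame follows
            return datagram[i + 1:]
        if tag == 0:                  # TAG_PADDING has no length byte
            i += 1
        elif i + 1 < len(datagram):
            i += 2 + datagram[i + 1]  # skip tag, length and value
        else:
            return None
    return None

def flow_key(frame):
    """Return (src_ip, dst_port, proto) for an IPv4 TCP/UDP Ethernet frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    l4, proto = 14 + (frame[14] & 0x0F) * 4, frame[23]  # L4 offset from IHL; IP protocol number
    if proto not in (6, 17) or len(frame) < l4 + 4:
        return None
    return ".".join(map(str, frame[26:30])), struct.unpack("!H", frame[l4 + 2:l4 + 4])[0], proto

def aggregate(datagrams):
    """Count (src_ip, dst_port) pairs over TZSP datagrams; frames that are not IPv4 TCP/UDP are skipped."""
    counts = Counter()
    for frame in filter(None, map(parse_tzsp, datagrams)):
        key = flow_key(frame)
        if key:
            counts[key[:2]] += 1
    return counts

def scan_summary(counts):
    """Distinct destination ports per source; many ports from one source is the pattern to report."""
    ports = {}
    for src, port in counts:
        ports.setdefault(src, set()).add(port)
    return {src: len(p) for src, p in ports.items()}

def make_sample(src, dst_port):
    """Constructed TZSP datagram wrapping a minimal Ethernet/IPv4/TCP SYN (test data, not a capture)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                     bytes(int(x) for x in src.split(".")), bytes([203, 0, 113, 1]))
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 0, 0, 0x50, 0x02, 65535, 0, 0)
    return b"\x01\x00\x00\x01\x01" + b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00" + ip + tcp
```

For live use, bind a UDP socket on TZSP_PORT and pass the datagrams it receives to aggregate(), then read scan_summary() off the result.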