Forwarding packets on input chain

I have the default firewall rules that drop packets on the input chain. While I know I can log these, I would like to be able to forward them to a computer running Wireshark.

Is there a combination of mangle and firewall rules that would allow me to redirect packets from the input chain to a computer on the LAN? The packets are those that would normally have been dropped by the standard drop rule.

Hello,

Just add a NAT rule that will dstnat the input traffic to the Wireshark computer. Be as specific as you can to be certain what traffic is affected and that it does not go anywhere else by mistake.

Also add a fw filter that allows that traffic to that computer.

Again, make sure not to leave holes in your security.

Sent from Tapatalk

Mangle rules support action=sniff-tzsp, which is specifically made for sniffing packets and sending them elsewhere. The trouble is, mangle happens before filter, so if you have several rules there and you’re only interested in packets that get to last drop rule, you’d have to duplicate the whole filtering logic in mangle.

Mangle can work in prerouting, input, forward, output or postrouting chains…


Sent from my iPhone using Tapatalk

Mangle does work in input chain, but still before input’s filter. So if I have e.g.:

/ip firewall filter
add chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid
add chain=input in-interface=ether1
add chain=input src-address-list=Trusted
add chain=input protocol=icmp
<several other rules>
add action=drop chain=input

… and I’m only interested in packets dropped by the last rule, I don’t see an easy way to do it.

I asked nearly the exact same question - how to TZSP packets on the last drop rules - and was promptly chastised & nearly got into an argument on the mikrotik channel on freenode.

Whoever I was talking with acted like I was an idiot for asking, couldn’t possibly understand the need, essentially told me I should already be able to define the traffic being dropped, and then went down some weird path of *cap scripting suggestions.

The question & need seems simple though, to me.

Earlier today I read a thread on Splunk and how it can accept logs from Mikrotik, of which it worked with logging specifics of policies. It appeared there may be a way to pull something off there, but it wouldn’t be TZSP. Not quite sure.

So yeah, I have pretty much the same question. I’d like to be able to TZSP dropped packets over to Wireshark.

There’s an option log=yes (and related log-prefix=…) that you can add to any rule. You can also send logs to syslog on another machine, so you can use this to get some basic info about dropped packets (when you add logging to the drop rule). But if you’re interested in the whole packet, this won’t help you.

You can play in mangle and add the same/similar rules as in filter, to finally end up with the same packets that in filter get to the last drop rule. It may be doable (I’m not sure about all the more complex rules), but it would be a huge mess.

I don’t know how hard it would be for MikroTik to add it, but I can surely imagine TZSP sniffing as the same kind of global option that log=yes is, so that it could be used with any rule.
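To make the two approaches discussed in this thread concrete (remote logging on the final drop rule, and mirroring the input filter logic in mangle so that only the packets that would reach that drop rule are sent with action=sniff-tzsp), here is an added RouterOS configuration example. It is not from the original posts or from MikroTik; it uses the filter rules quoted earlier in the thread and assumes the Wireshark host is 192.168.88.10 on the LAN (a constructed address) and that Wireshark listens for TZSP on the default UDP port 37008. Any rules hidden behind "<several other rules>" in the quoted filter would have to be mirrored in the mangle chain in the same way.

```routeros
# --- 1. Basic info only: log the final input drop and ship logs to syslog ---
# Assumed remote syslog target; the Wireshark host at 192.168.88.10 is a constructed address.
/system logging action
add name=lan-syslog target=remote remote=192.168.88.10 remote-port=514
/system logging
add topics=firewall action=lan-syslog

# The final drop rule from the thread, now with logging enabled.
/ip firewall filter
add action=drop chain=input log=yes log-prefix="INPUT-DROP"

# --- 2. Whole packets: mirror the filter accept logic in mangle, then sniff ---
# Mangle runs before filter, so every packet that filter would accept is
# "accepted" here first (action=accept ends mangle processing for that packet
# without touching it). Whatever falls through is exactly the set that would
# reach the final drop rule in filter, and only those are copied to Wireshark.
/ip firewall mangle
add chain=input action=accept connection-state=established,related
add chain=input action=accept connection-state=invalid \
    comment="dropped earlier in filter, so not of interest here"
add chain=input action=accept in-interface=ether1
add chain=input action=accept src-address-list=Trusted
add chain=input action=accept protocol=icmp
# ... mirror any further accept rules from the filter chain here ...
add chain=input action=sniff-tzsp sniff-target=192.168.88.10 \
    sniff-target-port=37008 comment="copy of what the final input drop will discard"
```

The sniff-tzsp rule does not alter the packet; the original still continues into the filter chain and is dropped there as before, while a TZSP-encapsulated copy is sent to the capture host. Because the copy is emitted from the router itself, the existing output-chain rules must permit UDP to 192.168.88.10:37008, and the capture host should be on a trusted segment, since the mirrored traffic is by definition what the firewall rejected.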