Logging traffic

By Danish law I need to log every 500. packet or the start and stop packet of a session…
It is a stupid law, yes… but hey, what can I do… I may get a ticket or jail time?

But can this be done by RouterOS? To log every 500. packet to a file?
I use an RB333 atm, but upgrading to RB433 or x86 in time…

What does it mean - ‘every 500.’? Every 500th packet?

I think he means “first 500 packets of every session” or something like that. OP - have you looked into the CALEA or into the packet sniffer features? Both of them are meant for capture of streams for similar purposes.

Normis is right, you may go with Calea,

it has option,
sniff - generates a tzsp stream that can be directed to any Wireshark (Ethereal) server

you may use,
pcap-file-stop-count - maximal packet count
when to stop current tzsp stream.


More information about Calea,
http://wiki.mikrotik.com/wiki/Calea



It’s every 500th packet and not per session…

Never heard about CALEA… :slight_smile:
But it looks like the thing I need… Thanks normis and sergejs…

What is the use of logging every 500th packet???

Danish terror law… it’s so stupid…
They can’t track anything…

It says that I need to log:
protocol - dst ip+port - source ip+port - date/time

There are two ways… start/stop packet of a session or every 500th packet…
And only if there are over 100 users on my network…


So what they say is that 1 of a 100 is a terrorist?

Stop, stop!
What exactly do you need to log - “protocol - dst ip+port - source ip+port - date/time” OR “every 500th packet”? If first - it’s just NetFlow information! NetFlow data contains address/ports, protocol and start/stop time of every IP stream - it is what we use when law machinery approaches us about another misdeed

I need to log “protocol + dst ip/port + src ip/port + date/time” on every 500th packet…
(drop 499 packets and log 1 then drop 499 again and log 1)

Well, NetFlow gives you more information than you need =) so you may rely on it. You will know all packets, not only every 500th.

You may use option ‘nth’ and action=log.

Add to nth=1,501 action=log, that should log every 500th packet; it will give you src/dst address and port, and time as well.
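Whichever rule produces the entries, the logged lines still have to be reduced to the required fields (protocol, source and destination IP and port, date/time). The following parser is an added example, not code from this thread or from MikroTik; it assumes lines shaped like RouterOS firewall log output written to a file, and the sample lines and the `nth500` log prefix are constructed.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

class Record(NamedTuple):
    timestamp: str
    protocol: str
    src_ip: str
    src_port: Optional[int]   # None for protocols without ports (e.g. ICMP)
    dst_ip: str
    dst_port: Optional[int]

# Assumed layout: "<date> <time> <topics> <prefix> <chain>: ..., proto P (flags), a:p->b:p, len N"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) .*?proto (?P<proto>[A-Za-z0-9-]+)(?: \([^)]*\))?, "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))?->"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?"
)

def _port(value: Optional[str]) -> Optional[int]:
    return int(value) if value is not None else None

def parse_line(line: str) -> Optional[Record]:
    """Return the retention fields of one firewall log line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return Record(m["ts"], m["proto"].upper(), m["src"], _port(m["sport"]),
                  m["dst"], _port(m["dport"]))

def parse_log(lines: List[str]) -> Tuple[List[Record], List[str]]:
    """Split a log into parsed records and lines that did not match (kept for review)."""
    records, rejected = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            rejected.append(line)
        else:
            records.append(rec)
    return records, rejected

# Constructed sample lines (documentation addresses, made-up MACs and prefix).
SAMPLE_LOG = [
    "jan/02/2009 10:15:01 firewall,info nth500 forward: in:ether2 out:ether1, src-mac 00:0c:42:00:00:01, proto TCP (SYN), 192.0.2.10:51234->198.51.100.7:80, len 52",
    "jan/02/2009 10:15:09 firewall,info nth500 forward: in:ether2 out:ether1, src-mac 00:0c:42:00:00:02, proto UDP, 192.0.2.11:5353->198.51.100.53:53, len 71",
    "jan/02/2009 10:15:12 firewall,info nth500 forward: in:ether2 out:ether1, src-mac 00:0c:42:00:00:01, proto ICMP (type 8, code 0), 192.0.2.10->198.51.100.7, len 84",
    "jan/02/2009 10:15:13 system,info user admin logged in",
]

if __name__ == "__main__":
    for rec in parse_log(SAMPLE_LOG)[0]:
        print(rec)
```

Lines that do not match are returned separately rather than dropped, so a change in log format shows up as a growing reject list instead of silently missing records.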

Chupaka,

I hear what you say about the netflow, but maybe with such a stupid law they make it worse by saying that if you take a 100% netflow you are infringing on people's privacy by logging ALL data!

You never know.

Move to Africa, we don't have laws… :wink:

You do not log all data, you only log connection information, w/o stream data - all clear =)

On my way :laughing: