Hi,
I’m trying to set up a packet sniffer with a filter like ((arp) or (host ) or (ether host )) on the MikroTik sniffer.
I’ve noticed that on console, there’s option “filter-operator-between-entries”, but even on “or”, having:
filter-mac-protocol: arp
filter-ip-address: /32
won’t give me any captured traffic. If I leave out the arp, it will.
The point is, it seems I’ve got a device on the network that tries to ARP-poison from time to time (roommate's potentially compromised Android phone), so we’re trying to catch it when it happens. Therefore a filter to catch all ARP, plus traffic from the phone's IP and MAC.
Can it be done, or do I need to span all traffic and filter it later?
Gh.
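If the capture ends up being "span everything and filter later", the filtering and the ARP-conflict check can be done offline over the raw frames. The following is an added example, not code from the poster or from MikroTik: it parses Ethernet/ARP/IPv4 headers by hand, applies the OR filter the post describes (arp OR host IP OR ether host MAC), and flags any IP that is claimed by more than one sender MAC, which is the symptom of ARP poisoning. All addresses and frames are constructed for the demo; the helper names are my own.

```python
import struct

ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800


def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(s):
    return bytes(int(o) for o in s.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(src_mac, src_ip, dst_mac, dst_ip, op):
    """Constructed Ethernet + ARP frame (op 1 = request, 2 = reply)."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, op)
    arp += mac_bytes(src_mac) + ip_bytes(src_ip) + mac_bytes(dst_mac) + ip_bytes(dst_ip)
    return eth + arp


def build_ipv4(src_mac, src_ip, dst_mac, dst_ip):
    """Constructed Ethernet + minimal 20-byte IPv4 header (UDP, no payload)."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                      ip_bytes(src_ip), ip_bytes(dst_ip))
    return eth + hdr


def parse_frame(raw):
    """Return a dict describing the frame; only ARP and IPv4 are decoded further."""
    f = {"dst_mac": mac_str(raw[0:6]), "src_mac": mac_str(raw[6:12]),
         "ethertype": struct.unpack("!H", raw[12:14])[0]}
    if f["ethertype"] == ETHERTYPE_ARP and len(raw) >= 42:
        f["arp_op"] = struct.unpack("!H", raw[20:22])[0]
        f["sender_mac"] = mac_str(raw[22:28])
        f["sender_ip"] = ip_str(raw[28:32])
        f["target_ip"] = ip_str(raw[38:42])
    elif f["ethertype"] == ETHERTYPE_IPV4 and len(raw) >= 34:
        f["src_ip"] = ip_str(raw[26:30])
        f["dst_ip"] = ip_str(raw[30:34])
    return f


def filter_frames(raw_frames, host_ip, host_mac):
    """Keep frames matching: arp OR host <ip> OR ether host <mac>."""
    kept = []
    for raw in raw_frames:
        f = parse_frame(raw)
        is_arp = f["ethertype"] == ETHERTYPE_ARP
        is_host = host_ip in (f.get("src_ip"), f.get("dst_ip"))
        is_ether = host_mac in (f["src_mac"], f["dst_mac"])
        if is_arp or is_host or is_ether:
            kept.append(f)
    return kept


def arp_conflicts(raw_frames):
    """Map each ARP sender IP to the set of MACs that claimed it; report IPs with >1 MAC."""
    claims = {}
    for raw in raw_frames:
        f = parse_frame(raw)
        if f["ethertype"] == ETHERTYPE_ARP:
            claims.setdefault(f["sender_ip"], set()).add(f["sender_mac"])
    return {ip: macs for ip, macs in claims.items() if len(macs) > 1}


def sample_frames():
    """Constructed capture: a legitimate gateway reply, a spoofed reply for the
    same gateway IP from the phone's MAC, and some unrelated unicast traffic."""
    gw_mac, gw_ip = "aa:bb:cc:00:00:01", "192.168.88.1"
    pc_mac, pc_ip = "aa:bb:cc:00:00:20", "192.168.88.20"
    phone_mac, phone_ip = "de:ad:be:ef:00:50", "192.168.88.50"
    return [
        build_arp(gw_mac, gw_ip, pc_mac, pc_ip, 2),             # genuine reply
        build_arp(phone_mac, gw_ip, pc_mac, pc_ip, 2),          # phone claims gateway IP
        build_ipv4(pc_mac, pc_ip, "aa:bb:cc:00:00:30", "192.168.88.30"),  # unrelated
        build_ipv4(phone_mac, phone_ip, gw_mac, "8.8.8.8"),     # phone's own traffic
        build_arp(pc_mac, pc_ip, "ff:ff:ff:ff:ff:ff", gw_ip, 1),  # broadcast request
    ]


if __name__ == "__main__":
    frames = sample_frames()
    for f in filter_frames(frames, "192.168.88.50", "de:ad:be:ef:00:50"):
        print(f)
    print("conflicts:", arp_conflicts(frames))
```

Running it keeps four of the five constructed frames (the unrelated unicast IPv4 frame is dropped) and reports 192.168.88.1 as claimed by two different MACs. The same `arp_conflicts` logic works over a real capture once the frames are pulled out of the pcap.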