Packet Sniffer stops after 45 minutes

I am using a CCR1072 with ROS 6.45.7, and I noticed that after 45 minutes, Packet Sniffer stops streaming packets to the preset server, although in Winbox it still indicates that it is “running”. The same happens if I select a file instead of streaming.

Can someone tell me if this is the “expected” behavior, or is this a bug? Maybe the packet sniffer tool is not designed to be used for relatively long captures. In this case, can someone tell me what other options I have with ROS? The amount of data I need to capture is really small (100-200MB a day, all of it is signalling), but the capture might need to run for a week or so.

Thanks in advance!

For a more permanent sniffing solution, you might take a look at firewall mangle, action sniff-tzsp:

https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Mangle

Thanks! I already set up the “sniff TZSP” mangle rule. My only problem is that the output is “half sided”. It means I receive only one direction of the packets (the incoming direction). How can I set this up to get the full bidirectional traffic? The protocol is SCTP by the way.

Not sure about SCTP, but remember that there are multiple chains in the firewall (prerouting/postrouting and input/output/forward).

This example sniffs ssh connections, both packets to the server (dst-port=22) and back to client (src-port=22).


/ip firewall mangle
add action=sniff-tzsp chain=prerouting dst-port=22 protocol=tcp sniff-target=192.168.88.x sniff-target-port=37008
add action=sniff-tzsp chain=postrouting protocol=tcp sniff-target=192.168.88.x sniff-target-port=37008 src-port=22

What I did is something similar: just added a second preroute sniff rule for the other interface, so now both sides are captured:

chain=prerouting action=sniff-tzsp sniff-target=192.168.1.100 sniff-target-port=37008 protocol=sctp in-interface=sfp-sfpplus5 log=no log-prefix=""
chain=prerouting action=sniff-tzsp sniff-target=192.168.1.100 sniff-target-port=37008 protocol=sctp in-interface=sfp-sfpplus6 log=no log-prefix=""
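
Added example, not part of the thread: a receiver-side check that the sniff-tzsp stream arriving on the sniff target really contains both directions, by stripping the TZSP header from each UDP payload and counting SCTP packets per (source, destination) pair. It assumes TZSP version 1 with Ethernet encapsulation and untagged IPv4; the function names, addresses and ports are constructed for illustration.

```python
import struct
from collections import Counter
TAG_PADDING, TAG_END, ENCAP_ETHERNET, IPPROTO_SCTP = 0x00, 0x01, 1, 132

def strip_tzsp(datagram: bytes) -> bytes:
    """Return the encapsulated Ethernet frame from one TZSP UDP payload."""
    if len(datagram) < 4:
        raise ValueError("short TZSP header")
    version, _ptype, encap = struct.unpack("!BBH", datagram[:4])
    if version != 1 or encap != ENCAP_ETHERNET:
        raise ValueError("unsupported TZSP version or encapsulation")
    pos = 4
    try:
        while True:
            tag = datagram[pos]
            if tag == TAG_END:        # frame starts right after the end tag
                return datagram[pos + 1:]
            # padding is a lone byte; other tags are tag, length, value
            pos += 1 if tag == TAG_PADDING else 2 + datagram[pos + 1]
    except IndexError:
        raise ValueError("no TZSP end tag") from None

def sctp_flow(frame: bytes):
    """(src_ip, src_port, dst_ip, dst_port) for untagged IPv4/SCTP, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20 or ip[9] != IPPROTO_SCTP or len(ip) < ihl + 4:
        return None
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return (".".join(map(str, ip[12:16])), sport, ".".join(map(str, ip[16:20])), dport)

def direction_counts(datagrams):
    """Count packets per flow tuple; a one-sided capture shows a single key."""
    counts = Counter()
    for d in datagrams:
        try:
            flow = sctp_flow(strip_tzsp(d))
        except ValueError:
            continue                  # not TZSP or truncated: ignore
        if flow:
            counts[flow] += 1
    return counts

def make_sample(src, dst, sport, dport, tags=b""):
    """Constructed test datagram: TZSP + Ethernet + IPv4 + SCTP common header."""
    ip = bytes([0x45, 0, 0, 32, 0, 0, 0, 0, 64, IPPROTO_SCTP, 0, 0]) + bytes(src) + bytes(dst)
    frame = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + struct.pack("!HHII", sport, dport, 0, 0)
    return struct.pack("!BBH", 1, 0, ENCAP_ETHERNET) + tags + bytes([TAG_END]) + frame
```

Feed `direction_counts` the payloads read from a UDP socket bound to the sniff-target-port (37008 in the rules above); if only one tuple ever appears, one of the two sniff rules is not matching.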