Hello,
Documentation of the packet flow (https://wiki.mikrotik.com/wiki/Manual:Packet_Flow) is probably the page I visit most on the MikroTik Wiki. The question is: where in the diagram should we locate tools like the Packet Sniffer and Ping?
Why do I ask? I would like to analyse IPsec traffic. From router A I sent ICMP packets to a host behind router B (with the source address of the packet set to router A's local address). The routers are connected by an IPsec VPN tunnel. Looking at the log from the Packet Sniffer, I see ESP traffic in both directions as well as ICMP replies from the local address of the queried host behind router B (so after decapsulation), but I don't see any ICMP requests with router A's local source address. Why is that?
bump
I'd say ping starts in "Router Processes" / LOCAL OUT, so it likely escapes before the sniffer would see it unencrypted. On router B it's "forwarded", NOT a local process as on router A, so it'll see the reply before encap.
When you configure plain IPsec tunnel policies, you are asking for this kind of trouble…
If this thread is only about best practices for using Packet Sniffer on IPsec traffic, then this answer is OT.
Plain IPsec usually doesn't pose any significant issues. If your IPsec peer is active (i.e. an established SA for each IP), it typically involves routing problems like forgetting to set "src-nat=accept" for the respective subnets or the IPsec policy not matching the subnets. From this perspective, I believe "VTI" would simplify the management of IPsec routing a lot…
Yes but with IPsec tunnel interfaces it is always unclear where to sniff. On a plain Linux system the issue is exactly the same.
Because the plaintext traffic and the encrypted traffic are assigned to the same interface.
Indeed, with VTI it would be better, but MikroTik has no VTI. Instead you can use an encrypted IPIP or GRE tunnel and this issue will be solved (and a lot of other issues as well).
If you want to be specific about where and what to sniff, then better use the sniffer in Mangle. When pinging from local through to WireGuard, that traffic passes the sniffed Output chain twice: once exiting as the ping itself, and then again after being encrypted, no longer recognizable as ping.
/ip firewall mangle
add action=sniff-tzsp chain=output comment="Sniffer - ping" protocol=icmp sniff-target=192.168.88.100 sniff-target-port=37008
Send it to Wireshark, listening on IP address 192.168.88.100, UDP port 37008, and there you can analyze it or save it to a file.
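As an added example (not code from this thread or from MikroTik), here is a small TZSP decoder for the UDP stream that the `action=sniff-tzsp` mangle rule above emits. It strips the TZSP header and tag list, decodes Ethernet/IPv4, and labels each frame as ICMP or ESP, which makes the "two passes through the output chain" visible: the plaintext echo-request on its first trip, and the ESP packet it becomes after encryption. The two sample datagrams are constructed by hand (the addresses and SPI are made up), and port 37008 is assumed to be the RouterOS default sniff-target-port as used in the rule above.

```python
"""
Added example, not from the forum thread: minimal TZSP receiver/decoder for
RouterOS 'action=sniff-tzsp' output. Sample datagrams are constructed, not
captured from a router; addresses and SPI are invented for illustration.
"""
import socket
import struct
from dataclasses import dataclass
from typing import Optional

TZSP_PORT = 37008              # assumed RouterOS default sniff-target-port
TZSP_ENCAP_ETHERNET = 0x0001   # encapsulated protocol: Ethernet
TZSP_TAG_PADDING = 0x00
TZSP_TAG_END = 0x01
ETHERTYPE_IPV4 = 0x0800
IPPROTO_ICMP = 1
IPPROTO_ESP = 50


@dataclass
class Frame:
    src: str
    dst: str
    proto: int
    detail: str   # e.g. "ICMP echo-request" or "ESP spi=0x..."


def parse_tzsp(datagram: bytes) -> bytes:
    """Strip the 4-byte TZSP header and the tag list; return the encapsulated frame."""
    if len(datagram) < 4:
        raise ValueError("TZSP datagram too short")
    version, _kind, encap = struct.unpack("!BBH", datagram[:4])
    if version != 1 or encap != TZSP_ENCAP_ETHERNET:
        raise ValueError(f"unsupported TZSP version={version} encap={encap:#06x}")
    pos = 4
    while True:
        if pos >= len(datagram):
            raise ValueError("TZSP tag list not terminated")
        tag = datagram[pos]
        pos += 1
        if tag == TZSP_TAG_END:
            break
        if tag == TZSP_TAG_PADDING:
            continue
        length = datagram[pos]      # every other tag is TLV: 1-byte length
        pos += 1 + length
    return datagram[pos:]


def classify(frame: bytes) -> Optional[Frame]:
    """Decode Ethernet + IPv4 and describe the layer-4 protocol (ICMP, ESP, other)."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if len(ip) < 20:
        return None
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    src = socket.inet_ntoa(ip[12:16])
    dst = socket.inet_ntoa(ip[16:20])
    payload = ip[ihl:]
    if proto == IPPROTO_ICMP and len(payload) >= 4:
        name = {8: "echo-request", 0: "echo-reply"}.get(payload[0], f"type {payload[0]}")
        return Frame(src, dst, proto, f"ICMP {name}")
    if proto == IPPROTO_ESP and len(payload) >= 8:
        spi = struct.unpack("!I", payload[:4])[0]
        return Frame(src, dst, proto, f"ESP spi={spi:#010x}")
    return Frame(src, dst, proto, f"IP proto {proto}")


def build_sample(src: str, dst: str, proto: int, l4: bytes) -> bytes:
    """Constructed TZSP datagram: header + END tag + Ethernet + IPv4 (no checksums) + l4."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return struct.pack("!BBH", 1, 0, TZSP_ENCAP_ETHERNET) + bytes([TZSP_TAG_END]) + eth + ip + l4


SAMPLES = [
    # pass 1 through output: plaintext echo-request from router A's (invented) LAN address
    build_sample("192.168.1.1", "192.168.2.10", IPPROTO_ICMP, b"\x08\x00\x00\x00\x00\x01\x00\x01"),
    # pass 2: the same packet after IPsec encapsulation, ESP between the (invented) public peers
    build_sample("203.0.113.1", "198.51.100.1", IPPROTO_ESP, struct.pack("!II", 0xC0FFEE01, 1) + b"\x00" * 16),
]


def listen(bind: str = "0.0.0.0", port: int = TZSP_PORT) -> None:
    """Live mode: bind the sniff-target port and print one line per decoded frame."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        data, peer = sock.recvfrom(65535)
        f = classify(parse_tzsp(data))
        if f:
            print(f"{peer[0]}: {f.src} -> {f.dst} {f.detail}")


if __name__ == "__main__":
    for d in SAMPLES:
        f = classify(parse_tzsp(d))
        print(f"{f.src} -> {f.dst} {f.detail}")
```

Run it as-is to decode the two constructed samples, or call `listen()` on the host named in `sniff-target` to watch the live stream. Note that the `protocol=icmp` match in the mangle rule above only catches the first pass; drop the match (or add a second rule with `protocol=ipsec-esp`) if you also want the encrypted copy delivered.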