We have some MT bridges we use in certain areas in which I need to use the packet sniffer.
In our office router I can stream the output to my laptop and accept the information into Wireshark.
This is easy because I’m inside the same subnet and network.
What I’d like to do is somehow have data outside from one of the MikroTik bridges stream some packets to my office MikroTik router.
Does the streaming actually send the data as it is (meaning all ports/protocols etc) or does it use a specific port?
I need to somehow set up my laptop on the DMZ of this particular MikroTik office router to accept the stream from the bridge in another network… How would I do this without interrupting other port forwards and office traffic?
Nobody has tried this?
I’ve tried to see what port the actual stream of data comes in on but it only shows the winbox port. So I port forwarded the winbox port on my mikrotik router into my laptop and tried to send data from outside directly to my laptop with no luck.
When Mikrotik streams the sniffer data which port / protocol does it use?
It’s using TZSP encapsulation… so everything is wrapped inside of a TZSP packet and then forwarded via UDP, I believe. It should be on a single port. Make sure the remote side isn’t sending ICMP rejects because that port isn’t listening - that happens on Windows Wireshark for some reason.
http://en.wikipedia.org/wiki/TZSP
Oh great, thanks. I was forwarding TCP. I think that might be part of it.
Hmm no luck on UDP either. I am receiving packets from the router but only from the actual bridge’s IP. Not the actual payload of data. When I finish the sniff the mikrotik source of data (the bridge) does show its connections and packets etc.
I changed my office router to forward all udp packets on port 8291 (winbox port) to me on the same port 8291.
Anyone else been able to successfully use the sniffer to stream data through routers and then behind a nat to a computer?
I’ve used this many times before. It works as expected.

You can see that while the packet sniffer is streaming data, it’s sending on port 44194 to the remote machine. The second line is ICMP rejects because the remote machine isn’t listening on port 44194, but it’s at least sending them. Wireshark will not open up port 44194 on its own, so you have to set up netcat or something else so they don’t get ICMP rejected.
Try turning on TORCH and looking for the stream while it’s running. It might not be 44194 on your system possibly.
Sam
Thanks for the info I’ll give it a try.