I have a quick question about how (and whether) packet sniffing on MikroTik that is used just as a switch works.
This is my setup:
IP device (192.168.2.3) → eth → MikroTik RB952Ui-5ac2nD (eth1-eth5 bridged) (192.168.2.2) → eth → MikroTik RB750Gr3 (eth2-eth5 bridged, eth1 WAN, NAT) (192.168.2.1) → eth (WAN) → modem → internet
Using MK 192.168.2.1’s packet sniffer, I can see some communication between 192.168.2.3 and the internet. However, using the same filter rules, I am unable to see these packets in MK 192.168.2.2, even though they surely had to pass through that switch.
I have tried TCP/UDP/ICMP from 192.168.2.3 to the internet, but I can see nothing in MK 192.168.3.2. All I can see are the broadcasts & multicasts. It works the same when using interface->torch instead of the packet sniffer.
So I have tried to set it using WinBox GUI by going to Switch->Rule->New switch rule, setting “Ports” to my ethernet port and in “Action” checked “Copy to CPU”/“Redirect to CPU”/“Mirror”, but I am getting “not supported for this switch(6)” error for all three action options. Is it really not supported or am I doing something wrong? Or is there some other way to achieve this?
I was hoping that there is some way to force the packets to be handled by CPU as well. But according to this page https://help.mikrotik.com/docs/display/ROS/Switch+Chip+Features , I would need a MikroTik with switch chip that supports “Rule table” if I understood it right.
Yes…
In a CRS3xxx for example you could either use port mirroring or copy to cpu rules so that you can then sniff the packets using the packet sniffer…
On Atheros 8227, you can copy all traffic of one port to another port by a special setting rather than using switch chip rules, e.g: /interface ethernet switch set mirror-source=ether1 mirror-target=ether5
This is useful when you want to connect an external sniffing device (a computer running tcpdump or Wireshark, or possibly another Mikrotik).
If the volume of the traffic running through the port you want to sniff at by the Mikrotik directly is so low that the CPU will not get overloaded from just sniffing it, chances are high that it won’t get overloaded from bridging it either. So if you set hw=no on the appropriate /interface bridge port row, traffic to/from this port will run through the CPU and you can sniff it normally.
Oh I see, so the RB952Ui-5ac2nD has “Atheros 8227” switch chip and the “QCA9531 SoC” is just wifi chip .. that’s why I have not found it ..
And yes, with WireShark and port mirroring it’s working nicely, thank you very much. The hw=no works too, and it’s probably even better for me now, since there is minimal traffic.
Also have found a third partial solution - use port mirroring and set mirror-target to CPU. Packet sniffer can be used, but it sniffs only outgoing packets.
If I read it right, AR8227 is a silicon functional block that can be packaged separately or bundled in the same case with other functional blocks. So in this particular case, it is a part of the QCA9531 SoC.
I did test on hardware offloaded ports, and port mirroring copies both ingress and egress traffic to the target port as it is supposed to do… For example, connecting my computer to the source port and initiating an ICMP message with the router, then from the target port, on which I was capturing the traffic with Wireshark, I could see the received and sent ICMP packets of the source port and the router, which of course otherwise you can’t…
Yes, I confirm again that if I mirror the port I want to sniff to another port, it works for me too and I can see traffic both ways with WireShark. (That’s the “solution 1”.)
Solution 2 is just setting the hardware offload to false and sniffing using MikroTik => also works both ways.
Then I noticed that the mirror target can be set to “CPU” instead of an ethernet port, so I can sniff it using MikroTik even with port mirroring (but performance-wise it’s probably comparable to setting the HW offload to false). And with this setting, I can only sniff one-way communication using the packet sniffer in MikroTik. Have you tested that too? But it’s just for curiosity, since the first 2 solutions work perfectly fine.
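Pulling the three approaches from the replies above into one RouterOS CLI sequence, as an added example that is not from any post in this thread: it assumes the sniffed host (192.168.2.3) sits on ether2 of the RB952Ui-5ac2nD and a Wireshark machine is plugged into ether5; the sniffer filter values, the capture file name and the `[find]` selector for the switch chip are assumptions.

```routeros
# Added example, not from the thread. Assumed layout: host 192.168.2.3 on ether2,
# external capture machine on ether5, single AR8227 switch chip selected by [find].

# Option 1: switch-chip port mirroring to another port. Both directions of ether2
# are copied to ether5 for Wireshark; no switch "rule table" support is needed.
/interface ethernet switch set [find] mirror-source=ether2 mirror-target=ether5

# Option 2: drop ether2 out of hardware offload so its frames are bridged by the
# CPU and become visible to the on-board packet sniffer and torch.
/interface bridge port set [find interface=ether2] hw=no
/tool sniffer set filter-interface=ether2 filter-ip-address=192.168.2.3/32 filter-ip-protocol=icmp file-name=host-2-3.pcap
/tool sniffer start
# ... generate some traffic from 192.168.2.3, then stop and download the .pcap:
/tool sniffer stop

# Option 3: mirror to the CPU instead of a port. The thread reports the on-board
# sniffer then shows only one direction, so prefer option 1 or 2 for full capture.
/interface ethernet switch set [find] mirror-source=ether2 mirror-target=cpu

# Clean-up: remove the mirror and restore hardware offload on ether2 when done.
/interface ethernet switch set [find] mirror-source=none mirror-target=none
/interface bridge port set [find interface=ether2] hw=yes
```

Run only one of the three options at a time; with hw=no in place, all traffic of that port is handled in software, which is fine for the low volumes discussed here but should be reverted afterwards.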