Hi there,
I want to analyze network traffic - http, https and other tcp protocols and I need to capture first 10 packets from each connection, is that possible anyhow? For now, I can stream capture to another machine, or capture everything and download the capture files, but it woult be nice it that can be limited.
My objective is to see http host and https tls-host for each connection to make a log of http and https access and I dont want to use proxy.
Do you have any idea?
Best regards,
Jan
It would be great if I can sniff only marked packets, but it is not possible, am I right?
You can use action=sniff-tzsp in mangle rules. So you can either set the match conditions directly in that rule, or you can assign packet-marks in preceding rules and then match on them in the sniff-tzsp rule. To sniff into a file on Mikrotik this way, you’d have to send the TZSP packets to some existing destination (it must respond to ARP requests) and sniff on the output port, matching on the destination address and maybe UDP. You can not match on the TZSP port because there is no port in fragments, and large packets will get fragmented due to the additional ether+IP+UDP+TZSP headers.
Wow! Thank you!