Winbox Protocol Dissector

A Cisco-sourced contribution:
https://github.com/Cisco-Talos/Winbox_Protocol_Dissector

Background:
https://arstechnica.com/information-technology/2018/09/unpatched-routers-being-used-to-build-vast-proxy-army-spy-on-networks/
https://arstechnica.com/information-technology/2018/09/researchers-find-russian-vpnfilter-malware-was-a-swiss-army-hacking-knife/

Very nice, this will make finding vulnerabilities in the protocol much easier!

I loaded up the dissector and captured a small bit of traffic. My understanding from the Cisco article is that it will only work on unencrypted sessions. I believe all newer versions of Winbox use encryption, and my small capture didn’t seem to have any readable data. I spent less than 5 minutes trying though, so if someone got it to work, I’d love to know what I missed.