This is the first time I work on a Mikrotik router. I'm actually a student, and I work on a little French ISP.
My job is to analysed the traffic to see who make p2p (we receive warning letter from “Hadopi”).
(Also, I want to make statistic, like the IP address who is used the most bandwidth)
And to do so, I just want to get the IP address of the client. I just want to get their IP address to then make a script to automatically send an email to him, thanks to the database of our client.
I work in that case since five days, read a lot of MikroTik documentation, install graylog to look at the syslog-ng server log (which it receives from the MikroTik router).
So, here I am : I'm completely lost.
First :
Use a proxy onto the mikroTik (proxylizer), to see the domain name and, why not, make a blacklist ? IDK. And I think it’s not legal… so, I forget it.
Second :
Use Wireshark with sniffer tool on MK to capture all of the traffic. Then read .cap Wireshark packet with TCPDUMP, filter to see p2p, the length of packet (a good indicator to see if the client is actually download something),… But I don’t understand if sniffer tool save file in the MikroTik, despite of the stream option. My MK have not a lot of memory and I have not the permission to use it.
Third :
Maybe “port mirroring” ? Like duplicate all of the traffic to a specific port of the MikroTik router which it will be capture and read by a Linux server with TCPDUMP ?
Thank you for your answer.
And I'm sorry for my bad English! (I’m french, this is why
)Noémie.
) 