mutluit (Topic Author)

Ethernet traffic capture/analysis of a whole MAC subnet

Thu May 07, 2020 4:48 pm

Hi, can an expert tell me which tool to use for filtering/capturing/analyzing Ethernet packets of a whole MAC subnet?
I.e. I have on a MT CRS326 switch some ports with MAC addresses like these:
c4:ad:34:78:d1:21
c4:ad:34:78:d1:22
c4:ad:34:78:d1:23
c4:ad:34:78:d1:24
c4:ad:34:78:d1:25
c4:ad:34:78:d1:26
c4:ad:34:78:d1:27
c4:ad:34:78:d1:28
...
On a router attached to the uplink port of this switch I want to capture the traffic from/to all these switch ports in a single capture-session.
How to do that?

On the said router I tried "tcpdump -nn -xe -vv ether net c4:ad:34:78:d1:21/40", but it gives an error:
tcpdump: ethernet address used in non-ether expression

Same error happens if I write the subnet mask in these formats:
tcpdump -nn -xe -vv ether net c4:ad:34:78:d1:21/ff:ff:ff:ff:ff:00
or
tcpdump -nn -xe -vv ether net c4:ad:34:78:d1:21 mask ff:ff:ff:ff:ff:00
tcpdump: ethernet address used in non-ether expression

Does any expert here know how to do that and could kindly help me?

Thx.
 
mutluit (Topic Author)

Re: Ethernet traffic capture/analysis of a whole MAC subnet

Thu May 07, 2020 8:56 pm

I did some more research on the web and it seems tcpdump accepts a subnet mask only with IP addresses, but not with MAC addresses.
Would be glad to hear if there's any other tool that can capture packets from/to a MAC subnet.
Last edited by mutluit on Thu May 07, 2020 9:58 pm, edited 1 time in total.
 
jvanhambelgium

Re: Ethernet traffic capture/analysis of a whole MAC subnet  [SOLVED]

Thu May 07, 2020 9:18 pm

There is no such thing as a "MAC subnet", and if you have several almost identical MACs, this is either pure luck or by intent, because e.g. these are VMs for which you can craft the MACs.
Just create the list you want filtered:

tcpdump ether src D0:50:99:84:01:36 or ether src D0:50:99:84:01:36 or ether src XX:XX:XX:XX:XX:XX and so on.
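The thread's conclusion is right that pcap-filter's `net`/`mask` syntax only applies to IP addresses, but tcpdump can still match a whole MAC block by comparing raw Ethernet header bytes (`ether[offset]`), which avoids a long `or` list when a switch numbers its port MACs consecutively. The helper below is an added example of my own, not code from the thread: it accepts both the `/40` prefix form and the `ff:ff:ff:ff:ff:00` mask form tried in the question, emits the tcpdump expression, and lets you check individual addresses against the same rule offline.

```python
import re
def parse_mac(text: str) -> int:
    """'c4:ad:34:78:d1:21' (':' or '-' separated) -> 48-bit integer."""
    parts = re.split(r"[:-]", text.strip())
    if len(parts) != 6:
        raise ValueError(f"not a MAC address: {text!r}")
    return int("".join(f"{int(p, 16):02x}" for p in parts), 16)

def parse_mac_net(spec: str) -> tuple:
    """'MAC/40' or 'MAC/ff:ff:ff:ff:ff:00' -> (network, mask) as integers."""
    addr, _, mask = spec.partition("/")
    if not mask:                                 # no mask given: exact host
        k = (1 << 48) - 1
    elif ":" in mask or "-" in mask:             # dotted mask, as RouterOS writes it
        k = parse_mac(mask)
    else:                                        # prefix length, e.g. /40
        bits = int(mask)
        if not 0 <= bits <= 48:
            raise ValueError("prefix length must be 0..48")
        k = ((1 << bits) - 1) << (48 - bits)
    return parse_mac(addr) & k, k

def _byte_tests(offset: int, net: int, mask: int) -> str:
    """One 'ether[i] ...' test per masked byte of the 6-byte field at offset."""
    tests = []
    for i in range(6):
        shift = 8 * (5 - i)
        mb, vb = (mask >> shift) & 0xff, (net >> shift) & 0xff
        if mb == 0xff:
            tests.append(f"ether[{offset + i}] = 0x{vb:02x}")
        elif mb:                                 # partial byte: mask it first
            tests.append(f"ether[{offset + i}] & 0x{mb:02x} = 0x{vb:02x}")
    return " and ".join(tests)

def mac_net_filter(spec: str, direction: str = "host") -> str:
    """pcap-filter expression; header bytes 0-5 are the dst MAC, 6-11 the src MAC."""
    net, mask = parse_mac_net(spec)
    if mask == 0:
        return ""                                # empty filter: every frame matches
    exprs = {"dst": _byte_tests(0, net, mask), "src": _byte_tests(6, net, mask)}
    if direction == "host":                      # either direction, like 'ether host'
        return f"({exprs['src']}) or ({exprs['dst']})"
    if direction not in exprs:
        raise ValueError("direction must be src, dst or host")
    return exprs[direction]

def in_mac_net(mac: str, spec: str) -> bool:
    # The same rule applied offline, e.g. to MACs read from a saved capture.
    net, mask = parse_mac_net(spec)
    return parse_mac(mac) & mask == net
```

For the CRS326 port block in the question, `mac_net_filter("c4:ad:34:78:d1:21/40")` yields an expression you can pass as `tcpdump -nn -e -vv "<expression>"`; `-e` is what makes tcpdump print the link-layer addresses so you can confirm the match.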
 
mutluit (Topic Author)

Re: Ethernet traffic capture/analysis of a whole MAC subnet

Thu May 07, 2020 10:02 pm

> There is no such thing as a "MAC subnet", and if you have several almost identical MACs, this is either pure luck or by intent, because e.g. these are VMs for which you can craft the MACs.
> Just create the list you want filtered:
>
> tcpdump ether src D0:50:99:84:01:36 or ether src D0:50:99:84:01:36 or ether src XX:XX:XX:XX:XX:XX and so on.
Ok, that will work indeed. Thx.

But, I could swear I read somewhere about MAC subnet addressing, but can't find where it was... :-(
 
jvanhambelgium

Re: Ethernet traffic capture/analysis of a whole MAC subnet

Thu May 07, 2020 10:19 pm

> But, I could swear I read somewhere about MAC subnet addressing, but can't find where it was... :-(
I guess that's why ;-)
MAC addresses only have "local significance" on the same segment. Sure, there are broadcast & multicast concepts at the ethernet level.
IEEE also has a concept of a registry with "blocks" of MAC addresses, but again only local significance (within the same L2 broadcast domain), nor is there any "hierarchy".
For sure I've been around network-land quite some years and never seen it.
 
mutluit (Topic Author)

Re: Ethernet traffic capture/analysis of a whole MAC subnet

Thu May 07, 2020 10:48 pm

@jvanhambelgium, yes, of course I'm talking of local MACs and their local relevance in LAN or within the same L2 broadcast domain.
For example all switches usually assign such sequencing MACs for their many ports, at least my CRS326 has such MACs by factory default.
 
mutluit (Topic Author)

Re: Ethernet traffic capture/analysis of a whole MAC subnet

Sat May 09, 2020 3:45 pm

>> But, I could swear I read somewhere about MAC subnet addressing, but can't find where it was... :-(
> I guess that's why ;-)
> MAC addresses only have "local significance" on the same segment. Sure, there are broadcast & multicast concepts at the ethernet level.
> IEEE also has a concept of a registry with "blocks" of MAC addresses, but again only local significance (within the same L2 broadcast domain), nor is there any "hierarchy".
> For sure I've been around network-land quite some years and never seen it.

@jvanhambelgium, I finally found the example where a MAC subnet mask (netmask) is used:
/interface ethernet switch rule
add copy-to-cpu=yes dst-mac-address=4C:5E:0C:4D:12:4B/FF:FF:FF:FF:FF:FF ports=ether1 switch=switch1
on this page https://wiki.mikrotik.com/wiki/Manual:L ... Solution_2 .
What do you say now? :-)
 
jvanhambelgium

Re: Ethernet traffic capture/analysis of a whole MAC subnet

Sat May 09, 2020 4:01 pm

>>> But, I could swear I read somewhere about MAC subnet addressing, but can't find where it was... :-(
>> I guess that's why ;-)
>> MAC addresses only have "local significance" on the same segment. Sure, there are broadcast & multicast concepts at the ethernet level.
>> IEEE also has a concept of a registry with "blocks" of MAC addresses, but again only local significance (within the same L2 broadcast domain), nor is there any "hierarchy".
>> For sure I've been around network-land quite some years and never seen it.
>
> @jvanhambelgium, I finally found the example where a MAC subnet mask (netmask) is used:
> /interface ethernet switch rule
> add copy-to-cpu=yes dst-mac-address=4C:5E:0C:4D:12:4B/FF:FF:FF:FF:FF:FF ports=ether1 switch=switch1
> on this page https://wiki.mikrotik.com/wiki/Manual:L ... Solution_2 .
> What do you say now? :-)
Well ... definitely some relic from SwitchOS. This "mask" is probably something to make it quicker to craft your filter if you need to do something with e.g. 10 consecutive MACs, but it serves no other purpose.
And I can perhaps understand its use here because e.g. on a CRS box probably all ports have MACs (like you write in your post) from one block and only the last digit increases.

So yes you are right, I will remember this one :D 8)
 
mutluit (Topic Author)

Re: Ethernet traffic capture/analysis of a whole MAC subnet

Sat May 09, 2020 4:28 pm

@jvanhambelgium, thx for the explanation. Exactly the same use-case I meant.

Btw, in the said example, the ACL action copy-to-cpu=yes is used.
Do you happen to know what this action or the other one named redirect-to-cpu=yes practically means?
I try to understand these two ACL CPU actions of the switch chip on the CRS3xx devices.
It obviously indicates that one can copy or redirect a packet to the CPU and process it there any further. But how exactly is this then done? Is there any documentation/example somewhere? Or does it rather mean the packet gets copied/redirected to the normal firewall under "/ip firewall filter"?
Can you or anybody else kindly tell me how in practice I could make use of these two actions?
A brief description and/or a simple practical example would be very helpful and very much appreciated.
Thx.
 
jvanhambelgium

Re: Ethernet traffic capture/analysis of a whole MAC subnet

Sat May 09, 2020 6:10 pm

> @jvanhambelgium, thx for the explanation. Exactly the same use-case I meant.
>
> Btw, in the said example, the ACL action copy-to-cpu=yes is used.
> Do you happen to know what this action or the other one named redirect-to-cpu=yes practically means?
> I try to understand these two ACL CPU actions of the switch chip on the CRS3xx devices.
> It obviously indicates that one can copy or redirect a packet to the CPU and process it there any further. But how exactly is this then done? Is there any documentation/example somewhere? Or does it rather mean the packet gets copied/redirected to the normal firewall under "/ip firewall filter"?
> Can you or anybody else kindly tell me how in practice I could make use of these two actions?
> A brief description and/or a simple practical example would be very helpful and very much appreciated.
> Thx.
Looking at the docs, there are indeed these:

copy-to-cpu=yes/no - clones matching packets and sends them to cpu port;
redirect-to-cpu=yes/no - redirects matching packets to cpu port;

My own logic tells me the difference is:

copy-to-cpu => really a copy of the ethernet frame ends up at the cpu-port. Now WHAT can be done with that I have no clue? Perhaps more advanced operations, L3/L4/L7 inspections or something?
But I think the original frame continues on its way, so a COPY is sent to the CPU.

redirect-to-cpu=yes/no - redirects matching packets to cpu port; => the actual frame is redirected to the cpu-port. Again the same story... I don't have enough Mikrotik-specific hardware knowledge to understand what could be the usage of this.

Other "functions" like "mirror yes/no" are a more practical example: capture traffic from 1 port and copy/mirror it out another port where you connected a sniffer.
 
mutluit (Topic Author)

Re: Ethernet traffic capture/analysis of a whole MAC subnet

Sat May 09, 2020 8:56 pm

>> @jvanhambelgium, thx for the explanation. Exactly the same use-case I meant.
>>
>> Btw, in the said example, the ACL action copy-to-cpu=yes is used.
>> Do you happen to know what this action or the other one named redirect-to-cpu=yes practically means?
> Looking at the docs, there are indeed these:
>
> copy-to-cpu=yes/no - clones matching packets and sends them to cpu port;
> redirect-to-cpu=yes/no - redirects matching packets to cpu port;
>
> My own logic tells me the difference is:
>
> copy-to-cpu => really a copy of the ethernet frame ends up at the cpu-port. Now WHAT can be done with that I have no clue? Perhaps more advanced operations, L3/L4/L7 inspections or something?
> But I think the original frame continues on its way, so a COPY is sent to the CPU.
>
> redirect-to-cpu=yes/no - redirects matching packets to cpu port; => the actual frame is redirected to the cpu-port. Again the same story... I don't have enough Mikrotik-specific hardware knowledge to understand what could be the usage of this.
>
> Other "functions" like "mirror yes/no" are a more practical example: capture traffic from 1 port and copy/mirror it out another port where you connected a sniffer.
Thx, yes. Logically, it can only mean that such "ACL CPU packets" will be copied/redirected to the input of the "normal" firewall(s) (IMHO there are at least 4 firewalls in this device in different places, me counting the ACL as a FW as well).
Ok, I'll give this idea/thought a try and see what happens... :-)

Update: re-reading the above link with the said example, I think it's indeed meaning the other "normal firewalls" (ie. "CPU firewalls"), as it says:
If you do need to send certain packets to the CPU for packet analyser or for Firewall, then it is possible to copy or redirect the packet to the CPU by using ACL rules.
