abjornson
newbie
Topic Author
Posts: 27
Joined: Tue Mar 05, 2013 5:39 am

CCR packet-sniffer streaming stops for unknown reason?

Sat Jul 09, 2016 12:46 am

I just recently started using tools like ntop to do traffic analysis of the traffic flowing through my core router.  I had originally planned to use port mirroring, but my core router is a CCR1036 and I realized that without a switch chip, it is unable to perform port mirroring.  I found the recommendation across the MikroTik forums and MikroTik documentation was to use the packet-sniffer's TZSP streaming feature as an alternative. (http://wiki.mikrotik.com/wiki/Manual:To ... er#Example)

This is working great:  I am streaming all my ~150Mbps of traffic to my analysis server, and the performance load on the router is impressively low!  However, I'm finding that the streaming periodically disables itself...something like every 1-2 days I find that the analysis server just stops receiving traffic.  When I log in to the CCR1036, I just find that packet-sniffer is "stopped".  I restart it, and everything goes back to normal until it happens again.

I'm not finding anything in the logs, or any error messages that indicate why it's stopping...so I don't really know where to start trying to troubleshoot.  Has anyone experienced this before and been able to resolve it?  Any suggestions greatly appreciated!
 
pe1chl
Forum Guru
Posts: 5969
Joined: Mon Jun 08, 2015 12:09 pm

Re: CCR packet-sniffer streaming stops for unknown reason?

Sat Jul 09, 2016 8:43 am

I don't know why the packet sniffer stops, but when you only want to do flow analysis (like ntop) wouldn't it be sufficient to use "traffic flow" instead of "packet sniffer"?
 
andriys
Forum Guru
Posts: 1192
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: CCR packet-sniffer streaming stops for unknown reason?

Sat Jul 09, 2016 10:01 am

Traffic flow is a good thing, indeed.

However if you are sure you need the packet stream to be mirrored, consider using /ip firewall mangle rules with action=sniff-tzsp instead of sniffer. You can find more info here.
 
abjornson
newbie
Topic Author
Posts: 27
Joined: Tue Mar 05, 2013 5:39 am

Re: CCR packet-sniffer streaming stops for unknown reason?

Tue Jul 12, 2016 2:56 am

Thanks for the suggestions - I will try this.

Can you comment on any performance difference between using tool sniffer for the streaming and using the mangle rule for this?

Also - regarding traffic streaming vs NetFlow...I think that the L7 analysis capabilities of ntopng are less if ntopng doesn't have access to the full traffic streams, is this correct?  I have tried a similar setup with NetFlow before, and I believe I am seeing much better identification of traffic with streaming than I was seeing with NetFlow.
 
andriys
Forum Guru
Posts: 1192
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: CCR packet-sniffer streaming stops for unknown reason?

Tue Jul 12, 2016 7:17 am

> Can you comment on any performance difference between using tool sniffer for the streaming and using the mangle rule for this?

I expect it to be the same, but I have never really measured it myself.

> I think that the L7 analysis capabilities of ntopng are less if ntopng doesn't have access to the full traffic streams, is this correct?

I guess that's correct, though an important question is which exact L7 details you need. Keep in mind that NetFlow reports a different amount of data depending on the NetFlow version you choose (MikroTik supports v1, v5 and v9).
 
pe1chl
Forum Guru
Posts: 5969
Joined: Mon Jun 08, 2015 12:09 pm

Re: CCR packet-sniffer streaming stops for unknown reason?

Tue Jul 12, 2016 11:29 am

NetFlow provides only the peer addresses and port numbers, and the amount of traffic for the session. It cannot peek inside the session to see what is really going on. So a port 443 session will always be identified as https even when in reality it is something completely different. Software that looks at the actual session data can do a better identification, but of course at the price of requiring much more processing and load on the network between router and analyzer.
 
abjornson
newbie
Topic Author
Posts: 27
Joined: Tue Mar 05, 2013 5:39 am

Re: CCR packet-sniffer streaming stops for unknown reason?

Tue Jul 12, 2016 4:12 pm

Yes - this is what I thought, thank you for confirming pe1chl.

Doing only "known port" analysis leaves out a lot of powerful tools to identify the protocols and applications being used.  For example BitTorrent and other P2P protocols that don't stick to known ports will be identified by L7 analysis tools in ntopng, which wouldn't be possible with NetFlow.

It's this detailed data I'm after.
 
ropeba
Member Candidate
Posts: 220
Joined: Sat Jul 29, 2006 4:13 pm

Re: CCR packet-sniffer streaming stops for unknown reason?

Thu Sep 15, 2016 4:27 pm

Hi, I have the same problem with the packet sniffer, but in my case the status of the sniffer is "running" but the stream doesn't go. Mangle is not a solution for me, because I need only packet headers, and with mangle this is not possible.
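Neither the OP's "stopped" sniffer nor ropeba's "running but nothing arrives" case leaves a trace in the router log, so the reliable place to notice the outage is the analysis host itself. The following is an added example, not code from this thread, from MikroTik or from ntop: a small Python receiver that parses each TZSP datagram the way the analyzer has to (4-byte header, tag list, then the mirrored frame) and alerts when the stream goes silent. Port 37008 is the RouterOS TZSP default; the 60 s stall threshold and the sample datagram are constructed for this example.

```python
import select
import socket
import struct
import time

TZSP_PORT = 37008   # default UDP port for RouterOS TZSP streaming
TZSP_TAG_PADDING, TZSP_TAG_END = 0x00, 0x01   # the only tags without a length byte
ENCAP_NAMES = {0x01: "Ethernet", 0x12: "IEEE 802.11"}

def parse_tzsp(datagram: bytes) -> dict:
    # 4-byte header: version (always 1), type (0 = received packet), encapsulation
    version, msg_type, encap = struct.unpack("!BBH", datagram[:4])
    if version != 1:
        raise ValueError(f"unsupported TZSP version {version}")
    tags, pos = {}, 4
    while pos < len(datagram):        # tag list: TLVs terminated by END (0x01)
        tag, pos = datagram[pos], pos + 1
        if tag == TZSP_TAG_END:
            break
        if tag == TZSP_TAG_PADDING:
            continue
        length = datagram[pos]
        tags[tag] = datagram[pos + 1:pos + 1 + length]
        pos += 1 + length
    else:                             # loop ran out of bytes without an END tag
        raise ValueError("TZSP tag list has no END tag")
    return {"type": msg_type, "encap": ENCAP_NAMES.get(encap, hex(encap)),
            "tags": tags, "frame": datagram[pos:]}   # frame = the mirrored packet

def stream_stalled(last_seen, now, stall_after_s):
    # True once a datagram has been seen and nothing arrived for stall_after_s seconds
    return last_seen is not None and now - last_seen > stall_after_s

# Constructed sample: header, END tag, 14-byte Ethernet header (EtherType IPv4), 4 payload bytes
SAMPLE_DATAGRAM = bytes([1, 0, 0x00, 0x01, TZSP_TAG_END]) + bytes.fromhex(
    "ffffffffffff" "001122334455" "0800") + b"\xde\xad\xbe\xef"

if __name__ == "__main__":            # live receiver: bind, parse, alert when silent
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", TZSP_PORT))
    last_seen, stall_after_s = None, 60.0   # assumed threshold; tune to your traffic rate
    while True:
        if select.select([sock], [], [], 5.0)[0]:   # wait at most 5 s for a datagram
            parse_tzsp(sock.recv(65535))           # raises on a malformed datagram
            last_seen = time.monotonic()
        if stream_stalled(last_seen, time.monotonic(), stall_after_s):
            print(f"ALERT: no TZSP datagrams for {stall_after_s}s; check /tool sniffer on the router")
            last_seen = None                       # report once per outage
```

Feeding the alert into whatever already pages you (or into a script that re-enables the sniffer) turns the 1-2 day silent gaps described above into a few minutes.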
