Community discussions

MikroTik App
Topic Author
Posts: 26
Joined: Thu May 02, 2013 4:37 am

Where does packet capture happen?

Tue May 07, 2019 7:37 pm

I'm looking at the packet flow diagram here:

For the life of me, I can't find anything in there that describes where in that flow packet capture happens. I'm trying to debug a VoIP issue and when capturing on an internal and then an external interface, I'm not seeing replies from the VoIP provider's side. But I'm not sure if my captures on the outside interface are happening before or after any firewall filtering...
Forum Guru
Forum Guru
Posts: 6326
Joined: Mon Dec 04, 2017 9:19 pm

Re: Where does packet capture happen?  [SOLVED]

Tue May 07, 2019 10:17 pm

Sniffing takes place between the wire (or air) and the firewall. So if you cannot see the packets to come in via the external interface, you can be sure that they really haven't arrived from outside (provided that an overly narrow sniffing filter hasn't prevented them from being shown). When you can see the packets leaving out via the external interface, you can be sure that your firewall has let them out.

A case of its own is IPsec, which shows the decrypted and decapsulated packets on the same interface like the transport ones from which they have been decrypted and decapsulated, and to make life more colorful, the decrypted and decapsulated packets sometims appear in the capture earlier than the matching transport ones. On the other hand, packets to be encrypted by IPsec are not shown at all, only the resulting transport packets are.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.

Who is online

Users browsing this forum: avious, gkoleff and 216 guests