 
subway
newbie
Topic Author
Posts: 35
Joined: Sat Oct 07, 2017 1:58 pm

Packet Sniffer stops after 45 minutes

Thu Dec 26, 2019 9:09 pm

I am using a CCR1072 with ROS 6.45.7, and I noticed that after 45 minutes, Packet Sniffer stops streaming packets to the preset server, although in Winbox it still indicates that it is "running". The same happens if I select a file instead of streaming.

Can someone tell me if this is the "expected" behavior, or if this is a bug? Maybe the packet sniffer tool is not designed to be used for relatively long captures. In this case, can someone tell me what other options I have with ROS? The amount of data I need to capture is really small (100-200MB a day, all of it is signalling), but the capture might need to run for a week or so.

Thanks in advance!
 
nescafe2002
Forum Veteran
Posts: 897
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: Packet Sniffer stops after 45 minutes

Thu Dec 26, 2019 9:24 pm

For a more permanent sniffing solution, you might take a look at firewall mangle, action sniff-tzsp:

https://wiki.mikrotik.com/wiki/Manual:I ... all/Mangle
 
subway
newbie
Topic Author
Posts: 35
Joined: Sat Oct 07, 2017 1:58 pm

Re: Packet Sniffer stops after 45 minutes

Fri Dec 27, 2019 3:51 am

Thanks! I already set up the "sniff TZSP" mangle rule. My only problem is that the output is "half sided". It means I receive only one direction of the packets (the incoming direction). How can I set this up to get the full bidirectional traffic? The protocol is SCTP by the way.
 
nescafe2002
Forum Veteran
Posts: 897
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: Packet Sniffer stops after 45 minutes

Fri Dec 27, 2019 11:21 am

Not sure about SCTP, but remember that there are multiple chains in the firewall (prerouting/postrouting and input/output/forward).

This example sniffs ssh connections, both packets to the server (dst-port=22) and back to the client (src-port=22).

/ip firewall mangle
add action=sniff-tzsp chain=prerouting dst-port=22 protocol=tcp sniff-target=192.168.88.x sniff-target-port=37008
add action=sniff-tzsp chain=postrouting protocol=tcp sniff-target=192.168.88.x sniff-target-port=37008 src-port=22
 
subway
newbie
Topic Author
Posts: 35
Joined: Sat Oct 07, 2017 1:58 pm

Re: Packet Sniffer stops after 45 minutes

Fri Dec 27, 2019 2:07 pm

What I did is something similar: just added a second preroute sniff rule for the other interface, so now both sides are captured:

chain=prerouting action=sniff-tzsp sniff-target=192.168.1.100 sniff-target-port=37008 protocol=sctp in-interface=sfp-sfpplus5 log=no log-prefix=""
chain=prerouting action=sniff-tzsp sniff-target=192.168.1.100 sniff-target-port=37008 protocol=sctp in-interface=sfp-sfpplus6 log=no log-prefix=""
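
A collector for the sniff-tzsp stream discussed in this thread, as an added example that is not part of the original posts: it strips the TZSP header from each UDP datagram and appends the inner frame to a pcap file, which suits a capture that has to run for days. The function names and output file name are assumptions, and it assumes the router sends TZSP version 1 with Ethernet encapsulation; port 37008 is the sniff-target-port from the rules above.

```python
import socket
import struct
import time

TZSP_PORT = 37008  # sniff-target-port used in the mangle rules above
# pcap global header: magic, version 2.4, zone, sigfigs, snaplen, linktype 1 (Ethernet)
PCAP_GLOBAL = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)


def tzsp_decap(datagram):
    """Return the encapsulated Ethernet frame, or None if the datagram is unusable."""
    # 4-byte header: version, type, encapsulated protocol (big-endian, 1 = Ethernet)
    if len(datagram) < 4 or datagram[0] != 1 or datagram[2:4] != b"\x00\x01":
        return None
    i = 4
    while i < len(datagram):
        tag = datagram[i]
        if tag == 1:                 # END tag: the payload starts right after it
            return datagram[i + 1:]
        if tag == 0:                 # PADDING tag: a single byte, no length field
            i += 1
            continue
        if i + 1 >= len(datagram):   # truncated tag, length byte missing
            return None
        i += 2 + datagram[i + 1]     # skip tag, length and value
    return None                      # no END tag found


def pcap_record(ts, frame):
    """Build one pcap record (timestamp, lengths, frame bytes)."""
    sec = int(ts)
    usec = int((ts - sec) * 1_000_000)
    return struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame


def collect(path="tzsp-capture.pcap", bind="0.0.0.0"):  # hypothetical file name
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, TZSP_PORT))
    with open(path, "wb") as out:
        out.write(PCAP_GLOBAL)
        while True:
            data, _peer = sock.recvfrom(65535)
            frame = tzsp_decap(data)
            if frame:
                out.write(pcap_record(time.time(), frame))
                out.flush()          # keep the file readable while capturing


if __name__ == "__main__":
    collect()
```

Because every mangle rule sends to the same target and port, both directions land in one file; binding to the capture host's own address instead of 0.0.0.0 limits which interface accepts the stream.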
