strarsis
just joined
Topic Author
Posts: 10
Joined: Tue May 24, 2016 7:28 pm

Torch vs. Packet Sniffer

Wed Jun 23, 2021 9:28 pm

Do I understand this correctly?:
The Torch tool will capture and list all packets that somehow reach the Mikrotik device (similar to "promiscuous mode"),
while the Packet Sniffer tool will only capture packets that actually go through the Mikrotik device (e.g. routing) and are processed by it?

This is important for me because the Torch tool shows that the IPCam indeed sends ICMP response packets, while the Packet Sniffer will not list them (only the ICMP request packets going to the IPCamera).
 
anav
Forum Guru
Posts: 19100
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Torch vs. Packet Sniffer

Thu Jun 24, 2021 2:07 pm

I was told once that torch is simplified sniff but it's just good to see whether something is moving across the interface.
Sorry that is all I know.
 
mikeeg02
Member Candidate
Posts: 162
Joined: Fri Mar 30, 2018 2:28 am
Location: Pennsylvania

Re: Torch vs. Packet Sniffer  [SOLVED]

Thu Jun 24, 2021 2:30 pm

The packet sniffer is far more powerful; it generates an actual Wireshark capture file you can copy to your computer, and open with Wireshark, and see every piece of info on every packet. Just like you captured it locally with your computer. You can also specify tx, rx or both on an interface, which is very handy if you have high throughput on links and only really are looking for something that's being forwarded or received.

It is important to note, if using bridge ports utilizing hardware mode, during the capture, you will need to disable hardware mode on the bridge port, perform the capture, then re-enable hardware mode. Otherwise you will only capture CPU-generated packets such as RSTP and so on.
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Torch vs. Packet Sniffer

Thu Jun 24, 2021 11:14 pm

Packet sniffer is really useful especially when used with Wireshark as the previous post indicates...
 
vecernik87
Forum Veteran
Posts: 882
Joined: Fri Nov 10, 2017 8:19 am

Re: Torch vs. Packet Sniffer

Fri Jun 25, 2021 7:16 am

Personally, I prefer to use mangle action "sniff tzsp" because it is clear when it gets executed and you can actually choose - prerouting, forward, postrouting ... (look at packet flow). You can even sniff the same packet multiple times (once in prerouting, once in postrouting) and send them to different ports (so you can have multiple wiresharks running on the same computer and watching it simultaneously). Another advantage is that it is more stable than sniffer (e.g. sniffer stops when your router restarts). Finally - thanks to really powerful matching in mangle, you can filter very precisely, what you want to sniff.

Obvious disadvantage is, that you need to fully understand what you are matching, otherwise you may miss something.
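
Added example, not part of the original posts: what reaches the capture host from a "sniff tzsp" mangle rule is a UDP datagram holding a 4-byte TZSP header, optional tagged fields, and then the original frame. The Python below decodes that layout on a constructed datagram; the addresses, the tag value and all function names are assumptions made for illustration.

```python
import struct

TAG_PADDING, TAG_END = 0, 1    # the only two TZSP tags without a length byte

def parse_tzsp(datagram: bytes) -> dict:
    """Split one TZSP datagram into header fields, tagged fields and inner frame."""
    if len(datagram) < 4:
        raise ValueError("short TZSP header")
    version, ptype, encap = struct.unpack("!BBH", datagram[:4])
    if version != 1:
        raise ValueError(f"unsupported TZSP version {version}")
    tags, pos = {}, 4
    while True:
        if pos >= len(datagram):
            raise ValueError("no TZSP end tag")
        tag = datagram[pos]
        pos += 1
        if tag == TAG_END:
            break
        if tag == TAG_PADDING:
            continue
        # Every other tag is type, length, value; reject lengths that overrun.
        if pos >= len(datagram) or pos + 1 + datagram[pos] > len(datagram):
            raise ValueError("truncated tagged field")
        length = datagram[pos]
        tags[tag] = datagram[pos + 1:pos + 1 + length]
        pos += 1 + length
    return {"type": ptype, "encap": encap, "tags": tags, "frame": datagram[pos:]}

def summarize(frame: bytes) -> str:
    """One-line summary of an inner Ethernet + IPv4 frame (ICMP type included)."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return "non-IPv4 frame"
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    src, dst = (".".join(map(str, ip[i:i + 4])) for i in (12, 16))
    if ip[9] == 1 and len(ip) > ihl:
        return f"{src} -> {dst} icmp type {ip[ihl]}"
    return f"{src} -> {dst} proto {ip[9]}"

def sample_datagram() -> bytes:
    """Constructed TZSP datagram wrapping an ICMP echo reply (type 0)."""
    eth = bytes(6) + bytes(6) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 1, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 1]))
    icmp = struct.pack("!BBHHH", 0, 0, 0, 1, 1)
    # Header: version 1, type 0 (received packet), encapsulation 1 (Ethernet).
    return b"\x01\x00\x00\x01" + b"\x00\x0a\x01\x2a\x01" + eth + ip + icmp

if __name__ == "__main__":
    print(summarize(parse_tzsp(sample_datagram())["frame"]))
```

Feeding the payload of each received UDP datagram to `parse_tzsp` gives the same per-packet view Wireshark's TZSP dissector shows, which helps when checking that a mangle match is selecting the traffic you expect.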
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Torch vs. Packet Sniffer

Sun Jun 27, 2021 2:01 pm

@vecernik87 I wasn't aware of sniff TZSP, just tested and works great...
 
justanotherhuman
just joined
Posts: 4
Joined: Sat Jun 16, 2018 10:57 pm

Re: Torch vs. Packet Sniffer

Thu Apr 13, 2023 3:39 am

Hello there!

The solution you describe works nicely and I agree with you on the matter, BUT I found something very weird which I do not understand.

So I have this mangle rule which gets executed in postrouting and only sniff the traffic sniff-TZSP to a server. All seems to work ok with one observation:

Only when the rule is active (sniffing takes place) I see ICMP traffic being generated from the server (that is processing the tzsp traffic) back to the router.
Basically I see invalid ICMP connection (in both INPUT and FORWARD chains) coming from the server back to the router. I'm running on the latest 7.8 ROS.

Any clues why is this happening?

Thank you in advance!



Last edited by justanotherhuman on Fri Apr 14, 2023 2:17 am, edited 1 time in total.
 
Buckeye
Forum Veteran
Posts: 887
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Torch vs. Packet Sniffer

Thu Apr 13, 2023 7:44 am

I'm running on the latest 8.7 ROS.
I think you meant 7.8? No way to send a PM.
 
justanotherhuman
just joined
Posts: 4
Joined: Sat Jun 16, 2018 10:57 pm

Re: Torch vs. Packet Sniffer

Fri Apr 14, 2023 2:18 am

Hey, thanks for your reply. I edited my previous post.

Do you have any clues on the issues I have described please?
