eXS
newbie
Topic Author
Posts: 47
Joined: Fri Apr 14, 2017 4:01 am

TZSP, Wireshark, 7zip, Windows, long term PCAP packet storage.

Sat Aug 07, 2021 7:04 am

No one ever seems to talk about TZSP or getting in the weeds a little bit, so I figured I'd share this.

Disclaimer: I'm not the best at scripting, I'm old and literally started on DOS before Windows, can sometimes pull things off in PowerShell but sometimes still avoid it. I apologize in advance for any mistake here and will attempt to edit/correct if needed. These are re-written samples and not exactly what I use, so hopefully there aren't any mistakes. If anyone wants to contribute or convert anything into PowerShell here that's fine.

On one of the networks I manage I use a few simple, free things to keep packet storage going. This is super handy, and when it's 24/7 you can always watch it live without referring to stored PCAP files too.

Here's what's needed:

- Dedicated (Windows) workstation for captures
- Wireshark
- TZSP rules
- 7zip
- Batch file scripts

The Mangle rule:

chain: prerouting
action: sniff TZSP
sniff target: 192.168.x.x - (IP of dedicated workstation)
sniff target port: 37008

This is the simplest to get started, but in some cases you might want to avoid capturing certain things, and things can get a little more tricky.

When it comes to anticipated large file transfers on a Windows network, for example, you could specify tcp, but avoid port !445 - you then might also want to capture UDP with its own prerouting sniff rule etc. When capturing anything more specific than just a simple sniff tzsp prerouting, you kinda have to think ahead as to what might end up missing.

Wireshark:

You need to figure out which Windows Network Interface to listen on, and Windows SOMETIMES likes to play musical chairs if you have multiple NICs (but not too often) - so keep an eye on it particularly when inserting or disconnecting NICs or full Windows version upgrades.

Identify which NIC interface to listen on:
"C:\Program Files\Wireshark\tshark.exe" -D

Once you have the correct interface, you can start working on the .bat files:

- WSHARK.BAT
"C:\Program Files\Wireshark\tshark.exe" -i 4 -b filesize:250000 -w C:\PCAP\TZSP.PCAP

- Listening on interface #4
- File size ~250MB per PCAP file.
- Wireshark will start automatically naming .PCAP files in a date+time format.
- Using Task Scheduler, you could launch this at system startup, but I recommend adding a 3min+ delay.

I've found 250MB is about the right size to keep files snappy enough to open up, take a peek and do searches. I probably wouldn't recommend more than 500MB - but if you're running a fast CPU/SSD maybe.

Next, 7zip

Disk space can be valuable and with small .7z (i.e. 250MB PCAPs) scheduling a compression script daily seems to work out for me:

- COMPRESS.BAT
REM /d -1 skips anything written in the last day, so the file tshark is still
REM filling is left alone; -sdel deletes the source after the archive is written.
REM The 8.3 short name keeps the path free of spaces, so it needs no quoting inside /c.
SET PATH02=C:\Progra~1\7-Zip\7z.exe
forfiles /p "C:\PCAP" /m *.PCAP /d -1 /c "cmd /c ECHO Compressing: @path & %PATH02% a -bb2 -t7z -mx9 -sdel @path.7z @path" >>C:\PCAP\SEVEN.TXT

Now, eventually even with 7zip's great compression you're going to be running out of disk space.

- DELETER.BAT
forfiles /p "C:\PCAP" /m *.7z /c "cmd /c Del @path && echo Removing: @path >>C:\PCAP\SEVEN.TXT" /d -29

Using Task scheduler and running daily, this will delete any *.7z files older than 29 days.

Now, let's say you've really got your .7z/.PCAP storage system figured out and you're thinking of something crazy like, what else could I stuff in those PCAP files?

Well, how about syslogs?

Using the Log Action in ROS:

Name: WSHARK
type: remote
Remote Address: 192.168.x.x (IP of dedicated workstation)
Remote Port: 37009
Src Address: 0.0.0.0
[x] BSD Syslog
Syslog Facility: 3 (daemon)

Wait, 37009 is that a mistake? No it's not. This way you can apply a specific filter in Wireshark: udp.port==37009 - to pull just those logs, and it's kinda magical

Okay enough of that nonsense, back to PCAP files.

Because I rarely have to do this I'm a little rusty, but you can automate decompressing and searching the PCAPs within the .7z files.

On a mechanical drive that kinda becomes a nightmare though, so tread lightly if you're going to take a stab at this.

- DECOMP.BAT
REM Extract every .7z in C:\PCAP back into C:\PCAP; -y answers any overwrite
REM prompt so a scheduled run never hangs. The archive itself is kept, and the
REM extracted .PCAP keeps its old timestamp, so the next COMPRESS run re-archives it.
SET PATH02=C:\Progra~1\7-Zip\7z.exe
forfiles /p "C:\PCAP" /m *.7z /c "cmd /c ECHO Decompressing: @path & %PATH02% x @path -oC:\PCAP -y" >>C:\PCAP\SEVEN.TXT

Here is an example of a search:

- FINDER.BAT
REM Run one Wireshark display filter over every .PCAP. forfiles replaces 0x22
REM with a double quote, which is how the filter is quoted inside the /c string.
SET PATH01=C:\Progra~1\Wireshark\tshark.exe
forfiles /p "C:\PCAP" /m *.PCAP /c "cmd /c ECHO Searching File: @path & %PATH01% -r @path -Y 0x22ip.addr==8.8.8.0/240x22 -Ebom=y" >>C:\PCAP\SEVEN.TXT

This will search the .PCAP files within C:\PCAP for 8.8.8.0/24 and give you a clue which PCAP file to start looking at.
Basically get familiar with what will/will not work within the boundaries of 0x22wiresharkfilter0x22.

- another example:
0x22udp.port==37009 and !ip.addr==192.168.x.x0x22

- Don't forget about the built-in "tzsp" Wireshark filter - (I only use it in the GUI) (using it is optional depending on scenario)

Okay well I guess that will be it for now, I think some will laugh at this and I don't think I'll be able to provide much support but if anything comes to mind I'll chime in.
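Since the post invites a PowerShell conversion, here is one as an added example. It is not the original poster's code: it folds the COMPRESS, DELETER and FINDER jobs above into one script that Task Scheduler can run daily, while WSHARK.BAT stays as the capture. The install paths, C:\PCAP, SEVEN.TXT and the day counts are assumptions taken from the post and can be overridden on the command line.

```powershell
# Added example, not the original poster's batch files: the COMPRESS / DELETER /
# FINDER jobs as one PowerShell script for Task Scheduler.
# Assumptions (adjust to your box): captures live in C:\PCAP, 7-Zip and
# Wireshark are installed under C:\Program Files, and the log is SEVEN.TXT.
param(
    [string]$CaptureDir        = 'C:\PCAP',
    [string]$SevenZip          = 'C:\Program Files\7-Zip\7z.exe',
    [string]$TShark            = 'C:\Program Files\Wireshark\tshark.exe',
    [string]$LogFile           = 'C:\PCAP\SEVEN.TXT',
    [int]   $CompressAfterDays = 1,
    [int]   $KeepArchiveDays   = 29,
    [string]$SearchFilter      = ''     # e.g. 'ip.addr==8.8.8.0/24'; empty = no search
)

function Write-Log([string]$Message) {
    "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') $Message" | Add-Content -Path $LogFile
}

# COMPRESS.BAT: archive .pcap files tshark stopped writing more than a day ago,
# so the file the capture is currently filling is never touched. -sdel makes 7z
# delete the source only after the archive has been written.
function Compress-OldCaptures {
    $cutoff = (Get-Date).AddDays(-$CompressAfterDays)
    Get-ChildItem -Path $CaptureDir -Filter '*.pcap' -File |
        Where-Object { $_.LastWriteTime -lt $cutoff } |
        ForEach-Object {
            Write-Log "Compressing: $($_.FullName)"
            & $SevenZip a -t7z -mx9 -sdel "$($_.FullName).7z" $_.FullName | Add-Content -Path $LogFile
            if ($LASTEXITCODE -ne 0) { Write-Log "7z failed (exit $LASTEXITCODE) on $($_.FullName)" }
        }
}

# DELETER.BAT: drop archives older than the retention window.
function Remove-ExpiredArchives {
    $cutoff = (Get-Date).AddDays(-$KeepArchiveDays)
    Get-ChildItem -Path $CaptureDir -Filter '*.7z' -File |
        Where-Object { $_.LastWriteTime -lt $cutoff } |
        ForEach-Object {
            Remove-Item -Path $_.FullName
            Write-Log "Removing: $($_.FullName)"
        }
}

# FINDER.BAT: run one Wireshark display filter over every .pcap and return the
# files with at least one matching frame. The filter is a single PowerShell
# argument, so none of the 0x22 quoting needed with forfiles applies here.
function Find-MatchingCaptures {
    param([Parameter(Mandatory)][string]$DisplayFilter)
    foreach ($pcap in Get-ChildItem -Path $CaptureDir -Filter '*.pcap' -File) {
        $frames = @(& $TShark -r $pcap.FullName -Y $DisplayFilter -T fields -e frame.number 2>$null)
        Write-Log "Searching File: $($pcap.FullName) -> $($frames.Count) matching frame(s)"
        if ($frames.Count -gt 0) { $pcap.FullName }
    }
}

Compress-OldCaptures
Remove-ExpiredArchives
if ($SearchFilter) { Find-MatchingCaptures -DisplayFilter $SearchFilter }
```

Run it from Task Scheduler as `powershell.exe -ExecutionPolicy Bypass -File C:\PCAP\pcap-maintenance.ps1` (path assumed), or interactively with `-SearchFilter 'udp.port==37009'` to find the archives-to-be that hold the syslog stream. The search uses `-T fields -e frame.number` so tshark prints one line per matching frame and nothing else, which makes the per-file hit count cheap to compute.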
 
jo2jo
Forum Guru
Posts: 1003
Joined: Fri May 26, 2006 1:25 am

Re: TZSP, Wireshark, 7zip, Windows, long term PCAP packet storage.

Wed Oct 26, 2022 7:51 pm

Very nice! Thanks for posting this.

It's also worth noting that one can use standard tcpdump and then over in Wireshark (when analyzing) use the TZSP "decode as" function.
tcpdump -i vmx0 -tttt 'udp port 37002' -w capture.pcap
this site does a good job of outlining this option:
https://elundivided.wordpress.com/2021/ ... rk-tshark/

One other method is this Linux app (that you must make first; it does offer auto .pcap file rotation based on size or time).
https://github.com/thefloweringash/tzsp2pcap
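As an added example of what "decode as TZSP" and tzsp2pcap actually strip off a raw capture of the UDP stream, here is a small TZSP header decoder in PowerShell. It is not code from either post, from tzsp2pcap or from Wireshark; the header layout follows Wireshark's TZSP dissector, and the sample datagram at the end is constructed, not a real capture. Function and variable names are my own.

```powershell
# Added example: decode the TZSP wrapper a MikroTik "sniff TZSP" rule puts around
# every frame. Layout (per Wireshark's TZSP dissector): version(1) type(1)
# encapsulation(2, big-endian), then tagged fields (tag byte, length byte, data)
# until END (0x01); PADDING (0x00) carries no length byte. Everything after END
# is the original frame.
function ConvertFrom-TzspDatagram {
    param([Parameter(Mandatory)][byte[]]$Payload)

    if ($Payload.Length -lt 5) { throw "Datagram too short for a TZSP header ($($Payload.Length) bytes)" }
    $version = [int]$Payload[0]
    if ($version -ne 1) { throw "Unsupported TZSP version $version" }

    $typeNames  = @{ 0 = 'received'; 1 = 'transmit'; 3 = 'config'; 4 = 'keepalive'; 5 = 'port-opener' }
    $encapNames = @{ 1 = 'Ethernet'; 18 = 'IEEE 802.11'; 119 = 'Prism'; 127 = 'Radiotap' }
    $type  = [int]$Payload[1]
    $encap = ([int]$Payload[2] -shl 8) -bor [int]$Payload[3]

    # Walk the tag list; every length is checked against the datagram size so a
    # truncated or malformed datagram throws instead of reading past the buffer.
    $tags = @()
    $i = 4
    while ($true) {
        if ($i -ge $Payload.Length) { throw 'Truncated TZSP tag list: no END tag' }
        $tag = [int]$Payload[$i]; $i++
        if ($tag -eq 1) { break }       # END: the frame starts here
        if ($tag -eq 0) { continue }    # PADDING: no length byte
        if ($i -ge $Payload.Length) { throw ('Tag 0x{0:X2} has no length byte' -f $tag) }
        $len = [int]$Payload[$i]; $i++
        if ($i + $len -gt $Payload.Length) { throw ('Tag 0x{0:X2} runs past the datagram' -f $tag) }
        $value = if ($len -gt 0) { [byte[]]$Payload[$i..($i + $len - 1)] } else { [byte[]]@() }
        $tags += [pscustomobject]@{ Tag = $tag; Length = $len; Value = $value }
        $i += $len
    }

    $frame = if ($i -lt $Payload.Length) { [byte[]]$Payload[$i..($Payload.Length - 1)] } else { [byte[]]@() }
    [pscustomobject]@{
        Version           = $version
        Type              = $type
        TypeName          = $typeNames[$type]
        Encapsulation     = $encap
        EncapsulationName = $encapNames[$encap]
        Tags              = $tags
        Frame             = $frame
    }
}

# Constructed sample, not a real capture: the 5-byte header a MikroTik sniff rule
# sends (v1, type 0 received, encap 1 Ethernet, END) followed by a bare Ethernet
# header (broadcast dst, made-up src, EtherType 0x0800) and two IPv4 bytes.
$sample = [byte[]](
    0x01, 0x00, 0x00, 0x01, 0x01,
    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55,
    0x08, 0x00,
    0x45, 0x00
)
$d = ConvertFrom-TzspDatagram -Payload $sample
"TZSP v$($d.Version), $($d.TypeName), $($d.EncapsulationName), $($d.Tags.Count) tag(s), inner frame $($d.Frame.Length) bytes"
```

The Frame property is the bytes a tool like tzsp2pcap would write out as a pcap record; the Tags list is where a sensor can attach things like original length or signal strength, which MikroTik's default stream leaves empty. The command-line form of the GUI's "Decode As" is tshark's `-d` option, so a raw capture taken with the tcpdump line above can be read with `tshark -r capture.pcap -d udp.port==37002,tzsp` without any manual unwrapping.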
