multipath
newbie
Topic Author
Posts: 43
Joined: Fri Sep 17, 2010 4:42 pm

Feature Request: CALEA update

Wed Feb 16, 2011 6:40 am

Not a big issue, but since major updates are happening with the RoS software, I thought I would request an update to the CALEA package. Maybe bring it out from the terminal-only window? Perhaps give it a place under Tools and simplify the procedures to perform the capture and save to pcap? CALEA works now, but it would be nice to have an updated version that is easier to reach from within Winbox, especially for those of us who run RouterOS on x86 hardware and have the space to spare. Thank you.
 
FIPTech
Member
Posts: 469
Joined: Tue Dec 22, 2009 1:53 am

Thu Feb 24, 2011 10:23 pm

I've found CALEA useful for remote capture when servicing a distant network.

It would be nice to have it inside Winbox.

Is there any CALEA-compatible logging software available? It seems difficult to find such software.
 
normis
MikroTik Support
Posts: 24422
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Feature Request: CALEA update

Fri Feb 25, 2011 3:13 pm

CALEA is what the US government uses for their data audits (http://wiki.mikrotik.com/wiki/CALEA), so I can imagine why they don't give you their software.

Basically, for your own needs you could use the sniffer tool and Wireshark.
 
krakenant
Member Candidate
Posts: 136
Joined: Sat Feb 06, 2010 6:32 am

Re: Feature Request: CALEA update

Mon Feb 28, 2011 6:55 pm

Could you also add SRC-MAC address to the available options? We want to be able to set rules so that once a MAC address comes on the network, all traffic to and from that MAC address is automatically captured. Currently only the SRC-MAC is an option.
 
changeip
Forum Guru
Posts: 3804
Joined: Fri May 28, 2004 5:22 pm

Re: Feature Request: CALEA update

Mon Feb 28, 2011 7:06 pm

> CALEA is what the US government uses for their data audits (http://wiki.mikrotik.com/wiki/CALEA), so I can imagine why they don't give you their software.
>
> Basically, for your own needs you could use the sniffer tool and Wireshark.

Normis - pretend CALEA is renamed to Packet Sniffer Daemon. Its use is not 100% CALEA, it's just a great packet sniffer tool that can use marks, etc. Makes sniffing much more handy. Please keep improving it (please).
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: Feature Request: CALEA update

Mon Feb 28, 2011 7:08 pm

> > CALEA is what the US government uses for their data audits (http://wiki.mikrotik.com/wiki/CALEA), so I can imagine why they don't give you their software.
> >
> > Basically, for your own needs you could use the sniffer tool and Wireshark.
>
> Normis - pretend CALEA is renamed to Packet Sniffer Daemon. Its use is not 100% CALEA, it's just a great packet sniffer tool that can use marks, etc. Makes sniffing much more handy. Please keep improving it (please).

I've never played with CALEA. How do you capture at the other end? Any special software?
Specific answers require specific questions. When in doubt, post the output of "/ip address print detail", "/ip route print detail", "/interface print detail", "/ip firewall export", and an accurate network diagram.
 
changeip
Forum Guru
Posts: 3804
Joined: Fri May 28, 2004 5:22 pm

Re: Feature Request: CALEA update

Mon Feb 28, 2011 7:36 pm

RouterOS has a CALEA capture server (package) and a CALEA client (built in already). It's a little-advertised gem, I think.
 
FIPTech
Member
Posts: 469
Joined: Tue Dec 22, 2009 1:53 am

Re: Feature Request: CALEA update

Mon Feb 28, 2011 8:31 pm

Actually, I tried capturing with Wireshark using the TZSP protocol.

But filtering is not so evident in this mode, because Windows generates lots of "port unreachable" messages if you are using the same port as the one used for Windows Networking.

Even with the right filter to avoid this, it is not easy to filter what you want to see in the Wireshark display, because, for example, the UDP Wireshark filter applies to the UDP carrying the TZSP protocol, not to the encapsulated UDP packets inside the TZSP frames.

Wireshark would need some improvements to correctly capture, filter and display TZSP frames.
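
The outer-versus-inner UDP problem described in the post above comes from the TZSP wrapper around each sniffed frame. As an added example (not part of the original post or of any MikroTik or Wireshark code), this Python sketch strips the TZSP header and tagged fields so that a port check runs against the encapsulated packet; it assumes TZSP version 1 carrying Ethernet, and the sample datagram and its tag values are constructed.

```python
import struct

TAG_PADDING, TAG_END = 0x00, 0x01   # the only TZSP tags without a length byte
ENCAP_ETHERNET = 0x0001

def tzsp_decapsulate(payload: bytes) -> bytes:
    """Return the Ethernet frame carried in one TZSP UDP payload."""
    if len(payload) < 4:
        raise ValueError("short TZSP header")
    version, _ptype, encap = struct.unpack("!BBH", payload[:4])
    if version != 1 or encap != ENCAP_ETHERNET:
        raise ValueError("unsupported TZSP version or encapsulation")
    i = 4
    while i < len(payload):                 # walk the tagged fields
        tag = payload[i]
        if tag == TAG_END:
            return payload[i + 1:]          # everything after it is the frame
        if tag == TAG_PADDING:
            i += 1
        elif i + 1 < len(payload):
            i += 2 + payload[i + 1]         # tag, length, value
        else:
            break
    raise ValueError("TZSP end tag not found")

def inner_udp_ports(frame: bytes):
    """Return (src_port, dst_port) of an inner IPv4/UDP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None                         # not untagged IPv4 over Ethernet
    ihl = (frame[14] & 0x0F) * 4
    if frame[14] >> 4 != 4 or ihl < 20 or frame[23] != 17:
        return None                         # not IPv4 or not UDP
    if struct.unpack("!H", frame[20:22])[0] & 0x1FFF:
        return None                         # later fragment: no UDP header
    udp = frame[14 + ihl:14 + ihl + 4]
    return struct.unpack("!HH", udp) if len(udp) == 4 else None

def build_sample() -> bytes:
    """Constructed sample: inner UDP 40000 -> 53 wrapped in a TZSP datagram."""
    eth = bytes(12) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 32, 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 53]))
    udp = struct.pack("!HHHH", 40000, 53, 12, 0) + b"test"
    tags = bytes([0x0A, 1, 0x20, TAG_PADDING, TAG_END])  # one TLV, pad, end
    return struct.pack("!BBH", 1, 0, ENCAP_ETHERNET) + tags + eth + ip + udp

if __name__ == "__main__":
    print(inner_udp_ports(tzsp_decapsulate(build_sample())))
```
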
 
multipath
newbie
Topic Author
Posts: 43
Joined: Fri Sep 17, 2010 4:42 pm

Re: Feature Request: CALEA update

Mon Feb 28, 2011 11:31 pm

> RouterOS has a CALEA capture server (package) and a CALEA client (built in already). It's a little-advertised gem, I think.

Yes, CALEA capturing on the MikroTik server is very good. We've tried using a Wireshark server to capture packets, but it breaks often (it sometimes will not even send to the Wireshark, or rather the Wireshark will not connect); the built-in MikroTik works great, it just takes a little longer to set up and run.

After some thought, it would be nice if one could set CALEA to capture all packets based on a User Manager login; that way, no matter what computer is used, the traffic is still captured.
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: Feature Request: CALEA update

Mon Feb 28, 2011 11:36 pm

Dunno much about CALEA or User Manager, but User Manager is just RADIUS - can you send the Address List attribute to dynamically add a user to an address list? You can with other RADIUS servers. Then you can maybe just have CALEA capture all traffic to/from that address list to get the result you want.

Just a random thought.
 
FIPTech
Member
Posts: 469
Joined: Tue Dec 22, 2009 1:53 am

Re: Feature Request: CALEA update

Mon Feb 28, 2011 11:57 pm

For remote capture, there is a simpler and better tool than CALEA.

This is the remote capture tool directly usable from Wireshark.

It needs implementation on the remote machine, using WinPcap 4.0 (daemons available for Windows and Linux).

See: http://wiki.wireshark.org/CaptureSetup/WinPcapRemote

The biggest advantage of this is that if you have access rights to the remote machine, you can configure which interface and capture filter you want directly from Wireshark.

This is really simpler and faster than configuring CALEA rules on the capturing machine.
