Community discussions

MikroTik App
 
steen
Member
Member
Topic Author
Posts: 470
Joined: Sat Oct 23, 2010 2:15 am
Location: Sweden
Contact:

wireless sniffer streaming to a server

Sat Apr 11, 2015 11:03 am

Hello Folks!

I try to setup a wireless sniffer using mikrotik and send the stream to a linux box for further processing. Idea is to find stolen items, even if they are not registered to our access points.

I managed to stream to wireshark, no problem at all, but that does not solve my problem.
Ultimately I need to "log" filtered traffic down to mysql database for further processing, in real time, or almost real time.

I tried trafr which seems to be able get the stream out, but it immediate exits after receiving the first packages of data from mikrotik sniffer stream.

Staring trafr:
[root@lina ~]# ./trafr -s | tcpdump -r - -n
reading from file -, link-type EN10MB (Ethernet)

It looks fine!
Now start the wireless sniffer in mikrotik, and trafr just exits...
[root@lina ~]#

Hmmm....

Anyone who know what is problem with trafr, maybe it was not designed for wireless sniffing, only ethernet who knows ?

Is there another linux "server" that can receive the stream correctly and remove the encapsulating TZSP and log it to a file or a socket in a way. Can tcpdump do such magics or tshark/wireshark ?
 
tatsugot
just joined
Posts: 22
Joined: Tue Jul 26, 2016 8:16 pm

Re: wireless sniffer streaming to a server

Wed Aug 24, 2016 3:23 pm

I am trying to do something similar and facing same problem , what did you do?
 
Sob
Forum Guru
Forum Guru
Posts: 5415
Joined: Mon Apr 20, 2009 9:11 pm

Re: wireless sniffer streaming to a server

Thu Aug 25, 2016 3:45 pm

Another program that can receive TZSP is tzsp2pcap.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.
 
jo2jo
Forum Veteran
Forum Veteran
Posts: 971
Joined: Fri May 26, 2006 1:25 am

Re: wireless sniffer streaming to a server

Sat Nov 26, 2016 7:38 am

hey, look into this:

https://gist.github.com/jabberd/b9d6a29098a5b8f1ee45

The last step allowed me to convert tzsp captures (streaming from a mikrotik doing a streaming wireless sniff to a machine running wireshark/tcpdump , and capturing on its eth interface ) into .cap files that a fully readable by all apps.

thanks to the author of the github doc/how to, and to the author of "bittwiste" app (http://bittwist.sourceforge.net/)
and mikrotik!
(prior to finding this doc, i had spent nearly 12 hours trying to strip out the tzsp data manually from my captures via various methods, inculding using bittwiste (i was leaving out the "-M 105" option), unsuccessfully too.... :( )


edit: incase that github file disappears one day, here is the command to use with bittwiste (note the "e" there are 2 apps , bittwist and bittwiste )
1. Set up streaming server:
/interface wireless sniffer set streaming-server=X.X.X.X
/interface wireless sniffer set streaming-enabled=yes
/interface wireless sniffer set multiple-channels=yes

2. Set up scan list or specific channel(s) (frequencies in MHz):
/interface wireless set scan-list=default

3. Start up the sniffer:
/interface wireless sniffer sniff interface=wlan1

4. Catch the traffic at X.X.X.X with tcpdump:
tcpdump -i eth0 -w in.pcap

You can also use trafr or wireshark for this purpose.

5. Convert in.pcap into usable format:
bittwiste -M 105 -I in.pcap -O out.pcap -D 1-63

-M 105 — IEEE 802.11
-D 1-63 — remove leading TZSP headers
source: user "jabberd"
https://gist.github.com/jabberd/b9d6a29098a5b8f1ee45
:beep :beep :beep
 
User avatar
jabberd
newbie
Posts: 25
Joined: Tue Feb 28, 2017 1:10 pm
Contact:

Re: wireless sniffer streaming to a server

Tue Feb 28, 2017 2:17 pm

The gist mentioned above has been updated (e.g. listening to UDP 37008 explicitly, not all the interface traffic, and a note on Ethernet TZSP conversion).
 
R1CH
Forum Veteran
Forum Veteran
Posts: 919
Joined: Sun Oct 01, 2006 11:44 pm

Re: wireless sniffer streaming to a server

Wed Mar 01, 2017 1:41 am

I made a quick fork of tzsp2pcap that adds a fake radiotap header and uses DLT_IEEE802_11_RADIO link layer type. This makes the output immediately usable in tcpdump, aircrack-ng, etc.

https://github.com/notr1ch/tzsp2pcap

Who is online

Users browsing this forum: No registered users and 63 guests