tomikaco
just joined
Topic Author
Posts: 14
Joined: Fri Aug 14, 2020 10:45 pm

packet sniffing on MK working as switch

Thu Jan 13, 2022 2:55 pm

Hello,

I have a quick question about how (and whether) packet sniffing on MikroTik that is used just as a switch works.

This is my setup:
IP device (192.168.2.3) -> eth -> MikroTik RB952Ui-5ac2nD (eth1-eth5 bridged) (192.168.2.2) -> eth -> MikroTik RB750Gr3 (eth2-eth5 bridged, eth1 WAN, NAT) (192.168.2.1) -> eth (WAN) -> modem -> internet

Using MK 192.168.2.1's packet sniffer, I can see some communication between 192.168.2.3 and the internet. However, using the same filter rules, I am unable to see these packets in MK 192.168.2.2, even though they surely had to pass through that switch.

I have tried TCP/UDP/ICMP from 192.168.2.3 to the internet, but I can see nothing in MK 192.168.3.2. All I can see are the broadcasts & multicasts. It works the same when using interface->torch instead of packet sniffer.

While writing this post, I have found this topic viewtopic.php?t=97768 and it looks like the reason is that the packets are not sent from switch to CPU. However the topic is outdated and not solved + I am getting syntax errors for the advised commands.

So I have tried to set it using WinBox GUI by going to Switch->Rule->New switch rule, setting "Ports" to my ethernet port and in "Action" checked "Copy to CPU"/"Redirect to CPU"/"Mirror", but I am getting "not supported for this switch(6)" error for all three action options. Is it really not supported or am I doing something wrong? Or is there some other way to achieve this?
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: packet sniffing on MK working as switch

Thu Jan 13, 2022 4:19 pm

In a hardware-offloaded bridge, you can't capture packets using the Packet Sniffer, except some types of unicast, multicast and broadcast traffic.
https://wiki.mikrotik.com/wiki/Manual:T ... et_Sniffer
 
tomikaco
just joined
Topic Author
Posts: 14
Joined: Fri Aug 14, 2020 10:45 pm

Re: packet sniffing on MK working as switch

Thu Jan 13, 2022 4:29 pm

I was hoping that there is some way to force the packets to be handled by CPU as well. But according to this page https://help.mikrotik.com/docs/display/ ... p+Features , I would need a MikroTik with switch chip that supports "Rule table" if I understood it right.

The MK RB952Ui-5ac2nD has "QCA 9531 SoC" chip ( https://i.mt.lv/cdn/product_files/hAP_a ... 180505.png ) and is not even mentioned on that page.
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: packet sniffing on MK working as switch

Thu Jan 13, 2022 4:47 pm

Yes...
In a CRS3xxx for example you could either use port mirroring or copy to cpu rules so that you can then sniff the packets using the packet sniffer....
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: packet sniffing on MK working as switch  [SOLVED]

Thu Jan 13, 2022 8:16 pm

> is there some other way to achieve this?

On Atheros 8227, you can copy all traffic of one port to another port by a special setting rather than using switch chip rules, e.g.:
/interface ethernet switch set mirror-source=ether1 mirror-target=ether5

This is useful when you want to connect an external sniffing device (a computer running tcpdump or Wireshark, or possibly another Mikrotik).

If the volume of the traffic running through the port you want to sniff at by the Mikrotik directly is so low that the CPU will not get overloaded from just sniffing it, chances are high that it won't get overloaded from bridging it either. So if you set hw=no on the appropriate /interface bridge port row, traffic to/from this port will run through the CPU and you can sniff it normally.
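
The two approaches from the reply above, written out as a RouterOS session (an added example, not part of the original thread). The port names ether2 and ether5, the switch name switch1 and the capture file name are assumptions; 192.168.2.3 is the device from the first post.

```routeros
# Added example. Assumed names: ether2 (port the IP device is plugged into),
# ether5 (spare port for an external capture host), switch1 (default switch name).

# --- Option A: mirror the port to an external sniffer ---
/interface ethernet switch set switch1 mirror-source=ether2 mirror-target=ether5
# ... capture on the host connected to ether5 (Wireshark or tcpdump), then undo:
/interface ethernet switch set switch1 mirror-source=none mirror-target=none

# --- Option B: take the port out of hardware offload and sniff on the router ---
# The "H" flag in this listing marks ports that are currently hardware-offloaded.
/interface bridge port print
/interface bridge port set [find interface=ether2] hw=no

# Limit the capture to the device under test and write it to a pcap file.
/tool sniffer set filter-interface=ether2 filter-ip-address=192.168.2.3/32 file-name=ether2-capture.pcap
/tool sniffer start
# ... generate the traffic of interest ...
/tool sniffer stop
/tool sniffer packet print

# Restore hardware offload so bridged traffic bypasses the CPU again.
/interface bridge port set [find interface=ether2] hw=yes
```

Leaving hw=no or a mirror in place after the capture keeps the extra CPU load or the duplicated traffic on the target port, so both options end with the line that reverts them.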
 
tomikaco
just joined
Topic Author
Posts: 14
Joined: Fri Aug 14, 2020 10:45 pm

Re: packet sniffing on MK working as switch

Fri Jan 14, 2022 3:57 pm

Oh I see, so the RB952Ui-5ac2nD has "Atheros 8227" switch chip and the "QCA9531 SoC" is just wifi chip .. that's why I have not found it ..

And yes, with WireShark and port mirroring it's working nicely, thank you very much :) The /hw=no works too, and it's probably even better for me now, since there is minimal traffic.

Also have found a third partial solution - use port mirroring and set mirror-target to CPU. Packet sniffer can be used, but it sniffs only outgoing packets.
Last edited by tomikaco on Fri Jan 14, 2022 4:48 pm, edited 2 times in total.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: packet sniffing on MK working as switch

Fri Jan 14, 2022 4:43 pm

If I read it right, AR8227 is a silicon functional block that can be packaged separately or bundled in the same case with other functional blocks. So in this particular case, it is a part of the QCA9531 SoC.
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: packet sniffing on MK working as switch

Sat Jan 15, 2022 7:44 pm

> Also have found a third partial solution - use port mirroring and set mirror-target to CPU. Packet sniffer can be used, but it sniffs only outgoing packets.

Port mirroring copies the traffic going in and out of the source port and sends it to the target port... https://help.mikrotik.com/docs/display/ ... Mirroring
So it should copy both ingress and egress traffic...

I did test on hardware offloaded ports and port mirroring copies both ingress and egress traffic to the target port as it is supposed to do... For example, connecting my computer to the source port and initiating an ICMP message with the router, then from the target port, on which I was capturing the traffic with Wireshark, I could see the received and sent ICMP packets of the source port and the router, which of course otherwise you can't...
 
tomikaco
just joined
Topic Author
Posts: 14
Joined: Fri Aug 14, 2020 10:45 pm

Re: packet sniffing on MK working as switch

Wed Feb 02, 2022 9:44 pm

>> Also have found a third partial solution - use port mirroring and set mirror-target to CPU. Packet sniffer can be used, but it sniffs only outgoing packets.
>
> Port mirroring copies the traffic going in and out of the source port and sends it to the target port... https://help.mikrotik.com/docs/display/ ... Mirroring
> So it should copy both ingress and egress traffic...
>
> I did test on hardware offloaded ports and port mirroring copies both ingress and egress traffic to the target port as it is supposed to do... For example, connecting my computer to the source port and initiating an ICMP message with the router, then from the target port, on which I was capturing the traffic with Wireshark, I could see the received and sent ICMP packets of the source port and the router, which of course otherwise you can't...

Yes, I confirm again that if I mirror the port I want to sniff to another port, it works for me too and I can see both ways traffic with WireShark. (that's the "solution 1")

Solution 2 is just setting the hardware offload to false and sniff using MikroTik => also works both ways.

Then I noticed that the mirror target can be set to "CPU" instead of ethernet port, so I can sniff it using MikroTik even with port mirroring (but probably performance wise it's comparable to setting the HW offload to false). And with this setting, I can only sniff one-way communication using packet sniffer in MikroTik. Have you tested that too? But it's just for curiosity, since the first 2 solutions work perfectly fine.
