Do I understand this correctly?:
The Torch tool will capture and list all packets that somehow reach the Mikrotik device (similar to "promiscuous mode"),
while the Packet Sniffer tool will only capture packets that actually go through the Mikrotik device (e.g. routing) and are processed by it?
This is important for me because the Torch tool shows that the IPCam indeed sends ICMP response packets, while the Packet Sniffer will not list them (only the ICMP request packets going to the IPCamera).
Re: Torch vs. Packet Sniffer
I was told once that torch is simplified sniff but it's just good to see whether something is moving across the interface.
Sorry that is all I know.
Sorry that is all I know.
Re: Torch vs. Packet Sniffer [SOLVED]
The packet sniffer is far more powerful, it generates an actual wireshark capture file you can copy to your computer, and open with wireshark, and see every piece of info on every packet. Just like you captured it locally with your computer. You can also specify tx, rx or both on an interface which is very handy if you have high throughput on links and only really are looking for something that's being forwarded or received.
It is important to note, if using bridge ports utilizing hardware mode, during the capture, you will need to disable hardware mode on the bridge port, perform the capture, then re-enable hardware mode. Otherwise you will only capture cpu generated packets such as rstp and so on.
It is important to note, if using bridge ports utilizing hardware mode, during the capture, you will need to disable hardware mode on the bridge port, perform the capture, then re-enable hardware mode. Otherwise you will only capture cpu generated packets such as rstp and so on.
Re: Torch vs. Packet Sniffer
Packet sniffer is realy useful especially when used with Wireshark as the previous post indicates...
-
-
vecernik87
Forum Veteran
- Posts: 891
- Joined:
Re: Torch vs. Packet Sniffer
Personally, I prefer to use mangle action "sniff tzsp" because it is clear when it gets executed and you can actually choose - prerouting, forward, postrouting ... (look at packet flow). You can even sniff the same packet multiple times (once in prerouting, once in postrouting) and send them to different ports (so you can have multiple wiresharks running on the same computer and watching it simultaneously). Another advantage is that it is more stable than sniffer (e.g. sniffer stops when your router restarts). Finally - thanks to really powerful matching in mangle, you can filter very precisely, what you want to sniff.
Obvious disadvantage is, that you need to fully understand what you are matching, otherwise you may miss something.
Obvious disadvantage is, that you need to fully understand what you are matching, otherwise you may miss something.
Re: Torch vs. Packet Sniffer
@vecernik87 i wasn't aware of sniff TZSP, just tested and works great...
-
-
justanotherhuman
just joined
- Posts: 4
- Joined:
Re: Torch vs. Packet Sniffer
Hello there!
The solution you describe works nicely and I agree with you on the matter, BUT I found something very weird which I do not understand.
So I have this mangle rule which gets executed in postrouting and only sniff the traffic sniff-TZSP to a server. All seems to work ok with one observation:
Only when the rule is active (sniffing takes place) I see ICMP traffic being generated from the server (that is processing the tzsp traffic) back to the router.
Basically i see invalid ICMP connection (in both INPUT and FORWARD chains) coming from the server back to the router. I'm runnning on the latest 7.8 ROS.
Any clues why is this happening?
Thank you in advance!
The solution you describe works nicely and I agree with you on the matter, BUT I found something very weird which I do not understand.
So I have this mangle rule which gets executed in postrouting and only sniff the traffic sniff-TZSP to a server. All seems to work ok with one observation:
Only when the rule is active (sniffing takes place) I see ICMP traffic being generated from the server (that is processing the tzsp traffic) back to the router.
Basically i see invalid ICMP connection (in both INPUT and FORWARD chains) coming from the server back to the router. I'm runnning on the latest 7.8 ROS.
Any clues why is this happening?
Thank you in advance!
Personally, I prefer to use mangle action "sniff tzsp" because it is clear when it gets executed and you can actually choose - prerouting, forward, postrouting ... (look at packet flow). You can even sniff the same packet multiple times (once in prerouting, once in postrouting) and send them to different ports (so you can have multiple wiresharks running on the same computer and watching it simultaneously). Another advantage is that it is more stable than sniffer (e.g. sniffer stops when your router restarts). Finally - thanks to really powerful matching in mangle, you can filter very precisely, what you want to sniff.
Obvious disadvantage is, that you need to fully understand what you are matching, otherwise you may miss something.
Last edited by justanotherhuman on Fri Apr 14, 2023 2:17 am, edited 1 time in total.
Re: Torch vs. Packet Sniffer
I think you meant 7.8? No way to send a PM.I'm runnning on the latest 8.7 ROS.
-
-
justanotherhuman
just joined
- Posts: 4
- Joined:
Re: Torch vs. Packet Sniffer
Hey, thanks for your reply. I edited my previous post.
Do you have any clues on the issues I have described please?
Do you have any clues on the issues I have described please?
I think you meant 7.8? No way to send a PM.I'm runnning on the latest 8.7 ROS.