Tool: Realtime per IP traffic monitor for home/office

danielm · Fri Sep 27, 2013 1:27 pm

Hi there Mikrotik fans!

I have something to share that I've been working on for the office. When the Internet seems slow I like to be able to see who is doing what, and that is what this little Windows app does. It looks like this:

It is also extremely useful to see the traffic shaping effects when playing around with shaping rules on your Mikrotik router. It uses the Accounting feature of your router.

The tool with basic instructions is attached to this post or you can download it from the links below.

I hope this can be of use to someone! Comments welcome.

Daniel

PS: I know this is technically not a 'sniffer' but it actually started off as one so the name stuck.

EDIT:
I added a new version to this post (V1.0.3). Download the service and viewer from the links below. I had to split them because the forum does not allow files larger than 1 MB any more.
Change Log:
V1.0.3 (2014-06-24)
Download: Viewer and Service

Ability to specify service name
Use keepalive on service
Added code to help plink.exe start up the first time
Added more FAQ's to readme.txt

V1.0.2 (2014-01-15)

Added ability to track multiple subnets
Fixed and improved logging for service
Removed 'Save to CSV' button which was not working
Fixed typo in readme.txt instructions
Added some FAQ's to readme.txt

efaden · Fri Sep 27, 2013 2:36 pm

Link doesn't seem to work? But it looks cool.

Sent from my SCH-I545 using Tapatalk 4

danielm · Fri Sep 27, 2013 2:58 pm

Link doesn't seem to work? But it looks cool.

Odd, it works in my browser. The zipfile is also attached to the message if the link does not work for some reason.

kashifmac2005 · Fri Sep 27, 2013 3:48 pm

Hi there Mikrotik fans!

I have something to share that I've been working on for the office. When the Internet seems slow I like to be able to see who is doing what, and that is what this little Windows app does. It looks like this:

brother is there any solution for realtime traffic monitor for LAN to internet side (WAN) which also resolve address to host like sniffer

danielm · Fri Sep 27, 2013 4:03 pm

Hi there Mikrotik fans!

I have something to share that I've been working on for the office. When the Internet seems slow I like to be able to see who is doing what, and that is what this little Windows app does. It looks like this:
brother is there any solution for realtime traffic monitor for LAN to internet side (WAN) which also resolve address to host like sniffer

Not sure I understand the question. This tool shows all traffic going through the router (Lan to Internet) and shows host names. Sounds like that is what you need?

01101110110110 · Sun Sep 29, 2013 6:32 pm

This looks really useful, I'll give it a try and report back.

01101110110110 · Sun Sep 29, 2013 6:51 pm

Works great, I really like it. The colorscheme is abit hard to get used to but its quite handy I love it. However if I may make some suggestions, perhaps a way to sort/filter the IP's for future versions ? You have all these columns but I can't use them to sort the list and see which user has the highest send/receive or total download...etc. Or the ability to filter, i.e monitor a few specific IP's, known downloaders and such, perhaps a list ? Anyways, great work, I've been looking for something like this for a while, and its fairly simple to get working.

edit:
you may wanna double check the numbers, for some reason its reporting some of my IP's over their 1mb limit, but I have winbox opened and its barely close to the limit

danielm · Sun Sep 29, 2013 9:41 pm

Works great, I really like it. The colorscheme is abit hard to get used to but its quite handy I love it. However if I may make some suggestions, perhaps a way to sort/filter the IP's for future versions ? You have all these columns but I can't use them to sort the list and see which user has the highest send/receive or total download...etc. Or the ability to filter, i.e monitor a few specific IP's, known downloaders and such, perhaps a list ? Anyways, great work, I've been looking for something like this for a while, and its fairly simple to get working.

edit:
you may wanna double check the numbers, for some reason its reporting some of my IP's over their 1mb limit, but I have winbox opened and its barely close to the limit

Thanks for the feedback, glad you like it! The colour scheme is the same as the one used in munin. The columns are sorted by total transfer size (sum of up and down traffic) i.e. your top users will be listed first. Active users (>= 100kbps up or down) will be marked in bold so they will stand out anyway. Our office is only 16 people so showing the 30 most active ones is really sufficient. On a Lan with more than 30 machines all IP's generating traffic are always shown but all the ones more than 30 are summed together as 'other' on the graph.

I'm surprised to hear your numbers are out because I find it very accurate. I do use a 5 second running average, however, so you will see some smoothing out. But a sustained load should be reflected quite accurately. I would be curious what other users experience.

kashifmac2005 · Mon Sep 30, 2013 7:37 am

Hi there Mikrotik fans!

I have something to share that I've been working on for the office. When the Internet seems slow I like to be able to see who is doing what, and that is what this little Windows app does. It looks like this:
brother is there any solution for realtime traffic monitor for LAN to internet side (WAN) which also resolve address to host like sniffer
Not sure I understand the question. This tool shows all traffic going through the router (Lan to Internet) and shows host names. Sounds like that is what you need?

yes and host names of internet ip address i knw not all the ips are resolvable 100% but can help who is surfing what thanks brother

stmx38 · Mon Sep 30, 2013 10:42 am

danielm,
Thank you for nice tool!
Do you have any plans to add browsers support as viewers ?

danielm · Mon Sep 30, 2013 10:52 am

danielm,
Thank you for nice tool!
Do you have any plans to add browsers support as viewers ?

Thanks. No, sorry, no such plans at this time.

eXtremer · Thu Oct 24, 2013 3:43 pm

Great app, thank you!
Karma +1

Is it possible to add sorting by day, week, month ?

danielm · Thu Oct 24, 2013 4:00 pm

Is it possible to add sorting by day, week, month ?

eXtremer, do you mean having a daily/weekly/monthly graph?

eXtremer · Thu Oct 24, 2013 4:43 pm

Is it possible to add sorting by day, week, month ?
eXtremer, do you mean having a daily/weekly/monthly graph?

Yes.

And BTW the *.csv file isn't saved. I click save but I don't see the file.

danielm · Thu Oct 24, 2013 6:19 pm

Yes.

And BTW the *.csv file isn't saved. I click save but I don't see the file.

Hmm, you're right about the CSV. I actually never use it but I'll fix/remove it for a next version. Does anyone need it?

The viewer app has no history capability, only real-time. I do have a (slightly crude but working) munin plugin that will plot the same details for day/week/month/year if anyone is interested. It connects to the same service as the viewer does. Of course you will need a working munin setup.

eXtremer · Fri Oct 25, 2013 10:24 am

Yes.

And BTW the *.csv file isn't saved. I click save but I don't see the file.
Hmm, you're right about the CSV. I actually never use it but I'll fix/remove it for a next version. Does anyone need it?

The viewer app has no history capability, only real-time. I do have a (slightly crude but working) munin plugin that will plot the same details for day/week/month/year of anyone is interested. It connects to the same service as the viewer does. Of course you will need a working munin setup.

Post the plugin please, I installed the munin Windows version, I hope I will have no troubles configuring it.

danielm · Fri Oct 25, 2013 2:17 pm

Yes.

And BTW the *.csv file isn't saved. I click save but I don't see the file.
Hmm, you're right about the CSV. I actually never use it but I'll fix/remove it for a next version. Does anyone need it?

The viewer app has no history capability, only real-time. I do have a (slightly crude but working) munin plugin that will plot the same details for day/week/month/year of anyone is interested. It connects to the same service as the viewer does. Of course you will need a working munin setup.
Post the plugin please, I installed the munin Windows version, I hope I will have no troubles configuring it.

Here you go. Note that it is written in python so you will need that too.
I'm no python programmer, so it can probably be done much cleaner. But it does the job.

The daily graph looks like this:

jp · Fri Oct 25, 2013 11:06 pm

Neat looking tool, does the munin plugin connect to the mikrotik or the windows box running your software? I've downloaded and am playing with it.

danielm · Sat Oct 26, 2013 9:32 pm

Neat looking tool, does the munin plugin connect to the mikrotik or the windows box running your software? I've downloaded and am playing with it.

It connects to the service on the Windows box.

ctng · Sun Dec 08, 2013 10:05 pm

Good day,
please can anyone assist in setting up attrix5. i configured it to listen on port 85 and i get this message on the snifferservice.txt file on the service PC
cannot get traffic:connect timeout. (172.0.0.1:80)
the viewer screen is blank.

please assist

danielm · Mon Dec 16, 2013 9:41 am

Good day,
please can anyone assist in setting up attrix5. i configured it to listen on port 85 and i get this message on the snifferservice.txt file on the service PC
cannot get traffic:connect timeout. (172.0.0.1:80)
the viewer screen is blank.

please assist

Is 172.0.0.1 your mikrotik? Did you enable accounting? You should get traffic info when you enter 172.0.0.1 in your browser.

jemp · Tue Dec 17, 2013 5:34 pm

Hi Daniel
Tnx for this program.. works great..
I need more of these tools..
Indeed also for Saving and monitoring for month statistics.. per user, or per IP...
Keep up the good work
Do you have a website , where we can follow this ?
Tnx

JP

Stillhard · Tue Dec 17, 2013 7:58 pm

thx danielm, this tool working great here.

Can you make this tool to accept different subnet too?
I want to capture for ex. 192.168.0.0/24 and 10.100.100.0/24

danielm · Wed Dec 18, 2013 11:27 am

Indeed also for Saving and monitoring for month statistics.. per user, or per IP...

JP,

Glad you like it. To keep track of monthly usage you can set this setting in the SnifferService.ini file:

ClearSchedule=monthly

This will store the usage for the whole month (instead of just one week) and also write out a CSV file i.e.
201312.txt (yyyymm.txt) in the service folder.

Sorry, there is no website at this time.

Daniel

jemp · Wed Dec 18, 2013 2:05 pm

Daniel
tnx for tip..
the Save File does not work.. like said, one can choose a folder, but nothing is saved..
Would there be an update ?
Tnx in advance
JP

danielm · Wed Dec 18, 2013 2:53 pm

JP,

I'd rather remove that feature since it saves the values as "34.66 GB and "12.34 MB" instead of byte values. Best would be let the service create the file.

danielm · Wed Dec 18, 2013 2:54 pm

thx danielm, this tool working great here.

Can you make this tool to accept different subnet too?
I want to capture for ex. 192.168.0.0/24 and 10.100.100.0/24

Anything is possible

I'll see if I can add capability to accept comma delimited values for network and mask.

ircome · Tue Dec 24, 2013 12:30 pm

hi dear danielm
i try to use this bud don't work
can help me?
when start sniffer service in mikrotik log shown me ssh user log in but rapidly in the next line shown ssh user log out!!!!!!
also me can't see http://192.168.88.1/accounting/ip.cgi
i use mikrotik hotspot also

ircome · Wed Dec 25, 2013 10:05 am

ohhhh
no any bodi there?
i really need this app!!!!
plz help me

scracha · Fri Dec 27, 2013 3:30 am

Service log has following:-
"Error: Cannot execute C:\Program Files\Sniffer\Service\plink.exe"

Win XP home so can't be UAC. Any ideas anyone?

ircome · Tue Jan 07, 2014 2:29 pm

hi dear danielm
i try to use this bud don't work
can help me?
when start sniffer service in mikrotik log shown me ssh user log in but rapidly in the next line shown ssh user log out!!!!!!
also me can't see http://192.168.88.1/accounting/ip.cgi
i use mikrotik hotspot also

i can make this software to do but i usage with mikrotik hotspot so viewer can only shown to me any ip that added to ip bindig:(
i wanna find what port usage with this app to allow to this.
help me

imaljko4 · Sun Jan 12, 2014 1:39 am

This is a great utility, just what i needed.
Is it also somehow possible to see the hosts name, next to the Ip address (in my case the hosts name dont always show up)?
Also how do i now disable the logs in mikrotik router, for the ssh sniffer user ( now my logs are full with the "sniffer" user, log-in and log-out?

Thank you

danielm · Mon Jan 13, 2014 4:52 pm

This is a great utility, just what i needed.
Is it also somehow possible to see the hosts name, next to the Ip address (in my case the hosts name dont always show up)?
Also how do i now disable the logs in mikrotik router, for the ssh sniffer user ( now my logs are full with the "sniffer" user, log-in and log-out?

Thank you

imaljko4,

If you use DHCP and/or DNS on the mikrotik the host names should show (that is what you see in the logs - the dns entries being downloaded)
Not sure how to disable logging in mikrotik

danielm · Mon Jan 13, 2014 4:57 pm

hi dear danielm
i try to use this bud don't work
can help me?
when start sniffer service in mikrotik log shown me ssh user log in but rapidly in the next line shown ssh user log out!!!!!!
also me can't see http://192.168.88.1/accounting/ip.cgi
i use mikrotik hotspot also

i can make this software to do but i usage with mikrotik hotspot so viewer can only shown to me any ip that added to ip bindig:(
i wanna find what port usage with this app to allow to this.
help me

Hi ircome

Did you manage to get http://192.168.88.1/accounting/ip.cgi to show in a browser? If so how because I have the same problem at a particular site where hotspot is used and I don't know how to get around it (I cannot access the mikrotik accounting page from a browser or from the sniffer)

danielm · Mon Jan 13, 2014 4:59 pm

Service log has following:-
"Error: Cannot execute C:\Program Files\Sniffer\Service\plink.exe"

Win XP home so can't be UAC. Any ideas anyone?

Can you run plink.exe from cmd line?

imaljko4 · Mon Jan 13, 2014 6:13 pm

If you use DHCP and/or DNS on the mikrotik the host names should show (that is what you see in the logs - the dns entries being downloaded)
Not sure how to disable logging in mikrotik

You are wright, the host-names do show up, just they sometimes get lost when my server-computer(with sniffer service running) resumes from standby.
So when my computer resumes from standby i had to stop/start the sniffer service, and then i got the host-names again.

Thanks

imaljko4 · Mon Jan 13, 2014 8:56 pm

One more question; is it possible to monitor Ip addresses for 2 networks?

On my Mikrotik router i have :
network 1 : 192.168.1.0/24
network 2: 10.0.0.0/24

I would like to monitor Ip addresses on both networks.

So how do i need to change the values in the SnifferService.ini file?
Something like this or?

#Capture packets from this network (ignore internal traffic) - network 1
Network=192.168.1.0
Mask=255.255.255.0

#Capture packets from NETWORK 2

Network=10.0.0.0
Mask=255.255.255.0

#Mikrotik Server
Mikrotik=192.168.1.1
MikrotikSSHUser=sniffer
MikrotikSSHPassword=XXXXX

Thank you for help

danielm · Mon Jan 13, 2014 10:13 pm

If you use DHCP and/or DNS on the mikrotik the host names should show (that is what you see in the logs - the dns entries being downloaded)
Not sure how to disable logging in mikrotik
You are wright, the host-names do show up, just they sometimes get lost when my server-computer(with sniffer service running) resumes from standby.
So when my computer resumes from standby i had to stop/start the sniffer service, and then i got the host-names again.

Thanks

It should refresh every 5 mins. Just give it a while.

danielm · Wed Jan 15, 2014 11:21 am

One more question; is it possible to monitor Ip addresses for 2 networks?

Now you can

. I have added this feature and added all the info below to the first post of this thread.

Changes are

Added ability to track multiple subnets
Fixed and improved logging for service
Removed 'Save to CSV' button which was not working
Fixed typo in readme.txt instructions
Added some FAQ's to readme.txt

Download link: Sniffer-2014-01-15.zip

imaljko4 · Wed Jan 15, 2014 11:45 am

Great! Thank you very much!

omega-00 · Thu Jan 16, 2014 4:36 am

Tested on 3 different Windows 7 machines and all I see in the log is:

2014/01/16 12:26:07 - Info: Starting up sniffer service
2014/01/16 12:26:07 - Info: Mikrotik user: sniffer
2014/01/16 12:26:07 - Info: Mikrotik IP: 172.16.0.1

Then nothing in the viewer. It doesn't seem as though the SnifferService.exe continues running after that point?
Is there any way to see more debug info?

danielm · Thu Jan 16, 2014 8:37 am

omega-00,

There are a number of checks described in readme.txt that you can do. Basically you want to check:
- you can access the traffic info on the mikrotik from a browser running on the machine where the sniffer service runs
- when you start the service you want to see that the user 'sniffer' logs in on the mikrotik (check mikrotik logs)
- then check you can see traffic and ips using a browser to connect to the service
- then start the viewer

Does the service crash at that point or is it still running?

jemp · Thu Jan 16, 2014 7:55 pm

Tnx Daniel and Happy 2014
Love this new version... works great, monitoring 2 network segments..
Keep U the good work
JP, Antwerp

omega-00 · Fri Jan 17, 2014 3:24 am

- can access the traffic page from the machine running the sniffer service (http://ipaddress/accounting/ip.cgi loads, can see traffic listed)
- can't see user 'sniffer' login to the mikrotik (user account is present on the mikrotik) no user login error shows in the log either
telnet and ssh are available from the machine running the sniffer service to the mikrotik

service crashes before the login process it seems.
I run avast antivirus/security suite on my machine but tried disabling that before starting the service too to ensure it wasn't trying to block/intercept anything.

danielm · Fri Jan 17, 2014 8:32 am

Firstly, is plink.exe available in the same folder as snifferservice.exe? Can you execute it successfully from command line?

Otherwise it may be a config issue - the app does not tolerate an invalid config very well (I guess I can improve that at some stage). Can you perhaps post your snifferservice.ini file?

lucianog · Sat Jan 18, 2014 3:05 am

Firstly, is plink.exe available in the same folder as snifferservice.exe? Can you execute it successfully from command line?

Otherwise it may be a config issue - the app does not tolerate an invalid config very well (I guess I can improve that at some stage). Can you perhaps post your snifferservice.ini file?

I have the same problem, since I can run the console plink.exe and is in the same folder where is stored snifferservice.exe.
This is my configuration snifferservice.ini

[Settings]

#Required settings are uncommented
#Defaults are shown

#Capture packets from this network (ignore internal traffic)
#Comma-separated values are accepted.  Specify a mask for each network even if they are the same.
Network=192.168.80.0
Mask=255.255.255.0
#Match everything BUT the above (only for special custom situations):
#InverseMatch=0

#Mikrotik Server
Mikrotik=192.168.80.1:8292
MikrotikSSHUser=sniffer
MikrotikSSHPassword=sniffer
#This is combined with the Mikrotik IP address to create the accounting URL:
AccountingPath=/accounting/ip.cgi

#Alternative service port to listen on
#ServicePort=80

#Convert static DNS names to uppercase
#UppercaseStatic=1

#Trim trailing text from DNS and DHCP names
#DeleteSuffix=.mycompany.com

#Clear values weekly (default) or monthly
#ClearSchedule=weekly

Thanks for your suggestions

imaljko4 · Sat Jan 18, 2014 4:41 am

I have the same problem, since I can run the console plink.exe and is in the same folder where is stored snifferservice.exe.

Can you make sure that the sniffer service is running (after install i had to manually start the "sniffer service" under control panel- "services")?
Also can you access the http://ipaddress/accounting/ip.cgi page?
if yes, then "danielm" will have to help you out

But would be good if you can also post the "SnifferService.log" file.

lucianog · Sat Jan 18, 2014 6:22 am

Can you make sure that the sniffer service is running (after install i had to manually start the "sniffer service" under control panel- "services")?

Yes!!!

Also can you access the http://ipaddress/accounting/ip.cgi page?

Yes!!!

if yes, then "danielm" will have to help you out But would be good if you can also post the "SnifferService.log" file.

My SnifferService.log file:

2014/01/17 21:37:58 - Info: Starting up sniffer service
2014/01/17 21:37:58 - Info: Mikrotik user: sniffer
2014/01/17 21:37:58 - Info: Mikrotik IP: 192.168.80.1:8292
2014/01/17 21:38:33 - Info: Starting up sniffer service
2014/01/17 21:38:33 - Info: Mikrotik user: sniffer
2014/01/17 21:38:33 - Info: Mikrotik IP: 192.168.80.1:8292
2014/01/17 21:38:43 - Info: Starting up sniffer service
2014/01/17 21:38:43 - Info: Mikrotik user: sniffer
2014/01/17 21:38:43 - Info: Mikrotik IP: 192.168.80.1:8292
2014/01/17 21:39:07 - Info: Starting up sniffer service
2014/01/17 21:39:07 - Info: Mikrotik user: sniffer
2014/01/17 21:39:07 - Info: Mikrotik IP: 192.168.80.1:8292
2014/01/17 21:41:43 - Info: Starting up sniffer service
2014/01/17 21:41:43 - Info: Mikrotik user: sniffer
2014/01/17 21:41:43 - Info: Mikrotik IP: 192.168.80.1:8292
2014/01/17 21:41:57 - Info: Starting up sniffer service
2014/01/17 21:41:57 - Info: Mikrotik user: sniffer
2014/01/17 21:41:57 - Info: Mikrotik IP: 192.168.80.1:8292
2014/01/17 21:41:57 - Info: Networks specified: 1
2014/01/17 21:41:57 - Info: Monitoring network: 192.168.80.0/255.255.255.0
2014/01/17 21:41:57 - Info: SnifferService Port: 80
2014/01/17 21:41:57 - Info: Service started
2014/01/17 21:41:57 - Error: Cannot execute C:\Service\plink.exe 
2014/01/17 21:58:02 - Info: Starting up sniffer service
2014/01/17 21:58:02 - Info: Mikrotik user: sniffer
2014/01/17 21:58:02 - Info: Mikrotik IP: 192.168.80.1:8292
2014/01/17 21:58:09 - Info: Starting up sniffer service
2014/01/17 21:58:09 - Info: Mikrotik user: sniffer
2014/01/17 21:58:09 - Info: Mikrotik IP: 192.168.80.1:8292
2014/01/17 21:58:09 - Info: Networks specified: 1
2014/01/17 21:58:09 - Info: Monitoring network: 192.168.80.0/255.255.255.0
2014/01/17 21:58:09 - Info: SnifferService Port: 80
2014/01/17 21:58:09 - Info: Service started
2014/01/17 21:58:09 - Error: Cannot execute C:\Program Files (x86)\Sniffer\plink.exe 
2014/01/18 01:05:45 - Info: Service stopped
2014/01/18 01:16:14 - Info: Starting up sniffer service
2014/01/18 01:16:14 - Info: Mikrotik user: sniffer
2014/01/18 01:16:14 - Info: Mikrotik IP: 192.168.80.1:8292
2014/01/18 01:16:14 - Info: Networks specified: 1
2014/01/18 01:16:14 - Info: Monitoring network: 192.168.80.0/255.255.255.0
2014/01/18 01:16:14 - Info: SnifferService Port: 80
2014/01/18 01:16:14 - Info: Service started
2014/01/18 01:16:14 - Error: Cannot execute C:\Program Files (x86)\Sniffer\plink.exe 
2014/01/18 01:16:14 - Error: Cannot execute C:\Program Files (x86)\Sniffer\plink.exe

We add the following information:
OS: Windows XP Pro SP3 x86 (Spanish Edition)
Firewall OS: Off
Antivirus: None
.Net Framework: None

Thanks in advance

danielm · Sat Jan 18, 2014 8:31 am


#Mikrotik Server
Mikrotik=192.168.80.1:8292

I see a problem. The 'mikrotik' setting does not support a port. At the moment it defaults to port 80.

Edit: it defaults to port 80 for web traffic and port 22 for ssh.

lucianog · Mon Jan 20, 2014 3:35 am

Hello danielm foremost appreciate your response.
I mention that I changed the port Mikrotik Web service, from 8292 to 80.
I verify that I can access via browser http://192.168.80.1/accounting/ip.cgi

With the following results:

I also keep seeing in the log file indicating that the line can not run the program plink.exe located in the same folder as SnifferService.exe

Of course I appreciate your comments

danielm · Mon Jan 20, 2014 11:45 am

lucianog,

Please try the attached service (just replace the existing exe file). It has some extra debugging info. Upload your logfile again.

lucianog · Mon Jan 20, 2014 2:16 pm

Hi Danielm:
This is the information requested:

Thanks in advance!

lucianog · Mon Jan 20, 2014 2:36 pm

SOLVED!!
Hi Danielm
The problem was on the SSH port, I changed it to 222 of 22

Thanks for the support!

Stillhard · Mon Jan 20, 2014 2:55 pm

Code: Select all
#Mikrotik Server
Mikrotik=192.168.80.1:8292
I see a problem. The 'mikrotik' setting does not support a port. At the moment it defaults to port 80.

Edit: it defaults to port 80 for web traffic and port 22 for ssh.

Weird, im my conf, it works fine with other port other than the default just like lucianog's conf

danielm · Mon Jan 20, 2014 4:32 pm

Weird, im my conf, it works fine with other port other than the default just like lucianog's conf

Hmm, it turns out you can indeed specify a port in the .ini file. It is used for http but ignored for SSH (by plink.exe). So if you specify 192.168.88.1:8080 it will be used as follows

- to get traffic, sniffer will connect to http://192.168.88.1:8080
- to get DNS and DHCP, sniffer will connect to 192.168.88.1:22 using ssh

So you MUST use port 22 for SSH (in the current version), as lucianog discovered

danielm · Tue Jan 21, 2014 8:13 am

service crashes before the login process it seems.
I run avast antivirus/security suite on my machine but tried disabling that before starting the service too to ensure it wasn't trying to block/intercept anything.

Omega-00, do give the updated snifferservice.exe a try. If it still fails you can execute plink.exe from the command line using the same parameters as in the logfile to see what results you get.

rodasram · Thu Jan 23, 2014 5:43 pm

Hello. Can you create a list with the names of host? how works the ips.txt file? Thank you.

rodasram · Thu Jan 23, 2014 5:45 pm

Hello. Can you create a list with the names of host? how works the ips.txt file? Thank you.

danielm · Fri Jan 24, 2014 11:53 am

Hello. Can you create a list with the names of host? how works the ips.txt file? Thank you.

Easiest and best option is to add them as DNS entries on your Mikrotik. The app will then display them correctly if the ssh setup is done as described in the readme.

Alternatively create a file and specify it in IPSource entry for Sniffer.ini
i.e. ips.txt

192.168.1.1=firewall
192.168.1.2=server1
192.168.1.20=my pc

However, this would ignore all DNS and DHCP info from the mikrotik server.

rodasram · Fri Jan 24, 2014 5:11 pm

Thanks! the equals sign is the clue!

bax · Sat Feb 08, 2014 5:50 pm

Avira - antivirus is also complain ... but it works ...

danielm · Wed Feb 12, 2014 12:04 pm

Avira - antivirus is also complain ... but it works ...

I have submitted a false positive notification to Avira

danielm · Fri Feb 14, 2014 4:43 pm

Response from Avira:

Please find a detailed report concerning each individual sample below:

Filename Result
SnifferService.exe FALSE POSITIVE

The file 'SnifferService.exe' has been determined to be 'FALSE POSITIVE'. In particular this means that this file is not malicious but a false alarm. Detection is removed from our virus definition file (VDF) with the version: 7.11.131.42.

silversword · Fri Feb 14, 2014 5:08 pm

Of course if you have a MikroTik...the easiest way to view live data is:
Tools | Torch
LAN traffic use bridge-local interface
Internet traffic use ether1-gateway

danielm · Mon Feb 17, 2014 1:21 pm

palindrom · Thu Mar 20, 2014 8:51 am

hello daniel, i got these messages in snifferservice.log
2014.03.20 12:37:14 - Error: Cannot execute C:\Program Files (x86)\Sniffer\plink.exe
2014.03.20 12:42:14 - Error: Cannot execute C:\Program Files (x86)\Sniffer\plink.exe
2014.03.20 12:47:14 - Error: Cannot execute C:\Program Files (x86)\Sniffer\plink.exe
what is plink.exe?

danielm · Thu Mar 20, 2014 5:07 pm

hello daniel, i got these messages in snifferservice.log
2014.03.20 12:37:14 - Error: Cannot execute C:\Program Files (x86)\Sniffer\plink.exe
2014.03.20 12:42:14 - Error: Cannot execute C:\Program Files (x86)\Sniffer\plink.exe
2014.03.20 12:47:14 - Error: Cannot execute C:\Program Files (x86)\Sniffer\plink.exe
what is plink.exe?

plink.exe does the ssh comms with your mikrotik.

Try to run it from the command line e.g.:
plink.exe sniffer@192.168.88.1

You should be able to connect to the mikrotik.

KiyasMocha · Mon Apr 07, 2014 8:06 am

I've the same problem here >_<

I can't see from MikroTik logs that user: sniffer logging in. but I can see http://ipaddress/accounting/ip.cgi

please guide me

I'm new to this great things, I really am thank you anyway

KiyasMocha · Tue Apr 08, 2014 10:22 am

this is my screenshot

KiyasMocha · Thu Apr 10, 2014 3:40 pm

I always get this error ><

pukkita · Sat Apr 12, 2014 2:56 pm

works awesome, thanks for sharing!!!!!!

florianGinier · Tue Apr 22, 2014 6:01 pm

Hello everyone.

I'm a French student in computer networks and I must admit that you have done an amazing job.
Nevertheless, I would like to know if there is a possibility to export a daily basis of the real time capture without using munin ?
The goal is to find which IP uses more bandwidth in the day.

If you know any other scripts/tools/programs that can do that, I'm interested !

Thank you everyone and goodbye !

himawarichan · Tue Apr 29, 2014 6:31 am

Hi Daniel,

I am so happy that I found this tool you made. Thanks for your effort, great effort

It's the tool which I've been searched for a while, and now I found it.

I successfully set this tool on my computer, and the service runs well.
I just do not have understanding about the munin plugin you post. How does that plugin applied to the tool?

Please enlighten me.

Again, many thanks for your great effort

Cheers

dw5304 · Thu May 01, 2014 5:08 pm

tool works great.
I have a small request seeing that we have multiple mikrotik devices can you make it so u can install the service as another name so we have unique instances of the service running to "segment" the bandwidth? thanks.

omega-00 · Mon May 05, 2014 4:35 am

service crashes before the login process it seems.
I run avast antivirus/security suite on my machine but tried disabling that before starting the service too to ensure it wasn't trying to block/intercept anything.
Omega-00, do give the updated snifferservice.exe a try. If it still fails you can execute plink.exe from the command line using the same parameters as in the logfile to see what results you get.

I'm using the new snifferservice.exe.

Executing/logging in via plink.exe manually works fine. Gives me the MT command prompt as expected.

Executing the new snifferservice.exe just generates the following 3 lines; from command line the app appears to start then stop straight away.

2014/05/05 11:17:31 - Info: Starting up sniffer service
2014/05/05 11:17:31 - Info: Mikrotik user: sniffer
2014/05/05 11:17:31 - Info: Mikrotik IP: 192.168.252.1

danielm · Mon May 05, 2014 6:39 pm

Hello everyone.

I'm a French student in computer networks and I must admit that you have done an amazing job.
Nevertheless, I would like to know if there is a possibility to export a daily basis of the real time capture without using munin ?
The goal is to find which IP uses more bandwidth in the day.

If you know any other scripts/tools/programs that can do that, I'm interested !

Thank you everyone and goodbye !

You can just interrogate the sniffer service using rest to get realtime traffic info. Just go to the snifferservice ip address using a browser. The headers are at the top.

danielm · Mon May 05, 2014 6:40 pm

tool works great.
I have a small request seeing that we have multiple mikrotik devices can you make it so u can install the service as another name so we have unique instances of the service running to "segment" the bandwidth? thanks.

Ah, good idea. Will look into that.

danielm · Mon May 05, 2014 6:43 pm

I'm using the new snifferservice.exe.

Are you using the service exe posted in this thread on 14 March 2013 (top of page 2)?

maxkomp · Sun May 11, 2014 1:48 pm

Thanks daniel, It So Works beautiful

KiyasMocha · Mon May 12, 2014 6:20 am

please anyone, help me!!! >_<

tussockland · Fri Jun 13, 2014 3:36 pm

Hi Daniel, been trying to get it to work on my RB750UP, but it is set up as a basic Switch (bridge) not using DHCP etc, should it still work somehow? Is there any extra settings I need to consider?
-Currently i can get service running, login etc, but error in log file of "Cannot get traffic: Connect timed out."
-Also i get nothing when I try web browser http://192.168.178.14:80/accounting/ip.cgi
-have checked and allowed port 80 on firewall.
I note you say in the file "The setup works best when you use the miktorik router for DCHP and optionally DNS" ... so it gives me hope it may still work for me??

SETTINGS:
[Settings]
#Required settings are uncommented
#Defaults are shown
#Capture packets from this network (ignore internal traffic)
#Comma-separated values are accepted. Specify a mask for each network even if they are the same.
Network=192.168.178.0
Mask=255.255.255.0
#Match everything BUT the above (only for special custom situations):
#InverseMatch=0
#Mikrotik Server
Mikrotik=192.168.178.14
MikrotikSSHUser=sniffer
MikrotikSSHPassword=sniffer
#This is combined with the Mikrotik IP address to create the accounting URL:
AccountingPath=/accounting/ip.cgi
#Alternative service port to listen on
#ServicePort=80
#Convert static DNS names to uppercase
#UppercaseStatic=1
#Trim trailing text from DNS and DHCP names
#DeleteSuffix=.mycompany.com
#Clear values weekly (default) or monthly
ClearSchedule=weekly

SNIFFER LOG:
2014/06/14 00:26:02 - Info: Starting up sniffer service
2014/06/14 00:26:02 - Info: Mikrotik user: sniffer
2014/06/14 00:26:02 - Info: Mikrotik IP: 192.168.178.14
2014/06/14 00:26:02 - Info: Networks specified: 1
2014/06/14 00:26:02 - Info: Monitoring network: 192.168.178.0/255.255.255.0
2014/06/14 00:26:02 - Info: SnifferService Port: 80
2014/06/14 00:26:02 - Info: Service started
2014/06/14 00:28:40 - Error: Cannot get traffic: Connect timed out. (192.168.178.14:80)
2014/06/14 00:28:41 - Error: Cannot get traffic: Connect timed out. (192.168.178.14:80)

Webpage 192.168.178.55/ip from an External computer:
DHCP Leases:
=
Static DNS:
192.168.1.1=localrouter
208.67.220.220=opendns2
208.67.222.222=opendns
DHCP: 1
Static: 3
---------------
Total: 4

Looks like this is the problem?? but i've no idea how to fix it...

Regards, Richard

Cliff · Mon Jun 16, 2014 4:33 am

Hello, I have the issue.
Can you help me?

Mikrotik http port: 81
Using Windows 8.1 Pro (x86)
Using Mikrotik 6.14

SnifferService.ini file:

[Settings]

#Required settings are uncommented
#Defaults are shown

#Capture packets from this network (ignore internal traffic)
#Comma-separated values are accepted.  Specify a mask for each network even if they are the same.
Network=172.29.10.0
Mask=255.255.255.0
#Match everything BUT the above (only for special custom situations):
#InverseMatch=0

#Mikrotik Server
Mikrotik=172.29.10.1
MikrotikSSHUser=admin
MikrotikSSHPassword=xxx
#This is combined with the Mikrotik IP address to create the accounting URL:
#AccountingPath=/accounting/ip.cgi

#Alternative service port to listen on
ServicePort=81

#Convert static DNS names to uppercase
#UppercaseStatic=1

#Trim trailing text from DNS and DHCP names
#DeleteSuffix=.mycompany.com

#Clear values weekly (default) or monthly
#ClearSchedule=weekly

SnifferService.log file:

2014.06.16 12:23:56 - Info: Starting up sniffer service
2014.06.16 12:23:56 - Info: Mikrotik user: admin
2014.06.16 12:23:56 - Info: Mikrotik IP: 172.29.10.1
2014.06.16 12:23:56 - Info: Networks specified: 1
2014.06.16 12:23:56 - Info: Monitoring network: 172.29.10.0/255.255.255.0
2014.06.16 12:23:56 - Info: SnifferService Port: 81
2014.06.16 12:23:56 - Info: Service started
2014.06.16 12:23:59 - Error: Cannot get traffic: Socket Error #10054, Connection reset by peer.
2014.06.16 12:24:01 - Error: Cannot get traffic: Socket Error #10054, Connection reset by peer.
2014.06.16 12:24:04 - Error: Cannot get traffic: Socket Error #10054, Connection reset by peer.
etc

Winbox log:

Jun/16/2014 12:24:10 user admin logged in from x.x.x.x via ssh
Jun/16/2014 12:24:10 user admin logged out from x.x.x.x via ssh

danielm · Thu Jun 19, 2014 4:17 pm

OK, I have finally found the trick to get plink.exe working. The problem lies in the fact that plink does not yet trust the ssh connection to the mikrotik box. The first time you connect plink asks you to add the host key to your registry and you must answer yes.

SO, open a command prompt and execute the following command from your snifferservice folder (specify the mikrotik router ip):

plink 192.168.88.1

The output looks like this:

C:\Program Files\Sniffer\Service>plink 192.168.88.1
The server's host key is not cached in the registry. You have no guarantee that the server is the computer you
think it is.
The server's dss key fingerprint is:
ssh-dss 1024 xxxxxxxxx
If you trust this host, enter "y" to add the key to PuTTY's cache and carry on connecting.
If you want to carry on connecting just once, without adding the key to the cache, enter "n".
If you do not trust this host, press Return to abandon the connection.
Store key in cache? (y/n) y
login as: sniffer

That's it. Just Ctrl-C to exit. Now restart the sniffer service and confirm you see the user sniffer log in to the router.

edi1979 · Wed Jun 25, 2014 9:57 pm

Hi. I just want to know if it is possible to monitor more than 1 mikrotik on the same viewer ?

danielm · Thu Jun 26, 2014 3:34 pm

Hi. I just want to know if it is possible to monitor more than 1 mikrotik on the same viewer ?

No, you can't

danielm · Thu Jun 26, 2014 3:42 pm

Hi All,

V1.0.3 is available and includes the following changes:

Ability to specify service name
Use keepalive on service
Added code to help plink.exe start up the first time
Added more FAQ's to readme.txt

Download: Viewer and Service

danielm · Thu Jun 26, 2014 4:32 pm

Hi Daniel, been trying to get it to work on my RB750UP, but it is set up as a basic Switch (bridge) not using DHCP etc, should it still work somehow? Is there any extra settings I need to consider?
-Currently i can get service running, login etc, but error in log file of "Cannot get traffic: Connect timed out."
-Also i get nothing when I try web browser http://192.168.178.14:80/accounting/ip.cgi
-have checked and allowed port 80 on firewall.
I note you say in the file "The setup works best when you use the miktorik router for DCHP and optionally DNS" ... so it gives me hope it may still work for me??

Richard,

If you don't use DHCP that should not be an issue - you just won't see names next to the IP's. your problem lies in the fact that you cannot access http://192.168.178.14:80/accounting/ip.cgi. If you can't then the sniffer can't. I assume 192.168.178.14 is your mikrotik?

danielm · Thu Jun 26, 2014 4:35 pm

Hi Daniel,

I am so happy that I found this tool you made. Thanks for your effort, great effort
It's the tool which I've been searched for a while, and now I found it.

I successfully set this tool on my computer, and the service runs well.
I just do not have understanding about the munin plugin you post. How does that plugin applied to the tool?

Please enlighten me.

Again, many thanks for your great effort

Cheers

The munin plugin is just to keep track of traffic for longer than 100 seconds. Draws graphs etc. If you are not familiar with munin i'd give it a skip.

danielm · Thu Jun 26, 2014 4:38 pm

I always get this error ><

KiyasMocha, post your snifferservice.ini file. From the screenshot it looks like there it is incorrectly configured.

danielm · Fri Jun 27, 2014 4:37 pm

Hello, I have the issue.
Can you help me?

Mikrotik http port: 81
Using Windows 8.1 Pro (x86)
Using Mikrotik 6.14

Cliff,

You need to specify the custom http port 81 in the following setting in snifferservice.ini.

Mikrotik=172.29.10.1:81

The setting 'ServicePort' is for the sniffer service to listen on a different port than 80.

nabeelryk · Fri Jun 27, 2014 4:43 pm

hi I have installed snifferservice.exe and configured snifferservice.ini successfully.

as I am using hotspot on LAN interface so port 80 is used by my hotspot and I have changed router service port to 88.
so my accounting address is http://192.168.0.1:88/accounting/ip.cgi and I can see log in my browser. So I have changed accounting path in services.ini

AccountingPath=http://192.168.0.1:88/accounting/ip.cgi

but still I an getting this error, the problem is its still looking for traffic at port 80 I don't know why. I did specified port and address. Will you please help me thanks.

2014/06/27 18:27:38 - Error: Cannot get traffic: Connect timed out. (192.168.0.1http:80)

just changed

Mikrotik=192.168.0.1

to

Mikrotik=192.168.0.1:88

and its working now thanks
just a quick question how can I see a whole month log at once ?

Bigfoot · Fri Jun 27, 2014 5:10 pm

Hi

Can not get the SnifferService.exe to run , If I run the SnifferService.exe I don't see the Service "Sniffer" in Services Manage
Pc is running on Windows 7
The log file ol has this in:
2014/06/27 16:05:15 - Info: Mikrotik user: sniffer
2014/06/27 16:05:15 - Info: Mikrotik IP: 192.168.0.1

Bigfoo

danielm · Fri Jun 27, 2014 5:40 pm

..and its working now thanks
just a quick question how can I see a whole month log at once ?

Glad its sorted. The accountingpath gets appended to the ip address of the "Mikrotik" setting.

Do you mean the whole month as a graph or the whole month in text (how much data per ip)?

danielm · Fri Jun 27, 2014 5:43 pm

Hi

Can not get the SnifferService.exe to run , If I run the SnifferService.exe I don't see the Service "Sniffer" in Services Manage
Pc is running on Windows 7
The log file ol has this in:
2014/06/27 16:05:15 - Info: Mikrotik user: sniffer
2014/06/27 16:05:15 - Info: Mikrotik IP: 192.168.0.1

Bigfoot

It is a service, you can't just double-click it. You must install it as per instructions in the readme file.

Bigfoot · Fri Jun 27, 2014 6:12 pm

Sorry missed that one got the service to work

Now I get:

2014/06/27 16:56:17 - Info: Starting up sniffer service
2014/06/27 16:56:17 - Info: Mikrotik user: sniffer
2014/06/27 16:56:17 - Info: Mikrotik IP: 192.168.0.1
2014/06/27 16:57:00 - Info: Starting up sniffer service
2014/06/27 16:57:00 - Info: Mikrotik user: sniffer
2014/06/27 16:57:00 - Info: Mikrotik IP: 192.168.0.1
2014/06/27 17:00:05 - Info: Starting up sniffer service
2014/06/27 17:00:06 - Info: Mikrotik user: sniffer
2014/06/27 17:00:06 - Info: Mikrotik IP: 192.168.0.1
2014/06/27 17:00:07 - Error: Cannot get traffic: HTTP/1.0 504 Gateway Timeout
2014/06/27 17:00:27 - Info: Starting up sniffer service
2014/06/27 17:00:27 - Info: Mikrotik user: sniffer
2014/06/27 17:00:27 - Info: Mikrotik IP: 192.168.0.1
2014/06/27 17:00:27 - Info: Networks specified: 1
2014/06/27 17:00:27 - Info: Monitoring network: 192.168.0.1/255.255.255.0
2014/06/27 17:00:27 - Info: SnifferService Port: 81
2014/06/27 17:00:27 - Info: Service started
2014/06/27 17:00:29 - Error: Cannot get traffic: HTTP/1.0 504 Gateway Timeout

danielm · Fri Jun 27, 2014 6:29 pm

Sorry missed that one got the service to work

Now I get:

2014/06/27 17:00:27 - Info: Starting up sniffer service
2014/06/27 17:00:27 - Info: Mikrotik user: sniffer
2014/06/27 17:00:27 - Info: Mikrotik IP: 192.168.0.1
2014/06/27 17:00:27 - Info: Networks specified: 1
2014/06/27 17:00:27 - Info: Monitoring network: 192.168.0.1/255.255.255.0
2014/06/27 17:00:27 - Info: SnifferService Port: 81
2014/06/27 17:00:27 - Info: Service started
2014/06/27 17:00:29 - Error: Cannot get traffic: HTTP/1.0 504 Gateway Timeout

So can you connect to http://192.168.0.1/accounting/ip.cgi with a browser? If not you have not set up accounting correctly on mikrotik. Follow readme.txt

Bigfoot · Fri Jun 27, 2014 6:47 pm

Yes, I use http://192.168.0.1:81/accounting/ip.cgi

213.199.179.167 192.168.0.48 97 2 * *
192.168.0.16 194.27.183.245 296 6 * *
172.24.73.229 192.168.0.48 953 9 * *
192.168.0.16 207.46.194.8 3457 22 * *
172.25.97.219 192.168.0.48 320 5 * *
192.168.0.15 157.55.56.141 63 1 * *
197.79.14.150 192.168.0.16 404 7 * *
172.25.98.34 192.168.0.19 691 5 * *
172.24.80.54 192.168.0.48 1596 20 * *
85.200.100.228 192.168.0.16 232 4 * *

Bigfoot · Fri Jun 27, 2014 6:53 pm

I see traffic text - http://localhost:82/ip
DHCP Leases:
192.168.0.10=*****************
192.168.0.11=*****************
192.168.0.12=*****************
192.168.0.13=*****************
192.168.0.14=*****************
192.168.0.15=*****************
192.168.0.157=*****************
192.168.0.16=*****************
192.168.0.17=*****************
192.168.0.19=*****************
192.168.0.20=*****************
192.168.0.21=*****************
192.168.0.22=*****************
192.168.0.23=*****************
192.168.0.24=*****************
192.168.0.25=*****************
192.168.0.33=*****************
192.168.0.34=*****************
192.168.0.36=*****************
192.168.0.37=*****************
192.168.0.48=*****************
192.168.0.52=*****************
192.168.0.84=*****************
Static DNS:
192.168.0.1=*****************

DHCP: 23
Static: 1
---------------
Total: 24

Bigfoot · Fri Jun 27, 2014 7:01 pm

Thx, Got it working.
changed :
#Mikrotik Server
Mikrotik=192.168.0.1:81

danielm · Fri Jun 27, 2014 9:50 pm

Thx, Got it working.
changed :
#Mikrotik Server
Mikrotik=192.168.0.1:81

Great, tx for sharing

nabeelryk · Sat Jun 28, 2014 12:43 am

..and its working now thanks
just a quick question how can I see a whole month log at once ?
Glad its sorted. The accountingpath gets appended to the ip address of the "Mikrotik" setting.

Do you mean the whole month as a graph or the whole month in text (how much data per ip)?

whole month as a graph, and is there any way to record the websites users view, as I am using Radius so sorry to say that but radius is doing all the job of accounting and loging of user data per session and I have almost 3 years data per user now in my radius I was kind of searching some thing that can record or show what websites users visited (this is now required due to government policy for all WISP to keep 1 year record of user activity).

danielm · Sat Jun 28, 2014 10:15 pm

..and its working now thanks
just a quick question how can I see a whole month log at once ?
Glad its sorted. The accountingpath gets appended to the ip address of the "Mikrotik" setting.

Do you mean the whole month as a graph or the whole month in text (how much data per ip)?
whole month as a graph, and is there any way to record the websites users view, as I am using Radius so sorry to say that but radius is doing all the job of accounting and loging of user data per session and I have almost 3 years data per user now in my radius I was kind of searching some thing that can record or show what websites users visited (this is now required due to government policy for all WISP to keep 1 year record of user activity).

For a graph you'll have to take a look at the munin script I posted earlier in this thread. It talks to the snifferservice and plots the info of 30 most active users (per IP). But you'll need some experience with munin and linux. As for the visited sites I'm afraid I can't help.

pizzonia · Sun Jun 29, 2014 1:58 pm

Win machine is needed running 24/7?

danielm · Mon Jun 30, 2014 11:43 am

Win machine is needed running 24/7?

Only if you need accurate values for the amount of data transferred per ip for the week. You might also notice a spike in measured traffic when the service starts up due to the build-up of accounting data. Other than that no issue.

hamidbhatti · Wed Jul 02, 2014 5:24 am

Dear danielm,

Thanks for this awesome utility. I install it a month ago, its works fine.
Now i enable Mikrotik Web Proxy(transparent mode) and i observe that the tool doesn't show me the real bandwidth utilization of users.
Do i need to made some changes to work with Web Proxy?

thanks in advance.

danielm · Wed Jul 02, 2014 12:55 pm

Dear danielm,

Thanks for this awesome utility. I install it a month ago, its works fine.
No i enable Mikrotik Web Proxy(transparent mode) and i observe that the tool doesn't show me the real bandwidth utilization of users.
Do i need to made some changes to work with Web Proxy?

thanks in advance.

Hmm, when you use a web proxy the traffic does not go through the router as normal, instead it terminates on the router and the router makes a new connection to the internet. I'm not sure how this is handled in accounting. (You can try switching on 'account local traffic' in accounting perhaps?)

What I can tell you is the logic in the sniffer. For the sniffer to count a packet the source must be local (according to the specified network and mask) and the target must not be local. Or the other way round. If both are local (or both are not local for some reason) it is not counted because we are interested in Local -> Internet traffic.

hamidbhatti · Sat Jul 05, 2014 6:44 am

Dear danielm.

Thanks for your brief reply. I have tested it with "account-local-traffic=yes" but no such success. as you mentioned, traffic redirected to proxy doesn't count.
for my understanding is it possible to count the per ip traffic on a particular interface (i.e LAN) with dst-address=!local for upload and dst-address=local for download.
As TORCH tool does on an interface(i think its also using ip accounting, but not pretty sure

).

Thanks and regards,

danielm · Sat Jul 05, 2014 6:30 pm

Dear danielm.

Thanks for your brief reply. I have tested it with "account-local-traffic=yes" but no such success. as you mentioned, traffic redirected to proxy doesn't count.
for my understanding is it possible to count the per ip traffic on a particular interface (i.e LAN) with dst-address=!local for upload and dst-address=local for download.
As TORCH tool does on an interface(i think its also using ip accounting, but not pretty sure ).

Thanks and regards,

OK, let's do an experiment. If the mikrotik accounting reports the traffic from the LAN to the router then we can show that. I have added some logic to do that. Grab the service attached below and specify

MeasureTrafficToRouter=1

in the ini file. Also set account-local-traffic=yes on your mikrotik.

It should show all traffic going through the router as well as LAN traffic to and from the router.

I have not tested this yet so no guarantees

Let me know how it goes.

hamidbhatti · Mon Jul 07, 2014 7:09 am

Thanks dear danielm.

Seems start working, i will test it further.

really thankful for your time and efforts.

danielm · Mon Jul 07, 2014 11:29 am

Thanks dear danielm.

Seems start working, i will test it further.

really thankful for your time and efforts.

hamidbhatti, that's good news! It was a fairly small change so I don't expect other things to break, but do let me know if you find something odd.

anon3778 · Mon Jul 14, 2014 11:56 am

Hi danielm. Is there any way to clear the log in SniffViewer.exe? The clear button only clears the graph but the total of sent and received data is not cleared. I have also tried to modify the log in traffic.txt but it doesn't seem to work. I need to clear all the sent and received data and hopefully you can help to do so. Thanks.

danielm · Mon Jul 14, 2014 12:15 pm

Hi danielm. Is there any way to clear the log in SniffViewer.exe? The clear button only clears the graph but the total of sent and received data is not cleared. I have also tried to modify the log in traffic.txt but it doesn't seem to work. I need to clear all the sent and received data and hopefully you can help to do so. Thanks.

Yes sure. Just stop the service, delete traffic.txt and start it up again.

Skyflash · Thu Jul 17, 2014 10:50 am

I really thank you for this great tool

Only one question: i have a RB1100 with some different internal "phisical" networks (192.168.1.0/24; 192.168.2.0/24; 10.0.0.0/24) attached on the respective RJ45 interfaces, and the "RED" interface connected to the WAN

How can i use your tool for monitor everything?

Skyflash · Thu Jul 17, 2014 11:33 am

I have a suggestion for a next release

In my LAN i have some Windows DNS servers, that serve the Windows domain. Can you add an option for connect the viewer to a dns service instead the ips.txt file?

danielm · Thu Jul 17, 2014 12:10 pm

I really thank you for this great tool

Only one question: i have a RB1100 with some different internal "phisical" networks (192.168.1.0/24; 192.168.2.0/24; 10.0.0.0/24) attached on the respective RJ45 interfaces, and the "RED" interface connected to the WAN

How can i use your tool for monitor everything?

Skyflash, glad you like it. Note this comment in snifferservice.ini:

#Capture packets from this network
#Comma-separated values are accepted.  Specify a mask for each network even if they are the same.

So for you that would mean

Network=192.168.1.0,192.168.2.0,10.0.0.0
Mask=255.255.255.0,255.255.255.0,255.255.255.0

Skyflash · Thu Jul 17, 2014 1:03 pm

Oh, thank you again. I didn't read the configuration notes... My mistake

kameelperdza · Thu Jul 17, 2014 4:21 pm

Thank you.
Nice Tool

Etz · Thu Jul 17, 2014 11:20 pm

Great tool, thank you

Andoniiiiii · Thu Jul 24, 2014 4:45 pm

Very nice tool, Works fine. Thanks...

I was wondering if you can show realtime Internet connections, I have worked with Watchguard and it has an utility in their firebox system that is called HostWatch:

http://cicorp.com/internet/firewall/Wat ... tWatch.jpg

The "only" thing they do is to put in Graphical mode what you see in IP/Firewall/Connections Tab on RouterOS, but is very nice tool...

Kind regrads,
Andoni.

Andoniiiiii · Thu Jul 24, 2014 4:59 pm

Very nice tool, thanks.

I was wondering if it could be posible to show active connections (IP/Firewall/Connections tab) in graphical mode, I have worked with Watchguard and it have a tool called HostWatch that is very nice too( see attached hostwatch.png)

Kind Regards,
Andoni.

danielm · Fri Jul 25, 2014 11:39 am

Very nice tool, Works fine. Thanks...

I was wondering if you can show realtime Internet connections, I have worked with Watchguard and it has an utility in their firebox system that is called HostWatch:

http://cicorp.com/internet/firewall/Wat ... tWatch.jpg

The "only" thing they do is to put in Graphical mode what you see in IP/Firewall/Connections Tab on RouterOS, but is very nice tool...

Kind regrads,
Andoni.

Andoni,

Unfortunately the Sniffer was not designed to show the target IPs. It does not even track them at all.

Regards,
Daniel

Andoniiiiii · Fri Jul 25, 2014 6:15 pm

Thanks anyway for a great tool.

PCNetworks · Sun Jul 27, 2014 11:36 pm

Thank you danielm for the contribution

!PROBLEM SOLVED!

In the Viewer INI file I un-commented

#Incoming and outgoing max bandwith (not required, for display purposes only)
LineCapacityInbit=1000000
LineCapacityOutbit=512000

All is functioning now, thank you for the great tool.

I have downloaded both he service and viewer files.
Created the SSH user & group on the MT router enabled accounting, set the web access accepted IP.

When i access the router VIA http://10.0.0.1/accounting/ip.cgi.... The browser displays the following in example.

123.237.20.244 10.0.0.248 2032 2 * *
31.13.70.65 10.0.0.248 51963 52 * *
68.67.128.240 10.0.0.248 1368 3 * *

I have copied the Server & Client files into C:\Program Files\Sniffer\

When I start the Sniffer Service, the log SnifferService.log displays the following:

2014/07/27 13:09:53 - Info: Starting up sniffer service
2014/07/27 13:09:53 - Info: Mikrotik user: sniffer
2014/07/27 13:09:53 - Info: Mikrotik IP: 10.0.0.1

When I open the Viewer however, the application fields are not populated with any network statistics.

Can someone possibly help me with determining my error in configuration?

Below are the Service & Viewer INI configs.

[Settings]

#Required settings are uncommented
#Defaults are shown

#Capture packets from this network (ignore internal traffic)
#Comma-separated values are accepted. Specify a mask for each network even if they are the same.
Network=10.0.0.0/24,192.168.0.0/24
Mask=255.255.255.0,255.255.255.0
#Match everything BUT the above (only for special custom situations):
#InverseMatch=0

#Mikrotik Server
Mikrotik=10.0.0.1
MikrotikSSHUser=sniffer
MikrotikSSHPassword=sniffer
#This is combined with the Mikrotik IP address to create the accounting URL:
AccountingPath=/accounting/ip.cgi

#Alternative service port to listen on
ServicePort=80

#Convert static DNS names to uppercase
UppercaseStatic=1

#Trim trailing text from DNS and DHCP names
DeleteSuffix=.mycompany.com

#Clear values weekly (default) or monthly
ClearSchedule=weekly

#Specify a different service name (for multiple services on one machine)
ServiceName=Sniffer
ServiceDisplayName=Sniffer

VIEWER
[Settings]

#Location of SnifferService
SnifferService=localhost

#This line can be used to specify a file listing the ips (not required if service is configured with SSH)
IPSource=http://10.0.0.1
IPSource=c:\temp\ips.txt

#Incoming and outgoing max bandwith (not required, for display purposes only)
#LineCapacityInbit=1000000
#LineCapacityOutbit=512000

Thank you and best regard

danielm · Mon Jul 28, 2014 11:48 am

Network=10.0.0.0/24,192.168.0.0/24

This should be without the '/.24'

Markwinstanley · Mon Jul 28, 2014 12:33 pm

Will it work for Non mikrotik if not is there any other available?

danielm · Mon Jul 28, 2014 2:24 pm

Will it work for Non mikrotik if not is there any other available?

Highly unlikely. Your router must provide accounting info on http in this format (at the very least):

98.168.180.128 192.168.20.11 44 1 * *
23.57.219.27 192.168.21.46 52 1 * *
41.164.145.141 8.8.8.8 65 1 * *
173.194.67.95 192.168.21.13 52 1 * *
192.168.20.11 86.178.40.138 52 1 * *

donaldf · Tue Jul 29, 2014 8:24 am

Great program, thank you for this. It makes my life a lot easier finding workstations that are using large amounts of bandwidth.

I have a question: We have a DC that controls DNS and DHCP. Is there a way for me to see the hostnames? At the moment it is blank, as DNS and DHCP is not handled by the MikroTik.

sammy66 · Tue Jul 29, 2014 3:06 pm

Works great, I really like it. The colorscheme is abit hard to get used to but its quite handy I love it. However if I may make some suggestions, perhaps a way to sort/filter the IP's for future versions ?

DarrenCarterSA · Wed Jul 30, 2014 2:06 pm

You're a star! This is just what I have been looking for!

Brilliant!

danielm · Thu Jul 31, 2014 4:42 pm

Great program, thank you for this. It makes my life a lot easier finding workstations that are using large amounts of bandwidth.

I have a question: We have a DC that controls DNS and DHCP. Is there a way for me to see the hostnames? At the moment it is blank, as DNS and DHCP is not handled by the MikroTik.

Yes, working on that

dennix2014 · Mon Aug 04, 2014 7:22 pm

Ip accounting is not working on the specified machine. If i enter http://192.168.1.98/accounting/ip.cgi (192.168.1.98 is the ip address of my mikrotik router), i always get "ERROR 401:UNATHORISED" . The following screenshot shows that ip accounting is enabled and web access for the specified machine is allowed. Does any body have any idea why this is happening. Any help will be highly appreciated.

hamidbhatti · Wed Aug 06, 2014 8:08 am

Dear danielm.

I was wondering if i can add two routers with same network. i.e.

network : 10.0.0.0/8

#Mikrotik Server
Mikrotik: 10.0.0.1/8
Mikrotik: 10.0.1.1/8

Clients may switch to any gateway with same ip address.

thanks and regards,

Hamid Mehmood

NullKelvin · Wed Aug 06, 2014 8:29 am

Dear danielm.

Thank you for this great tool. It almost perfect for me

Can you add optional function in SnifferService, for resolving reverse DNS entries through specific server?

danielm · Sun Aug 10, 2014 10:38 pm

Works great, I really like it. The colorscheme is abit hard to get used to but its quite handy I love it. However if I may make some suggestions, perhaps a way to sort/filter the IP's for future versions ?

Added option to change the color scheme and sort by ip. Will be in next release

danielm · Sun Aug 10, 2014 10:40 pm

Dear danielm.

I was wondering if i can add two routers with same network. i.e.

network : 10.0.0.0/8

#Mikrotik Server
Mikrotik: 10.0.0.1/8
Mikrotik: 10.0.1.1/8

Clients may switch to any gateway with same ip address.

thanks and regards,

Hamid Mehmood

No, unfortunately that is not supported.

marcdebeer · Thu Aug 14, 2014 1:23 pm

Thanks for this tool its great! Any particular reason why I only get Send Speed data back and no Recv Speed?

WilluX · Thu Aug 14, 2014 5:57 pm

Hi danielm

It seems that I could not get the host names to show up unless i add it manually to ips.txt.

Both DHCP and DNS are on the routerboard.

I have noticed that when I go check on localhost/ip, all I get is:

DHCP Leases:
Static DNS:

DHCP: 0
Static: 0
---------------
Total: 0

Any resolutions to this?

dw5304 · Tue Sep 09, 2014 7:56 pm

would it be possible so make the viewer to be clickable on the color to toggle the data from being displayed on the graph?

makes some things easier to see when u have alot of data flowing over the unit.

also after it runs for a while it seems to loose the graph.

danielm · Tue Sep 09, 2014 10:27 pm

Thanks for this tool its great! Any particular reason why I only get Send Speed data back and no Recv Speed?

That is odd. Can you post the result of http://<service> where <service> is the ip address of the machine running the snifferservice?

danielm · Tue Sep 09, 2014 10:30 pm

Hi danielm

It seems that I could not get the host names to show up unless i add it manually to ips.txt.

Both DHCP and DNS are on the routerboard.

I have noticed that when I go check on localhost/ip, all I get is:
Code: Select all
DHCP Leases:
Static DNS:

DHCP: 0
Static: 0
---------------
Total: 0
Any resolutions to this?

Check your mikrotik log. You should have an SSH connection or at least a connection attempt every 5 minutes from the 'sniffer' user. Maybe you see a logical error. Also check the snifferservice log file.

danielm · Tue Sep 09, 2014 10:36 pm

would it be possible so make the viewer to be clickable on the color to toggle the data from being displayed on the graph?

makes some things easier to see when u have alot of data flowing over the unit.

also after it runs for a while it seems to loose the graph.

Nice idea but will take a while to implement. Maybe some time in the future.

I have seen the graph becoming corrupt but have not been able to find the cause. On the other hand I have had the viewer run for weeks without issues too. If you can figure out under what circumstances it happens it would be very helpful. (Of course restarting the viewer sorts it out but it is a bit of a pain.)

gaff · Thu Sep 11, 2014 4:02 pm

Hello,

I would like to use your application, but I have following problems:

2014.09.11 14:25:34 - Info: Starting up sniffer service
2014.09.11 14:25:34 - Info: Mikrotik user: sniffer
2014.09.11 14:25:34 - Info: Mikrotik IP: 10.8.0.36
2014.09.11 14:25:34 - Info: Networks specified: 1
2014.09.11 14:25:34 - Info: Monitoring network: 10.8.0.0/255.255.0.0
2014.09.11 14:25:34 - Info: SnifferService Port: 8080
2014.09.11 14:25:34 - Info: Service started
2014.09.11 14:25:36 - Error: Cannot get traffic: Connection Closed Gracefully.

in the mikrotik log, there are strange "loggged in" and "loggged out" messages after start of SnifferService:

and the http://10.8.2.33/accounting/ip.cgi reports "Requested document '/accounting/ip.cgi' not found"

Connection by Plink.exe is working (user sniffer is NOT logged out):

Where could be a problem?

gbh · Fri Sep 12, 2014 1:54 pm

Hi danielm

It seems that I could not get the host names to show up unless i add it manually to ips.txt.

Both DHCP and DNS are on the routerboard.

I have noticed that when I go check on localhost/ip, all I get is:
Code: Select all
DHCP Leases:
Static DNS:

DHCP: 0
Static: 0
---------------
Total: 0
Any resolutions to this?

I have exactly the same issue as you.
Which folder should I create an ips.txt in? (and what format for the text please?)

exliko · Wed Oct 01, 2014 4:59 am

Thanks for this great tool

I've installed v1.0.2 several months ago.
Do i need to reinstall the sevices if i want to upgrade it to v1.0.3?

Sl33py · Thu Oct 02, 2014 8:26 pm

Hello
This is a great tool thank you,
Can this tool or even another log the line usage, we can see the current up and download speed but I want to see if the line gets congested at time especially the upload.
I skimmed through the pages but did not see anything.
I have tried cacti but did not come right with it

epiclulz · Mon Oct 20, 2014 5:54 am

this tool is pretty awesome i must admit i like it alot

i have but one question

is this tool grabbing data written to the routers memory or is it polling and collecting data in real time

the question i ask is if i was to turn off the machine with the service running.. if i was to turn it off and go to work and come back and fire it back up will it have account the data from when it was turned off or will it just start logging from there ? im looking for something that will look but do the same thing that your system does without having to have a machine on 24/7

this tool is awesome and you should be really proud of your work

cheers bud

Duduhandelman · Tue Oct 21, 2014 12:10 pm

Well done, very nice tool.

It's working very well while the Mikrotik is doing routing but for some reason I'm unable to view the data while using a bridge.
The data is in the accounting on the router side.
Is there any spaecail config?

Thanks for the great tool

Adame123 · Thu Oct 30, 2014 12:38 pm

@danielm

Is there a way to reset the current stats displayed on the traffic monitor to 0 and start the "monthly" clearschedule from the time of reset ( so that would be day 1)

Adame123 · Thu Oct 30, 2014 12:45 pm

@danielm

Is there a way to reset all the current statistic in the traffic monitor to 0. I set the clearschedule to monthly and after i reset it i want it to start counting from day 1.

epiclulz · Fri Oct 31, 2014 6:09 am

the tool as a major bug... not sure if its resetting when it gets to 100gb or if the remote collector is rebooted it seems to reset the couter

imek · Fri Nov 14, 2014 11:13 am

Each time I run the Snifferviewer, I get this error message List index out of bound (22)

Please could you help with the solution

NunoMMS · Fri Nov 21, 2014 4:35 pm

Hi, can anyone tell me what to do with these errors:
2014-11-21 16:24:32 - Info: Starting up sniffer service
2014-11-21 16:24:32 - Info: Mikrotik user: sniffer
2014-11-21 16:24:32 - Info: Mikrotik IP: 192.168.1.1
2014-11-21 16:24:32 - Info: Networks specified: 1
2014-11-21 16:24:32 - Info: Monitoring network: 192.168.1.0/255.255.255.0
2014-11-21 16:24:32 - Info: SnifferService Port: 80
2014-11-21 16:24:32 - Error: Cannot listen on tcp port 80
2014-11-21 16:24:32 - Error: Socket Error #10013, Access denied.

oskaratk · Wed Dec 17, 2014 7:29 am

seems to be a great tool almost all I need. If I could get accounting to work

However, when I turn on ip-accounting, I not even see traffic using the snapshot funtionality.

I am using a RB450G, in this case pretty much as switch. eth1 as master for eth2 - eth5.
I wonder what I am missing ...

Thanks
Oskar

guoshuzhang · Thu Dec 18, 2014 5:47 pm

2014/12/18 23:45:56 - Info: Starting up sniffer service
2014/12/18 23:45:56 - Info: Mikrotik user: admin
2014/12/18 23:45:56 - Info: Mikrotik IP: 192.168.10.1:22
2014/12/18 23:45:56 - Info: Networks specified: 1
2014/12/18 23:45:56 - Info: Monitoring network: 192.168.10.0/255.255.255.0
2014/12/18 23:45:56 - Info: SnifferService Port: 83
2014/12/18 23:45:56 - Info: Service started
2014/12/18 23:45:56 - Error: Cannot get DNS: C:\Program Files (x86)\Sniffer\plink.exe admin@192.168.10.1:22 -pw ******* "/ip dns static print detail without-paging"
2014/12/18 23:45:56 - Error: Error code: 32
2014/12/18 23:45:58 - Error: Cannot get traffic: Connect timed out. (192.168.10.1:22)
2014/12/18 23:45:59 - Error: Cannot get traffic: Connect timed out. (192.168.10.1:22)
2014/12/18 23:46:00 - Error: Cannot get traffic: Connect timed out. (192.168.10.1:22)
2014/12/18 23:46:01 - Error: Cannot get traffic: Connect timed out. (192.168.10.1:22)

some body help me please

guoshuzhang · Fri Dec 19, 2014 5:50 am

this is my setup
OK?

billjellis · Sun Dec 21, 2014 11:28 am

Stumbled upon a feature of this tonight "networx application" can give you graphs like this. It is by a company called https://www.softperfect.com/. I have been using it for years to monitor traffic on a PC.

Capture.JPG

wilsonlmh · Sat Dec 27, 2014 10:50 pm

Great works you did. BTW, I'd like to ask if you will release the source or not? I think this is a great idea to enrich more functions for this app. For my personal opinion, I think it should at least have a column for connect manually instead of store the server address in a INI file. And also it should use the per-user config store to save last connect address. Since it's the first time I try the app, but I already got lots of idea to improve it. I'm afraid some of my idea will conflict with your original intention. So I think it will be better for you to publish the source in some repository(like github, sourceforge etc.) and then people can develop different version for different purpose. But if that's not quite possible to release the source, would you like to write some documents to describe the protocol between server and viewer? Thank you!

Wed Jan 07, 2015 7:40 pm

awesome work!

real world useful tool !!!

thanks for sharing !!!!!

satrunner · Mon Feb 16, 2015 11:04 am

I have Windows 8.1 for some reason I can't see service running in task manager. and I get error when I start the viewer up Invalid floating point operation

Bintalhoda · Sat Feb 28, 2015 2:17 pm

Hello, i must say this is a life-saver since i have been looking for it for some time, but it won't work for me -_-

Windows 8.1 Pro x64
Mikrotik Server: 192.168.0.254
Network: 192.168.0.0/24
I can start the service and see it running in task manager
I configured accounting in winbox
I added the user 'sniffer' in group 'sniffer' with ssh and read permissions
I cannot access "//192.168.0.254/accounting/ip.cgi"
I am having a 'Cannot get traffic' message

Please advice and thanks in advance

==============
My configuration:
==============

[Settings]
#Capture packets from this network (ignore internal traffic)
#Comma-separated values are accepted. Specify a mask for each network even if they are the same.
Network=192.168.0.0
Mask=255.255.255.0
#Match everything BUT the above (only for special custom situations):
#InverseMatch=0

#Mikrotik Server
Mikrotik=192.168.0.254
MikrotikSSHUser=sniffer
MikrotikSSHPassword=sniffer
#This is combined with the Mikrotik IP address to create the accounting URL:
AccountingPath=//192.168.0.254/accounting/ip.cgi

#Alternative service port to listen on
ServicePort=80

======
Output
======
2015/02/28 14:12:45 - Info: Starting up sniffer service
2015/02/28 14:12:45 - Info: Mikrotik user: sniffer
2015/02/28 14:12:45 - Info: Mikrotik IP: 192.168.0.254
2015/02/28 14:12:45 - Info: Networks specified: 1
2015/02/28 14:12:45 - Info: Monitoring network: 192.168.0.0/255.255.255.0
2015/02/28 14:12:45 - Info: SnifferService Port: 80
2015/02/28 14:12:45 - Info: Service started
2015/02/28 14:12:47 - Error: Cannot get traffic: Connect timed out. (192.168.0.254:80)
2015/02/28 14:12:48 - Error: Cannot get traffic: Connect timed out. (192.168.0.254:80)

imaljko4 · Mon Mar 16, 2015 2:43 am

Is it possible to use this tool to monitor 2 different mikrotik routers at the same time?
Thank you for help

epiclulz · Mon Mar 23, 2015 4:24 am

anyone else still getting this bug where once it goes over 100gb of usage it resets it self to 0 in the tool ?

Fri Apr 03, 2015 9:09 am

Thank you very much for such nice tool.
I would like to monitor multiple routers with one service. Is that possible?

tongqabiz · Thu Apr 09, 2015 8:37 am

Dear bro Daniel

I've already tried this and its work amazingly.
but why cant i see the hostname (in my case)
can you help me with it?

m3a2r1 · Sun Apr 19, 2015 11:16 am

I've got the same problem. It works great but doesn't show hostnames. I'm using DHCP on my MT. I've tested on 2 MT's with the same effect.

imaljko4 · Sat Apr 25, 2015 2:00 am

I've got the same problem. It works great but doesn't show hostnames. I'm using DHCP on my MT. I've tested on 2 MT's with the same effect.

Usually it takes few minutes for the hosts to appear.

Check in your log on the mikrotik router if you see the "sniffer" user connecting ?(if all works fine, you will see the "sniffer" user connecting constantly in your log).
If it doesn't show in the log, then something is wrong...

See the picture.

log.png

m3a2r1 · Sun Apr 26, 2015 11:34 am

I've fixed it. Install note in readme text shows how to create ssh user but there's no info that I have to create password for that user

nikolas22t · Mon May 04, 2015 10:00 am

Can i monitor 2 different mikrotik routers on the same server ? ( 1 service running with 2 servers or 2 services running with 1 server each ?)

imaljko4 · Tue May 05, 2015 2:38 am

Can i monitor 2 different mikrotik routers on the same server ? ( 1 service running with 2 servers or 2 services running with 1 server each ?)

I am able to monitor 2 different routers on the same computer.
I had to install/run 2 services (had to rename the 2nd service to "sniffer2"), and then i used 2 viewers, each viewer is setup to connect to one of the services.
Then it works

So " viewer1" is connecting to "snifferservice1"
"viewer2" is connecting to "snifferservice2"

You have to set this parameters in the snifferservice folder "snifferservice.ini" file
and in the viewer folder on the "sniffer.ini" file

ALX1S · Mon Jun 01, 2015 6:56 pm

Hi, Thanks for the programs, it look like Awesome.

I have the service Running, but im not beeing able to catch teh traffic, and when i check the SnifferService.txt appear "Error: Cannot get traffic: http response code: 401, unauthorized". Im suing the same usr, group and password in the readme. Could you tell me if I forget something.

Thanks.

imaljko4 · Tue Jun 02, 2015 1:36 am

Hi, Thanks for the programs, it look like Awesome.

I have the service Running, but im not beeing able to catch teh traffic, and when i check the SnifferService.txt appear "Error: Cannot get traffic: http response code: 401, unauthorized". Im suing the same usr, group and password in the readme. Could you tell me if I forget something.

Thanks.

Try to type this link in your browser and see if you can access it: http://192.168.1.1/accounting/ip.cgi

instead of the "192.168.1.1" you put your router ip address.

If you cannot acces that page, see if you have enabled accounting under: winbox- ip- accounting
and check if you have enabled http access to your router under: winbox- ip - services (here the port 80 must be enabled for access)

ALX1S · Tue Jun 02, 2015 4:57 pm

Yep, I could see the Mikrotik telling the connections in an plane text interface, and restarted the windows service many times. (the service port is set in the 80, I don't have any other service in this port in this computer)

pverburg · Tue Jun 16, 2015 10:28 pm

Hi,
got this working except I cant get the viewer to use port 85 ??? cant use 80 already in use
I can see the data so the sniffer works, just the viewer I have used 192.168.x.x:85 no go ?

Thanks

Lentin · Wed Jun 17, 2015 5:18 pm

Please help!

Stuck Here:
-------
2015/06/17 16:11:46 - Info: Mikrotik user: sniffer
2015/06/17 16:11:46 - Info: Mikrotik IP: 192.168.1.1
-------
from web: 192.168.1.1/accounting/ip.cgi - Success
my config:
#Capture packets from this network (ignore internal traffic)
#Comma-separated values are accepted. Specify a mask for each network even if they are the same.
Network=192.168.1.0
Mask=255.255.255.0
#Match everything BUT the above (only for special custom situations):
#InverseMatch=0

#Mikrotik Server
Mikrotik=192.168.1.1
MikrotikSSHUser=sniffer
MikrotikSSHPassword=sniffer
#This is combined with the Mikrotik IP address to create the accounting URL:
#AccountingPath=/accounting/ip.cgi

Appreciate your help, Thanks in advance

dalejsa · Mon Jun 22, 2015 1:00 pm

Hi All

I wonder if someone can help me. I followed the instructions below to create the sniffer user for the monitor, I logged out of the router and thereafter I could not login as admin anymore. I have restarted the routerboard but no joy. I am desperate to get back in as admin. Did anyone else experience this? Any suggestions at all?

Thanks

On Mikrotik
-----------
Create an SSH user for getting DHCP lease names and DNS entries
/user
group add name=sniffer policy="ssh,read"
add address=192.168.88.0/24 disabled=no group=sniffer name=sniffer

Enable accounting, required for graph
/ip accounting
set account-local-traffic=no enabled=yes threshold=2560
/ip accounting web-access
set accessible-via-web=yes address=192.168.88.XX/32
(XX is the IP of the Windows machine where SnifferService will run)

check on http://192.168.88.1/accounting/ip.cgi that it works (from specified machine)

imaljko4 · Mon Jul 13, 2015 11:02 am

HI, thanks again for your software, do you know how many ip-s (computers) can the viewer show at once on a network. My network has about 50 computers connected, but seems that the viewer will show only up to 33 computers, or am i wrong?
Do you know if i can somewhere specify that the viewer shows more than 33 computers (actually all the computers that are connected to the network) ? thanks

fundus · Mon Jul 27, 2015 4:55 pm

Is there any way of overriding the default ssh port 22? To avoid brute force attacks, my Mikrotik is set to a different port.

The ini.file's port setting only overrides web, not SSH access. I tried changing the server to 192.168.1.88:5005, but that does not seem to register.

Any guidance much appreciated!

Lordi · Sat Aug 08, 2015 12:05 pm

many thanks to share this tool with us.
it works great for my.
any development in progress?

Elementn · Tue Aug 11, 2015 3:57 pm

many thanks to share this tool with us.
it works great for my.
any development in progress?

Every thing was good , the service start normally but in the miktrotik Logs no user sniffer is logged in ?
Please anyone can help me to solve that ?

Thanks,

shootaboyz · Thu Aug 13, 2015 1:03 pm

Hello,

First I have to thank you for providing this tool. I would like to ask whether I can put the service on another PC (192.168.168.250) and run the viewer from my notebook (192.168.168.124)? If its possible can you show me what I should enter on the viewer config file. Also, is it possible to save the traffic by day, maybe to a csv file?

Thanks.

renedr · Wed Aug 26, 2015 1:00 am

[quote="danielm"]Hi there Mikrotik fans!

I have something to share that I've been working on for the office. When the Internet seems slow I like to be able to see who is doing what, and that is what this little Windows app does. It looks like this:

Nice app. Works well.

psycoclan1 · Wed Sep 09, 2015 12:50 am

Hello guys,

it seems i have a problem here which i cant completely understand and fix it..

I used the sniffer perfectly until today...Today i renabled my transparent web proxy which redirects all the port 80 traffic to port 8989. As soon as i did that the sniffer stopped working. I checked the accounting from web and browser sends back a 401 error (anauthorised access). It seems that the proxy doesnt authorise the accounting, but my sniffer is configured on port 249 (random port i assigned when i first set it up, coz port 80 was blocked).

How can i bypass it?

EDIT : i created 2 address lists in firewall, all the network range exluding mine and i created 2 nat chains with both lists in each redirect. Now all the hosts in the network go through the proxy apart from my pc. Is there another way to have both proxy and accounting?

hendrikbasson · Thu Sep 10, 2015 4:10 pm

Hi,

Great tool!

Anyone figure out a way to send the data via email weekly or so? With the grid and graph?

BroganOs · Fri Sep 18, 2015 1:08 pm

I'm having problems seeing traffic in the viewer and looking for help.

I can see traffic if I go to the address: http://192.168.0.1:81/accounting/ip.cgi
I can see information in the traffic.txt file
The log file show's me logged in with no errors.

2015/09/18 10:57:29 - Info: Starting up sniffer service
2015/09/18 10:57:29 - Info: Mikrotik user: sniffer
2015/09/18 10:57:29 - Info: Mikrotik IP: 192.168.0.1:81
2015/09/18 10:57:29 - Info: Networks specified: 1
2015/09/18 10:57:29 - Info: Monitoring network: 192.168.0.1/255.255.255.0
2015/09/18 10:57:29 - Info: SnifferService Port: 81
2015/09/18 10:57:29 - Info: Service started

But the viewer (SniffViewer.exe) is blank.

I'm not using port 80, I'm using port 81 and have change the web access port on the MT to port 81.
(This solved the error

Error: Cannot get traffic: Connect timed out. (192.168.0.1:81)

I was having by the way)

anyone got any advise?

BroganOs · Fri Sep 18, 2015 3:08 pm

Solved: After I changed ports from 80 to 81 I forgot to change the port number in sniffer.ini as per readme file.

Viewer on Windows machine
-------------------------
- Copy the Viewer files to your machine (any windows machine on the LAN)
- Configure sniffer.ini as per comments (add a port number to the ip if you are not using port 80 for the 
  SnifferService, i.e. SnifferService=localhost:81)
- Start up SnifferViewer.exe

bouvrie · Tue Sep 29, 2015 11:51 am

I have Windows 8.1 for some reason I can't see service running in task manager. and I get error when I start the viewer up Invalid floating point operation

Same issue with me running the viewer, any clue on resolving the isssue?

*edit*

Thanks BroganOs, specifying the alternate port in the Sniffer.ini (host:port) solved my client crashing too...

ciwmohsen · Thu Oct 01, 2015 9:30 am

hi every body
I did settings،But the result was not good
These images is the result of my work
please help me...

snifferservice.jpg

sniffer.jpg

attix 5.jpg

BroganOs · Thu Oct 01, 2015 1:06 pm

In snifferService.ini try changing the "Network" address to the address of your router which I'm assuming is 192.168.0.3 and put the new service port number at the end of the IP address under the microtik server ( see example below)

#Capture packets from this network (ignore internal traffic)
#Comma-separated values are accepted.  Specify a mask for each network even if they are the same.
Network=192.168.0.3
Mask=255.255.255.0
#Match everything BUT the above (only for special custom situations):
InverseMatch=0

#Mikrotik Server
Mikrotik=192.168.0.3:2560
MikrotikSSHUser=sniffer
MikrotikSSHPassword=sniffer
#This is combined with the Mikrotik IP address to create the accounting URL:
AccountingPath=/accounting/ip.cgi

#Alternative service port to listen on
ServicePort=2560

otgooneo · Fri Oct 02, 2015 7:23 am

Looks Awesome!

I`ll try later

ciwmohsen · Sat Oct 03, 2015 4:32 pm

hi BroganOs
thanx for your comment
i change that . but not work properly

ciwmohsen · Mon Oct 05, 2015 8:32 am

hi
thanks BroganOs
i change that. but not work properly

infused · Thu Nov 12, 2015 5:46 am

Just replying to let you know this works really well. Thanks

piyaservice · Wed Nov 18, 2015 8:28 am

Dear sir
this is my config from sniffer.ini
[Settings]

#Required settings are uncommented
#Defaults are shown

#Capture packets from this network (ignore internal traffic)
#Comma-separated values are accepted. Specify a mask for each network even if they are the same.
Network=192.168.0.0
Mask=255.255.255.0
#Match everything BUT the above (only for special custom situations):
#InverseMatch=0

#Mikrotik Server
Mikrotik=192.168.0.254
MikrotikSSHUser=sniffer
MikrotikSSHPassword=sniffer
#This is combined with the Mikrotik IP address to create the accounting URL:
#AccountingPath=/accounting/ip.cgi

#Alternative service port to listen on
#ServicePort=81

#Convert static DNS names to uppercase
#UppercaseStatic=1

#Trim trailing text from DNS and DHCP names
#DeleteSuffix=.mycompany.com

#Clear values weekly (default) or monthly
#ClearSchedule=weekly

this is log file
2015/11/18 13:14:27 - Info: Starting up sniffer service
2015/11/18 13:14:27 - Info: Mikrotik user: sniffer
2015/11/18 13:14:27 - Info: Mikrotik IP: 192.168.0.254
2015/11/18 13:14:27 - Info: Networks specified: 1
2015/11/18 13:14:27 - Info: Monitoring network: 192.168.0.0/255.255.255.0
2015/11/18 13:14:27 - Info: SnifferService Port: 80
2015/11/18 13:14:27 - Info: Service started
2015/11/18 13:14:29 - Error: Cannot get traffic: Connect timed out. (192.168.0.254:80)
2015/11/18 13:14:30 - Error: Cannot get traffic: Connect timed out. (192.168.0.254:80)
2015/11/18 13:14:31 - Error: Cannot get traffic: Connect timed out. (192.168.0.254:80)
2015/11/18 13:14:32 - Error: Cannot get traffic: Connect timed out. (192.168.0.254:80)
2015/11/18 13:14:33 - Error: Cannot get traffic: Connect timed out. (192.168.0.254:80)
2015/11/18 13:14:34 - Error: Cannot get traffic: Connect timed out. (192.168.0.254:80)
2015/11/18 13:14:35 - Error: Cannot get traffic: Connect timed out. (192.168.0.254:80)
2015/11/18 13:14:36 - Error: Cannot get traffic: Connect timed out. (192.168.0.254:80)
2015/11/18 13:14:37 - Error: Cannot get traffic: Connect timed out. (192.168.0.254:80)
2015/11/18 13:14:38 - Error: Cannot get traffic: Connect timed out. (192.168.0.254:80)
2015/11/18 13:14:39 - Error: Cannot get traffic: Connect timed out. (192.168.0.254:80)
2015/11/18 13:14:40 - Error: Cannot get traffic: Connect timed out. (192.168.0.254:80)
2015/11/18 13:14:41 - Error: Cannot get traffic: Connect timed out. (192.168.0.254:80)
2015/11/18 13:14:42 - Error: Cannot get traffic: Connect timed out. (192.168.0.254:80)
2015/11/18 13:14:43 - Error: Cannot get traffic: Connect timed out. (192.168.0.254:80)
2015/11/18 13:14:44 - Error: Cannot get traffic: Connect timed out. (192.168.0.254:80)
2015/11/18 13:14:45 - Error: Cannot get traffic: Connect timed out. (192.168.0.254:80)
2015/11/18 13:14:46 - Error: Cannot get traffic: Connect timed out. (192.168.0.254:80)
2015/11/18 13:14:47 - Error: Cannot get traffic: Connect timed out. (192.168.0.254:80)

www service port : 81
What is problem , Because I cannot change to www service port : 81

BroganOs · Wed Nov 18, 2015 11:42 am

maybe try changing your mikrotik server address to the following:

Mikrotik=192.168.0.254:81

piyaservice · Thu Nov 19, 2015 3:55 am

maybe try changing your mikrotik server address to the following:

Mikrotik=192.168.0.254:81

dear sir
I cannot try http://192.168.0.254:81/accounting/ip.cgi it is found Error 401: Unauthorized

best regard

BroganOs · Thu Nov 19, 2015 12:52 pm

have you tried the advise from imaljko4:

If you cannot acces that page, see if you have enabled accounting under: winbox- ip- accounting
and check if you have enabled http access to your router under: winbox- ip - services (here the port 80 must be enabled for access)

kendo · Mon Nov 23, 2015 12:05 am

maybe try changing your mikrotik server address to the following:

Mikrotik=192.168.0.254:81
dear sir
I cannot try http://192.168.0.254:81/accounting/ip.cgi it is found Error 401: Unauthorized

best regard

Hi
Try to change your router IP address because *.*.*.254 is used as broadcast address.

kendo · Mon Nov 23, 2015 12:22 am

maybe try changing your mikrotik server address to the following:

Mikrotik=192.168.0.254:81
dear sir
I cannot try http://192.168.0.254:81/accounting/ip.cgi it is found Error 401: Unauthorized

best regard

Hi
Try to change your router IP.
ip address you have is used as broadcast.

kendo · Mon Nov 23, 2015 12:28 am

Hi
I have a little misunderstanding

I have installed the system and it`s working well. But I have got wrong RECV TOTAL and SENT TOTAL data

In the picture you can see only 15.50 Mb TOTAL RECV. But I had watched a movie online ~ 500 Mb.

Do you have any ideas how to get correct traffic info?

piyaservice · Wed Nov 25, 2015 8:37 am

maybe try changing your mikrotik server address to the following:

Mikrotik=192.168.0.254:81
dear sir
I cannot try http://192.168.0.254:81/accounting/ip.cgi it is found Error 401: Unauthorized

best regard
Hi
Try to change your router IP.
ip address you have is used as broadcast.

Thank you this is broadcast , It mean 192.168.0.255 this is my understand correct or not , because I use 192.168.0.0/24