sergeda
Frequent Visitor
Topic Author
Posts: 78
Joined: Wed Sep 20, 2006 6:03 am

Using Packet Sniffer with streaming-server

Wed Jul 18, 2007 3:30 pm

Hi all.
I'm trying to use the packet sniffer and forward sniffed traffic to a streaming-server as described in http://www.mikrotik.com/testdocs/ros/2. ... niffer.php, but the document says nothing about setting up the streaming-server. I've tried installing Ethereal and Packetyzer, which are mentioned in the help, on a Windows box. Then I just start a capture, and in Winbox enable the streaming server and press start. And I can't see traffic going through the router. How should it be used?
 
sergejs
MikroTik Support
Posts: 6695
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: Using Packet Sniffer with streaming-server

Thu Jul 19, 2007 11:40 am

1. configure sniffer to stream to device running wireshark:
/tool sniffer set streaming-enabled=yes streaming-server=ip.of.wireshark.box
/tool sniffer start

2. make sure you accept UDP in wireshark (as TZSP uses UDP to transport data)

3. if you are streaming wireless sniffer captures (interface wireless sniffer), make sure you have the newest wireshark and the newest routeros

4. you may need to disable the WCCP protocol in wireshark (Analyze/Enabled Protocols), as that collides with TZSP and by default frames may be considered WCCP, not TZSP.
 
sergeda
Frequent Visitor
Topic Author
Posts: 78
Joined: Wed Sep 20, 2006 6:03 am

Re: Using Packet Sniffer with streaming-server

Thu Jul 19, 2007 2:29 pm

Thank you a lot.
It works.
 
handyman
just joined
Posts: 10
Joined: Mon Dec 04, 2006 7:42 pm

I don't get it

Mon Aug 13, 2007 5:52 am

sergejs wrote:
1. configure sniffer to stream to device running wireshark:
/tool sniffer set streaming-enabled=yes streaming-server=ip.of.wireshark.box
/tool sniffer start

2. make sure you accept UDP in wireshark (as TZSP uses UDP to transport data)

3. if you are streaming wireless sniffer captures (interface wireless sniffer), make sure you have the newest wireshark and the newest routeros

4. you may need to disable the WCCP protocol in wireshark (Analyze/Enabled Protocols), as that collides with TZSP and by default frames may be considered WCCP, not TZSP.

The above instructions are great, but they don't describe the Wireshark setup. How do you invoke it? Do you have to tell it to listen on some port? How do you tell it to "accept UDP"? What exactly does that mean, anyway?

I've gone through the Wireshark documentation and it barely touches on the whole concept of receiving a stream from a remote capture.

The MikroTik documentation, likewise, tells how to tell RouterOS to *send* the stream, but does not mention how to tell Wireshark to *receive* the stream.
 
sergeda
Frequent Visitor
Topic Author
Posts: 78
Joined: Wed Sep 20, 2006 6:03 am

Re: Using Packet Sniffer with streaming-server

Mon Aug 13, 2007 3:51 pm

Just try it yourself.
It doesn't need any additional settings on Wireshark.
You will see packets not destined to your workstation.
 
changeip
Forum Guru
Posts: 3830
Joined: Fri May 28, 2004 5:22 pm

Re: Using Packet Sniffer with streaming-server

Mon Aug 13, 2007 7:22 pm

I haven't tried it in a while, but Wireshark would show all the packets; they were not decoded as the original packets, they were TZSP packets only... therefore most of the decoding of protocols, viewing the TCP stream, etc. didn't work right. Haven't used it in a while though. I always record to a pcap (using trafr or directly to the RouterOS HDD) and then use Wireshark.
 
sergejs
MikroTik Support
Posts: 6695
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: Using Packet Sniffer with streaming-server

Tue Aug 14, 2007 5:23 pm

Wireshark is not a MikroTik product, that's why the documentation does not provide detailed information about configuring it.
You may search Google for "Wireshark remote capture" to get more information.
 
HellMind
Member Candidate
Posts: 148
Joined: Mon Jun 26, 2006 11:58 pm

Re: Using Packet Sniffer with streaming-server

Wed Aug 15, 2007 10:33 pm

sergejs wrote:
Wireshark is not a MikroTik product, that's why the documentation does not provide detailed information about configuring it.
You may search Google for "Wireshark remote capture" to get more information.

I can't use it either, can you help us?

I just need to check out the traffic of the server from a Windows box.

What does MikroTik recommend for doing that?
 
cp8
newbie
Posts: 26
Joined: Sat Dec 08, 2007 6:46 am

Re: Using Packet Sniffer with streaming-server

Thu Dec 13, 2007 7:48 am

Here's how I got streaming working with MikroTik and Wireshark:

Mikrotik IP: 192.168.77.1
Workstation IP: 192.168.77.11
Fake IP address: 192.168.77.12

The stream is sent to a UDP port on your workstation... but nothing is listening on that port... Wireshark listens to the interface as a whole. What I do is send the data to a fake IP address, and set a static mapping of that fake IP to the MAC of my workstation. This way Windows ignores these packets and doesn't generate annoying port unreachables.

/ip arp
add address=192.168.77.12 comment="" disabled=no interface=1-LAN mac-address=00:19:D1:26:46:94

/tool sniffer> print
interface: 0-INET
only-headers: no
memory-limit: 1000
file-name: ""
file-limit: 1000
streaming-enabled: yes
streaming-server: 192.168.77.11
filter-stream: no
filter-protocol: all-frames
filter-address1: 0.0.0.0/0:0-65535
filter-address2: 0.0.0.0/0:0-65535
running: no

In Wireshark, use this as your filter:

tzsp and ....
 
pekr
Member Candidate
Posts: 169
Joined: Tue Feb 22, 2005 9:05 pm
Location: Czech Republic

Re: Using Packet Sniffer with streaming-server

Thu Mar 05, 2009 6:10 pm

Sorry to bump up the topic, but maybe that's better than establishing a new one :-)

We were recently contacted by one criminal investigation agency, and they want us to cooperate upon catching some criminal activity from our network. Surely we want to cooperate :-)

I tried many things, but I am not sure I am getting the expected result. I work with Wireshark and I know basic stuff about it. Then I think I know at least basic stuff about MT, but ... this approach either does not work at all, or I am completely dumb :-) (which might be the case :-)

1) I can choose two addresses, and here comes my issue with the MT docs. Sorry, but stating "criterion of choosing the packets to process" is like actually stating nothing useful. So - what is the relation of address1 and address2? Is it like src, dst? So if I want to stream the whole traffic coming to/from one concrete IP address, do I fill in that IP address in the address1 field, and the second one stays with 0.0.0.0/0, or? I surely don't want to use 0.0.0.0/0 everywhere, which would imo redirect the whole 50mbit of traffic? :-)

2) I went to Wireshark, set up logging to files, disabled WCCP as suggested, but I am still not sure I am receiving the streamed content. What should I state in the capture filter (tcpdump) filter field of Wireshark? "udp"? "host mt.ip.here"? "host intruder.ip.here"? or? What I want to get into Wireshark is actually the raw packets of the intruder's to/from communication.

I think that if I don't get it working, I will have to find some old hub to put the Wireshark PC onto the same cable as the main router, and use tcpdump direct host filtering ...

Thanks for eventual help!
-pekr-
 
changeip
Forum Guru
Posts: 3830
Joined: Fri May 28, 2004 5:22 pm

Re: Using Packet Sniffer with streaming-server

Thu Mar 05, 2009 6:43 pm

address1 and address2 are addresses to capture from. It is an AND expression, so if you use specific ranges on both fields both must match.

The streaming portion works well if you can figure it out and deal with packets wrapped up in the tzsp headers.

CALEA was added to RouterOS for this specific reason, you should look into using that.

Beyond that, if you have 50mbps of traffic, and you really need good clean captures that aren't invalidating evidence (and taxing your router under heavy loads), you should use a switch with a mirror port on it. You can find 100mb enterprise class switches on eBay for like $20 now. If you only need 100mb, one of those 3com / IBM 12 or 24 port switches are excellent and cheap.
 
snoozer
Member Candidate
Posts: 154
Joined: Mon Jun 18, 2007 5:13 pm
Location: Schull, West-Cork, Ireland.

Re: Using Packet Sniffer with streaming-server

Fri Feb 19, 2010 2:25 pm

Hi,

Long time coming to this again, I guess. I was just looking for a way to do a remote tcpdump kind of thing and came across the sniffer tool. Has anyone done this to a streaming-server running netcat or something else other than Wireshark? I am troubleshooting VoIP issues and I need to capture all related traffic on a remote end with a ROS router and the VoIP server. The VoIP server is no problem with tcpdump to a file. How can I stream with the sniffer on ROS to a Linux server which is putting all captured traffic into a file for later analysis with Wireshark?

regards
Jan
 
Eising
Member Candidate
Posts: 272
Joined: Mon Oct 27, 2008 10:21 am
Location: Copenhagen, Denmark

Re: Using Packet Sniffer with streaming-server

Fri Feb 19, 2010 3:25 pm

Look into the trafr program, that you can get from the download area. It does exactly that.
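What trafr does for Jan's question, written here as an added stand-alone Python example (not MikroTik's trafr and not code from anyone in this thread): a receiver that binds the TZSP default UDP port, strips the TZSP header and tag list that changeip describes the packets as "wrapped up in", and writes each inner Ethernet (or 802.11) frame to a classic libpcap file that Wireshark opens directly. It assumes the TZSP layout (one-byte version 1, one-byte type 0 for received packets, two-byte encapsulation, then a tag list of type/length/value entries in which only PADDING and END carry no length byte) and the default port 37008. The datagram at the bottom is constructed for the demo and the output file name is a placeholder.

```python
"""Minimal TZSP receiver (added example): decapsulate a RouterOS sniffer
stream into a libpcap file that Wireshark can open directly."""
import socket
import struct
import time

TZSP_PORT = 37008            # default TZSP/UDP port used by RouterOS streaming
TZSP_VERSION = 1
TZSP_TYPE_RX_PACKET = 0      # frame type "received packet"
ENCAP_ETHERNET = 0x01
ENCAP_IEEE80211 = 0x12
TAG_PADDING = 0x00           # no length byte
TAG_END = 0x01               # no length byte; the inner frame follows it
TAG_RAW_RSSI = 0x0A

# TZSP encapsulation -> libpcap link-layer type written in the pcap header.
DLT_FOR_ENCAP = {ENCAP_ETHERNET: 1, ENCAP_IEEE80211: 105}


class TzspError(ValueError):
    """Raised for anything that is not a well-formed TZSP datagram."""


def parse_tzsp(datagram: bytes):
    """Return (encapsulation, {tag: value}, inner_frame) for one datagram."""
    if len(datagram) < 4:
        raise TzspError("shorter than the 4-byte TZSP header")
    version, ftype, encap = struct.unpack("!BBH", datagram[:4])
    if version != TZSP_VERSION or ftype != TZSP_TYPE_RX_PACKET:
        raise TzspError(f"unsupported version/type {version}/{ftype}")
    tags, pos = {}, 4
    while True:
        if pos >= len(datagram):
            raise TzspError("tag list never reached TAG_END")
        tag = datagram[pos]
        pos += 1
        if tag == TAG_END:
            break
        if tag == TAG_PADDING:
            continue
        if pos >= len(datagram):
            raise TzspError("truncated tag header")
        length = datagram[pos]
        value = datagram[pos + 1:pos + 1 + length]
        if len(value) != length:
            raise TzspError("truncated tag value")
        tags[tag] = value
        pos += 1 + length
    return encap, tags, datagram[pos:]


def pcap_global_header(dlt: int) -> bytes:
    # magic, major, minor, thiszone, sigfigs, snaplen, link type (little-endian)
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, dlt)


def pcap_record(frame: bytes, ts: float) -> bytes:
    sec = int(ts)
    usec = int(round((ts - sec) * 1_000_000))
    return struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame


def decapsulate_stream(datagrams, ts: float = 0.0) -> bytes:
    """Build a complete pcap file (as bytes) from a sequence of TZSP datagrams.
    The link type comes from the first datagram; a classic pcap has only one."""
    out, dlt = bytearray(), None
    for d in datagrams:
        encap, _tags, frame = parse_tzsp(d)
        if encap not in DLT_FOR_ENCAP:
            raise TzspError(f"unsupported encapsulation 0x{encap:02x}")
        if dlt is None:
            dlt = DLT_FOR_ENCAP[encap]
            out += pcap_global_header(dlt)
        elif DLT_FOR_ENCAP[encap] != dlt:
            raise TzspError("mixed encapsulations in one stream")
        out += pcap_record(frame, ts)
    return bytes(out)


def serve(path: str, bind: str = "0.0.0.0", port: int = TZSP_PORT) -> None:
    """Bind the TZSP port and append decapsulated frames to `path` until killed."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    with open(path, "wb") as fh:
        dlt = None
        while True:
            data, _peer = sock.recvfrom(65535)
            try:
                encap, _tags, frame = parse_tzsp(data)
            except TzspError:
                continue          # ignore anything on the port that is not TZSP
            if dlt is None:
                dlt = DLT_FOR_ENCAP.get(encap, 1)
                fh.write(pcap_global_header(dlt))
            fh.write(pcap_record(frame, time.time()))
            fh.flush()


# Constructed sample datagram: header (v1, type 0, Ethernet), a padding tag,
# a 1-byte RAW_RSSI tag, TAG_END, then a 34-byte Ethernet/IPv4 frame.
SAMPLE_DATAGRAM = (bytes([1, 0, 0, ENCAP_ETHERNET, TAG_PADDING, TAG_RAW_RSSI, 1, 0xC0, TAG_END])
                   + bytes.fromhex("ffffffffffff0011223344550800") + b"\x45" + b"\x00" * 19)

if __name__ == "__main__":
    serve("tzsp-capture.pcap")   # placeholder output path
```

Run it on the Linux box and point streaming-server at that box. Because a process is then really bound to UDP 37008, the host stops answering every stream datagram with an ICMP port unreachable, which is the nuisance cp8's static-ARP trick works around, and the resulting file contains the original frames rather than TZSP-wrapped ones, so Wireshark's protocol decoding and "Follow TCP Stream" work as changeip wanted. On the router side keep filter-stream=yes so the sniffer does not capture its own TZSP datagrams (the loop marrold describes further down in this thread).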
 
snoozer
Member Candidate
Posts: 154
Joined: Mon Jun 18, 2007 5:13 pm
Location: Schull, West-Cork, Ireland.

Re: Using Packet Sniffer with streaming-server

Fri Feb 19, 2010 3:33 pm

WOW !!!! That was EXACTLY what I was looking for! Thanks for that!

regards
Jan
 
FIPTech
Long time Member
Posts: 558
Joined: Tue Dec 22, 2009 1:53 am

Re: Using Packet Sniffer with streaming-server

Sun Jan 02, 2011 2:28 am

I think it would be simpler and more efficient to be able to use Wireshark in remote capture mode with RouterOS.
 
psycoclan1
Frequent Visitor
Posts: 65
Joined: Mon Aug 11, 2008 4:30 pm
Location: England

Re: Using Packet Sniffer with streaming-server

Wed Aug 19, 2015 6:12 am

sergejs wrote:
1. configure sniffer to stream to device running wireshark:
/tool sniffer set streaming-enabled=yes streaming-server=ip.of.wireshark.box
/tool sniffer start

I know this thread is a few years old, but I came across it earlier. I followed these 2 commands and as soon as I clicked on the Start button my MikroTik crashed for an hour. I couldn't even telnet into it and stop the sniffer. Do you have any idea why it happened? Was it the CPU (100% load) or the RAM?
 
marrold
Member
Posts: 427
Joined: Wed Sep 04, 2013 10:45 am

Re: Using Packet Sniffer with streaming-server

Wed Aug 19, 2015 9:13 am

You need to set filter-stream=yes, otherwise the MikroTik sniffs the streamed traffic and streams it, causing an infinite loop and maxing out the CPU.
 
idst
just joined
Posts: 15
Joined: Thu Feb 08, 2018 12:19 pm

Re: Using Packet Sniffer with streaming-server

Tue May 18, 2021 5:57 pm

My two cents:

MikroTik packet sniffer tcpdump / wireshark / tshark -> https://elundivided.wordpress.com/2021/ ... rk-tshark/
