
Torch vs. Packet Sniffer

Posted: Wed Jun 23, 2021 9:28 pm
by strarsis
Do I understand this correctly?:
The Torch tool will capture and list all packets that somehow reach the Mikrotik device (similar to "promiscuous mode"),
while the Packet Sniffer tool will only capture packets that actually go through the Mikrotik device (e.g. routing) and are processed by it?

This is important for me because the Torch tool shows that the IPCam indeed sends ICMP response packets, while the Packet Sniffer will not list them (only the ICMP request packets going to the IPCamera).

Re: Torch vs. Packet Sniffer

Posted: Thu Jun 24, 2021 2:07 pm
by anav
I was told once that torch is simplified sniff but it's just good to see whether something is moving across the interface.
Sorry that is all I know.

Re: Torch vs. Packet Sniffer  [SOLVED]

Posted: Thu Jun 24, 2021 2:30 pm
by mikeeg02
The packet sniffer is far more powerful. It generates an actual Wireshark capture file you can copy to your computer and open with Wireshark, and see every piece of info on every packet, just like you captured it locally with your computer. You can also specify tx, rx or both on an interface, which is very handy if you have high throughput on links and only really are looking for something that's being forwarded or received.

It is important to note that if you are using bridge ports in hardware mode, you will need to disable hardware mode on the bridge port, perform the capture, then re-enable hardware mode. Otherwise you will only capture CPU-generated packets such as RSTP and so on.

Re: Torch vs. Packet Sniffer

Posted: Thu Jun 24, 2021 11:14 pm
by Zacharias
Packet sniffer is really useful, especially when used with Wireshark as the previous post indicates...

Re: Torch vs. Packet Sniffer

Posted: Fri Jun 25, 2021 7:16 am
by vecernik87
Personally, I prefer to use mangle action "sniff tzsp" because it is clear when it gets executed and you can actually choose - prerouting, forward, postrouting ... (look at packet flow). You can even sniff the same packet multiple times (once in prerouting, once in postrouting) and send them to different ports (so you can have multiple wiresharks running on the same computer and watching it simultaneously). Another advantage is that it is more stable than sniffer (e.g. sniffer stops when your router restarts). Finally - thanks to really powerful matching in mangle, you can filter very precisely, what you want to sniff.

Obvious disadvantage is, that you need to fully understand what you are matching, otherwise you may miss something.
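
Added example, not part of the post above and not MikroTik's code: a minimal Python receiver for the UDP stream that a `sniff-tzsp` mangle rule sends, which strips the TZSP header and summarizes the sniffed Ethernet frame. The port 37008 (Wireshark's TZSP default), the function names and the sample datagram are assumptions made here; run one listener per `sniff-target-port` to keep prerouting and postrouting copies apart.

```python
import socket
import struct

TZSP_PORT = 37008            # assumption: must equal the rule's sniff-target-port
TAG_PADDING, TAG_END = 0, 1  # the only two tags that carry no length byte

def strip_tzsp(datagram: bytes):
    """Return (encapsulated_protocol, tags, inner_frame) for one TZSP datagram."""
    if len(datagram) < 5:
        raise ValueError("too short for a TZSP header plus end tag")
    version, _ptype, encap = struct.unpack("!BBH", datagram[:4])
    if version != 1:
        raise ValueError(f"unsupported TZSP version {version}")
    tags, i = {}, 4
    while i < len(datagram):
        tag = datagram[i]
        i += 1
        if tag == TAG_END:
            return encap, tags, datagram[i:]
        if tag == TAG_PADDING:
            continue
        if i >= len(datagram) or i + 1 + datagram[i] > len(datagram):
            raise ValueError("truncated tagged field")
        tags[tag] = datagram[i + 1:i + 1 + datagram[i]]
        i += 1 + datagram[i]
    raise ValueError("tagged-field list has no end tag")

def summarize(frame: bytes) -> str:
    """Describe the sniffed Ethernet frame; IPv4 gets src, dst and protocol."""
    if len(frame) < 14:
        return "runt frame"
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800 or len(frame) < 34:
        return f"ethertype 0x{ethertype:04x}"
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    return f"{src} -> {dst} proto {frame[23]}"

def listen(port: int = TZSP_PORT):
    """Bind the port and print summaries. A host with nothing bound to the
    port typically answers each datagram with ICMP port unreachable."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("0.0.0.0", port))
        while True:
            data, (router, _) = s.recvfrom(65535)
            print(router, summarize(strip_tzsp(data)[2]))

# Constructed sample: TZSP v1, type 0, encap 1 (Ethernet), end tag, then an
# Ethernet/IPv4/ICMP echo reply 192.0.2.10 -> 192.0.2.1 (checksums zeroed).
SAMPLE = bytes.fromhex(
    "01000001 01 020000000001 020000000002 0800 4500001c 00000000 40010000"
    " c000020a c0000201 00000000 00010001")
```

Call `listen()` on the capture host; `summarize(strip_tzsp(SAMPLE)[2])` exercises the parser offline.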

Re: Torch vs. Packet Sniffer

Posted: Sun Jun 27, 2021 2:01 pm
by Zacharias
@vecernik87 I wasn't aware of sniff TZSP, just tested and works great...

Re: Torch vs. Packet Sniffer

Posted: Thu Apr 13, 2023 3:39 am
by justanotherhuman
Hello there!

The solution you describe works nicely and I agree with you on the matter, BUT I found something very weird which I do not understand.

So I have this mangle rule which gets executed in postrouting and only sniffs the traffic (sniff-TZSP) to a server. All seems to work OK, with one observation:

Only when the rule is active (sniffing takes place) I see ICMP traffic being generated from the server (that is processing the tzsp traffic) back to the router.
Basically I see invalid ICMP connections (in both INPUT and FORWARD chains) coming from the server back to the router. I'm running on the latest 7.8 ROS.

Any clues why is this happening?

Thank you in advance!




Re: Torch vs. Packet Sniffer

Posted: Thu Apr 13, 2023 7:44 am
by Buckeye
I'm running on the latest 8.7 ROS.
I think you meant 7.8? No way to send a PM.

Re: Torch vs. Packet Sniffer

Posted: Fri Apr 14, 2023 2:18 am
by justanotherhuman
Hey, thanks for your reply. I edited my previous post.

Do you have any clues on the issues I have described please?