JohnJacob
just joined
Topic Author
Posts: 2
Joined: Thu Jul 08, 2010 2:07 am

Cloning traffic for monitoring

Thu Jul 08, 2010 2:21 am

Greetings

I have an RB/433 and I'd like to mirror/clone a copy of data coming to/from the wireless clients to the internet.
I've had some success on linux platforms doing the following:
iptables -A PREROUTING -t mangle -j ROUTE --gw 192.168.100.100 --tee
iptables -A POSTROUTING -t mangle -j ROUTE --gw 192.168.100.100 --tee
Where 192.168.100.100 is set up as an interface.

Any suggestions on how to do this with routeros?

Thanks
 
amadeus
just joined
Posts: 3
Joined: Sat Jun 12, 2010 11:08 am

Re: Cloning traffic for monitoring

Thu Jul 08, 2010 8:14 pm

Greetings

I have an RB/433 and I'd like to mirror/clone a copy of data coming to/from the wireless clients to the internet.
[...]
Any suggestions on how to do this with routeros?

Thanks
Hi,

I'd suggest using the sniffer function in routeros. However, this requires you to run a tool called 'trafr' (http://www.mikrotik.com/download/trafr.tgz) on the receiving box.

eg:
$ ./trafr -s | tcpdump -r - -n
Then, set up sniffing on your RB433:
[admin@MikroTik] > /tool sniffer
[admin@MikroTik] /tool sniffer> print
          interface: all
       only-headers: no
       memory-limit: 10
      memory-scroll: no
          file-name: ""
         file-limit: 10
  streaming-enabled: no
   streaming-server: 0.0.0.0
      filter-stream: yes
    filter-protocol: ip-only
    filter-address1: 0.0.0.0/0:0-65535
    filter-address2: 0.0.0.0/0:0-65535
            running: no
[admin@MikroTik] /tool sniffer> set interface=wlan1 streaming-server=192.168.100.100 streaming-enabled=yes
[admin@MikroTik] /tool sniffer> start
..and you should see the expected tcpdump output.

There's also a port mirror feature in the switch chip, but since the wlan interface is not a part of the switch, that won't work in this case (well, unless you mirror your uplink). http://wiki.mikrotik.com/wiki/Manual:Sw ... p_Features

Hope it helps.

--
Morten
 
JohnJacob
just joined
Topic Author
Posts: 2
Joined: Thu Jul 08, 2010 2:07 am

Re: Cloning traffic for monitoring

Thu Jul 08, 2010 10:13 pm

Hi Morten,

Thanks for the references. I did look into using the built-in packet streaming, but I'd rather not have to modify my existing setup if it isn't required. I'll give it a closer look as it may be doing what I need.

Regarding mirroring the uplink: I've considered that; however, I'm not sure if I can get all of the information I'd like for monitoring wireless clients. I know all of the wireless MAC addresses and I'd like access to that info. I'm pretty sure that info will be lost after the NAT does its magic.


jj
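
Added example, not part of the thread and not MikroTik's code: a minimal receiver-side decoder for the sniffer stream discussed above, which strips the encapsulation and totals bytes per source MAC address. It assumes the stream is TZSP version 1 over UDP carrying Ethernet frames (default port 37008); the function names and the sample datagrams are constructed for illustration.

```python
import struct
from collections import Counter

TZSP_PORT = 37008  # assumed default UDP port of the sniffer stream (not stated in the thread)
TAG_PADDING, TAG_END, ENCAP_ETHERNET = 0, 1, 1

def decapsulate(datagram: bytes) -> bytes:
    """Strip the TZSP header and tagged fields; return the inner Ethernet frame."""
    if len(datagram) < 4:
        raise ValueError("short TZSP header")
    version, _ptype, encap = struct.unpack("!BBH", datagram[:4])
    if version != 1 or encap != ENCAP_ETHERNET:
        raise ValueError("not TZSP v1 carrying Ethernet")
    pos = 4
    while pos < len(datagram):
        tag = datagram[pos]
        pos += 1
        if tag == TAG_END:
            return datagram[pos:]
        if tag == TAG_PADDING:
            continue                      # single byte, no length field
        if pos >= len(datagram):
            break                         # tag without a length byte
        pos += 1 + datagram[pos]          # skip length byte plus value
    raise ValueError("missing TZSP end tag")

def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def bytes_per_source_mac(datagrams) -> Counter:
    """Total inner-frame bytes per source MAC; malformed datagrams are skipped."""
    totals = Counter()
    for datagram in datagrams:
        try:
            frame = decapsulate(datagram)
        except ValueError:
            continue
        if len(frame) >= 14:              # dst MAC (6) + src MAC (6) + EtherType (2)
            totals[mac(frame[6:12])] += len(frame)
    return totals

def _sample(src: bytes, payload_len: int, tags: bytes = b"") -> bytes:
    """Build a constructed TZSP datagram wrapping a dummy IPv4 Ethernet frame."""
    frame = b"\x02\x00\x00\x00\x00\x01" + src + b"\x08\x00" + bytes(payload_len)
    return struct.pack("!BBH", 1, 0, ENCAP_ETHERNET) + tags + bytes([TAG_END]) + frame

# Constructed sample input: two clients, one optional tagged field, one truncated datagram.
SAMPLES = [
    _sample(bytes.fromhex("020000aaaa01"), 46),
    _sample(bytes.fromhex("020000aaaa02"), 100, tags=b"\x0a\x01\x2a"),
    _sample(bytes.fromhex("020000aaaa01"), 60, tags=b"\x00"),
    b"\x01\x00",
]

if __name__ == "__main__":
    print(bytes_per_source_mac(SAMPLES))
```

For live use, feed `bytes_per_source_mac` the payloads read from a UDP socket bound to `TZSP_PORT` on the box named as `streaming-server`.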