2.9.14 packet sniffer

changeip · Wed Mar 01, 2006 7:55 pm

Anyone else having major issues with Packet Sniffer in 2.9.14? It seems as thought its not capturing all packets and other oddities. 20-30 entries show up and then disappear. After moving the pcap to ethereal I see that it only captured about 10% of the traffic. Just curious if anyone else noticed this.

I also notice when filtering on specifics you still get ICMP and non-IP from everywhere included in the pcap.

Sam

dsdee · Sun Mar 19, 2006 5:09 am

i'm having a similar issue here. It's starting, and then dying. I created a script, below, that restarts it every 5 minutes in case it's not running, since I'm running snort on my server that it is supposed to be streaming to. Anyways, every 5 it runs, it logs that the sniffer is not running. It used to stay up all the time in 2.9.13 before I upgraded...

Anyone else seeing similar ???

restart script:

:if ( ! [tool sniffer get running] ) do={:log  info "Sniffer IS NOT RUNNING at Start of script"
/tool sniffer stop
:delay 2s
/tool sniffer start} else={:log  info "Sniffer is running at Start of script"}

:if ( [tool sniffer get running] ) do={:log  info "Sniffer is running at End of script"} else={:log  info "Sniffer IS NOT RUNNING at End of script"}

and a snippet of my syslog:

Mar 18 19:36:00 sentry script,info Sniffer IS NOT RUNNING at Start of script
Mar 18 19:36:02 sentry script,info Sniffer is running at End of script
Mar 18 19:41:00 sentry script,info Sniffer IS NOT RUNNING at Start of script
Mar 18 19:41:02 sentry script,info Sniffer is running at End of script
Mar 18 19:46:00 sentry script,info Sniffer IS NOT RUNNING at Start of script
Mar 18 19:46:02 sentry script,info Sniffer is running at End of script
Mar 18 19:51:00 sentry script,info Sniffer IS NOT RUNNING at Start of script
Mar 18 19:51:02 sentry script,info Sniffer is running at End of script
Mar 18 19:56:00 sentry script,info Sniffer IS NOT RUNNING at Start of script
Mar 18 19:56:02 sentry script,info Sniffer is running at End of script

Eugene · Mon Mar 20, 2006 4:50 pm

You should upgrade to the latest version to fix this issue.

Eugene

dsdee · Mon Mar 20, 2006 4:55 pm

i'm already on 2.9.17, and it's doing it there. 2.9.13 was fine...

Eugene · Mon Mar 20, 2006 5:29 pm

I meant 2.9.18 when it becomes available

dsdee · Mon Mar 20, 2006 5:31 pm

... just need to make sure MikroTik knows it's a problem, since it was something that was broken along the way, they need to know it's now broken so that it can be fixed...

cmit · Mon Mar 20, 2006 5:32 pm

I meant 2.9.18 when it becomes available

Which will be soon I suppose (given that it already is on the demo systems)?

Best regards,
Christian Meis

Eugene · Mon Mar 20, 2006 5:38 pm

right.

dsdee · Tue Mar 21, 2006 8:22 pm

ok, so now that i've upgraded to 2.9.18, the Sniffer starts as it should, and stays started. Yeay !

ok, now I have a problem that the CPU load shoots up to 55 and stays there. This didn't happen in previous versions.

Here's my sniffer config:

> /tool sniffer print
          interface: int_if
       only-headers: no
       memory-limit: 0
          file-name: ""
         file-limit: 0
  streaming-enabled: yes
   streaming-server: 192.168.200.3
      filter-stream: yes
    filter-protocol: ip-only
    filter-address1: 0.0.0.0/0:0-65535
    filter-address2: 0.0.0.0/0:0-65535
            running: yes
>

thoughts?

2.9.14 packet sniffer

2.9.14 packet sniffer

2.9.17 sniffer...

already on 2.9.17

well, in the meantime...

sniffer on 2.9.18, and cpu load