wa4zlw
Member Candidate
Topic Author
Posts: 177
Joined: Sat Jun 03, 2006 10:37 pm
Location: Blandon, PA

CALEA and CRS

Sun Mar 01, 2015 3:10 pm

I'm trying to set up a CALEA capture off a CRS and am running into issues. I followed the Wiki and set up the intercept for two LAN IPs (on different VLANs), in and out, and I turned on logging with a prepended CALEA to identify it in the log. Yet if I try to ping that device, it responds as I would expect, but even torch is not showing the traffic and nothing shows in the log.

The switch has multiple VLANs set up as well. I originally set up Wireshark on another box to receive the stream as well, but it seems from what I've read it's better to use a virtualized RouterOS to save it locally.

I've also looked at Butch's presentation as well.

To me this looks real simple but I am obviously missing something.

Any ideas and suggestions are welcome.

Thanks, Leon
 
sergejs
MikroTik Support
Posts: 6697
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: CALEA and CRS

Wed Mar 11, 2015 12:25 pm

Please post the configuration that is used for CALEA here.
 
wa4zlw
Member Candidate
Topic Author
Posts: 177
Joined: Sat Jun 03, 2006 10:37 pm
Location: Blandon, PA

Re: CALEA and CRS

Wed Mar 11, 2015 6:13 pm

Hi Sergejs...when I get back to this later this week I will.

Leon
 
wa4zlw
Member Candidate
Topic Author
Posts: 177
Joined: Sat Jun 03, 2006 10:37 pm
Location: Blandon, PA

Re: CALEA and CRS

Sun Mar 15, 2015 12:22 am

OK folks, here is what I have.

This is on my CRS which is the interceptor @ 10.161.51.4:

[admin@CRS125.wa4zlw.homedns.org] /ip firewall calea> p
Flags: X - disabled, I - invalid, D - dynamic
0 chain=forward action=sniff sniff-target=10.161.51.2 sniff-target-port=300
src-address=10.195.13.10 log=yes log-prefix="CALEA"

1 chain=forward action=sniff sniff-target=10.161.51.2 sniff-target-port=300
dst-address=10.195.13.10 log=yes log-prefix="CALEA"

2 chain=forward action=sniff sniff-target=10.161.51.2 sniff-target-port=300
dst-address=10.161.51.10 log=yes log-prefix="CALEA"

3 chain=forward action=sniff sniff-target=10.161.51.2 sniff-target-port=300
src-address=10.161.51.10 log=yes log-prefix="CALEA"
[admin@CRS125.wa4zlw.homedns.org] /ip firewall calea>

This is on the server @ 10.161.51.2, an x86 RouterOS (WatchGuard X series hardware platform). It only has 64MB flash, but I'm trying this as a test only to see if it works before deploying across a wide set of hardware:

[admin@core10.wa4zlw.homedns.org] /tool calea> p
Flags: X - disabled
0 case-id=0 case-name="" intercept-ip=10.161.51.4
action=pcap file-root="" pcap-file-stop-interval
pcap-file-stop-size=2000000 pcap-file-stop-count
pcap-file-hash-method=sha256
[admin@core10.wa4zlw.homedns.org] /tool calea>

I see nothing in the logs on either box.
10.161.51.10 and 10.195.13.10 are the same box, with VLAN 100 on 10.195.13.10, which is where the voice goes, excepting one Linksys ATA temporarily which cannot be set up with QoS or VLANs. The 10.161 network is used to manage the PBX.

The PBX sends registration out periodically so I would expect to see something.

Looking forward to hearing from anyone on if I screwed the pooch, so to speak.

Thanks. Leon

Below is the full CRS config:

# mar/14/2015 18:04:28 by RouterOS 6.19
# software id = T7SR-8147
#
/interface ethernet
set [ find default-name=ether1 ] name=ether1-100M
set [ find default-name=ether2 ] master-port=ether1-100M name=\
ether2-100M-Spare
set [ find default-name=ether3 ] master-port=ether1-100M name=\
ether3-100M-2-WG
set [ find default-name=ether7 ] name=ether7-DVR
set [ find default-name=ether8 ] name=ether8-LAN-Master
set [ find default-name=ether9 ] master-port=ether8-LAN-Master
set [ find default-name=ether10 ] master-port=ether8-LAN-Master
set [ find default-name=ether11 ] master-port=ether8-LAN-Master
set [ find default-name=ether12 ] master-port=ether8-LAN-Master
set [ find default-name=ether13 ] master-port=ether8-LAN-Master
set [ find default-name=ether14 ] master-port=ether8-LAN-Master
set [ find default-name=ether15 ] master-port=ether8-LAN-Master
set [ find default-name=ether16 ] master-port=ether8-LAN-Master
set [ find default-name=ether17 ] master-port=ether8-LAN-Master
set [ find default-name=ether18 ] master-port=ether8-LAN-Master
set [ find default-name=ether19 ] master-port=ether8-LAN-Master
set [ find default-name=ether20 ] master-port=ether8-LAN-Master
set [ find default-name=ether21 ] master-port=ether8-LAN-Master
set [ find default-name=ether22 ] master-port=ether8-LAN-Master
set [ find default-name=ether23 ] master-port=ether8-LAN-Master
set [ find default-name=ether24 ] name=ether24-Backdoor
/ip neighbor discovery
set ether24-Backdoor discover=no
/interface vlan
add interface=ether8-LAN-Master l2mtu=1584 name=vlan1 vlan-id=1
add interface=ether8-LAN-Master l2mtu=1584 name=vlan50 vlan-id=50
add interface=ether8-LAN-Master l2mtu=1584 name=vlan51 vlan-id=51
add interface=ether8-LAN-Master l2mtu=1584 name=vlan100 vlan-id=100
/interface ethernet
set [ find default-name=ether5 ] master-port=ether7-DVR name=ether5-DVR-2-WG
set [ find default-name=ether6 ] master-port=ether7-DVR name=ether6-DVR-spare
/ip pool
add name=Backdoor ranges=192.168.88.100-192.168.88.199
/ip dhcp-server
add add-arp=yes address-pool=Backdoor always-broadcast=yes disabled=no \
interface=ether24-Backdoor lease-time=30m name=Backdoor
/port
set 0 name=serial0
/routing ospf instance
set [ find default=yes ] redistribute-other-ospf=as-type-2 router-id=\
10.161.51.4
/snmp community
set [ find default=yes ] name=BWW_RO
/interface ethernet switch port
set 23 qos-scheme-precedence="pcp-based,sa-based,da-based,dscp-based,protocol-\
based,vlan-based,pcp-based"
/ip address
add address=192.168.88.1/24 comment=BackDoor interface=ether24-Backdoor \
network=192.168.88.0
add address=10.161.51.4/24 interface=ether8-LAN-Master network=10.161.51.0
add address=10.195.10.4/24 interface=vlan1 network=10.195.10.0
add address=10.195.11.4/24 interface=vlan50 network=10.195.11.0
add address=10.195.12.4/24 interface=vlan51 network=10.195.12.0
add address=10.195.13.4/24 interface=vlan100 network=10.195.13.0
/ip dhcp-client
add comment=DHCP-2-Beta default-route-distance=0 dhcp-options=\
hostname,clientid interface=ether1-100M
add comment=DHCP-2-DVR default-route-distance=0 dhcp-options=\
hostname,clientid disabled=no interface=ether7-DVR
add default-route-distance=0 dhcp-options=hostname,clientid interface=\
ether8-LAN-Master
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1 \
ntp-server=192.168.88.1
/ip firewall calea
add chain=forward log=yes log-prefix=CALEA sniff-target=10.161.51.2 \
sniff-target-port=300 src-address=10.195.13.10
add chain=forward dst-address=10.195.13.10 log=yes log-prefix=CALEA \
sniff-target=10.161.51.2 sniff-target-port=300
add chain=forward dst-address=10.161.51.10 log=yes log-prefix=CALEA \
sniff-target=10.161.51.2 sniff-target-port=300
add chain=forward log=yes log-prefix=CALEA sniff-target=10.161.51.2 \
sniff-target-port=300 src-address=10.161.51.10
/ip firewall nat
add action=masquerade chain=srcnat comment=\
"Backdoor masquerade our Beta interface" out-interface=ether1-100M \
src-address=192.168.88.0/24
/ip firewall service-port
set sip ports=5060,5061,5062,5080,5081,5082
/ip upnp
set allow-disable-external-interface=no
/lcd
set default-screen=informative-slideshow
/routing ospf area range
add area=backbone disabled=yes
add area=backbone range=10.195.10.0/24
add area=backbone range=10.195.11.0/24
add area=backbone range=10.195.12.0/24
add area=backbone range=10.195.13.0/24
add area=backbone range=10.161.51.0/24
/routing ospf interface
add disabled=yes network-type=broadcast
/routing ospf network
add area=backbone network=10.161.51.0/24
add area=backbone disabled=yes
add area=backbone network=10.195.10.0/24
add area=backbone network=10.195.11.0/24
add area=backbone network=10.195.12.0/24
add area=backbone network=10.195.13.0/24
/snmp
set contact="BackWoods Wireless" enabled=yes location="Blandon, PA" \
trap-community=BWW_RO trap-version=2
/system clock
set time-zone-name=America/New_York
/system identity
set name=CRS125.wa4zlw.homedns.org
/system lcd
set contrast=0 enabled=no port=parallel type=24x4
/system lcd page
set time disabled=yes display-time=5s
set resources disabled=yes display-time=5s
set uptime disabled=yes display-time=5s
set packets disabled=yes display-time=5s
set bits disabled=yes display-time=5s
set version disabled=yes display-time=5s
set identity disabled=yes display-time=5s
set ether1-100M disabled=yes display-time=5s
set ether2-100M-Spare disabled=yes display-time=5s
set ether3-100M-2-WG disabled=yes display-time=5s
set ether4 disabled=yes display-time=5s
set ether5-DVR-2-WG disabled=yes display-time=5s
set ether6-DVR-spare disabled=yes display-time=5s
set ether7-DVR disabled=yes display-time=5s
set ether8-LAN-Master disabled=yes display-time=5s
set ether9 disabled=yes display-time=5s
set ether10 disabled=yes display-time=5s
set ether11 disabled=yes display-time=5s
set ether21 disabled=yes display-time=5s
set ether22 disabled=yes display-time=5s
set ether23 disabled=yes display-time=5s
set ether24-Backdoor disabled=yes display-time=5s
set sfp1 disabled=yes display-time=5s
set ether17 disabled=yes display-time=5s
set ether18 disabled=yes display-time=5s
set ether19 disabled=yes display-time=5s
set ether20 disabled=yes display-time=5s
set ether12 disabled=yes display-time=5s
set ether13 disabled=yes display-time=5s
set ether14 disabled=yes display-time=5s
set ether15 disabled=yes display-time=5s
set ether16 disabled=yes display-time=5s
set vlan51 disabled=yes display-time=5s
set vlan1 disabled=yes display-time=5s
set vlan50 disabled=yes display-time=5s
set vlan100 disabled=yes display-time=5s
/system logging
add disabled=yes topics=ospf
add action=disk topics=firewall
/system ntp client
set enabled=yes primary-ntp=96.44.142.5 secondary-ntp=209.114.111.1
/system routerboard settings
set boot-delay=5s
 
wa4zlw
Member Candidate
Topic Author
Posts: 177
Joined: Sat Jun 03, 2006 10:37 pm
Location: Blandon, PA

Re: CALEA and CRS

Sun Mar 15, 2015 12:31 am

I've got torches on each ROS box and don't see any traffic going to or coming from either 10.161.51.4 or 10.161.51.2.

The interceptor is collecting off ether-8-master which is the master port of that switch segment.

I'm stumped.

Leon
 
wa4zlw
Member Candidate
Topic Author
Posts: 177
Joined: Sat Jun 03, 2006 10:37 pm
Location: Blandon, PA

Re: CALEA and CRS

Tue Mar 17, 2015 6:25 pm

Has anyone had a chance to take a look?

Thanks, Leon
 
sergejs
MikroTik Support
Posts: 6697
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: CALEA and CRS

Wed Mar 18, 2015 2:42 pm

Please use action=sniff-pc instead of sniff,

sniff - generates a TZSP stream that can be directed to any Wireshark (Ethereal) server;
sniff-pc - generates a Packet Cable stream that can be directed to a MikroTik RouterOS system with the calea package installed
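
An added example, not part of the original thread and not MikroTik's code: a small Python decoder for the TZSP datagrams that action=sniff emits, usable on the sniff-target to confirm that mirrored packets for an intercepted address actually arrive. It assumes the publicly documented TZSP layout (4-byte header, tag list ended by tag 0x01); the function names and the sample datagram are constructed here, with addresses taken from this thread.

```python
import ipaddress
import struct

TAG_PADDING, TAG_END = 0x00, 0x01   # the two TZSP tags that carry no length byte
ENCAP_ETHERNET = 1                  # TZSP encapsulated-protocol value for Ethernet

def parse_tzsp(datagram):
    """Split one TZSP UDP payload into (type, encap, mirrored frame)."""
    if len(datagram) < 4:
        raise ValueError("short TZSP header")
    version, tzsp_type, encap = struct.unpack("!BBH", datagram[:4])
    if version != 1:
        raise ValueError("unexpected TZSP version")
    pos = 4
    while True:
        if pos >= len(datagram):
            raise ValueError("tag list not terminated")
        tag = datagram[pos]
        pos += 1
        if tag == TAG_END:
            return tzsp_type, encap, datagram[pos:]
        if tag != TAG_PADDING:
            if pos >= len(datagram):
                raise ValueError("truncated tag")
            pos += 1 + datagram[pos]    # skip the length byte and the value

def inner_ipv4_addrs(frame):
    """Return (src, dst) of the mirrored IPv4 packet, skipping 802.1Q tags."""
    pos = 12                            # past destination and source MAC
    while frame[pos:pos + 2] in (b"\x81\x00", b"\x88\xa8"):
        pos += 4                        # one VLAN tag: TPID + TCI
    if frame[pos:pos + 2] != b"\x08\x00" or len(frame) < pos + 22:
        return None                     # not IPv4, or header cut short
    ip = frame[pos + 2:pos + 22]
    return tuple(str(ipaddress.IPv4Address(ip[i:i + 4])) for i in (12, 16))

def is_intercept_traffic(datagram, targets):
    """True if the datagram mirrors an IPv4 packet to or from a target."""
    _, encap, frame = parse_tzsp(datagram)
    addrs = inner_ipv4_addrs(frame) if encap == ENCAP_ETHERNET else None
    return addrs is not None and bool(set(addrs) & set(targets))

# Constructed sample: a VLAN 100 tagged frame from 10.195.13.10 wrapped in TZSP.
SAMPLE = (b"\x01\x00\x00\x01" + b"\x01" + bytes(12) + b"\x81\x00\x00\x64\x08\x00"
          + struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                        bytes([10, 195, 13, 10]), bytes([10, 195, 13, 4])))
```

Feed each UDP payload received on the sniff-target-port to is_intercept_traffic. This decodes only the TZSP stream from action=sniff, not the Packet Cable stream from action=sniff-pc.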
 
wa4zlw
Member Candidate
Topic Author
Posts: 177
Joined: Sat Jun 03, 2006 10:37 pm
Location: Blandon, PA

Re: CALEA and CRS

Wed Mar 18, 2015 6:33 pm

Hi Sergejs...but I am seeing nothing in my torch or the log entries on the interceptor sending sniffed traffic. Now since this is on a CRS switch port and I have VLANs, I am wondering if this is the problem? VLANs are being handled by the CPU, not the switch, I believe, the way I have it. What do I need to do to let the switch handle the VLAN stuff?

Am I correct in my assumption?

Leon
 
wa4zlw
Member Candidate
Topic Author
Posts: 177
Joined: Sat Jun 03, 2006 10:37 pm
Location: Blandon, PA

Re: CALEA and CRS

Thu Apr 02, 2015 3:03 am

Hi Sergejs...any new info please?

Thanks, Leon