Manual:Tools/Packet Sniffer: Difference between revisions

From MikroTik Wiki
Revision by SergejsB (talk | contribs): Add Sniffer Download Example
==Packet Sniffer Host==
<p id="shbox"><b>Sub-menu:</b> <code>/tool sniffer host</code></p>

The submenu shows the list of hosts that were participating in the data exchange you've sniffed.

<pre>
[admin@SXT test] /tool sniffer host> print
# ADDRESS        RATE                PEEK-RATE           TOTAL
0 10.5.101.3     0bps/0bps           0bps/720bps         0/90
1 10.5.101.10    0bps/0bps           175.0kbps/19.7kbps  61231/7011
2 10.5.101.13    0bps/0bps           0bps/608bps         0/76
3 10.5.101.14    0bps/0bps           0bps/976bps         0/212
4 10.5.101.15    0bps/0bps           19.7kbps/175.0kbps  7011/61231
5 224.0.0.2      0bps/0bps           608bps/0bps         76/0
6 224.0.0.5      0bps/0bps           1440bps/0bps        302/0
[admin@SXT test] /tool sniffer host>
</pre>

==Packet Sniffer Connections==
<p id="shbox"><b>Sub-menu:</b> <code>/tool sniffer connection</code></p>

Here you can get a list of the connections that have been watched during the sniffing time.

<pre>
[admin@MikroTik] tool sniffer connection> print
Flags: A - active
  #   SRC-ADDRESS      DST-ADDRESS             BYTES     RESENDS  MSS
  0 A 10.0.0.241:1839  10.0.0.181:23 (telnet)  6/42      60/0     0/0
  1 A 10.0.0.144:2265  10.0.0.181:22 (ssh)     504/252   504/0    0/0
[admin@MikroTik] tool sniffer connection>
</pre>

==Quick mode==

Quick mode displays results as they are captured, using a limited-size packet buffer. Several attributes can be given to filter what is shown; if no attributes are set, the current sniffer configuration is used.

<table class="styled_table">
<tr>
  <th width="44%">Property</th>
  <th >Description</th>
</tr>
<tr>
<td><var><b>duration</b></var></td>
<td>length of the test in seconds</td>
</tr>
<tr>
<td><var><b>fast-path</b></var></td>
<td>capture FastPath packets without disabling FastPath; you can read more about [[Manual:Fast_Path | FastPath]]</td>
</tr>
<tr>
<td><var><b>freeze-frame-interval</b></var></td>
<td>time between data printouts</td>
</tr>
<tr>
<td><var><b>interface</b></var></td>
<td>interface name or <b>all</b></td>
</tr>
<tr>
<td><var><b>ip-address</b></var></td>
<td>up to 16 addresses to filter</td>
</tr>
<tr>
<td><var><b>ip-protocol</b></var></td>
<td>one of the listed protocols, up to 16 entries
*<b>ipsec-ah</b> - IPsec AH protocol
*<b>ipsec-esp</b> - IPsec ESP protocol
*<b>ddp</b> - datagram delivery protocol
*<b>egp</b> - exterior gateway protocol
*<b>ggp</b> - gateway-gateway protocol
*<b>gre</b> - general routing encapsulation
*<b>hmp</b> - host monitoring protocol
*<b>idpr-cmtp</b> - idpr control message transport
*<b>icmp</b> - internet control message protocol
*<b>icmpv6</b> - internet control message protocol v6
*<b>igmp</b> - internet group management protocol
*<b>ipencap</b> - ip encapsulated in ip
*<b>ipip</b> - ip encapsulation
*<b>encap</b> - ip encapsulation
*<b>iso-tp4</b> - iso transport protocol class 4
*<b>ospf</b> - open shortest path first
*<b>pup</b> - parc universal packet protocol
*<b>pim</b> - protocol independent multicast
*<b>rspf</b> - radio shortest path first
*<b>rdp</b> - reliable datagram protocol
*<b>st</b> - st datagram mode
*<b>tcp</b> - transmission control protocol
*<b>udp</b> - user datagram protocol
*<b>vmtp</b> - versatile message transport
*<b>vrrp</b> - virtual router redundancy protocol
*<b>xns-idp</b> - xerox xns idp
*<b>xtp</b> - xpress transfer protocol
</td>
</tr>
<tr>
<td><var><b>mac-address</b></var></td>
<td>up to 16 MAC addresses to filter</td>
</tr>
<tr>
<td><var><b>mac-protocol</b></var></td>
<td>up to 16 entries
* <b>802.2</b> - 802.2 Frames (0x0004)
* <b>arp</b> - Address Resolution Protocol (0x0806)
* <b>homeplug-av</b> - HomePlug AV MME (0x88E1)
* <b>ip</b> - Internet Protocol version 4 (0x0800)
* <b>ipv6</b> - Internet Protocol Version 6 (0x86DD)
* <b>ipx</b> - Internetwork Packet Exchange (0x8137)
* <b>lldp</b> - Link Layer Discovery Protocol (0x88CC)
* <b>loop-protect</b> - Loop Protect Protocol (0x9003)
* <b>mpls-multicast</b> - MPLS multicast (0x8848)
* <b>mpls-unicast</b> - MPLS unicast (0x8847)
* <b>packing-compr</b> - Encapsulated packets with compressed [[Manual:IP/Packing| IP packing]] (0x9001)
* <b>packing-simple</b> - Encapsulated packets with simple [[Manual:IP/Packing| IP packing]] (0x9000)
* <b>pppoe</b> - PPPoE Session Stage (0x8864)
* <b>pppoe-discovery</b> - PPPoE Discovery Stage (0x8863)
* <b>rarp</b> - Reverse Address Resolution Protocol (0x8035)
* <b>service-vlan</b> - Provider Bridging (IEEE 802.1ad) & Shortest Path Bridging IEEE 802.1aq (0x88A8)
* <b>vlan</b> - VLAN-tagged frame (IEEE 802.1Q) and Shortest Path Bridging IEEE 802.1aq with NNI compatibility (0x8100)</td>
</tr>
<tr>
<td><var><b>port</b></var></td>
<td>up to 16 entries to filter by</td>
</tr>
</table>

<pre>
[admin@SXT test] /tool sniffer> quick interface=ether1
INTERFACE  TIME   NUM DI SRC-MAC           DST-MAC           VLAN SRC-ADDRESS
ether1     3.145  210 <- 00:24:1D:17:81:F7 00:0C:42:CB:DE:62      10.5.101.10:36771
ether1     3.145  211 -> 00:0C:42:CB:DE:62 00:24:1D:17:81:F7      10.5.101.15:8291 (winbox)
ether1     3.183  212 <- 00:24:1D:17:81:F7 00:0C:42:CB:DE:62      10.5.101.10:36771
ether1     3.184  213 -> 00:0C:42:CB:DE:62 00:24:1D:17:81:F7      10.5.101.15:8291 (winbox)
ether1     3.195  214 -> 00:0C:42:CB:DE:62 00:24:1D:17:81:F7      10.5.101.15:8291 (winbox)
ether1     3.195  215 -> 00:0C:42:CB:DE:62 00:24:1D:17:81:F7      10.5.101.15:8291 (winbox)
ether1     3.195  216 <- 00:24:1D:17:81:F7 00:0C:42:CB:DE:62      10.5.101.10:36771
ether1     3.217  217 <- 00:24:1D:17:81:F7 00:0C:42:CB:DE:62      10.5.101.10:36771
ether1     3.218  218 -> 00:0C:42:CB:DE:62 00:24:1D:17:81:F7      10.5.101.15:8291 (winbox)
ether1     3.22   219 <- 00:0C:42:49:FC:EC 33:33:00:00:00:05      fe80::20c:42ff:fe49:fcec
ether1     3.255  220 <- 00:0C:42:A1:6E:47 01:00:5E:00:00:05      192.168.15.6
ether1     3.256  221 <- 00:24:1D:17:81:F7 00:0C:42:CB:DE:62      10.5.101.10:36771
ether1     3.259  222 <- 00:24:1D:17:81:F7 00:0C:42:CB:DE:62      10.5.101.10:36771
ether1     3.294  223 -> 00:0C:42:CB:DE:62 00:24:1D:17:81:F7      10.5.101.15:8291 (winbox)
ether1     3.325  224 -> 00:0C:42:CB:DE:62 00:24:1D:17:81:F7      10.5.101.15:8291 (winbox)
ether1     3.325  225 -> 00:0C:42:CB:DE:62 00:24:1D:17:81:F7      10.5.101.15:8291 (winbox)
ether1     3.326  226 <- 00:24:1D:17:81:F7 00:0C:42:CB:DE:62      10.5.101.10:36771
ether1     3.35   227 <- 00:0C:42:A8:ED:C2 33:33:00:00:00:01      fe80::20c:42ff:fea8:edc2
ether1     3.391  228 <- 00:24:1D:17:81:F7 00:0C:42:CB:DE:62      10.5.101.10:36771
ether1     3.392  229 -> 00:0C:42:CB:DE:62 00:24:1D:17:81:F7      10.5.101.15:8291 (winbox)
</pre>

{{ Note | Traffic-Generator packets will not be visible to the packet sniffer on the same interface unless the <code>fast-path</code> parameter is set. }}
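A filtered quick-mode run beside the equivalent persistent configuration, as an added example that is not part of the original page. The interface name, the two hosts and the winbox port are taken from the printouts above; the exact attribute combination, the 30-second duration, the 1-second refresh and the <code>winbox.pcap</code> file name are assumptions, so confirm them against the router's own tab completion before relying on them.

```routeros
# Quick mode: show only winbox (TCP 8291) traffic between the two hosts on ether1
# for 30 seconds, refreshing the printout once a second. Nothing is stored beyond
# the small live buffer, so this is the low-impact way to confirm a filter first.
/tool sniffer quick interface=ether1 ip-address=10.5.101.10/32,10.5.101.15/32 \
    ip-protocol=tcp port=8291 duration=30 freeze-frame-interval=1s

# Persistent configuration for the same selection, written to a file instead.
# only-headers=yes keeps payloads (and any credentials carried by cleartext
# protocols) out of the capture when only flow metadata is needed; file-limit
# caps the file so a busy interface cannot fill the router's storage.
/tool sniffer set interface=ether1 \
    filter-ip-address=10.5.101.10/32,10.5.101.15/32 \
    filter-ip-protocol=tcp filter-port=8291 filter-direction=any \
    only-headers=yes file-name=winbox.pcap file-limit=1000KiB
/tool sniffer start
# ... let it run, then:
/tool sniffer stop
/tool sniffer protocol print
```

Run the quick-mode line first: if its output is empty, the filter is wrong and the persistent capture would silently record nothing.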


==Download Sniffer Results==
<p id="shbox"><b>Sub-menu:</b> <code>/tool sniffer</code></p>

<p>Packet Sniffer results can be downloaded as a file and viewed with a capture-analysis program (for example [http://www.wireshark.org/ Wireshark]).</p>

Latest revision as of 12:15, 15 March 2019

Applies to RouterOS: v5.8+

Summary

Sub-menu: /tool sniffer
Packages required: system


Packet sniffer is a tool that can capture and analyze packets that are going to, leaving or going through the router.

Note: Unicast traffic between Wireless clients with client-to-client forwarding enabled will not be visible to sniffer tool. Packets that are processed with hardware offloading enabled bridge will also not be visible (unknown unicast, broadcast and some multicast traffic will be visible to sniffer tool).


Packet Sniffer Configuration

Sub-menu: /tool sniffer


Property Description
file-limit (integer 10..4294967295[KiB]; Default: 1000KiB) File size limit. Sniffer will stop when limit is reached.
file-name (string; Default: ) Name of the file where sniffed packets will be saved.
filter-ip-address (ip/mask[,ip/mask] (max 16 items); Default: ) Up to 16 ip addresses used as a filter
filter-mac-address (mac/mask[,mac/mask] (max 16 items); Default: ) Up to 16 MAC addresses and MAC address masks used as a filter
filter-port ([!]port[,port] (max 16 items); Default: ) Up to 16 comma separated entries used as a filter
filter-ip-protocol ([!]protocol[,protocol] (max 16 items); Default: ) Up to 16 comma separated entries used as a filter

IP protocols (instead of protocol names, protocol number can be used)

  • ipsec-ah - IPsec AH protocol
  • ipsec-esp - IPsec ESP protocol
  • ddp - datagram delivery protocol
  • egp - exterior gateway protocol
  • ggp - gateway-gateway protocol
  • gre - general routing encapsulation
  • hmp - host monitoring protocol
  • idpr-cmtp - idpr control message transport
  • icmp - internet control message protocol
  • icmpv6 - internet control message protocol v6
  • igmp - internet group management protocol
  • ipencap - ip encapsulated in ip
  • ipip - ip encapsulation
  • encap - ip encapsulation
  • iso-tp4 - iso transport protocol class 4
  • ospf - open shortest path first
  • pup - parc universal packet protocol
  • pim - protocol independent multicast
  • rspf - radio shortest path first
  • rdp - reliable datagram protocol
  • st - st datagram mode
  • tcp - transmission control protocol
  • udp - user datagram protocol
  • vmtp - versatile message transport
  • vrrp - virtual router redundancy protocol
  • xns-idp - xerox xns idp
  • xtp - xpress transfer protocol
filter-mac-protocol ([!]protocol[,protocol] (max 16 items); Default: ) Up to 16 comma separated entries used as a filter.

Mac protocols (instead of protocol names, protocol number can be used):

  • 802.2 - 802.2 Frames (0x0004)
  • arp - Address Resolution Protocol (0x0806)
  • homeplug-av - HomePlug AV MME (0x88E1)
  • ip - Internet Protocol version 4 (0x0800)
  • ipv6 - Internet Protocol Version 6 (0x86DD)
  • ipx - Internetwork Packet Exchange (0x8137)
  • lldp - Link Layer Discovery Protocol (0x88CC)
  • loop-protect - Loop Protect Protocol (0x9003)
  • mpls-multicast - MPLS multicast (0x8848)
  • mpls-unicast - MPLS unicast (0x8847)
  • packing-compr - Encapsulated packets with compressed IP packing (0x9001)
  • packing-simple - Encapsulated packets with simple IP packing (0x9000)
  • pppoe - PPPoE Session Stage (0x8864)
  • pppoe-discovery - PPPoE Discovery Stage (0x8863)
  • rarp - Reverse Address Resolution Protocol (0x8035)
  • service-vlan - Provider Bridging (IEEE 802.1ad) & Shortest Path Bridging IEEE 802.1aq (0x88A8)
  • vlan - VLAN-tagged frame (IEEE 802.1Q) and Shortest Path Bridging IEEE 802.1aq with NNI compatibility (0x8100)
filter-stream (yes | no; Default: yes) Ignore sniffed packets that are destined for the streaming server, so the sniffer's own TZSP stream is not captured and streamed again
filter-direction (any | rx | tx; Default: ) Specifies in which direction (received, transmitted or both) the filter is applied.
interface (all | name; Default: all) Interface name on which sniffer will be running. all indicates that sniffer will sniff packets on all interfaces.
memory-limit (integer 10..4294967295[KiB]; Default: 100KiB) Memory amount used to store sniffed data.
memory-scroll (yes | no; Default: yes) Whether to rewrite older sniffed data when memory limit is reached.
only-headers (yes | no; Default: no) Save in the memory only packet's headers not the whole packet.
streaming-enabled (yes | no; Default: no) Defines whether to send sniffed packets to streaming server
streaming-server (IP; Default: 0.0.0.0) Tazmen Sniffer Protocol (TZSP) stream receiver


Warning: file-limit should not be configured higher than the available free memory!


Example

In the following example streaming-server is set, streaming is enabled, file-name is set to test.pcap, and the packet sniffer is started and then stopped after some time:


[admin@MikroTik] tool sniffer> set streaming-server=192.168.0.240 \
\... streaming-enabled=yes file-name=test.pcap
[admin@MikroTik] tool sniffer> print
            interface: all
         only-headers: no
         memory-limit: 100KiB
        memory-scroll: yes
            file-name: test.pcap
           file-limit: 1000KiB
    streaming-enabled: yes
     streaming-server: 192.168.0.240
        filter-stream: yes
   filter-mac-address: 
  filter-mac-protocol: 
    filter-ip-address: 
   filter-ip-protocol: 
          filter-port: 
     filter-direction: any
              running: no
[admin@MikroTik] tool sniffer> start
[admin@MikroTik] tool sniffer> stop

Running Packet Sniffer

Commands: /tool sniffer start, /tool sniffer stop, /tool sniffer save


These commands control the runtime operation of the packet sniffer. The start command starts (or resets) sniffing, stop stops it, and save writes the currently sniffed packets to the named file.

It is also possible to use quick mode.

Example

In the following example the packet sniffer will be started and after some time - stopped:

[admin@MikroTik] tool sniffer> start
[admin@MikroTik] tool sniffer> stop

Below the sniffed packets will be saved in the file named test:

[admin@MikroTik] tool sniffer> save file-name=test
[admin@MikroTik] tool sniffer> /file print
  # NAME                           TYPE         SIZE       CREATION-TIME
  0 test                           unknown      1350       apr/07/2003 16:01:52
[admin@MikroTik] tool sniffer>

Sniffed Packets

Sub-menu: /tool sniffer packet


This sub-menu shows the list of sniffed packets.

[admin@SXT test] /tool sniffer packet> print 
 #    TIME INTERFACE SRC-ADDRESS                               DST-ADDRESS  
120   1.993 ether1    10.5.101.1:646                            224.0.0.2:646                          >
121   2.045 ether1    10.5.101.15:8291 (winbox)                 10.5.101.10:36771                      >
122   2.046 ether1    10.5.101.15:8291 (winbox)                 10.5.101.10:36771                      >
123   2.255 ether1    fe80::20c:42ff:fe49:fcec                  ff02::5                                >


Property Description
data (read-only: text) Specified data inclusion in packets
direction (read-only: in | out) Indicates whether packet is entering (in) or leaving (out) the router
dscp (read-only: integer) IP DSCP field value
dst-address (read-only: IP address) Destination IP address
fragment-offset (read-only: integer) IP fragment offset
identification (read-only: integer) IP identification
interface (read-only: name) Name of the interface the packet has been captured on
ip-header-size (read-only: integer) The size of IP header
ip-packet-size (read-only: integer) The size of IP packet
ip-protocol (read-only: ddp | egp | encap | ggp | gre | hmp | icmp | icmpv6 | dpr-cmt | igmp | ip | ipencap | ipip | ipsec-ah | ipsec-esp | iso-tp4 | ospf | pim | pup | rdp | rspft | st | tcp | udp | vmtp | vrrp | xns-idp | xtp) The name/number of IP protocol
protocol (read-only: 802.2 | arp | homeplug-av | ip | ipv6 | ipx | lldp | loop-protect | mpls-multicast | mpls-unicast | packing-compr | packing-simple | pppoe | pppoe-discovery | rarp | service-vlan | vlan) The name/number of ethernet protocol
size (read-only: integer) Size of packet
src-address (read-only: IP address) Source IP address
src-mac (read-only: MAC address) Source MAC address
data (read-only: string) IP data
tcp-flags (read-only: ack | cwr | ece | fin | psh | rst | syn | urg) TCP flags
time (read-only: time) Time when packet arrived
ttl (read-only: integer) IP Time To Live
vlan-id (read-only: integer) VLAN-ID of the packet
vlan-priority (read-only: integer) VLAN-Priority of the packet

Packet Sniffer Protocols

Sub-menu: /tool sniffer protocol


In this submenu you can see all sniffed protocols and their share of the whole sniffed amount.

[admin@SXT test] /tool sniffer protocol> print 
 # PROTOCOL IP-PROTOCOL PORT                                     PACKETS      BYTES        SHARE
 0 802.2                                                              1         60        0.05%
 1 ip                                                               215     100377       99.04%
 2 arp                                                                2        120        0.11%
 3 ipv6                                                               6        788        0.77%
 4 ip       tcp                                                     210      99981       98.65%
 5 ip       udp                                                       3        228        0.22%
 6 ip       ospf                                                      2        168        0.16%
 7 ip       tcp         8291 (winbox)                               210      99981       98.65%
 8 ip       tcp         36771                                       210      99981       98.65%
 9 ip       udp         646                                           3        228        0.22%


Property Description
bytes (read-only: integer) Total number of data bytes
ip-protocol (read-only: ddp | egp | encap | ggp | gre | hmp | icmp | icmpv6 | dpr-cmt | igmp | ip | ipencap | ipip | ipsec-ah | ipsec-esp | iso-tp4 | ospf | pim | pup | rdp | rspft | st | tcp | udp | vmtp | vrrp | xns-idp | xtp) IP protocol
packets (read-only: integer) The number of packets
port (read-only: integer) The port of TCP/UDP protocol
protocol (read-only: 802.2 | arp | homeplug-av | ip | ipv6 | ipx | lldp | loop-protect | mpls-multicast | mpls-unicast | packing-compr | packing-simple | pppoe | pppoe-discovery | rarp | service-vlan | vlan) The name/number of the protocol
share (read-only: decimal) Specific type of traffic compared to all traffic in bytes

Packet Sniffer Host

Sub-menu: /tool sniffer host


The submenu shows the list of hosts that took part in the data exchange you have sniffed.

[admin@SXT test] /tool sniffer host> print 
 # ADDRESS         RATE                PEEK-RATE           TOTAL            
 0 10.5.101.3      0bps/0bps           0bps/720bps         0/90             
 1 10.5.101.10     0bps/0bps           175.0kbps/19.7kbps  61231/7011       
 2 10.5.101.13     0bps/0bps           0bps/608bps         0/76             
 3 10.5.101.14     0bps/0bps           0bps/976bps         0/212            
 4 10.5.101.15     0bps/0bps           19.7kbps/175.0kbps  7011/61231       
 5 224.0.0.2       0bps/0bps           608bps/0bps         76/0             
 6 224.0.0.5       0bps/0bps           1440bps/0bps        302/0            
[admin@SXT test] /tool sniffer host> 


Property Description
address (read-only: IP address) IP address of the host
peek-rate (read-only: integer/integer) The maximum data-rate received/transmitted
rate (read-only: integer/integer) Current data-rate received/transmitted
total (read-only: integer/integer) Total packets received/transmitted

Packet Sniffer Connections

Sub-menu: /tool sniffer connection


Here you can get a list of the connections that have been watched during the sniffing time.

[admin@MikroTik] tool sniffer connection> print
Flags: A - active
  #   SRC-ADDRESS       DST-ADDRESS             BYTES     RESENDS   MSS
  0 A 10.0.0.241:1839   10.0.0.181:23 (telnet)  6/42      60/0      0/0
  1 A 10.0.0.144:2265   10.0.0.181:22 (ssh)     504/252   504/0     0/0
[admin@MikroTik] tool sniffer connection>


Property Description
active (read-only: yes | no) Indicates whether connection is active or not
bytes (read-only: integer/integer) Bytes in the current connection
dst-address (read-only: IP address:port) Destination address
mss (read-only: integer/integer) Maximum segment size
resends (read-only: integer/integer) The number of packet resends in the current connection
src-address (read-only: IP address:port) Source address

Quick mode

Quick mode displays results as they are captured, using a limited-size packet buffer, and filters them by the attributes given on the command line. If no attributes are set, the current sniffer configuration is used.


Property Description
duration length of the test in seconds
fast-path capture FastPath packets without disabling FastPath (see the FastPath documentation for details)
freeze-frame-interval time between data printout
interface interface name or all
ip-address up to 16 addresses to filter
ip-protocol one of listed protocols, up to 16 entries
  • ipsec-ah - IPsec AH protocol
  • ipsec-esp - IPsec ESP protocol
  • ddp - datagram delivery protocol
  • egp - exterior gateway protocol
  • ggp - gateway-gateway protocol
  • gre - general routing encapsulation
  • hmp - host monitoring protocol
  • idpr-cmtp - idpr control message transport
  • icmp - internet control message protocol
  • icmpv6 - internet control message protocol v6
  • igmp - internet group management protocol
  • ipencap - ip encapsulated in ip
  • ipip - ip encapsulation
  • encap - ip encapsulation
  • iso-tp4 - iso transport protocol class 4
  • ospf - open shortest path first
  • pup - parc universal packet protocol
  • pim - protocol independent multicast
  • rspf - radio shortest path first
  • rdp - reliable datagram protocol
  • st - st datagram mode
  • tcp - transmission control protocol
  • udp - user datagram protocol
  • vmtp - versatile message transport
  • vrrp - virtual router redundancy protocol
  • xns-idp - xerox xns idp
  • xtp - xpress transfer protocol
mac-address up to 16 MAC addresses to filter
mac-protocol up to 16 entries
  • 802.2 - 802.2 Frames (0x0004)
  • arp - Address Resolution Protocol (0x0806)
  • homeplug-av - HomePlug AV MME (0x88E1)
  • ip - Internet Protocol version 4 (0x0800)
  • ipv6 - Internet Protocol Version 6 (0x86DD)
  • ipx - Internetwork Packet Exchange (0x8137)
  • lldp - Link Layer Discovery Protocol (0x88CC)
  • loop-protect - Loop Protect Protocol (0x9003)
  • mpls-multicast - MPLS multicast (0x8848)
  • mpls-unicast - MPLS unicast (0x8847)
  • packing-compr - Encapsulated packets with compressed IP packing (0x9001)
  • packing-simple - Encapsulated packets with simple IP packing (0x9000)
  • pppoe - PPPoE Session Stage (0x8864)
  • pppoe-discovery - PPPoE Discovery Stage (0x8863)
  • rarp - Reverse Address Resolution Protocol (0x8035)
  • service-vlan - Provider Bridging (IEEE 802.1ad) & Shortest Path Bridging IEEE 802.1aq (0x88A8)
  • vlan - VLAN-tagged frame (IEEE 802.1Q) and Shortest Path Bridging IEEE 802.1aq with NNI compatibility (0x8100)
port up to 16 entries to filter by


[admin@SXT test] /tool sniffer> quick interface=ether1  
INTERFACE  TIME  NUM DI SRC-MAC           DST-MAC           VLAN SRC-ADDRESS                        
ether1    3.145  210 <- 00:24:1D:17:81:F7 00:0C:42:CB:DE:62      10.5.101.10:36771                  
ether1    3.145  211 -> 00:0C:42:CB:DE:62 00:24:1D:17:81:F7      10.5.101.15:8291 (winbox)          
ether1    3.183  212 <- 00:24:1D:17:81:F7 00:0C:42:CB:DE:62      10.5.101.10:36771                  
ether1    3.184  213 -> 00:0C:42:CB:DE:62 00:24:1D:17:81:F7      10.5.101.15:8291 (winbox)          
ether1    3.195  214 -> 00:0C:42:CB:DE:62 00:24:1D:17:81:F7      10.5.101.15:8291 (winbox)          
ether1    3.195  215 -> 00:0C:42:CB:DE:62 00:24:1D:17:81:F7      10.5.101.15:8291 (winbox)          
ether1    3.195  216 <- 00:24:1D:17:81:F7 00:0C:42:CB:DE:62      10.5.101.10:36771                  
ether1    3.217  217 <- 00:24:1D:17:81:F7 00:0C:42:CB:DE:62      10.5.101.10:36771                  
ether1    3.218  218 -> 00:0C:42:CB:DE:62 00:24:1D:17:81:F7      10.5.101.15:8291 (winbox)          
ether1     3.22  219 <- 00:0C:42:49:FC:EC 33:33:00:00:00:05      fe80::20c:42ff:fe49:fcec           
ether1    3.255  220 <- 00:0C:42:A1:6E:47 01:00:5E:00:00:05      192.168.15.6                       
ether1    3.256  221 <- 00:24:1D:17:81:F7 00:0C:42:CB:DE:62      10.5.101.10:36771                  
ether1    3.259  222 <- 00:24:1D:17:81:F7 00:0C:42:CB:DE:62      10.5.101.10:36771                  
ether1    3.294  223 -> 00:0C:42:CB:DE:62 00:24:1D:17:81:F7      10.5.101.15:8291 (winbox)          
ether1    3.325  224 -> 00:0C:42:CB:DE:62 00:24:1D:17:81:F7      10.5.101.15:8291 (winbox)          
ether1    3.325  225 -> 00:0C:42:CB:DE:62 00:24:1D:17:81:F7      10.5.101.15:8291 (winbox)          
ether1    3.326  226 <- 00:24:1D:17:81:F7 00:0C:42:CB:DE:62      10.5.101.10:36771                  
ether1     3.35  227 <- 00:0C:42:A8:ED:C2 33:33:00:00:00:01      fe80::20c:42ff:fea8:edc2           
ether1    3.391  228 <- 00:24:1D:17:81:F7 00:0C:42:CB:DE:62      10.5.101.10:36771                  
ether1    3.392  229 -> 00:0C:42:CB:DE:62 00:24:1D:17:81:F7      10.5.101.15:8291 (winbox)  

Note: Traffic-Generator packets will not be visible using the packet sniffer on the same interface unless fast-path parameter is set.


Download Sniffer Results

Sub-menu: /tool sniffer


Packet Sniffer results can be downloaded and viewed as a file with a dedicated program (for example Wireshark).


Property Description
file-name (string; Default: "") The name of the file where the sniffed packets will be saved to


Example

To save sniffed results to a file, set the file name:

[admin@MikroTik] /tool sniffer set file-name=example

Run the sniffer with the required settings:

[admin@MikroTik] /tool sniffer start

Do not forget to stop the sniffer after sniffing is done:

[admin@MikroTik] /tool sniffer stop


The sniffed results can be downloaded from /file with an FTP client or by Windows drag-and-drop (do not forget to use binary mode when downloading the file by FTP).

[admin@MikroTik] /file print
 # NAME              TYPE             SIZE                 CREATION-TIME       
 0 example           file             44092                jan/02/2010 01:11:59
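Once the file is downloaded, the same per-protocol breakdown that /tool sniffer protocol print shows can be reproduced offline. The following Python example is added here and is not RouterOS code; it assumes the saved file is in libpcap format with Ethernet frames (the format Wireshark opens), uses a subset of the mac-protocol and ip-protocol tables above, and builds a small constructed capture inline instead of a real router file.

```python
import struct
from collections import Counter

# Subset of the mac-protocol and ip-protocol tables above (EtherType / IP protocol numbers).
ETHERTYPES = {0x0800: "ip", 0x0806: "arp", 0x86DD: "ipv6", 0x8100: "vlan"}
IP_PROTOCOLS = {1: "icmp", 6: "tcp", 17: "udp", 89: "ospf"}

def iter_frames(data: bytes):
    """Yield (frame, original_length) from a little-endian libpcap file with Ethernet link type."""
    magic, = struct.unpack_from("<I", data, 0)
    linktype, = struct.unpack_from("<I", data, 20)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected a little-endian libpcap file with Ethernet (DLT 1) frames")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield data[off:off + incl_len], orig_len
        off += incl_len

def protocol_share(data: bytes):
    """Return {(protocol, ip-protocol): (packets, bytes, share%)}, one entry per sniffer protocol row."""
    packets, nbytes, total = Counter(), Counter(), 0
    for frame, orig_len in iter_frames(data):
        ethertype, = struct.unpack_from("!H", frame, 12)
        proto = ETHERTYPES.get(ethertype, hex(ethertype))
        keys = [(proto, "")]
        if proto == "ip" and len(frame) >= 34:           # byte 23 is the IPv4 protocol field
            keys.append((proto, IP_PROTOCOLS.get(frame[23], str(frame[23]))))
        total += orig_len
        for key in keys:
            packets[key] += 1
            nbytes[key] += orig_len
    return {k: (packets[k], nbytes[k], round(100.0 * nbytes[k] / total, 2)) for k in packets}

# --- constructed sample capture (assumed values, not a real router capture) ---
def _frame(ethertype: int, payload: bytes) -> bytes:
    return bytes.fromhex("000c42cbde62" "00241d1781f7") + struct.pack("!H", ethertype) + payload

def _ipv4(proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes([10, 5, 101, 15]), bytes([10, 5, 101, 10]))
    return hdr + payload

def build_sample_pcap() -> bytes:
    frames = [_frame(0x0800, _ipv4(6, struct.pack("!HH", 8291, 36771) + b"\x00" * 56)),  # winbox TCP, 94 B
              _frame(0x0800, _ipv4(17, b"\x00" * 28)),                                    # UDP, 62 B
              _frame(0x0806, b"\x00" * 28)]                                               # ARP, 42 B
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # global header, DLT 1
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    for (proto, ipproto), (n, b, share) in sorted(protocol_share(build_sample_pcap()).items()):
        print(f"{proto:8} {ipproto:8} {n:8} {b:10} {share:7.2f}%")
```

Point iter_frames at the bytes of the downloaded file to get the same table for a real capture; the "ip" row counts every IPv4 frame and the "ip"/"tcp" row only the TCP subset, as in the router's output.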
