Manual:Tools/Packet Sniffer: Difference between revisions
(9 intermediate revisions by 2 users not shown) | |||
Line 9: | Line 9: | ||
Packet sniffer is a tool that can capture and analyze packets that are going to, leaving or going through the router ( | Packet sniffer is a tool that can capture and analyze packets that are going to, leaving or going through the router. | ||
{{ Note | Unicast traffic between Wireless clients with client-to-client forwarding enabled will not be visible to sniffer tool. Packets that are processed with hardware offloading enabled bridge will also not be visible (unknown unicast, broadcast and some multicast traffic will be visible to sniffer tool). }} | |||
==Packet Sniffer Configuration== | ==Packet Sniffer Configuration== | ||
Line 99: | Line 101: | ||
|desc=Up to 16 comma separated entries used as a filter. | |desc=Up to 16 comma separated entries used as a filter. | ||
Mac protocols (instead of protocol names, protocol number can be used): | Mac protocols (instead of protocol names, protocol number can be used): | ||
*<b>arp</b> - Address Resolution Protocol | * <b>802.2</b> - 802.2 Frames (0x0004) | ||
*<b>ip</b> - Internet Protocol | * <b>arp</b> - Address Resolution Protocol (0x0806) | ||
*<b>ipv6</b> - Internet Protocol | * <b>homeplug-av</b> - HomePlug AV MME (0x88E1) | ||
*<b>ipx</b> - Internetwork Packet Exchange | * <b>ip</b> - Internet Protocol version 4 (0x0800) | ||
*<b>rarp</b> - Reverse Address Resolution Protocol | * <b>ipv6</b> - Internet Protocol Version 6 (0x86DD) | ||
* <b>ipx</b> - Internetwork Packet Exchange (0x8137) | |||
* <b>lldp</b> - Link Layer Discovery Protocol (0x88CC) | |||
* <b>loop-protect</b> - Loop Protect Protocol (0x9003) | |||
* <b>mpls-multicast</b> - MPLS multicast (0x8848) | |||
* <b>mpls-unicast</b> - MPLS unicast (0x8847) | |||
* <b>packing-compr</b> - Encapsulated packets with compressed [[Manual:IP/Packing| IP packing]] (0x9001) | |||
* <b>packing-simple</b> - Encapsulated packets with simple [[Manual:IP/Packing| IP packing]] (0x9000) | |||
* <b>pppoe</b> - PPPoE Session Stage (0x8864) | |||
* <b>pppoe-discovery</b> - PPPoE Discovery Stage (0x8863) | |||
* <b>rarp</b> - Reverse Address Resolution Protocol (0x8035) | |||
* <b>service-vlan</b> - Provider Bridging (IEEE 802.1ad) & Shortest Path Bridging IEEE 802.1aq (0x88A8) | |||
* <b>vlan</b> - VLAN-tagged frame (IEEE 802.1Q) and Shortest Path Bridging IEEE 802.1aq with NNI compatibility (0x8100) | |||
}} | }} | ||
Line 163: | Line 177: | ||
{{ Warning | <var>file-size</var> limit should not be configured more than available free memory!}} | |||
===Example=== | ===Example=== | ||
Line 292: | Line 307: | ||
<tr> | <tr> | ||
<td><var><b>protocol</b></var> (<em>read-only: ip | | <td><var><b>protocol</b></var> (<em>read-only: 802.2 | arp | homeplug-av | ip | ipv6 | ipx | lldp | loop-protect | mpls-multicast | mpls-unicast | packing-compr | packing-simple | pppoe | pppoe-discovery | rarp | service-vlan | vlan</em>)</td> | ||
<td>The name/number of ethernet protocol</td> | <td>The name/number of ethernet protocol</td> | ||
</tr> | </tr> | ||
Line 391: | Line 406: | ||
<tr> | <tr> | ||
<td><var><b>protocol</b></var> (<em>read-only: ip | | <td><var><b>protocol</b></var> (<em>read-only: 802.2 | arp | homeplug-av | ip | ipv6 | ipx | lldp | loop-protect | mpls-multicast | mpls-unicast | packing-compr | packing-simple | pppoe | pppoe-discovery | rarp | service-vlan | vlan</em>)</td> | ||
<td>The name/number of the protocol</td> | <td>The name/number of the protocol</td> | ||
</tr> | </tr> | ||
Line 518: | Line 533: | ||
<td><var><b>duration</b></var></td> | <td><var><b>duration</b></var></td> | ||
<td>length of the test in seconds</td> | <td>length of the test in seconds</td> | ||
</tr> | |||
<tr> | |||
<td><var><b>fast-path</b></var></td> | |||
<td>capture FastPath packets without disabling FastPath, you can read more about [[Manual:Fast_Path | FastPath]]</td> | |||
</tr> | </tr> | ||
<tr> | <tr> | ||
<td><var><b>freeze-frame-interval</b></var></td> | <td><var><b>freeze-frame-interval</b></var></td> | ||
<td>time between data printout</td> | <td>time between data printout</td> | ||
</tr> | |||
<tr> | <tr> | ||
<td><var><b>interface</b></var></td> | <td><var><b>interface</b></var></td> | ||
<td>intarface name or <b>all</b></td> | <td>intarface name or <b>all</b></td> | ||
</tr> | |||
<tr> | <tr> | ||
<td><var><b>ip-address</b></var></td> | <td><var><b>ip-address</b></var></td> | ||
<td>up to 16 addresses to filter</td> | <td>up to 16 addresses to filter</td> | ||
</tr> | |||
<tr> | <tr> | ||
<td><var><b>ip-protocol</b></var></td> | <td><var><b>ip-protocol</b></var></td> | ||
Line 558: | Line 580: | ||
*<b>xtp</b> - xpress transfer protocol | *<b>xtp</b> - xpress transfer protocol | ||
</td> | </td> | ||
</tr> | |||
<tr> | <tr> | ||
<td><var><b>mac-address</b></var></td> | <td><var><b>mac-address</b></var></td> | ||
<td>up to 16 MAC addresses to filter</td> | <td>up to 16 MAC addresses to filter</td> | ||
</tr> | |||
<tr> | <tr> | ||
<td><var><b>mac-protocol</b></var></td> | <td><var><b>mac-protocol</b></var></td> | ||
<td>up 16 entries | <td>up 16 entries | ||
*<b>arp</b> - Address Resolution Protocol | * <b>802.2</b> - 802.2 Frames (0x0004) | ||
*<b>ip</b> - Internet Protocol | * <b>arp</b> - Address Resolution Protocol (0x0806) | ||
*<b>ipv6</b> - Internet Protocol | * <b>homeplug-av</b> - HomePlug AV MME (0x88E1) | ||
*<b>ipx</b> - Internetwork Packet Exchange | * <b>ip</b> - Internet Protocol version 4 (0x0800) | ||
*<b>rarp</b> - Reverse Address Resolution Protocol</td> | * <b>ipv6</b> - Internet Protocol Version 6 (0x86DD) | ||
* <b>ipx</b> - Internetwork Packet Exchange (0x8137) | |||
* <b>lldp</b> - Link Layer Discovery Protocol (0x88CC) | |||
* <b>loop-protect</b> - Loop Protect Protocol (0x9003) | |||
* <b>mpls-multicast</b> - MPLS multicast (0x8848) | |||
* <b>mpls-unicast</b> - MPLS unicast (0x8847) | |||
* <b>packing-compr</b> - Encapsulated packets with compressed [[Manual:IP/Packing| IP packing]] (0x9001) | |||
* <b>packing-simple</b> - Encapsulated packets with simple [[Manual:IP/Packing| IP packing]] (0x9000) | |||
* <b>pppoe</b> - PPPoE Session Stage (0x8864) | |||
* <b>pppoe-discovery</b> - PPPoE Discovery Stage (0x8863) | |||
* <b>rarp</b> - Reverse Address Resolution Protocol (0x8035) | |||
* <b>service-vlan</b> - Provider Bridging (IEEE 802.1ad) & Shortest Path Bridging IEEE 802.1aq (0x88A8) | |||
* <b>vlan</b> - VLAN-tagged frame (IEEE 802.1Q) and Shortest Path Bridging IEEE 802.1aq with NNI compatibility (0x8100)</td> | |||
</tr> | |||
<tr> | <tr> | ||
<td><var><b>port</b></var></td> | <td><var><b>port</b></var></td> | ||
Line 599: | Line 636: | ||
ether1 3.392 229 -> 00:0C:42:CB:DE:62 00:24:1D:17:81:F7 10.5.101.15:8291 (winbox) | ether1 3.392 229 -> 00:0C:42:CB:DE:62 00:24:1D:17:81:F7 10.5.101.15:8291 (winbox) | ||
</pre> | </pre> | ||
{{ Note | Traffic-Generator packets will not be visible using the packet sniffer on the same interface unless <code>fast-path</code> parameter is set. }} | |||
==Download Sniffer Results== | ==Download Sniffer Results== |
Latest revision as of 12:15, 15 March 2019
Applies to RouterOS: v5.8+
Summary
Sub-menu: /tool sniffer
Packages required: system
Packet sniffer is a tool that can capture and analyze packets that are going to, leaving or going through the router.
Note: Unicast traffic between Wireless clients with client-to-client forwarding enabled will not be visible to sniffer tool. Packets that are processed with hardware offloading enabled bridge will also not be visible (unknown unicast, broadcast and some multicast traffic will be visible to sniffer tool).
Packet Sniffer Configuration
Sub-menu: /tool sniffer
Property | Description |
---|---|
file-limit (integer 10..4294967295[KiB]; Default: 1000KiB) | File size limit. Sniffer will stop when limit is reached. |
file-name (string; Default: ) | Name of the file where sniffed packets will be saved. |
filter-ip-address (ip/mask[,ip/mask] (max 16 items); Default: ) | Up to 16 ip addresses used as a filter |
filter-mac-address (mac/mask[,mac/mask] (max 16 items); Default: ) | Up to 16 MAC addresses and MAC address masks used as a filter |
filter-port ([!]port[,port] (max 16 items); Default: ) | Up to 16 comma separated entries used as a filter |
filter-ip-protocol ([!]protocol[,protocol] (max 16 items); Default: ) | Up to 16 comma separated entries used as a filter
IP protocols (instead of protocol names, protocol number can be used)
|
filter-mac-protocol ([!]protocol[,protocol] (max 16 items); Default: ) | Up to 16 comma separated entries used as a filter.
Mac protocols (instead of protocol names, protocol number can be used):
|
filter-stream (yes | no; Default: yes) | Sniffed packets that are devised for sniffer server are ignored |
filter-direction (any | rx | tx; Default: ) | Specifies om which direction filtering will be applied. |
interface (all | name; Default: all) | Interface name on which sniffer will be running. all indicates that sniffer will sniff packets on all interfaces. |
memory-limit (integer 10..4294967295[KiB]; Default: 100KiB) | Memory amount used to store sniffed data. |
memory-scroll (yes | no; Default: yes) | Whether to rewrite older sniffed data when memory limit is reached. |
only-headers (yes | no; Default: no) | Save in the memory only packet's headers not the whole packet. |
streaming-enabled (yes | no; Default: no) | Defines whether to send sniffed packets to streaming server |
streaming-server (IP; Default: 0.0.0.0) | Tazmen Sniffer Protocol (TZSP) stream receiver |
Warning: file-size limit should not be configured more than available free memory!
Example
In the following example streaming-server will be added, streaming will be enabled, file-name will be set to test and packet sniffer will be started and stopped after some time:
[admin@MikroTik] tool sniffer> set streaming-server=192.168.0.240 \ \... streaming-enabled=yes file-name=test.pcap [admin@MikroTik] tool sniffer> print interface: all only-headers: no memory-limit: 100KiB memory-scroll: yes file-name: test.pcap file-limit: 1000KiB streaming-enabled: yes streaming-server: 192.168.0.240 filter-stream: yes filter-mac-address: filter-mac-protocol: filter-ip-address: filter-ip-protocol: filter-port: filter-direction: any running: no [admin@MikroTik] tool sniffer> start [admin@MikroTik] tool sniffer> stop
Running Packet Sniffer
Commands: /tool sniffer start, /tool sniffer stop, /tool sniffer save
The commands are used to control runtime operation of the packet sniffer. The start command is used to start/reset sniffering, stop - stops sniffering. To save currently sniffed packets in a specific file save command is used.
It is also possible to use quick mode.
Example
In the following example the packet sniffer will be started and after some time - stopped:
[admin@MikroTik] tool sniffer> start [admin@MikroTik] tool sniffer> stop
Below the sniffed packets will be saved in the file named test:
[admin@MikroTik] tool sniffer> save file-name=test [admin@MikroTik] tool sniffer> /file print # NAME TYPE SIZE CREATION-TIME 0 test unknown 1350 apr/07/2003 16:01:52 [admin@MikroTik] tool sniffer>
Sniffed Packets
Sub-menu: /tool sniffer packet
This sub-menu allows to see the list of sniffed packets.
[admin@SXT test] /tool sniffer packet> print # TIME INTERFACE SRC-ADDRESS DST-ADDRESS 120 1.993 ether1 10.5.101.1:646 224.0.0.2:646 > 121 2.045 ether1 10.5.101.15:8291 (winbox) 10.5.101.10:36771 > 122 2.046 ether1 10.5.101.15:8291 (winbox) 10.5.101.10:36771 > 123 2.255 ether1 fe80::20c:42ff:fe49:fcec ff02::5 >
Property | Description |
---|---|
data (read-only: text) | Specified data inclusion in packets |
direction (read-only: in | out) | Indicates whether packet is entering (in) or leaving (out) the router |
dscp (read-only: integer) | IP DSCP field value |
dst-address (read-only: IP address) | Destination IP address |
fragment-offset (read-only: integer) | IP fragment offset |
identification (read-only: integer) | IP identification |
interface (read-only: name) | Name of the interface the packet has been captured on |
ip-header-size (read-only: integer) | The size of IP header |
ip-packet-size (read-only: integer) | The size of IP packet |
ip-protocol (read-only: ddp | egp | encap | ggp | gre | hmp | icmp | icmpv6 | dpr-cmt | igmp | ip | ipencap | ipip | ipsec-ah | ipsec-esp | iso-tp4 | ospf | pim | pup | rdp | rspft | st | tcp | udp | vmtp | vrrp | xns-idp | xtp) | The name/number of IP protocol |
protocol (read-only: 802.2 | arp | homeplug-av | ip | ipv6 | ipx | lldp | loop-protect | mpls-multicast | mpls-unicast | packing-compr | packing-simple | pppoe | pppoe-discovery | rarp | service-vlan | vlan) | The name/number of ethernet protocol |
size (read-only: integer) | Size of packet |
src-address (read-only: IP address) | Source IP address |
src-mac (read-only: MAC address) | Source MAC address |
data (read-only: string) | IP data |
tcp-flags (read-only: ack | cwr | ece | fin | psh | rst | syn | urg) | TCP flags |
time (read-only: time) | Time when packet arrived |
ttl (read-only: integer) | IP Time To Live |
vlan-id (read-only: integer) | VLAN-ID of the packet |
vlan-priority (read-only: integer) | VLAN-Priority of the packet |
Packet Sniffer Protocols
Sub-menu: /tool sniffer protocol
In this submenu you can see all sniffed protocols and their share of the whole sniffed amount.
[admin@SXT test] /tool sniffer protocol> print # PROTOCOL IP-PROTOCOL PORT PACKETS BYTES SHARE 0 802.2 1 60 0.05% 1 ip 215 100377 99.04% 2 arp 2 120 0.11% 3 ipv6 6 788 0.77% 4 ip tcp 210 99981 98.65% 5 ip udp 3 228 0.22% 6 ip ospf 2 168 0.16% 7 ip tcp 8291 (winbox) 210 99981 98.65% 8 ip tcp 36771 210 99981 98.65% 9 ip udp 646 3 228 0.22%
Property | Description |
---|---|
bytes (read-only: integer) | Total number of data bytes |
ip-protocol (read-only: ddp | egp | encap | ggp | gre | hmp | icmp | icmpv6 | dpr-cmt | igmp | ip | ipencap | ipip | ipsec-ah | ipsec-esp | iso-tp4 | ospf | pim | pup | rdp | rspft | st | tcp | udp | vmtp | vrrp | xns-idp | xtp) | IP protocol |
packets (read-only: integer) | The number of packets |
port (read-only: integer) | The port of TCP/UDP protocol |
protocol (read-only: 802.2 | arp | homeplug-av | ip | ipv6 | ipx | lldp | loop-protect | mpls-multicast | mpls-unicast | packing-compr | packing-simple | pppoe | pppoe-discovery | rarp | service-vlan | vlan) | The name/number of the protocol |
share (read-only: decimal) | Specific type of traffic compared to all traffic in bytes |
Packet Sniffer Host
Sub-menu: /tool sniffer host
The submenu shows the list of hosts that were participating in data excange you've sniffed.
[admin@SXT test] /tool sniffer host> print # ADDRESS RATE PEEK-RATE TOTAL 0 10.5.101.3 0bps/0bps 0bps/720bps 0/90 1 10.5.101.10 0bps/0bps 175.0kbps/19.7kbps 61231/7011 2 10.5.101.13 0bps/0bps 0bps/608bps 0/76 3 10.5.101.14 0bps/0bps 0bps/976bps 0/212 4 10.5.101.15 0bps/0bps 19.7kbps/175.0kbps 7011/61231 5 224.0.0.2 0bps/0bps 608bps/0bps 76/0 6 224.0.0.5 0bps/0bps 1440bps/0bps 302/0 [admin@SXT test] /tool sniffer host>
Property | Description |
---|---|
address (read-only: IP address) | IP address of the host |
peek-rate (read-only: integer/integer) | The maximum data-rate received/transmitted |
rate (read-only: integer/integer) | Current data-rate received/transmitted |
total (read-only: integer/integer) | Total packets received/transmitted |
Packet Sniffer Connections
Sub-menu: /tool sniffer connection
Here you can get a list of the connections that have been watched during the sniffing time.
[admin@MikroTik] tool sniffer connection> print Flags: A - active # SRC-ADDRESS DST-ADDRESS BYTES RESENDS MSS 0 A 10.0.0.241:1839 10.0.0.181:23 (telnet) 6/42 60/0 0/0 1 A 10.0.0.144:2265 10.0.0.181:22 (ssh) 504/252 504/0 0/0 [admin@MikroTik] tool sniffer connection>
Property | Description |
---|---|
active (read-only: yes | no) | Indicates whether connection is active or not |
bytes (read-only: integer/integer) | Bytes in the current connection |
dst-address (read-only: IP address:port) | Destination address |
mss (read-only: integer/integer) | Maximum segment size |
resends (read-only: integer/integer) | The number of packets resends in the current connection |
src-address (read-only: IP address:port) | Source address |
Quick mode
Quick mode will display results as they are filtered out with limited size buffer for packets. There are several attributes that can be set up filtering. If no attributes are set current configuration will be used.
Property | Description |
---|---|
duration | length of the test in seconds |
fast-path | capture FastPath packets without disabling FastPath, you can read more about FastPath |
freeze-frame-interval | time between data printout |
interface | intarface name or all |
ip-address | up to 16 addresses to filter |
ip-protocol | one of listed protocols, up to 16 entries
|
mac-address | up to 16 MAC addresses to filter |
mac-protocol | up 16 entries
|
port | up to 16 entries to filter by |
[admin@SXT test] /tool sniffer> quick interface=ether1 INTERFACE TIME NUM DI SRC-MAC DST-MAC VLAN SRC-ADDRESS ether1 3.145 210 <- 00:24:1D:17:81:F7 00:0C:42:CB:DE:62 10.5.101.10:36771 ether1 3.145 211 -> 00:0C:42:CB:DE:62 00:24:1D:17:81:F7 10.5.101.15:8291 (winbox) ether1 3.183 212 <- 00:24:1D:17:81:F7 00:0C:42:CB:DE:62 10.5.101.10:36771 ether1 3.184 213 -> 00:0C:42:CB:DE:62 00:24:1D:17:81:F7 10.5.101.15:8291 (winbox) ether1 3.195 214 -> 00:0C:42:CB:DE:62 00:24:1D:17:81:F7 10.5.101.15:8291 (winbox) ether1 3.195 215 -> 00:0C:42:CB:DE:62 00:24:1D:17:81:F7 10.5.101.15:8291 (winbox) ether1 3.195 216 <- 00:24:1D:17:81:F7 00:0C:42:CB:DE:62 10.5.101.10:36771 ether1 3.217 217 <- 00:24:1D:17:81:F7 00:0C:42:CB:DE:62 10.5.101.10:36771 ether1 3.218 218 -> 00:0C:42:CB:DE:62 00:24:1D:17:81:F7 10.5.101.15:8291 (winbox) ether1 3.22 219 <- 00:0C:42:49:FC:EC 33:33:00:00:00:05 fe80::20c:42ff:fe49:fcec ether1 3.255 220 <- 00:0C:42:A1:6E:47 01:00:5E:00:00:05 192.168.15.6 ether1 3.256 221 <- 00:24:1D:17:81:F7 00:0C:42:CB:DE:62 10.5.101.10:36771 ether1 3.259 222 <- 00:24:1D:17:81:F7 00:0C:42:CB:DE:62 10.5.101.10:36771 ether1 3.294 223 -> 00:0C:42:CB:DE:62 00:24:1D:17:81:F7 10.5.101.15:8291 (winbox) ether1 3.325 224 -> 00:0C:42:CB:DE:62 00:24:1D:17:81:F7 10.5.101.15:8291 (winbox) ether1 3.325 225 -> 00:0C:42:CB:DE:62 00:24:1D:17:81:F7 10.5.101.15:8291 (winbox) ether1 3.326 226 <- 00:24:1D:17:81:F7 00:0C:42:CB:DE:62 10.5.101.10:36771 ether1 3.35 227 <- 00:0C:42:A8:ED:C2 33:33:00:00:00:01 fe80::20c:42ff:fea8:edc2 ether1 3.391 228 <- 00:24:1D:17:81:F7 00:0C:42:CB:DE:62 10.5.101.10:36771 ether1 3.392 229 -> 00:0C:42:CB:DE:62 00:24:1D:17:81:F7 10.5.101.15:8291 (winbox)
Note: Traffic-Generator packets will not be visible using the packet sniffer on the same interface unless fast-path
parameter is set.
Download Sniffer Results
Sub-menu: /tool sniffer
Packet Sniffer results could be downloaded and viewed as file by specific program (for example Wireshark).
Property | Description |
---|---|
file-name (string; Default: "") | The name of the file where the sniffed packets will be saved to |
Example
To save sniffed result to file set,
[admin@MikroTik] /tool sniffer set file-name=example
Run sniffer with required settings,
[admin@MikroTik] /tool sniffer start
Do not forget to stop sniffer after sniffing is done,
[admin@MikroTik] /tool sniffer stop
Sniffed results could be downloaded from /file by FTP client or Windows Drag-n-Drop (do not forget to use binary mode, when file is downloaded by FTP).
[admin@MikroTik] /file print # NAME TYPE SIZE CREATION-TIME 0 example file 44092 jan/02/2010 01:11:59
[ Top | Back to Content ]