Manual:Tools/Packet Sniffer: Difference between revisions
Edit summaries: "Fix Packet Sniffer"; "→Packet Sniffer Configuration: syntax change"
Line 34:
Rows as they read in the newer revision (the older revision's single filter-protocol row is replaced by filter-ip-protocol and filter-mac-protocol, and the filter-mac-address row is new):
<tr>
<td><var><b>filter-ip-address</b></var> (<em>IP address/netmask</em>;)</td>
<td>up to 16 ip addresses to use as a filter</td>
</tr>
<tr>
<td><var><b>filter-mac-address</b></var> (<em>MAC address</em>;)</td>
<td>up to 16 MAC addresses to use as a filter</td>
</tr>
<tr>
<td><var><b>filter-port</b></var> (<em>port</em>; Default:<b>0-65535</b>)</td>
<td>up to 16 comma separated entries</td>
</tr>
<tr>
<td><var><b>filter-ip-protocol</b></var> (<em>all-frames | ip-only | mac-only-no-ip</em>;)</td>
<td>Filter specific protocol
*<b>ipsec-ah</b> - IPsec AH protocol
*<b>ipsec-esp</b> - IPsec ESP protocol
*<b>ddp</b> - datagram delivery protocol
*<b>egp</b> - exterior gateway protocol
*<b>ggp</b> - gateway-gateway protocol
*<b>gre</b> - general routing encapsulation
*<b>hmp</b> - host monitoring protocol
*<b>idpr-cmtp</b> - idpr control message transport
*<b>icmp</b> - internet control message protocol
*<b>icmpv6</b> - internet control message protocol v6
*<b>igmp</b> - internet group management protocol
*<b>ipencap</b> - ip encapsulated in ip
*<b>ipip</b> - ip encapsulation
*<b>encap</b> - ip encapsulation
*<b>iso-tp4</b> - iso transport protocol class 4
*<b>ospf</b> - open shortest path first
*<b>pup</b> - parc universal packet protocol
*<b>pim</b> - protocol independent multicast
*<b>rspf</b> - radio shortest path first
*<b>rdp</b> - reliable datagram protocol
*<b>st</b> - st datagram mode
*<b>tcp</b> - transmission control protocol
*<b>udp</b> - user datagram protocol
*<b>vmtp</b> - versatile message transport
*<b>vrrp</b> - virtual router redundancy protocol
*<b>xns-idp</b> - xerox xns idp
*<b>xtp</b> - xpress transfer protocol
</td>
</tr>
<tr>
<td><var><b>filter-mac-protocol</b></var> (<em>all-frames | ip-only | mac-only-no-ip</em>;)</td>
<td>Filter specific protocol
*<b>arp</b> - Address Resolution Protocol
*<b>ip</b> - Internet Protocol
*<b>ipv6</b> - Internet Protocol next generation
*<b>ipx</b> - Internetwork Packet Exchange
*<b>rarp</b> - Reverse Address Resolution Protocol
</td>
</tr>
Revision as of 09:03, 5 October 2011
Applies to RouterOS: v2.9, v3, v4+
Summary
Sub-menu: /tool sniffer
Packages required: system
Packet sniffer is a tool that can capture and analyze packets that are going to, leaving or going through the router (except the traffic that passes only through the switch chip).
Packet Sniffer Configuration
Sub-menu: /tool sniffer
Property | Description |
---|---|
file-limit (integer 10..1000000000; Default: 10) | The limit of the file in KB. Sniffer will stop after this limit is reached |
file-name (string; Default: "") | The name of the file where the sniffed packets will be saved to |
filter-ip-address (IP address/netmask;) | up to 16 ip addresses to use as a filter |
filter-mac-address (MAC address;) | up to 16 MAC addresses to use as a filter |
filter-port (port; Default:0-65535) | up to 16 comma separated entries |
filter-ip-protocol (all-frames | ip-only | mac-only-no-ip;) | Filter specific IP protocol: ipsec-ah (IPsec AH protocol), ipsec-esp (IPsec ESP protocol), ddp (datagram delivery protocol), egp (exterior gateway protocol), ggp (gateway-gateway protocol), gre (general routing encapsulation), hmp (host monitoring protocol), idpr-cmtp (idpr control message transport), icmp (internet control message protocol), icmpv6 (internet control message protocol v6), igmp (internet group management protocol), ipencap (ip encapsulated in ip), ipip (ip encapsulation), encap (ip encapsulation), iso-tp4 (iso transport protocol class 4), ospf (open shortest path first), pup (parc universal packet protocol), pim (protocol independent multicast), rspf (radio shortest path first), rdp (reliable datagram protocol), st (st datagram mode), tcp (transmission control protocol), udp (user datagram protocol), vmtp (versatile message transport), vrrp (virtual router redundancy protocol), xns-idp (xerox xns idp), xtp (xpress transfer protocol) |
filter-mac-protocol (all-frames | ip-only | mac-only-no-ip;) | Filter specific Ethernet protocol: arp (Address Resolution Protocol), ip (Internet Protocol), ipv6 (Internet Protocol next generation), ipx (Internetwork Packet Exchange), rarp (Reverse Address Resolution Protocol) |
filter-stream (yes | no; Default: no) | Sniffed packets that are destined for the sniffer server are ignored |
interface (all | ether1 | ...; Default: all) | Interface on which to sniff; all captures on every interface |
memory-limit (integer 10..4294967295; Default: 10) | Memory amount reached in KB to stop sniffing |
memory-scroll (yes | no; Default: no) | |
only-headers (yes | no; Default: no) | Save in the memory only packet's headers not the whole packet |
running (read-only) | If the sniffer is started then the value is yes otherwise no |
streaming-enabled (yes | no; Default: no) | Defines whether to send sniffed packets to sniffer's server or not |
streaming-server (ip address; Default: ) | Tazmen Sniffer Protocol (TZSP) stream receiver |
Notes
filter-address1 and filter-address2 are used to specify the two participants in a communication (i.e. they match only if one of them matches the source address and the other one matches the destination address of a packet). These properties are taken into account only if filter-protocol is ip-only.
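The matching rule in the note above, written out as an added Python example (it is not code from the MikroTik manual or from RouterOS): one spec per participant, and a packet matches when one spec fits the source endpoint and the other fits the destination endpoint, in either direction. The addr/prefix:lo-hi spec syntax is the one the /tool sniffer print output on this page shows (0.0.0.0/0:0-65535); the sample addresses and ports are constructed.

```python
# Added example: bidirectional participant matching as described for
# filter-address1/filter-address2 (not the manual's own code).
import ipaddress
from typing import NamedTuple


class AddrSpec(NamedTuple):
    network: ipaddress.IPv4Network
    port_lo: int
    port_hi: int

    def matches(self, addr: str, port: int) -> bool:
        """True when addr lies inside the network and port inside the range."""
        return (ipaddress.IPv4Address(addr) in self.network
                and self.port_lo <= port <= self.port_hi)


def parse_spec(spec: str) -> AddrSpec:
    """Parse 'a.b.c.d/len:lo-hi' (the form shown by '/tool sniffer print').

    A missing ':port' part means any port; a single port means lo == hi.
    """
    net_part, _, port_part = spec.partition(":")
    network = ipaddress.IPv4Network(net_part, strict=False)
    if not port_part:
        return AddrSpec(network, 0, 65535)
    lo, _, hi = port_part.partition("-")
    lo_i = int(lo)
    hi_i = int(hi) if hi else lo_i
    if not (0 <= lo_i <= hi_i <= 65535):
        raise ValueError(f"bad port range in {spec!r}")
    return AddrSpec(network, lo_i, hi_i)


def pair_matches(spec1: AddrSpec, spec2: AddrSpec,
                 src: str, sport: int, dst: str, dport: int) -> bool:
    """The manual's rule: the two specs name the two participants, so the
    packet matches when one spec fits the source endpoint and the other fits
    the destination endpoint, whichever way round the packet travels."""
    return ((spec1.matches(src, sport) and spec2.matches(dst, dport)) or
            (spec2.matches(src, sport) and spec1.matches(dst, dport)))


if __name__ == "__main__":
    lan = parse_spec("10.0.0.0/24:0-65535")      # constructed: the LAN side
    ssh_server = parse_spec("192.168.0.240/32:22")  # constructed: one SSH server
    # request and reply both match, a LAN-internal SSH session does not
    print(pair_matches(lan, ssh_server, "10.0.0.5", 40000, "192.168.0.240", 22))
    print(pair_matches(lan, ssh_server, "192.168.0.240", 22, "10.0.0.5", 40000))
    print(pair_matches(lan, ssh_server, "10.0.0.5", 40000, "10.0.0.6", 22))
```

Because the rule is symmetric, a single pair of specs captures both halves of a conversation; narrowing one spec to a host and port (as with the SSH server above) is how a capture is kept to the traffic that is actually of interest.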
Example
In the following example streaming-server will be added, streaming will be enabled, file-name will be set to test and packet sniffer will be started and stopped after some time:
[admin@MikroTik] tool sniffer> set streaming-server=192.168.0.240 \
\... streaming-enabled=yes file-name=test
[admin@MikroTik] tool sniffer> print
               interface: all
            only-headers: no
            memory-limit: 10
               file-name: "test"
              file-limit: 10
       streaming-enabled: yes
        streaming-server: 192.168.0.240
           filter-stream: yes
         filter-protocol: ip-only
         filter-address1: 0.0.0.0/0:0-65535
         filter-address2: 0.0.0.0/0:0-65535
                 running: no
[admin@MikroTik] tool sniffer> start
[admin@MikroTik] tool sniffer> stop
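The receiving side of the streaming example above, as an added Python example that is not part of the manual and not MikroTik code: a minimal TZSP listener for the host named in streaming-server. The TZSP framing used here (version byte 1, type byte, 16-bit encapsulation with 1 = Ethernet, then a tag list ended by tag 1 = END, then the captured frame) and the default UDP port 37008 are facts about the protocol rather than statements of the manual; the sample datagram is constructed so the decoder can be exercised offline.

```python
# Added example: a TZSP receiver for the router's sniffer stream (not from the manual).
import socket
import struct
from typing import Dict, Tuple

TZSP_PORT = 37008            # default UDP port a TZSP receiver listens on
TAG_PADDING, TAG_END = 0, 1  # the two tag ids that carry no length byte
ENCAP_ETHERNET = 1
IP_PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp", 47: "gre", 50: "ipsec-esp", 51: "ipsec-ah"}
TCP_FLAG_BITS = [("fin", 0x01), ("syn", 0x02), ("rst", 0x04), ("psh", 0x08),
                 ("ack", 0x10), ("urg", 0x20), ("ece", 0x40), ("cwr", 0x80)]


def parse_tzsp(datagram: bytes) -> Tuple[int, int, Dict[int, bytes], bytes]:
    """Split one TZSP datagram into (type, encapsulation, tags, captured frame)."""
    if len(datagram) < 4:
        raise ValueError("TZSP header truncated")
    version, ptype, encap = struct.unpack("!BBH", datagram[:4])
    if version != 1:
        raise ValueError(f"unsupported TZSP version {version}")
    tags: Dict[int, bytes] = {}
    pos = 4
    while True:                      # tag list: id, optional length, value
        if pos >= len(datagram):
            raise ValueError("TZSP tag list not terminated")
        tag = datagram[pos]
        pos += 1
        if tag == TAG_END:
            break
        if tag == TAG_PADDING:
            continue
        if pos >= len(datagram):
            raise ValueError("TZSP tag length missing")
        length = datagram[pos]
        pos += 1
        tags[tag] = datagram[pos:pos + length]
        pos += length
    return ptype, encap, tags, datagram[pos:]


def summarize_ethernet_ipv4(frame: bytes) -> Dict[str, object]:
    """Extract the fields the sniffer's packet listing shows from an Ethernet/IPv4 frame."""
    if len(frame) < 14:
        raise ValueError("Ethernet header truncated")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    out: Dict[str, object] = {"dst-mac": frame[:6].hex(":"), "src-mac": frame[6:12].hex(":"),
                              "ethertype": ethertype}
    if ethertype != 0x0800:
        return out                   # only IPv4 is decoded in this example
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("IPv4 header truncated")
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    out.update({"ip-packet-size": struct.unpack("!H", ip[2:4])[0], "ip-header-size": ihl,
                "ttl": ip[8], "ip-protocol": IP_PROTO_NAMES.get(proto, str(proto)),
                "src-address": socket.inet_ntoa(ip[12:16]),
                "dst-address": socket.inet_ntoa(ip[16:20])})
    if proto in (6, 17) and len(ip) >= ihl + 4:
        out["src-port"], out["dst-port"] = struct.unpack("!HH", ip[ihl:ihl + 4])
    if proto == 6 and len(ip) >= ihl + 14:
        flags = ip[ihl + 13]
        out["tcp-flags"] = [name for name, bit in TCP_FLAG_BITS if flags & bit]
    return out


def build_sample_datagram() -> bytes:
    """Constructed TZSP datagram: Ethernet / IPv4 / TCP SYN, 10.0.0.5:40000 -> 192.168.0.240:22."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", 40000, 22, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                       socket.inet_aton("10.0.0.5"), socket.inet_aton("192.168.0.240"))
    return struct.pack("!BBH", 1, 0, ENCAP_ETHERNET) + bytes([TAG_END]) + eth + ipv4 + tcp


def serve(bind_addr: str = "0.0.0.0", port: int = TZSP_PORT) -> None:
    """Listen for the router's stream and print one summary per frame (runs until killed)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        while True:
            datagram, (router, _) = sock.recvfrom(65535)
            try:
                _, encap, _, frame = parse_tzsp(datagram)
                if encap == ENCAP_ETHERNET:
                    print(router, summarize_ethernet_ipv4(frame))
            except ValueError as exc:   # a malformed datagram must not stop the listener
                print(router, "malformed datagram:", exc)


if __name__ == "__main__":
    print(summarize_ethernet_ipv4(parse_tzsp(build_sample_datagram())[3]))
    # serve()  # run this on the host configured as streaming-server
```

The stream is plain UDP with no authentication, so the listener validates every length before indexing and treats a malformed datagram as a logged event rather than a crash; the receiving host should also only accept the stream on a management network where the router's address is expected.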
Running Packet Sniffer
Commands: /tool sniffer start, /tool sniffer stop, /tool sniffer save
These commands control the runtime operation of the packet sniffer. The start command starts or resets sniffing, and stop stops it. To save the currently sniffed packets to a specific file, the save command is used.
Example
In the following example the packet sniffer will be started and after some time - stopped:
[admin@MikroTik] tool sniffer> start
[admin@MikroTik] tool sniffer> stop
Below, the sniffed packets are saved in the file named test:
[admin@MikroTik] tool sniffer> save file-name=test
[admin@MikroTik] tool sniffer> /file print
  # NAME      TYPE       SIZE     CREATION-TIME
  0 test      unknown    1350     apr/07/2003 16:01:52
[admin@MikroTik] tool sniffer>
Sniffed Packets
Sub-menu: /tool sniffer packet
This sub-menu shows the list of sniffed packets.
Property | Description |
---|---|
data (read-only: text) | Specified data inclusion in packets |
direction (read-only: in | out) | Indicates whether packet is entering (in) or leaving (out) the router |
dscp (read-only: integer) | IP DSCP field value |
dst-address (read-only: IP address) | Destination IP address |
fragment-offset (read-only: integer) | IP fragment offset |
identification (read-only: integer) | IP identification |
interface (read-only: name) | Name of the interface the packet has been captured on |
ip-header-size (read-only: integer) | The size of IP header |
ip-packet-size (read-only: integer) | The size of IP packet |
ip-protocol (read-only: ddp | egp | encap | ggp | gre | hmp | icmp | icmpv6 | dpr-cmt | igmp | ip | ipencap | ipip | ipsec-ah | ipsec-esp | iso-tp4 | ospf | pim | pup | rdp | rspft | st | tcp | udp | vmtp | vrrp | xns-idp | xtp) | The name/number of IP protocol |
protocol (read-only: ip | arp | rarp | ipx | ipv6) | The name/number of ethernet protocol |
size (read-only: integer) | Size of packet |
src-address (read-only: IP address) | Source IP address |
src-mac (read-only: MAC address) | Source MAC address |
data (read-only: string) | IP data |
tcp-flags (read-only: ack | cwr | ece | fin | psh | rst | syn | urg) | TCP flags |
time (read-only: time) | Time when packet arrived |
ttl (read-only: integer) | IP Time To Live |
vlan-id (read-only: integer) | VLAN-ID of the packet |
vlan-priority (read-only: integer) | VLAN-Priority of the packet |
Packet Sniffer Protocols
Sub-menu: /tool sniffer protocol
This sub-menu shows all kinds of protocols that have been sniffed.
Property | Description |
---|---|
bytes (read-only: integer) | Total number of data bytes |
ip-protocol (read-only: ddp | egp | encap | ggp | gre | hmp | icmp | icmpv6 | dpr-cmt | igmp | ip | ipencap | ipip | ipsec-ah | ipsec-esp | iso-tp4 | ospf | pim | pup | rdp | rspft | st | tcp | udp | vmtp | vrrp | xns-idp | xtp) | IP protocol |
packets (read-only: integer) | The number of packets |
port (read-only: integer) | The port of TCP/UDP protocol |
protocol (read-only: ip | arp | rarp | ipx | ipv6) | The name/number of the protocol |
share (read-only: decimal) | Specific type of traffic compared to all traffic in bytes |
Example
[admin@MikroTik] tool sniffer protocol> print
  # PROTOCOL IP-PR... PORT         PACKETS BYTES   SHARE
  0 ip                             77      4592    100 %
  1 ip       tcp                   74      4328    94.25 %
  2 ip       gre                   3       264     5.74 %
  3 ip       tcp      22 (ssh)     49      3220    70.12 %
  4 ip       tcp      23 (telnet)  25      1108    24.12 %
[admin@MikroTik] tool sniffer protocol>
Packet Sniffer Host
Sub-menu: /tool sniffer host
This sub-menu shows the list of hosts that participated in the data exchange you have sniffed.
Property | Description |
---|---|
address (read-only: IP address) | IP address of the host |
peek-rate (read-only: integer/integer) | The maximum data-rate received/transmitted |
rate (read-only: integer/integer) | Current data-rate received/transmitted |
total (read-only: integer/integer) | Total packets received/transmitted |
Example
In the following example we'll see the list of hosts:
[admin@MikroTik] tool sniffer host> print
  # ADDRESS      RATE       PEEK-RATE           TOTAL
  0 10.0.0.4     0bps/0bps  704bps/0bps         264/0
  1 10.0.0.144   0bps/0bps  6.24kbps/12.2kbps   1092/2128
  2 10.0.0.181   0bps/0bps  12.2kbps/6.24kbps   2994/1598
  3 10.0.0.241   0bps/0bps  1.31kbps/4.85kbps   242/866
[admin@MikroTik] tool sniffer host>
Packet Sniffer Connections
Sub-menu: /tool sniffer connection
Here you can get a list of the connections that have been watched during the sniffing time.
Property | Description |
---|---|
active (read-only: yes | no) | Indicates whether connection is active or not |
bytes (read-only: integer/integer) | Bytes in the current connection |
dst-address (read-only: IP address:port) | Destination address |
mss (read-only: integer/integer) | Maximum segment size |
resends (read-only: integer/integer) | The number of packet resends in the current connection |
src-address (read-only: IP address:port) | Source address |
Example
The example shows how to get the list of connections:
[admin@MikroTik] tool sniffer connection> print
Flags: A - active
  #   SRC-ADDRESS       DST-ADDRESS              BYTES     RESENDS   MSS
  0 A 10.0.0.241:1839   10.0.0.181:23 (telnet)   6/42      60/0      0/0
  1 A 10.0.0.144:2265   10.0.0.181:22 (ssh)      504/252   504/0     0/0
[admin@MikroTik] tool sniffer connection>
Download Sniffer Results
Sub-menu: /tool sniffer
Packet Sniffer results can be downloaded and viewed as a file with a suitable program (for example Wireshark).
Property | Description |
---|---|
file-name (string; Default: "") | The name of the file where the sniffed packets will be saved to |
Example
To save the sniffed result to a file, set the file name:
[admin@MikroTik] /tool sniffer set file-name=example
Run the sniffer with the required settings:
[admin@MikroTik] /tool sniffer start
Do not forget to stop the sniffer after sniffing is done:
[admin@MikroTik] /tool sniffer stop
The sniffed results can be downloaded from /file with an FTP client or by Windows drag-and-drop (do not forget to use binary mode when the file is downloaded by FTP).
[admin@MikroTik] /file print
  # NAME        TYPE    SIZE     CREATION-TIME
  0 example     file    44092    jan/02/2010 01:11:59