Manual:Tools/Packet Sniffer: Difference between revisions

Summary

Sub-menu: /tool sniffer
Packages required: system

Packet sniffer is a tool that can capture and analyze packets that are going to, leaving or going through the router (except the traffic that passes only through the switch chip).

Packet Sniffer Configuration

Sub-menu: /tool sniffer

Property	Description
file-limit (integer 10..1000000000; Default: 10)	The limit of the file in KB. Sniffer will stop after this limit is reached
file-name (string; Default: "")	The name of the file where the sniffed packets will be saved to
filter-ip-address (IP address/netmask;)	up to 16 ip addresses to use as a filter
filter-mac-address (MAC address;)	up to 16 MAC addresses to use as a filter
filter-port (port; Default:0-65535)	up to 16 comma separated entries
filter-ip-protocol (all-frames | ip-only | mac-only-no-ip;)	Filter specific protocol ipsec-ah - IPsec AH protocol *ipsec-esp - IPsec ESP protocol ddp - datagram delivery protocol egp - exterior gateway protocol ggp - gateway-gateway protocol gre - general routing encapsulation hmp - host monitoring protocol idpr-cmtp - idpr control message transport icmp - internet control message protocol icmpv6 - internet control message protocol v6 igmp - internet group management protocol ipencap - ip encapsulated in ip ipip - ip encapsulation encap - ip encapsulation iso-tp4 - iso transport protocol class 4 ospf - open shortest path first pup - parc universal packet protocol pim - protocol independent multicast rspf - radio shortest path first rdp - reliable datagram protocol st - st datagram mode tcp - transmission control protocol udp - user datagram protocol vmtp - versatile message transport vrrp - virtual router redundancy protocol xns-idp - xerox xns idp xtp - xpress transfer protocol
filter-mac-protocol (all-frames | ip-only | mac-only-no-ip;)	Filter specific protocol arp - Address Resolution Protocol ip - Internet Protocol ipv6 - Internet Protocol next generation ipx - Internetwork Packet Exchange rarp - Reverse Address Resolution Protocol
filter-stream (yes | no; Default: no)	Sniffed packets that are devised for sniffer server are ignored
interface (all | ether1 | ...; Default: all)	Interface management
memory-limit (integer 10..4294967295; Default: 10)	Memory amount reached in KB to stop sniffing
memory-scroll (yes | no; Default: no)
only-headers (yes | no; Default: no)	Save in the memory only packet's headers not the whole packet
running (read-only)	If the sniffer is started then the value is yes otherwise no
streaming-enabled (yes | no; Default: no)	Defines whether to send sniffed packets to sniffer's server or not
streaming-server (ip address; Default: )	Tazmen Sniffer Protocol (TZSP) stream receiver

Notes

filter-address1 and filter-address2 are used to specify the two participients in communication (i.e. they will match only in the case if one of them matches the source address and the other one matches the destination address of a packet). These properties are taken in account only if filter-protocol is ip-only.

Example

In the following example streaming-server will be added, streaming will be enabled, file-name will be set to test and packet sniffer will be started and stopped after some time:

[admin@MikroTik] tool sniffer> set streaming-server=192.168.0.240 \
\... streaming-enabled=yes file-name=test
[admin@MikroTik] tool sniffer> print
          interface: all
       only-headers: no
       memory-limit: 1000KiB
      memory-scroll: no
          file-name: test
         file-limit: 10KiB
  streaming-enabled: yes
   streaming-server: 192.168.0.240
      filter-stream: yes
            running: no
[admin@MikroTik] tool sniffer> start
[admin@MikroTik] tool sniffer> stop

Running Packet Sniffer

Commands: /tool sniffer start, /tool sniffer stop, /tool sniffer save

The commands are used to control runtime operation of the packet sniffer. The start command is used to start/reset sniffering, stop - stops sniffering. To save currently sniffed packets in a specific file save command is used.

Example

In the following example the packet sniffer will be started and after some time - stopped:

[admin@MikroTik] tool sniffer> start
[admin@MikroTik] tool sniffer> stop

Below the sniffed packets will be saved in the file named test:

[admin@MikroTik] tool sniffer> save file-name=test
[admin@MikroTik] tool sniffer> /file print
  # NAME                           TYPE         SIZE       CREATION-TIME
  0 test                           unknown      1350       apr/07/2003 16:01:52
[admin@MikroTik] tool sniffer>

Sniffed Packets

Sub-menu: /tool sniffer packet

This sub-menu allows to see the list of sniffed packets.

Property	Description
data (read-only: text)	Specified data inclusion in packets
direction (read-only: in | out)	Indicates whether packet is entering (in) or leaving (out) the router
dscp (read-only: integer)	IP DSCP field value
dst-address (read-only: IP address)	Destination IP address
fragment-offset (read-only: integer)	IP fragment offset
identification (read-only: integer)	IP identification
interface (read-only: name)	Name of the interface the packet has been captured on
ip-header-size (read-only: integer)	The size of IP header
ip-packet-size (read-only: integer)	The size of IP packet
ip-protocol (read-only: ddp | egp | encap | ggp | gre | hmp | icmp | icmpv6 | dpr-cmt | igmp | ip | ipencap | ipip | ipsec-ah | ipsec-esp | iso-tp4 | ospf | pim | pup | rdp | rspft | st | tcp | udp | vmtp | vrrp | xns-idp | xtp)	The name/number of IP protocol
protocol (read-only: ip | arp | rarp | ipx | ipv6)	The name/number of ethernet protocol
size (read-only: integer)	Size of packet
src-address (read-only: IP address)	Source IP address
src-mac (read-only: MAC address)	Source MAC address
data (read-only: string)	IP data
tcp-flags (read-only: ack | cwr | ece | fin | psh | rst | syn | urg)	TCP flags
time (read-only: time)	Time when packet arrived
ttl (read-only: integer)	IP Time To Live
vlan-id (read-only: integer)	VLAN-ID of the packet
vlan-priority (read-only: integer)	VLAN-Priority of the packet

Packet Sniffer Protocols

Sub-menu: /tool sniffer protocol

In this submenu you can see all kind of protocols that have been sniffed.

Property	Description
bytes (read-only: integer)	Total number of data bytes
ip-protocol (read-only: ddp | egp | encap | ggp | gre | hmp | icmp | icmpv6 | dpr-cmt | igmp | ip | ipencap | ipip | ipsec-ah | ipsec-esp | iso-tp4 | ospf | pim | pup | rdp | rspft | st | tcp | udp | vmtp | vrrp | xns-idp | xtp)	IP protocol
packets (read-only: integer)	The number of packets
port (read-only: integer)	The port of TCP/UDP protocol
protocol (read-only: ip | arp | rarp | ipx | ipv6)	The name/number of the protocol
share (read-only: decimal)	Specific type of traffic compared to all traffic in bytes

Example

[admin@MikroTik] tool sniffer protocol> print
  # PROTOCOL IP-PR... PORT          PACKETS   BYTES   SHARE
  0 ip                              77        4592    100 %
  1 ip       tcp                    74        4328    94.25 %
  2 ip       gre                    3         264     5.74 %
  3 ip       tcp      22 (ssh)      49        3220    70.12 %
  4 ip       tcp      23 (telnet)   25        1108    24.12 %
[admin@MikroTik] tool sniffer protocol>

Packet Sniffer Host

Sub-menu: /tool sniffer host

The submenu shows the list of hosts that were participating in data excange you've sniffed.

Property	Description
address (read-only: IP address)	IP address of the host
peek-rate (read-only: integer/integer)	The maximum data-rate received/transmitted
rate (read-only: integer/integer)	Current data-rate received/transmitted
total (read-only: integer/integer)	Total packets received/transmitted

Example

In the following example we'll see the list of hosts:

[admin@MikroTik] tool sniffer host> print
  # ADDRESS       RATE         PEEK-RATE           TOTAL
  0 10.0.0.4      0bps/0bps    704bps/0bps         264/0
  1 10.0.0.144    0bps/0bps    6.24kbps/12.2kbps   1092/2128
  2 10.0.0.181    0bps/0bps    12.2kbps/6.24kbps   2994/1598
  3 10.0.0.241    0bps/0bps    1.31kbps/4.85kbps   242/866
[admin@MikroTik] tool sniffer host>

Packet Sniffer Connections

Sub-menu: /tool sniffer connection

Here you can get a list of the connections that have been watched during the sniffing time.

Property	Description
active (read-only: yes | no)	Indicates whether connection is active or not
bytes (read-only: integer/integer)	Bytes in the current connection
dst-address (read-only: IP address:port)	Destination address
mss (read-only: integer/integer)	Maximum segment size
resends (read-only: integer/integer)	The number of packets resends in the current connection
src-address (read-only: IP address:port)	Source address

Example

The example shows how to get the list of connections:

[admin@MikroTik] tool sniffer connection> print
Flags: A - active
  #   SRC-ADDRESS       DST-ADDRESS             BYTES     RESENDS   MSS
  0 A 10.0.0.241:1839   10.0.0.181:23 (telnet)  6/42      60/0      0/0
  1 A 10.0.0.144:2265   10.0.0.181:22 (ssh)     504/252   504/0     0/0
[admin@MikroTik] tool sniffer connection>

Download Sniffer Results

Sub-menu: /tool sniffer

Packet Sniffer results could be downloaded and viewed as file by specific program (for example Wireshark).

Property	Description
file-name (string; Default: "")	The name of the file where the sniffed packets will be saved to

Example

To save sniffed result to file set,

[admin@MikroTik] /tool sniffer set file-name=example

Run sniffer with required settings,

[admin@MikroTik] /tool sniffer start

Do not forget to stop sniffer after sniffing is done,

[admin@MikroTik] /tool sniffer stop

Sniffed results could be downloaded from /file by FTP client or Windows Drag-n-Drop (do not forget to use binary mode, when file is downloaded by FTP).

[admin@MikroTik] /file print
 # NAME              TYPE             SIZE                 CREATION-TIME       
 0 example           file             44092                jan/02/2010 01:11:59

[ Top | Back to Content ]