Manual:Tools/Packet Sniffer

From MikroTik Wiki
Jump to navigation Jump to search

Applies to RouterOS: v2.9, v3, v4+

Summary

Sub-menu: /tool sniffer
Packages required: system


Packet sniffer is a tool that can capture and analyze packets that are going to, leaving or going through the router (except the traffic that passes only through the switch chip).

Packet Sniffer Configuration

Sub-menu: /tool sniffer


Property Description
file-limit (integer 10..1000000000; Default: 10) The limit of the file in KB. Sniffer will stop after this limit is reached
file-name (string; Default: "") The name of the file where the sniffed packets will be saved to
filter-ip-address (IP address/netmask;) up to 16 ip addresses to use as a filter
filter-mac-address (MAC address;) up to 16 MAC addresses to use as a filter
filter-port (port; Default:0-65535) up to 16 comma separated entries
filter-ip-protocol (all-frames | ip-only | mac-only-no-ip;) Filter specific protocol
  • ipsec-ah - IPsec AH protocol *ipsec-esp - IPsec ESP protocol
  • ddp - datagram delivery protocol
  • egp - exterior gateway protocol
  • ggp - gateway-gateway protocol
  • gre - general routing encapsulation
  • hmp - host monitoring protocol
  • idpr-cmtp - idpr control message transport
  • icmp - internet control message protocol
  • icmpv6 - internet control message protocol v6
  • igmp - internet group management protocol
  • ipencap - ip encapsulated in ip
  • ipip - ip encapsulation
  • encap - ip encapsulation
  • iso-tp4 - iso transport protocol class 4
  • ospf - open shortest path first
  • pup - parc universal packet protocol
  • pim - protocol independent multicast
  • rspf - radio shortest path first
  • rdp - reliable datagram protocol
  • st - st datagram mode
  • tcp - transmission control protocol
  • udp - user datagram protocol
  • vmtp - versatile message transport
  • vrrp - virtual router redundancy protocol
  • xns-idp - xerox xns idp
  • xtp - xpress transfer protocol
filter-mac-protocol (all-frames | ip-only | mac-only-no-ip;) Filter specific protocol
  • arp - Address Resolution Protocol
  • ip - Internet Protocol
  • ipv6 - Internet Protocol next generation
  • ipx - Internetwork Packet Exchange
  • rarp - Reverse Address Resolution Protocol
filter-stream (yes | no; Default: no) Sniffed packets that are devised for sniffer server are ignored
interface (all | ether1 | ...; Default: all) Interface management
memory-limit (integer 10..4294967295; Default: 10) Memory amount reached in KB to stop sniffing
memory-scroll (yes | no; Default: no)
only-headers (yes | no; Default: no) Save in the memory only packet's headers not the whole packet
running (read-only) If the sniffer is started then the value is yes otherwise no
streaming-enabled (yes | no; Default: no) Defines whether to send sniffed packets to sniffer's server or not
streaming-server (ip address; Default: ) Tazmen Sniffer Protocol (TZSP) stream receiver

Notes

filter-address1 and filter-address2 are used to specify the two participients in communication (i.e. they will match only in the case if one of them matches the source address and the other one matches the destination address of a packet). These properties are taken in account only if filter-protocol is ip-only.

Example

In the following example streaming-server will be added, streaming will be enabled, file-name will be set to test and packet sniffer will be started and stopped after some time:

[admin@MikroTik] tool sniffer> set streaming-server=192.168.0.240 \
\... streaming-enabled=yes file-name=test
[admin@MikroTik] tool sniffer> print
          interface: all
       only-headers: no
       memory-limit: 1000KiB
      memory-scroll: no
          file-name: test
         file-limit: 10KiB
  streaming-enabled: yes
   streaming-server: 192.168.0.240
      filter-stream: yes
            running: no
[admin@MikroTik] tool sniffer> start
[admin@MikroTik] tool sniffer> stop

Running Packet Sniffer

Commands: /tool sniffer start, /tool sniffer stop, /tool sniffer save


The commands are used to control runtime operation of the packet sniffer. The start command is used to start/reset sniffering, stop - stops sniffering. To save currently sniffed packets in a specific file save command is used.

Example

In the following example the packet sniffer will be started and after some time - stopped:

[admin@MikroTik] tool sniffer> start
[admin@MikroTik] tool sniffer> stop

Below the sniffed packets will be saved in the file named test:

[admin@MikroTik] tool sniffer> save file-name=test
[admin@MikroTik] tool sniffer> /file print
  # NAME                           TYPE         SIZE       CREATION-TIME
  0 test                           unknown      1350       apr/07/2003 16:01:52
[admin@MikroTik] tool sniffer>

Sniffed Packets

Sub-menu: /tool sniffer packet


This sub-menu allows to see the list of sniffed packets.

Property Description
data (read-only: text) Specified data inclusion in packets
direction (read-only: in | out) Indicates whether packet is entering (in) or leaving (out) the router
dscp (read-only: integer) IP DSCP field value
dst-address (read-only: IP address) Destination IP address
fragment-offset (read-only: integer) IP fragment offset
identification (read-only: integer) IP identification
interface (read-only: name) Name of the interface the packet has been captured on
ip-header-size (read-only: integer) The size of IP header
ip-packet-size (read-only: integer) The size of IP packet
ip-protocol (read-only: ddp | egp | encap | ggp | gre | hmp | icmp | icmpv6 | dpr-cmt | igmp | ip | ipencap | ipip | ipsec-ah | ipsec-esp | iso-tp4 | ospf | pim | pup | rdp | rspft | st | tcp | udp | vmtp | vrrp | xns-idp | xtp) The name/number of IP protocol
protocol (read-only: ip | arp | rarp | ipx | ipv6) The name/number of ethernet protocol
size (read-only: integer) Size of packet
src-address (read-only: IP address) Source IP address
src-mac (read-only: MAC address) Source MAC address
data (read-only: string) IP data
tcp-flags (read-only: ack | cwr | ece | fin | psh | rst | syn | urg) TCP flags
time (read-only: time) Time when packet arrived
ttl (read-only: integer) IP Time To Live
vlan-id (read-only: integer) VLAN-ID of the packet
vlan-priority (read-only: integer) VLAN-Priority of the packet

Packet Sniffer Protocols

Sub-menu: /tool sniffer protocol


In this submenu you can see all kind of protocols that have been sniffed.


Property Description
bytes (read-only: integer) Total number of data bytes
ip-protocol (read-only: ddp | egp | encap | ggp | gre | hmp | icmp | icmpv6 | dpr-cmt | igmp | ip | ipencap | ipip | ipsec-ah | ipsec-esp | iso-tp4 | ospf | pim | pup | rdp | rspft | st | tcp | udp | vmtp | vrrp | xns-idp | xtp) IP protocol
packets (read-only: integer) The number of packets
port (read-only: integer) The port of TCP/UDP protocol
protocol (read-only: ip | arp | rarp | ipx | ipv6) The name/number of the protocol
share (read-only: decimal) Specific type of traffic compared to all traffic in bytes

Example

[admin@MikroTik] tool sniffer protocol> print
  # PROTOCOL IP-PR... PORT          PACKETS   BYTES   SHARE
  0 ip                              77        4592    100 %
  1 ip       tcp                    74        4328    94.25 %
  2 ip       gre                    3         264     5.74 %
  3 ip       tcp      22 (ssh)      49        3220    70.12 %
  4 ip       tcp      23 (telnet)   25        1108    24.12 %
[admin@MikroTik] tool sniffer protocol>

Packet Sniffer Host

Sub-menu: /tool sniffer host


The submenu shows the list of hosts that were participating in data excange you've sniffed.


Property Description
address (read-only: IP address) IP address of the host
peek-rate (read-only: integer/integer) The maximum data-rate received/transmitted
rate (read-only: integer/integer) Current data-rate received/transmitted
total (read-only: integer/integer) Total packets received/transmitted

Example

In the following example we'll see the list of hosts:

[admin@MikroTik] tool sniffer host> print
  # ADDRESS       RATE         PEEK-RATE           TOTAL
  0 10.0.0.4      0bps/0bps    704bps/0bps         264/0
  1 10.0.0.144    0bps/0bps    6.24kbps/12.2kbps   1092/2128
  2 10.0.0.181    0bps/0bps    12.2kbps/6.24kbps   2994/1598
  3 10.0.0.241    0bps/0bps    1.31kbps/4.85kbps   242/866
[admin@MikroTik] tool sniffer host>

Packet Sniffer Connections

Sub-menu: /tool sniffer connection


Here you can get a list of the connections that have been watched during the sniffing time.


Property Description
active (read-only: yes | no) Indicates whether connection is active or not
bytes (read-only: integer/integer) Bytes in the current connection
dst-address (read-only: IP address:port) Destination address
mss (read-only: integer/integer) Maximum segment size
resends (read-only: integer/integer) The number of packets resends in the current connection
src-address (read-only: IP address:port) Source address

Example

The example shows how to get the list of connections:

[admin@MikroTik] tool sniffer connection> print
Flags: A - active
  #   SRC-ADDRESS       DST-ADDRESS             BYTES     RESENDS   MSS
  0 A 10.0.0.241:1839   10.0.0.181:23 (telnet)  6/42      60/0      0/0
  1 A 10.0.0.144:2265   10.0.0.181:22 (ssh)     504/252   504/0     0/0
[admin@MikroTik] tool sniffer connection>


Download Sniffer Results

Sub-menu: /tool sniffer


Packet Sniffer results could be downloaded and viewed as file by specific program (for example Wireshark).


Property Description
file-name (string; Default: "") The name of the file where the sniffed packets will be saved to


Example

To save sniffed result to file set,

[admin@MikroTik] /tool sniffer set file-name=example

Run sniffer with required settings,

[admin@MikroTik] /tool sniffer start

Do not forget to stop sniffer after sniffing is done,

[admin@MikroTik] /tool sniffer stop


Sniffed results could be downloaded from /file by FTP client or Windows Drag-n-Drop (do not forget to use binary mode, when file is downloaded by FTP).

[admin@MikroTik] /file print
 # NAME              TYPE             SIZE                 CREATION-TIME       
 0 example           file             44092                jan/02/2010 01:11:59

[ Top | Back to Content ]