Manual:Tools/Packet Sniffer

From MikroTik Wiki
Jump to navigation Jump to search

Applies to RouterOS: v5.8+

Summary

Sub-menu: /tool sniffer
Packages required: system


Packet sniffer is a tool that can capture and analyze packets that are going to, leaving or going through the router.

Note: Unicast traffic between Wireless clients with client-to-client forwarding enabled will not be visible to sniffer tool. Packets that are processed with hardware offloading enabled bridge will also not be visible (unknown unicast, broadcast and some multicast traffic will be visible to sniffer tool).


Packet Sniffer Configuration

Sub-menu: /tool sniffer


Property Description
file-limit (integer 10..4294967295[KiB]; Default: 1000KiB) File size limit. Sniffer will stop when limit is reached.
file-name (string; Default: ) Name of the file where sniffed packets will be saved.
filter-ip-address (ip/mask[,ip/mask] (max 16 items); Default: ) Up to 16 ip addresses used as a filter
filter-mac-address (mac/mask[,mac/mask] (max 16 items); Default: ) Up to 16 MAC addresses and MAC address masks used as a filter
filter-port ([!]port[,port] (max 16 items); Default: ) Up to 16 comma separated entries used as a filter
filter-ip-protocol ([!]protocol[,protocol] (max 16 items); Default: ) Up to 16 comma separated entries used as a filter

IP protocols (instead of protocol names, protocol number can be used)

  • ipsec-ah - IPsec AH protocol
  • ipsec-esp - IPsec ESP protocol
  • ddp - datagram delivery protocol
  • egp - exterior gateway protocol
  • ggp - gateway-gateway protocol
  • gre - general routing encapsulation
  • hmp - host monitoring protocol
  • idpr-cmtp - idpr control message transport
  • icmp - internet control message protocol
  • icmpv6 - internet control message protocol v6
  • igmp - internet group management protocol
  • ipencap - ip encapsulated in ip
  • ipip - ip encapsulation
  • encap - ip encapsulation
  • iso-tp4 - iso transport protocol class 4
  • ospf - open shortest path first
  • pup - parc universal packet protocol
  • pim - protocol independent multicast
  • rspf - radio shortest path first
  • rdp - reliable datagram protocol
  • st - st datagram mode
  • tcp - transmission control protocol
  • udp - user datagram protocol
  • vmtp - versatile message transport
  • vrrp - virtual router redundancy protocol
  • xns-idp - xerox xns idp
  • xtp - xpress transfer protocol
filter-mac-protocol ([!]protocol[,protocol] (max 16 items); Default: ) Up to 16 comma separated entries used as a filter.

Mac protocols (instead of protocol names, protocol number can be used):

  • 802.2 - 802.2 Frames (0x0004)
  • arp - Address Resolution Protocol (0x0806)
  • homeplug-av - HomePlug AV MME (0x88E1)
  • ip - Internet Protocol version 4 (0x0800)
  • ipv6 - Internet Protocol Version 6 (0x86DD)
  • ipx - Internetwork Packet Exchange (0x8137)
  • lldp - Link Layer Discovery Protocol (0x88CC)
  • loop-protect - Loop Protect Protocol (0x9003)
  • mpls-multicast - MPLS multicast (0x8848)
  • mpls-unicast - MPLS unicast (0x8847)
  • packing-compr - Encapsulated packets with compressed IP packing (0x9001)
  • packing-simple - Encapsulated packets with simple IP packing (0x9000)
  • pppoe - PPPoE Session Stage (0x8864)
  • pppoe-discovery - PPPoE Discovery Stage (0x8863)
  • rarp - Reverse Address Resolution Protocol (0x8035)
  • service-vlan - Provider Bridging (IEEE 802.1ad) & Shortest Path Bridging IEEE 802.1aq (0x88A8)
  • vlan - VLAN-tagged frame (IEEE 802.1Q) and Shortest Path Bridging IEEE 802.1aq with NNI compatibility (0x8100)
filter-stream (yes | no; Default: yes) Sniffed packets that are devised for sniffer server are ignored
filter-direction (any | rx | tx; Default: ) Specifies om which direction filtering will be applied.
interface (all | name; Default: all) Interface name on which sniffer will be running. all indicates that sniffer will sniff packets on all interfaces.
memory-limit (integer 10..4294967295[KiB]; Default: 100KiB) Memory amount used to store sniffed data.
memory-scroll (yes | no; Default: yes) Whether to rewrite older sniffed data when memory limit is reached.
only-headers (yes | no; Default: no) Save in the memory only packet's headers not the whole packet.
streaming-enabled (yes | no; Default: no) Defines whether to send sniffed packets to streaming server
streaming-server (IP; Default: 0.0.0.0) Tazmen Sniffer Protocol (TZSP) stream receiver


Example

In the following example streaming-server will be added, streaming will be enabled, file-name will be set to test and packet sniffer will be started and stopped after some time:


[admin@MikroTik] tool sniffer> set streaming-server=192.168.0.240 \
\... streaming-enabled=yes file-name=test.pcap
[admin@MikroTik] tool sniffer> print
            interface: all
         only-headers: no
         memory-limit: 100KiB
        memory-scroll: yes
            file-name: test.pcap
           file-limit: 1000KiB
    streaming-enabled: yes
     streaming-server: 192.168.0.240
        filter-stream: yes
   filter-mac-address: 
  filter-mac-protocol: 
    filter-ip-address: 
   filter-ip-protocol: 
          filter-port: 
     filter-direction: any
              running: no
[admin@MikroTik] tool sniffer> start
[admin@MikroTik] tool sniffer> stop

Running Packet Sniffer

Commands: /tool sniffer start, /tool sniffer stop, /tool sniffer save


The commands are used to control runtime operation of the packet sniffer. The start command is used to start/reset sniffering, stop - stops sniffering. To save currently sniffed packets in a specific file save command is used.

It is also possible to use quick mode.

Example

In the following example the packet sniffer will be started and after some time - stopped:

[admin@MikroTik] tool sniffer> start
[admin@MikroTik] tool sniffer> stop

Below the sniffed packets will be saved in the file named test:

[admin@MikroTik] tool sniffer> save file-name=test
[admin@MikroTik] tool sniffer> /file print
  # NAME                           TYPE         SIZE       CREATION-TIME
  0 test                           unknown      1350       apr/07/2003 16:01:52
[admin@MikroTik] tool sniffer>

Sniffed Packets

Sub-menu: /tool sniffer packet


This sub-menu allows to see the list of sniffed packets.

[admin@SXT test] /tool sniffer packet> print 
 #    TIME INTERFACE SRC-ADDRESS                               DST-ADDRESS  
120   1.993 ether1    10.5.101.1:646                            224.0.0.2:646                          >
121   2.045 ether1    10.5.101.15:8291 (winbox)                 10.5.101.10:36771                      >
122   2.046 ether1    10.5.101.15:8291 (winbox)                 10.5.101.10:36771                      >
123   2.255 ether1    fe80::20c:42ff:fe49:fcec                  ff02::5                                >


Property Description
data (read-only: text) Specified data inclusion in packets
direction (read-only: in | out) Indicates whether packet is entering (in) or leaving (out) the router
dscp (read-only: integer) IP DSCP field value
dst-address (read-only: IP address) Destination IP address
fragment-offset (read-only: integer) IP fragment offset
identification (read-only: integer) IP identification
interface (read-only: name) Name of the interface the packet has been captured on
ip-header-size (read-only: integer) The size of IP header
ip-packet-size (read-only: integer) The size of IP packet
ip-protocol (read-only: ddp | egp | encap | ggp | gre | hmp | icmp | icmpv6 | dpr-cmt | igmp | ip | ipencap | ipip | ipsec-ah | ipsec-esp | iso-tp4 | ospf | pim | pup | rdp | rspft | st | tcp | udp | vmtp | vrrp | xns-idp | xtp) The name/number of IP protocol
protocol (read-only: 802.2 | arp | homeplug-av | ip | ipv6 | ipx | lldp | loop-protect | mpls-multicast | mpls-unicast | packing-compr | packing-simple | pppoe | pppoe-discovery | rarp | service-vlan | vlan) The name/number of ethernet protocol
size (read-only: integer) Size of packet
src-address (read-only: IP address) Source IP address
src-mac (read-only: MAC address) Source MAC address
data (read-only: string) IP data
tcp-flags (read-only: ack | cwr | ece | fin | psh | rst | syn | urg) TCP flags
time (read-only: time) Time when packet arrived
ttl (read-only: integer) IP Time To Live
vlan-id (read-only: integer) VLAN-ID of the packet
vlan-priority (read-only: integer) VLAN-Priority of the packet

Packet Sniffer Protocols

Sub-menu: /tool sniffer protocol


In this submenu you can see all sniffed protocols and their share of the whole sniffed amount.

[admin@SXT test] /tool sniffer protocol> print 
 # PROTOCOL IP-PROTOCOL PORT                                     PACKETS      BYTES        SHARE
 0 802.2                                                              1         60        0.05%
 1 ip                                                               215     100377       99.04%
 2 arp                                                                2        120        0.11%
 3 ipv6                                                               6        788        0.77%
 4 ip       tcp                                                     210      99981       98.65%
 5 ip       udp                                                       3        228        0.22%
 6 ip       ospf                                                      2        168        0.16%
 7 ip       tcp         8291 (winbox)                               210      99981       98.65%
 8 ip       tcp         36771                                       210      99981       98.65%
 9 ip       udp         646                                           3        228        0.22%


Property Description
bytes (read-only: integer) Total number of data bytes
ip-protocol (read-only: ddp | egp | encap | ggp | gre | hmp | icmp | icmpv6 | dpr-cmt | igmp | ip | ipencap | ipip | ipsec-ah | ipsec-esp | iso-tp4 | ospf | pim | pup | rdp | rspft | st | tcp | udp | vmtp | vrrp | xns-idp | xtp) IP protocol
packets (read-only: integer) The number of packets
port (read-only: integer) The port of TCP/UDP protocol
protocol (read-only: 802.2 | arp | homeplug-av | ip | ipv6 | ipx | lldp | loop-protect | mpls-multicast | mpls-unicast | packing-compr | packing-simple | pppoe | pppoe-discovery | rarp | service-vlan | vlan) The name/number of the protocol
share (read-only: decimal) Specific type of traffic compared to all traffic in bytes

Packet Sniffer Host

Sub-menu: /tool sniffer host


The submenu shows the list of hosts that were participating in data excange you've sniffed.

[admin@SXT test] /tool sniffer host> print 
 # ADDRESS         RATE                PEEK-RATE           TOTAL            
 0 10.5.101.3      0bps/0bps           0bps/720bps         0/90             
 1 10.5.101.10     0bps/0bps           175.0kbps/19.7kbps  61231/7011       
 2 10.5.101.13     0bps/0bps           0bps/608bps         0/76             
 3 10.5.101.14     0bps/0bps           0bps/976bps         0/212            
 4 10.5.101.15     0bps/0bps           19.7kbps/175.0kbps  7011/61231       
 5 224.0.0.2       0bps/0bps           608bps/0bps         76/0             
 6 224.0.0.5       0bps/0bps           1440bps/0bps        302/0            
[admin@SXT test] /tool sniffer host> 


Property Description
address (read-only: IP address) IP address of the host
peek-rate (read-only: integer/integer) The maximum data-rate received/transmitted
rate (read-only: integer/integer) Current data-rate received/transmitted
total (read-only: integer/integer) Total packets received/transmitted

Packet Sniffer Connections

Sub-menu: /tool sniffer connection


Here you can get a list of the connections that have been watched during the sniffing time.

[admin@MikroTik] tool sniffer connection> print
Flags: A - active
  #   SRC-ADDRESS       DST-ADDRESS             BYTES     RESENDS   MSS
  0 A 10.0.0.241:1839   10.0.0.181:23 (telnet)  6/42      60/0      0/0
  1 A 10.0.0.144:2265   10.0.0.181:22 (ssh)     504/252   504/0     0/0
[admin@MikroTik] tool sniffer connection>


Property Description
active (read-only: yes | no) Indicates whether connection is active or not
bytes (read-only: integer/integer) Bytes in the current connection
dst-address (read-only: IP address:port) Destination address
mss (read-only: integer/integer) Maximum segment size
resends (read-only: integer/integer) The number of packets resends in the current connection
src-address (read-only: IP address:port) Source address

Quick mode

Quick mode will display results as they are filtered out with limited size buffer for packets. There are several attributes that can be set up filtering. If no attributes are set current configuration will be used.


Property Description
duration length of the test in seconds
fast-path capture FastPath packets without disabling FastPath, you can read more about FastPath
freeze-frame-interval time between data printout
interface intarface name or all
ip-address up to 16 addresses to filter
ip-protocol one of listed protocols, up to 16 entries
  • ipsec-ah - IPsec AH protocol *ipsec-esp - IPsec ESP protocol
  • ddp - datagram delivery protocol
  • egp - exterior gateway protocol
  • ggp - gateway-gateway protocol
  • gre - general routing encapsulation
  • hmp - host monitoring protocol
  • idpr-cmtp - idpr control message transport
  • icmp - internet control message protocol
  • icmpv6 - internet control message protocol v6
  • igmp - internet group management protocol
  • ipencap - ip encapsulated in ip
  • ipip - ip encapsulation
  • encap - ip encapsulation
  • iso-tp4 - iso transport protocol class 4
  • ospf - open shortest path first
  • pup - parc universal packet protocol
  • pim - protocol independent multicast
  • rspf - radio shortest path first
  • rdp - reliable datagram protocol
  • st - st datagram mode
  • tcp - transmission control protocol
  • udp - user datagram protocol
  • vmtp - versatile message transport
  • vrrp - virtual router redundancy protocol
  • xns-idp - xerox xns idp
  • xtp - xpress transfer protocol
mac-address up to 16 MAC addresses to filter
mac-protocol up 16 entries
  • 802.2 - 802.2 Frames (0x0004)
  • arp - Address Resolution Protocol (0x0806)
  • homeplug-av - HomePlug AV MME (0x88E1)
  • ip - Internet Protocol version 4 (0x0800)
  • ipv6 - Internet Protocol Version 6 (0x86DD)
  • ipx - Internetwork Packet Exchange (0x8137)
  • lldp - Link Layer Discovery Protocol (0x88CC)
  • loop-protect - Loop Protect Protocol (0x9003)
  • mpls-multicast - MPLS multicast (0x8848)
  • mpls-unicast - MPLS unicast (0x8847)
  • packing-compr - Encapsulated packets with compressed IP packing (0x9001)
  • packing-simple - Encapsulated packets with simple IP packing (0x9000)
  • pppoe - PPPoE Session Stage (0x8864)
  • pppoe-discovery - PPPoE Discovery Stage (0x8863)
  • rarp - Reverse Address Resolution Protocol (0x8035)
  • service-vlan - Provider Bridging (IEEE 802.1ad) & Shortest Path Bridging IEEE 802.1aq (0x88A8)
  • vlan - VLAN-tagged frame (IEEE 802.1Q) and Shortest Path Bridging IEEE 802.1aq with NNI compatibility (0x8100)
port up to 16 entries to filter by


[admin@SXT test] /tool sniffer> quick interface=ether1  
INTERFACE  TIME  NUM DI SRC-MAC           DST-MAC           VLAN SRC-ADDRESS                        
ether1    3.145  210 <- 00:24:1D:17:81:F7 00:0C:42:CB:DE:62      10.5.101.10:36771                  
ether1    3.145  211 -> 00:0C:42:CB:DE:62 00:24:1D:17:81:F7      10.5.101.15:8291 (winbox)          
ether1    3.183  212 <- 00:24:1D:17:81:F7 00:0C:42:CB:DE:62      10.5.101.10:36771                  
ether1    3.184  213 -> 00:0C:42:CB:DE:62 00:24:1D:17:81:F7      10.5.101.15:8291 (winbox)          
ether1    3.195  214 -> 00:0C:42:CB:DE:62 00:24:1D:17:81:F7      10.5.101.15:8291 (winbox)          
ether1    3.195  215 -> 00:0C:42:CB:DE:62 00:24:1D:17:81:F7      10.5.101.15:8291 (winbox)          
ether1    3.195  216 <- 00:24:1D:17:81:F7 00:0C:42:CB:DE:62      10.5.101.10:36771                  
ether1    3.217  217 <- 00:24:1D:17:81:F7 00:0C:42:CB:DE:62      10.5.101.10:36771                  
ether1    3.218  218 -> 00:0C:42:CB:DE:62 00:24:1D:17:81:F7      10.5.101.15:8291 (winbox)          
ether1     3.22  219 <- 00:0C:42:49:FC:EC 33:33:00:00:00:05      fe80::20c:42ff:fe49:fcec           
ether1    3.255  220 <- 00:0C:42:A1:6E:47 01:00:5E:00:00:05      192.168.15.6                       
ether1    3.256  221 <- 00:24:1D:17:81:F7 00:0C:42:CB:DE:62      10.5.101.10:36771                  
ether1    3.259  222 <- 00:24:1D:17:81:F7 00:0C:42:CB:DE:62      10.5.101.10:36771                  
ether1    3.294  223 -> 00:0C:42:CB:DE:62 00:24:1D:17:81:F7      10.5.101.15:8291 (winbox)          
ether1    3.325  224 -> 00:0C:42:CB:DE:62 00:24:1D:17:81:F7      10.5.101.15:8291 (winbox)          
ether1    3.325  225 -> 00:0C:42:CB:DE:62 00:24:1D:17:81:F7      10.5.101.15:8291 (winbox)          
ether1    3.326  226 <- 00:24:1D:17:81:F7 00:0C:42:CB:DE:62      10.5.101.10:36771                  
ether1     3.35  227 <- 00:0C:42:A8:ED:C2 33:33:00:00:00:01      fe80::20c:42ff:fea8:edc2           
ether1    3.391  228 <- 00:24:1D:17:81:F7 00:0C:42:CB:DE:62      10.5.101.10:36771                  
ether1    3.392  229 -> 00:0C:42:CB:DE:62 00:24:1D:17:81:F7      10.5.101.15:8291 (winbox)  

Note: Traffic-Generator packets will not be visible using the packet sniffer on the same interface unless fast-path parameter is set.


Download Sniffer Results

Sub-menu: /tool sniffer


Packet Sniffer results could be downloaded and viewed as file by specific program (for example Wireshark).


Property Description
file-name (string; Default: "") The name of the file where the sniffed packets will be saved to


Example

To save sniffed result to file set,

[admin@MikroTik] /tool sniffer set file-name=example

Run sniffer with required settings,

[admin@MikroTik] /tool sniffer start

Do not forget to stop sniffer after sniffing is done,

[admin@MikroTik] /tool sniffer stop


Sniffed results could be downloaded from /file by FTP client or Windows Drag-n-Drop (do not forget to use binary mode, when file is downloaded by FTP).

[admin@MikroTik] /file print
 # NAME              TYPE             SIZE                 CREATION-TIME       
 0 example           file             44092                jan/02/2010 01:11:59

[ Top | Back to Content ]