CALEA

From MikroTik Wiki
Revision as of 12:09, 18 May 2007 by Normis

The Communications Assistance for Law Enforcement Act (CALEA) requires routers to be able to intercept and log network traffic. RouterOS provides this facility by means of firewall rules. RouterOS can also function as a data retention server if the additional calea package is installed.

Intercepting Packet Flow

The IP firewall filter has two additional actions:

  • sniff - generates a pcap stream that can be directed to any Wireshark (Ethereal) capture server
  • sniff-pc - generates a Packet Cable stream that can be directed to a MikroTik RouterOS system with the calea package installed

When either action is selected, the following options become available:

  • sniff-id (Packet Cable protocol only) - case ID of the packet stream, used to tell separate traffic sets apart (e.g., different users, or client traffic versus server traffic)
  • sniff-target - IP address of the data retention server
  • sniff-target-port - TCP port that the data retention server is listening on

Data Retention Server

The calea package provides an additional tool menu, /tool calea, that allows saving selected incoming data streams to a file. The server creates a separate set of files for each packet stream (one data file and, if configured, one hash file). The files do not grow indefinitely: once a certain limit is reached, a new set of files is created for that stream. The limit is specified both as a size and as a time span, and whichever is reached first triggers the rollover.

Add a rule with the following properties:

  • case-id - case ID set by the intercepting router
  • intercept-ip - IP address of the intercepting router (IP address to receive the stream from)
  • intercept-port - TCP port to listen on (port to receive the stream on)
  • action - storage format (only pcap for now)
  • pcap-file-stop-interval - maximum interval between creating new filesets, if the size limit is not reached earlier
  • pcap-file-stop-size - maximum size of a data file before a new fileset is created
  • pcap-file-hash-method - hashing algorithm (md5 or sha1) for the data file (saved once the data file is completed and closed); no file is created if set to none
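Both halves of the setup described above, written out as an added example rather than text from the wiki page: the intercepting router mirrors one subscriber's forwarded traffic as a Packet Cable stream, and the retention server stores that case as pcap with hourly/100 MB rollover and a SHA-1 hash of each closed data file. Only the parameter names come from the page; the chain and address matchers, the case ID, all IP addresses and ports, and the value formats (1h, 100M) are assumptions.

```routeros
# Intercepting router (constructed example): send the forwarded traffic of
# subscriber 10.0.0.25 (assumed address) to the retention server 192.0.2.10
# (assumed) as a Packet Cable stream tagged with case ID 1001 (assumed).
/ip firewall filter
add chain=forward src-address=10.0.0.25 action=sniff-pc sniff-id=1001 \
    sniff-target=192.0.2.10 sniff-target-port=5555 \
    comment="case 1001 - traffic from subscriber"
add chain=forward dst-address=10.0.0.25 action=sniff-pc sniff-id=1001 \
    sniff-target=192.0.2.10 sniff-target-port=5555 \
    comment="case 1001 - traffic to subscriber"

# Retention server with the calea package installed (constructed example):
# accept case 1001 from the intercepting router 198.51.100.1 (assumed) on
# the same TCP port, store it as pcap, start a new fileset every hour or at
# 100 MB, whichever comes first, and write a SHA-1 hash of each data file
# once it is completed and closed.
/tool calea
add case-id=1001 intercept-ip=198.51.100.1 intercept-port=5555 action=pcap \
    pcap-file-stop-interval=1h pcap-file-stop-size=100M \
    pcap-file-hash-method=sha1
```

The sniff-target-port on the router and the intercept-port on the server must match, and the server's intercept-ip must be the address the router actually sources the stream from, otherwise the stream is silently not stored.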