Manual:Tools/Packet Sniffer: Difference between revisions

From MikroTik Wiki
Jump to navigation Jump to search
(No difference)

Revision as of 07:59, 13 August 2010


Applies to RouterOS: v2.9, v3, v4+


Sub-menu: /tool sniffer
Packages required: system

Packet sniffer is a tool that can capture and analyze packets that are going to, leaving or going through the router (except the traffic that passes only through the switch chip).

Packet Sniffer Configuration

Sub-menu: /tool sniffer

Property Description
file-limit (integer 10..1000000000; Default: 10) The limit of the file in KB. Sniffer will stop after this limit is reached
file-name (string; Default: "") The name of the file where the sniffed packets will be saved to
filter-address1 (IP address/netmask:port; Default: The first address to filter
filter-address2 (IP address/netmask:port; Default: The second address to filter
filter-protocol (all-frames | ip-only | mac-only-no-ip; Default: ip-only) Filter specific protocol
  • ip-only - Sniff IP packets only
  • all-frames - Sniff all packets
  • mac-only-no-ip - Sniff non-IP packets only
filter-stream (yes | no; Default: no) Sniffed packets that are devised for sniffer server are ignored
interface (all | ether1 | ...; Default: all) Interface management
memory-limit (integer 10..4294967295; Default: 10) Memory amount reached in KB to stop sniffing
memory-scroll (yes | no; Default: no)
only-headers (yes | no; Default: no) Save in the memory only packet's headers not the whole packet
running (read-only) If the sniffer is started then the value is yes otherwise no
streaming-enabled (yes | no; Default: no) Defines whether to send sniffed packets to sniffer's server or not
streaming-server (ip address; Default: ) Tazmen Sniffer Protocol (TZSP) stream receiver


filter-address1 and filter-address2 are used to specify the two participients in communication (i.e. they will match only in the case if one of them matches the source address and the other one matches the destination address of a packet). These properties are taken in account only if filter-protocol is ip-only.


In the following example streaming-server will be added, streaming will be enabled, file-name will be set to test and packet sniffer will be started and stopped after some time:

[admin@MikroTik] tool sniffer> set streaming-server= \
\... streaming-enabled=yes file-name=test
[admin@MikroTik] tool sniffer> print
            interface: all
         only-headers: no
         memory-limit: 10
            file-name: "test"
           file-limit: 10
    streaming-enabled: yes
        filter-stream: yes
      filter-protocol: ip-only
              running: no
[admin@MikroTik] tool sniffer> start
[admin@MikroTik] tool sniffer> stop

Running Packet Sniffer

Commands: /tool sniffer start, /tool sniffer stop, /tool sniffer save

The commands are used to control runtime operation of the packet sniffer. The start command is used to start/reset sniffering, stop - stops sniffering. To save currently sniffed packets in a specific file save command is used.


In the following example the packet sniffer will be started and after some time - stopped:

[admin@MikroTik] tool sniffer> start
[admin@MikroTik] tool sniffer> stop

Below the sniffed packets will be saved in the file named test:

[admin@MikroTik] tool sniffer> save file-name=test
[admin@MikroTik] tool sniffer> /file print
  # NAME                           TYPE         SIZE       CREATION-TIME
  0 test                           unknown      1350       apr/07/2003 16:01:52
[admin@MikroTik] tool sniffer>

Sniffed Packets

Sub-menu: /tool sniffer packet

This sub-menu allows to see the list of sniffed packets.

Property Description
data (read-only: text) Specified data inclusion in packets
direction (read-only: in | out) Indicates whether packet is entering (in) or leaving (out) the router
dscp (read-only: integer) IP DSCP field value
dst-address (read-only: IP address) Destination IP address
fragment-offset (read-only: integer) IP fragment offset
identification (read-only: integer) IP identification
interface (read-only: name) Name of the interface the packet has been captured on
ip-header-size (read-only: integer) The size of IP header
ip-packet-size (read-only: integer) The size of IP packet
ip-protocol (read-only: ddp | egp | encap | ggp | gre | hmp | icmp | icmpv6 | dpr-cmt | igmp | ip | ipencap | ipip | ipsec-ah | ipsec-esp | iso-tp4 | ospf | pim | pup | rdp | rspft | st | tcp | udp | vmtp | vrrp | xns-idp | xtp) The name/number of IP protocol
protocol (read-only: ip | arp | rarp | ipx | ipv6) The name/number of ethernet protocol
size (read-only: integer) Size of packet
src-address (read-only: IP address) Source IP address
src-mac (read-only: MAC address) Source MAC address
data (read-only: string) IP data
tcp-flags (read-only: ack | cwr | ece | fin | psh | rst | syn | urg) TCP flags
time (read-only: time) Time when packet arrived
ttl (read-only: integer) IP Time To Live
vlan-id (read-only: integer) VLAN-ID of the packet
vlan-priority (read-only: integer) VLAN-Priority of the packet

Packet Sniffer Protocols

Sub-menu: /tool sniffer protocol

In this submenu you can see all kind of protocols that have been sniffed.

Property Description
bytes (read-only: integer) Total number of data bytes
ip-protocol (read-only: ddp | egp | encap | ggp | gre | hmp | icmp | icmpv6 | dpr-cmt | igmp | ip | ipencap | ipip | ipsec-ah | ipsec-esp | iso-tp4 | ospf | pim | pup | rdp | rspft | st | tcp | udp | vmtp | vrrp | xns-idp | xtp) IP protocol
packets (read-only: integer) The number of packets
port (read-only: integer) The port of TCP/UDP protocol
protocol (read-only: ip | arp | rarp | ipx | ipv6) The name/number of the protocol
share (read-only: decimal) Specific type of traffic compared to all traffic in bytes


[admin@MikroTik] tool sniffer protocol> print
  0 ip                              77        4592    100 %
  1 ip       tcp                    74        4328    94.25 %
  2 ip       gre                    3         264     5.74 %
  3 ip       tcp      22 (ssh)      49        3220    70.12 %
  4 ip       tcp      23 (telnet)   25        1108    24.12 %
[admin@MikroTik] tool sniffer protocol>

Packet Sniffer Host

Sub-menu: /tool sniffer host

The submenu shows the list of hosts that were participating in data excange you've sniffed.

Property Description
address (read-only: IP address) IP address of the host
peek-rate (read-only: integer/integer) The maximum data-rate received/transmitted
rate (read-only: integer/integer) Current data-rate received/transmitted
total (read-only: integer/integer) Total packets received/transmitted


In the following example we'll see the list of hosts:

[admin@MikroTik] tool sniffer host> print
  # ADDRESS       RATE         PEEK-RATE           TOTAL
  0      0bps/0bps    704bps/0bps         264/0
  1    0bps/0bps    6.24kbps/12.2kbps   1092/2128
  2    0bps/0bps    12.2kbps/6.24kbps   2994/1598
  3    0bps/0bps    1.31kbps/4.85kbps   242/866
[admin@MikroTik] tool sniffer host>

Packet Sniffer Connections

Sub-menu: /tool sniffer connection

Here you can get a list of the connections that have been watched during the sniffing time.

Property Description
active (read-only: yes | no) Indicates whether connection is active or not
bytes (read-only: integer/integer) Bytes in the current connection
dst-address (read-only: IP address:port) Destination address
mss (read-only: integer/integer) Maximum segment size
resends (read-only: integer/integer) The number of packets resends in the current connection
src-address (read-only: IP address:port) Source address


The example shows how to get the list of connections:

[admin@MikroTik] tool sniffer connection> print
Flags: A - active
  #   SRC-ADDRESS       DST-ADDRESS             BYTES     RESENDS   MSS
  0 A (telnet)  6/42      60/0      0/0
  1 A (ssh)     504/252   504/0     0/0
[admin@MikroTik] tool sniffer connection>

[ Top | Back to Content ]