Manual:Tools/Packet Sniffer

From MikroTik Wiki
< Manual:Tools
Revision as of 13:16, 14 May 2010 by Kirshteins (talk | contribs) (Packet Sniffer Configuration)
Jump to: navigation, search

(needs editing)

Version.png

Applies to RouterOS: v2.9, v3, v4+

Summary

Sub-menu: /tool sniffer
Packages required: system


Packet sniffer is a tool that can capture and analyze packets that are going to, leaving or going through the router (except the traffic that passes only through the switch chip).

Packet Sniffer Configuration

Sub-menu: /tool sniffer


Property Description
interface (integer 10..1000000000; Default: 10) The limit of the file in KB. Sniffer will stop after this limit is reached
file-name (string; Default: "") The name of the file where the sniffed packets will be saved to
filter-address1 (IP address/netmask:port; Default: 0.0.0.0/0:0-65535) The first address to filter
filter-address2 (IP address/netmask:port; Default: 0.0.0.0/0:0-65535) The second address to filter
filter-protocol (all-frames | ip-only | mac-only-no-ip; Default: ip-only) Filter specific protocol
  • ip-only - Sniff IP packets only
  • all-frames - Sniff all packets
  • mac-only-no-ip - Sniff non-IP packets only
filter-stream (yes | no; Default: no) Sniffed packets that are devised for sniffer server are ignored
interface (all | ether1 | ...; Default: all) Interface management
memory-limit (integer 10..4294967295; Default: 10) Memory amount reached in KB to stop sniffing
memory-scroll (yes | no; Default: no)
only-headers (yes | no; Default: no) Save in the memory only packet's headers not the whole packet
running (read-only) If the sniffer is started then the value is yes otherwise no
streaming-enabled (yes | no; Default: no) Defines whether to send sniffed packets to sniffer's server or not
streaming-server (ip address; Default: ) Tazmen Sniffer Protocol (TZSP) stream receiver

Notes

filter-address1 and filter-address2 are used to specify the two participients in communication (i.e. they will match only in the case if one of them matches the source address and the other one matches the destination address of a packet). These properties are taken in account only if filter-protocol is ip-only.

Example

In the following example streaming-server will be added, streaming will be enabled, file-name will be set to test and packet sniffer will be started and stopped after some time:

[admin@MikroTik] tool sniffer> set streaming-server=192.168.0.240 \
\... streaming-enabled=yes file-name=test
[admin@MikroTik] tool sniffer> print
            interface: all
         only-headers: no
         memory-limit: 10
            file-name: "test"
           file-limit: 10
    streaming-enabled: yes
     streaming-server: 192.168.0.240
        filter-stream: yes
      filter-protocol: ip-only
      filter-address1: 0.0.0.0/0:0-65535
      filter-address2: 0.0.0.0/0:0-65535
              running: no
[admin@MikroTik] tool sniffer> start
[admin@MikroTik] tool sniffer> stop

Running Packet Sniffer

Sniffed Packets

Packet Sniffer Protocols

Packet Sniffer Host

Packet Sniffer Connections

[ Top | Back to Content ]

Retrieved from "https://wiki.mikrotik.com/index.php?title=Manual:Tools/Packet_Sniffer&oldid=17478"