Manual:Tools/Packet Sniffer

From MikroTik Wiki
< Manual:Tools
Revision as of 15:15, 14 May 2010 by Kirshteins (talk | contribs) (Sniffed Packets)
Jump to: navigation, search

(needs editing)


Applies to RouterOS: v2.9, v3, v4+


Sub-menu: /tool sniffer
Packages required: system

Packet sniffer is a tool that can capture and analyze packets that are going to, leaving or going through the router (except the traffic that passes only through the switch chip).

Packet Sniffer Configuration

Sub-menu: /tool sniffer

Property Description
interface (integer 10..1000000000; Default: 10) The limit of the file in KB. Sniffer will stop after this limit is reached
file-name (string; Default: "") The name of the file where the sniffed packets will be saved to
filter-address1 (IP address/netmask:port; Default: The first address to filter
filter-address2 (IP address/netmask:port; Default: The second address to filter
filter-protocol (all-frames | ip-only | mac-only-no-ip; Default: ip-only) Filter specific protocol
  • ip-only - Sniff IP packets only
  • all-frames - Sniff all packets
  • mac-only-no-ip - Sniff non-IP packets only
filter-stream (yes | no; Default: no) Sniffed packets that are devised for sniffer server are ignored
interface (all | ether1 | ...; Default: all) Interface management
memory-limit (integer 10..4294967295; Default: 10) Memory amount reached in KB to stop sniffing
memory-scroll (yes | no; Default: no)
only-headers (yes | no; Default: no) Save in the memory only packet's headers not the whole packet
running (read-only) If the sniffer is started then the value is yes otherwise no
streaming-enabled (yes | no; Default: no) Defines whether to send sniffed packets to sniffer's server or not
streaming-server (ip address; Default: ) Tazmen Sniffer Protocol (TZSP) stream receiver


filter-address1 and filter-address2 are used to specify the two participients in communication (i.e. they will match only in the case if one of them matches the source address and the other one matches the destination address of a packet). These properties are taken in account only if filter-protocol is ip-only.


In the following example streaming-server will be added, streaming will be enabled, file-name will be set to test and packet sniffer will be started and stopped after some time:

[admin@MikroTik] tool sniffer> set streaming-server= \
\... streaming-enabled=yes file-name=test
[admin@MikroTik] tool sniffer> print
            interface: all
         only-headers: no
         memory-limit: 10
            file-name: "test"
           file-limit: 10
    streaming-enabled: yes
        filter-stream: yes
      filter-protocol: ip-only
              running: no
[admin@MikroTik] tool sniffer> start
[admin@MikroTik] tool sniffer> stop

Running Packet Sniffer

Commands: /tool sniffer start, /tool sniffer stop, /tool sniffer save

The commands are used to control runtime operation of the packet sniffer. The start command is used to start/reset sniffering, stop - stops sniffering. To save currently sniffed packets in a specific file save command is used.


In the following example the packet sniffer will be started and after some time - stopped:

[admin@MikroTik] tool sniffer> start
[admin@MikroTik] tool sniffer> stop

Below the sniffed packets will be saved in the file named test:

[admin@MikroTik] tool sniffer> save file-name=test
[admin@MikroTik] tool sniffer> /file print
  # NAME                           TYPE         SIZE       CREATION-TIME
  0 test                           unknown      1350       apr/07/2003 16:01:52
[admin@MikroTik] tool sniffer>

Sniffed Packets

Sub-menu: /tool sniffer packet

This sub-menu allows to see the list of sniffed packets.

Property Description
data (read-only: text) Specified data inclusion in packets
direction (read-only)
dscp (read-only: integer) IP DSCP field value
dst-address (read-only: IP address) Destination IP address
fragment-offset (read-only: integer) IP fragment offset
identification (read-only: integer) IP identification
interface (read-only: name) Name of the interface the packet has been captured on
ip-header-size (read-only: integer) the size of IP header
ip-packet-size (read-only: integer) the size of IP packet
ip-protocol (read-only: ddp | egp | encap | ggp | gre | hmp | icmp | icmpv6 | dpr-cmt | igmp | ip | ipencap | ipip | ipsec-ah | ipsec-esp | iso-tp4 | ospf | pim | pup | rdp | rspft | st | tcp | udp | vmtp | vrrp | xns-idp | xtp) the name/number of IP protocol
protocol (read-only: ip | arp | rarp | ipx | ipv6) The name/number of ethernet protocol
size (read-only: integer) Size of packet
src-address (read-only: IP address) source IP address
src-mac (read-only: MAC address) Source MAC address
data (; Default: )
tcp-flags (; Default: )
time (read-only: time) time when packet arrived
ttl (read-only: integer) IP Time To Live
vlan-id (read-only: integer;) VLAN-ID of the packet
vlan-priority (read-only: integer) VLAN-Priority of the packet

Packet Sniffer Protocols

Packet Sniffer Host

Packet Sniffer Connections

[ Top | Back to Content ]