Arnt Gulbrandsen
2011-08-15

tcpdump on Mikrotik

Mikrotik RouterOS doesn't have a tcpdump command, but it has a solution for most or all of the problems I like to solve with tcpdump.

First, and easiest: tool sniffer start, then tool sniffer connection print interval=0.2; tool sniffer stop stops sniffing. This prints information about the active TCP connections the sniffer sees, refreshed every 0.2 seconds. It's not something one wants to do on a busy core router, but if the router is lightly loaded, it is a simple and quick way to see what a particular server is up to.

Second, Wireshark: a Mikrotik router can stream copies of the packets it forwards, in real time, to Wireshark running on a workstation. The copies are carried over UDP in a protocol called TZSP (default port 37008), which Wireshark understands, so it decodes the encapsulated packets as if it had captured them itself.

Start Wireshark with capture privileges (as root, or better, as an unprivileged user with dumpcap allowed to capture) and select the interface facing the Mikrotik; I will pretend the workstation has address 192.0.2.165. Apply the display filter udp.port == 37008 so that Wireshark shows only the TZSP packets it receives from the Mikrotik, not the other packets seen on the same interface. You're now ready to start streaming packets from the Mikrotik: tool sniffer set streaming-server=192.0.2.165 streaming-enabled=yes and then tool sniffer start. The Wireshark window will immediately fill up and then scroll madly, since Wireshark is showing all the traffic passing through the Mikrotik. Extend Wireshark's display filter to limit the display to what you care about, and, if the router is busy, narrow the capture on the router side too with the sniffer's filter-* settings (for example tool sniffer set filter-ip-address=... filter-port=...), so it only mirrors what you need. Leave filter-stream at its default of yes, so the TZSP stream itself is not captured and fed back into itself. Two things to keep in mind: TZSP is plain, unauthenticated UDP, so the mirrored traffic travels in cleartext and anything that can reach the workstation's port 37008 can inject frames into your capture; run this only across a management network you trust, and stop the stream (tool sniffer stop, streaming-enabled=no) when you're done.

Third, sniffing to file. tool sniffer can also write the captured traffic to a file on the router, which you can fetch by FTP and look at elsewhere. I've never done it and I have some misgivings about file size, but if you want to run e.g. tcpreplay, this is what you need. Look for tool sniffer set file-name and related options; file-limit caps the size of the file.
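If you would rather not run Wireshark at all, the TZSP stream from the second method can be received by a small program of your own and written straight to a pcap file, which serves the same purpose as the file-based sniffing of the third method (tcpdump -r, tcpreplay and so on read it directly). The following is an added example, not code from the post or from Mikrotik: it parses the TZSP header and tag list, keeps only Ethernet-encapsulated "received packet" messages, and appends them as libpcap records. The router address 192.0.2.1 and the constructed sample datagram are assumptions for illustration; the port (37008) and the workstation address (192.0.2.165) are the ones the post uses.

```python
"""Receive a Mikrotik TZSP stream and write it to a pcap file.

Added example; not the post's own code.  Assumes the Mikrotik streams
from 192.0.2.1 (assumption) to this host on UDP 37008.
"""
import socket
import struct
import time

TZSP_PORT = 37008           # UDP port the Mikrotik streams to
TZSP_VERSION = 1
TZSP_TYPE_RECEIVED = 0      # "received tag list": a mirrored packet
TZSP_ENCAP_ETHERNET = 1
TZSP_TAG_PADDING = 0x00     # single byte, no length field
TZSP_TAG_END = 0x01         # single byte; the encapsulated frame follows
DLT_EN10MB = 1              # pcap link type for Ethernet

ROUTER_ADDR = "192.0.2.1"   # assumed address of the Mikrotik (not in the post)

# Constructed sample: a TZSP datagram carrying a 20-byte Ethernet frame
# (broadcast dst MAC, a made-up src MAC, EtherType 0x0800, 6 dummy bytes).
SAMPLE_FRAME = bytes.fromhex("ffffffffffff" "0242ac110002" "0800") + b"\x00" * 6
SAMPLE_DATAGRAM = (bytes([TZSP_VERSION, TZSP_TYPE_RECEIVED])
                   + struct.pack("!H", TZSP_ENCAP_ETHERNET)
                   + bytes([TZSP_TAG_END]) + SAMPLE_FRAME)


def parse_tzsp(datagram: bytes):
    """Split one TZSP datagram into (encapsulation, {tag: value}, frame).

    Raises ValueError on anything malformed or on message types other than a
    mirrored packet, so a bad datagram never silently becomes a pcap record.
    """
    if len(datagram) < 4:
        raise ValueError("short TZSP header")
    version, msg_type, encap = struct.unpack("!BBH", datagram[:4])
    if version != TZSP_VERSION:
        raise ValueError(f"unsupported TZSP version {version}")
    if msg_type != TZSP_TYPE_RECEIVED:
        raise ValueError(f"not a received-packet message (type {msg_type})")

    tags = {}
    pos = 4
    while True:
        if pos >= len(datagram):
            raise ValueError("tag list not terminated")
        tag = datagram[pos]
        pos += 1
        if tag == TZSP_TAG_END:
            break
        if tag == TZSP_TAG_PADDING:
            continue
        if pos >= len(datagram):
            raise ValueError("tag without length byte")
        length = datagram[pos]
        pos += 1
        if pos + length > len(datagram):
            raise ValueError("tag value truncated")
        tags[tag] = datagram[pos:pos + length]
        pos += length
    return encap, tags, datagram[pos:]


def pcap_global_header(linktype=DLT_EN10MB, snaplen=65535) -> bytes:
    """24-byte libpcap file header (little-endian, microsecond timestamps)."""
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(frame: bytes, ts: float) -> bytes:
    """16-byte per-packet header followed by the frame bytes."""
    sec = int(ts)
    usec = int((ts - sec) * 1_000_000)
    return struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame


def stream_to_pcap(path, router=ROUTER_ADDR, bind_addr="0.0.0.0",
                   port=TZSP_PORT, max_packets=None) -> int:
    """Listen for TZSP from `router` and write Ethernet frames to `path`.

    Returns the number of frames written.  Datagrams from any other source
    are dropped: TZSP has no authentication, so the source address is the
    only thing keeping injected frames out of the capture.
    """
    written = 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock, \
            open(path, "wb") as out:
        sock.bind((bind_addr, port))
        out.write(pcap_global_header())
        while max_packets is None or written < max_packets:
            data, (src, _) = sock.recvfrom(65535)
            if src != router:
                continue
            try:
                encap, _tags, frame = parse_tzsp(data)
            except ValueError:
                continue
            if encap != TZSP_ENCAP_ETHERNET:
                continue
            out.write(pcap_record(frame, time.time()))
            out.flush()
            written += 1
    return written


if __name__ == "__main__":
    import sys
    count = stream_to_pcap(sys.argv[1] if len(sys.argv) > 1 else "mikrotik.pcap")
    print(f"wrote {count} frames")
```

Run it on the workstation before tool sniffer start, then point tcpdump -r or tcpreplay at the resulting file. The source-address check is deliberately strict; if the router reaches you through NAT, set router to the address the datagrams actually arrive from.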

(Q: Why didn't I add this to the wiki or forum? A: I have too many passwords already, the Mikrotik people chose not to enable OpenID on the wiki, and google will find the information here too.)