Arnt Gulbrandsen
2011-08-15

tcpdump on Mikrotik

Mikrotik RouterOS doesn't have a tcpdump command. Its built-in tool sniffer covers most, if not all, of the problems I like to solve with tcpdump, though; here are the three ways I use it.

First, and easiest: tool sniffer start, then tool sniffer connection print interval=0.2; tool sniffer stop stops sniffing. This prints the active TCP connections the sniffer has seen (endpoints, TCP state, byte counts), refreshed every 0.2 seconds. It's not something one wants to do on a busy core router, since the sniffer looks at every packet the router handles and keeps a copy of what it captures in memory, but if the router is lightly loaded this is a simple and quick way to see what a particular server is up to.

Second, Wireshark: a Mikrotik router can stream copies of the packets it sees, in real time, to a workstation using TZSP (TaZmen Sniffer Protocol), a small UDP encapsulation that Wireshark understands out of the box. Wireshark strips the TZSP header and dissects the enclosed frame exactly as if it had captured it locally.

Start Wireshark and select the interface facing the Mikrotik, which I will pretend has address 192.0.2.165. (Running Wireshark as root is the quick way; the better way on Linux is to give dumpcap the capture privileges, via capabilities or the wireshark group, so that the GUI and its dissectors run unprivileged.) Apply the filter udp.port == 37008, which is the port Wireshark decodes as TZSP by default. You're now ready to start streaming packets from the Mikrotik: tool sniffer set streaming-server=192.0.2.165 streaming-enabled=yes and then tool sniffer start. The Wireshark window will immediately fill up and then scroll madly; add to Wireshark's filter and find your answer. Two things to keep in mind: the stream is an unencrypted copy of whatever the router sees, sent over plain UDP, so only point it across a path you trust (a directly attached management port, or a VPN) and narrow it with the sniffer's filter settings (tool sniffer print shows them); and it does not stop by itself, so finish with tool sniffer stop and tool sniffer set streaming-enabled=no.
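If you would rather not run Wireshark at all on the receiving end (a headless box, or a capture you want to keep for tcpreplay), the TZSP stream is simple enough to decode by hand. The following is an added example, not code from the original post or from Mikrotik: a small receiver that parses TZSP datagrams (version 1, Ethernet encapsulation, the form Wireshark expects on UDP 37008), prints a tcpdump-style one-liner per frame, and writes the frames to a standard pcap file. The sample datagram at the bottom is constructed, not captured; it reuses the post's 192.0.2.x documentation addresses, and its IP/TCP checksums are zero because nothing here verifies them.

```python
"""TZSP receiver: decode a Mikrotik sniffer stream and save it as pcap.
Added example, not from the original post. Assumes TZSP version 1 with
Ethernet encapsulation on UDP port 37008, which is what Wireshark expects."""
import socket
import struct
import time

TZSP_PORT = 37008
TAG_PADDING, TAG_END = 0x00, 0x01
ENCAP_ETHERNET = 1

def parse_tzsp(datagram: bytes) -> dict:
    """Split a TZSP datagram into header fields, tags and the raw frame."""
    # Layout: version(1) type(1) encapsulation(2), then tags of the form
    # type(1) length(1) value; PADDING (0x00) and END (0x01) are one byte.
    if len(datagram) < 5:
        raise ValueError("datagram too short for a TZSP header")
    version, ptype, encap = struct.unpack("!BBH", datagram[:4])
    if version != 1:
        raise ValueError(f"unsupported TZSP version {version}")
    tags, i = {}, 4
    while True:
        if i >= len(datagram):
            raise ValueError("TZSP tag list not terminated")
        tag = datagram[i]
        i += 1
        if tag == TAG_PADDING:
            continue
        if tag == TAG_END:
            break
        if i >= len(datagram):
            raise ValueError("truncated TZSP tag")
        length = datagram[i]
        value = datagram[i + 1:i + 1 + length]
        if len(value) != length:
            raise ValueError("truncated TZSP tag value")
        tags[tag] = value
        i += 1 + length
    return {"type": ptype, "encap": encap, "tags": tags, "frame": datagram[i:]}

def summarize_frame(frame: bytes) -> str:
    """tcpdump-style one-liner for an Ethernet frame (IPv4 TCP/UDP only)."""
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    dst, src = mac(frame[:6]), mac(frame[6:12])
    ethertype = int.from_bytes(frame[12:14], "big")  # 0 for a truncated frame
    if ethertype != 0x0800 or len(frame) < 34:
        return f"{src} > {dst} ethertype 0x{ethertype:04x}"
    ihl = (frame[14] & 0x0F) * 4  # IPv4 header length in bytes
    proto = frame[23]
    sip, dip = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    l4 = frame[14 + ihl:]
    if proto in (6, 17) and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])
        return f"{'TCP' if proto == 6 else 'UDP'} {sip}:{sport} > {dip}:{dport}"
    return f"IP {sip} > {dip} proto {proto}"

# libpcap global header: magic, version 2.4, no TZ offset, snaplen 65535, Ethernet
PCAP_GLOBAL_HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)

def pcap_record(frame: bytes, ts: float) -> bytes:
    """pcap record header (ts_sec, ts_usec, incl_len, orig_len) plus the frame."""
    sec = int(ts)
    return struct.pack("<IIII", sec, int((ts - sec) * 1e6), len(frame), len(frame)) + frame

def receive_to_pcap(path: str, count: int, bind_addr: str = "0.0.0.0") -> int:
    """Receive `count` Ethernet frames over TZSP and write them to a pcap file."""
    written = 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock, open(path, "wb") as out:
        sock.bind((bind_addr, TZSP_PORT))
        out.write(PCAP_GLOBAL_HEADER)
        while written < count:
            datagram, _peer = sock.recvfrom(65535)
            try:
                pkt = parse_tzsp(datagram)
            except ValueError:
                continue  # malformed datagram: skip it rather than abort the capture
            if pkt["encap"] != ENCAP_ETHERNET:
                continue
            out.write(pcap_record(pkt["frame"], time.time()))
            print(summarize_frame(pkt["frame"]))
            written += 1
    return written

# Constructed sample, not captured from a real router: TZSP v1, type 0 (received),
# Ethernet encap, TAG_END, then a TCP SYN 192.0.2.10:51234 -> 192.0.2.165:22.
SAMPLE_FRAME = bytes.fromhex(
    "00112233445566778899aabb0800"      # dst MAC, src MAC, ethertype IPv4
    "45000028000040004006" "0000"       # IPv4: total len 40, DF, ttl 64, proto TCP, cksum 0
    "c000020a" "c00002a5"               # 192.0.2.10 -> 192.0.2.165
    "c8220016" "00000001" "00000000"    # TCP: 51234 -> 22, seq 1, ack 0
    "50020000" "00000000"               # data offset 5, SYN, window/cksum/urg 0
)
SAMPLE_TZSP = bytes([1, 0, 0, ENCAP_ETHERNET, TAG_END]) + SAMPLE_FRAME

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # python3 tzsp2pcap.py out.pcap
        print("wrote", receive_to_pcap(sys.argv[1], count=100), "frames")
    else:
        print(summarize_frame(parse_tzsp(SAMPLE_TZSP)["frame"]))
```

Run it with an output file name on the workstation the router streams to, then start the sniffer as above; the resulting pcap opens in Wireshark and feeds tcpreplay directly. Binding the port also has a side benefit: if nothing on the workstation listens on UDP 37008, the kernel answers every streamed datagram with an ICMP port unreachable, which is harmless but adds noise to the very traffic you are trying to look at (Wireshark itself does not bind the port, it captures from the interface).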

Third, sniffing to file. tool sniffer can also write what it captures to a pcap file in the router's storage, which you can then copy elsewhere and open in Wireshark. The post-2011 way is FTP; if the router's SSH service is enabled, SFTP or scp from the same router works too and keeps both the capture and your login out of cleartext on the wire. I've never done it and I have some misgivings about file size, but if you want to run e.g. tcpreplay, this is what you need. Look for tool sniffer set file-name and related options such as file-limit, which caps the file size in KiB.

(Q: Why didn't I add this to the wiki or forum? A: I have too many passwords already, the Mikrotik people chose not to enable OpenID on the wiki, and google will find the information here too.)