You might say that I’m renewing my vows to Wireshark this year as I am once again going to “cert-up” on my WCNA which expired a couple of years ago (it’s good for 3 years). And to be honest, before becoming a Mikrotik “true believer” I was heavily into the network/packet analysis world – still am. Steve Discher pointed out in his recent book “Router OS by Example – 2nd Edition” that the tools you get built in with Mikrotik are pretty good and, in my opinion, easy to use. That said, there are ways to screw it up even on something as seemingly straight forward as running a packet capture session on a Mikrotik device. So this month’s blog is on how to properly do a packet capture using the “Packet Sniffer” Tool in Router OS. I am going to assume you plan on using Wireshark so the file extensions will be ‘pcap’ or ‘pcapng’. In this series we will cover three ways or “methods” of doing a packet capture. And in this blog we’ll be covering the first and most commonly used one.
The three methods are;
- Create a pcap/pcapng file within the router and then download it to your PC
- Stream the capture to a pc running Wireshark
- Port Mirroring aka Port Spanning
In my opinion, you will likely do Method 1 most of the time since you can do this without having to be on site -. I’m all for not having to go there unless you have to.
To Do This The Simple Way ….
Under Tools you’ll see Packet Sniffer sandwiched between Netwatch and Ping. Click on it and Packet Sniffer Settings comes up at the General tab [image]. There are 4 fields you can change and sometimes you do and sometimes you don’t.
Memory Limit: the default is 100k. Just leave it.
Only Headers [this is a check box] – In theory, this is supposed to give you the packet less the data segment. This essentially truncates (fancy work for “cuts off”] a portion of the packet header limiting the total size of the packet to 60 bytes. The reasoning behind this is that the IP and TCP/UDP header will be between 40 and maybe 48 bytes (if there are TCP options set) plus the Ethernet header of 14 bytes. This is fine if all you’re looking for is general flow of if for some reason you are really pressed for space. Unfortunately, most of the time you are going to be interested in the content (i.e. the data portion of the packet) and therefore this approach, while great on space will come up short when it comes to trouble shooting the details of a problem.
File Limit: This is where you might tweak the values depending on what you’re looking for, how big a net you want to cast and how much bandwidth you have to transfer the file you create. Frankly, unless you’re on a low traffic network, 1000kb or 1Mb is not a lot. Once the size limit is reached, the capture stops but it will still say “running” in the status bar and you will still have to click “Stop” to stop the capture.
Tip – Packet capture files can get REALLY big, really fast even in a semi-busy network so plan on bumping this up to 10Mb or even 30Mb. Remember, you’re going to have to transfer this file to your PC when things are done so make sure you account for that as well. Be sure to delete it as well since you are taking up physical memory in the router. Wireshark purists will say that 32MB to 64MB is ideal but to be honest, I’ve gone up to 300Mb before it begins to choke. And again to be honest, if/when that happens, I’ll break it up into smaller chunks depending on what I’m looking for.
Moving on to the next set of buttons on the right which will be there and function on any of the tabs
OK, Cancel and Apply are pretty obvious. If you make any changes to the General tab and then press “OK” it will save the changes and close the window. Apply saves them and keeps the window open and Cancel just closes the window without saving anything. It can’t be more intuitive!
Start will start the packet capture – be sure to have the file name in there otherwise you will get an error. When you click on Start, two things will change, the “stopped” status will change to “running” and if you have a look at the File List window you will see the capture file appear and incrementing in size according to how much it is capturing. Once the File limit is reached you will see the size stop incrementing.
Stop will, you guessed it, stop the capture.
The next four buttons are interesting because I never really paid attention to them until I started to write this article. They are all real-time windows that you can open while the capture is in progress and see – in a crude way – what is being captured.
Packets – This window’s header will say “Packet Sniffer Packets” (sort of redundant …) and will show the packets coming across the wire in real time and basic header information. For example, you can see the Winbox login port number, Source and destination addresses and so on. It can tell you about the packet down to the transport layer – i.e. whether it’s tcp or udp – but no further. So you will not be able to tell if the tcp connection is http or an ftp session unless you know the ports (80 and 21 btw). There are more columns available than I’m showing in this screen capture and you can pick and choose which ones you want to display while running the capture. I do a lot of VoIP work so the TOS (Type Of Service, kind of an old term fyi) was nice as it showed the decimal value of the DSCP field in the IP header. That’s very helpful when you want to program the router for QoS. VLan ID is nice if you have to work with virtual LANs .
Connections will show you the sessions it has detected during the capture
Protocols – well this is more of a packet counter for IP packets (which is everything but arps) and whether it’s tcp/udp and the port. It has limited usefulness unless you are in search of very basic stuff.
How NOT to use Filters
I’m going to skip the “Streaming” tab since we’ll cover that in the follow up to this entry and as far as the “Filter” tab is concerned there are a few guidelines I highly recommend you follow (these guidelines apply to any of the capture methods);
- Pick an interface – whether it is “all” or one of those listed in the drop down menu. If you don’t pick one, you will still get a packet capture but there will not be any MAC addresses for any of the devices. Strange and I did not realize this until I had to find a hardware address and realized it was not there.
- Leave the “Direction” to “any” – unless you have a really really really (and I mean REALLY) good reason to capture just one direction (and I can’t think of one) don’t mess with it.
- Leave everything else blank – so you capture everything. I can’t tell you how many times someone gave me a capture file and excluded udp or bootp (that’s DHCP) or something along those lines because he only wanted to capture what he considered “traffic of interest”. News flash – It’s ALL INTERESTING !!
Once the capture is completed the next step is to get it from the router to your PC. Easy – just click on the file and drag it to your desktop. If it’s a big file, you’ll see the progress status as it moves over. If you already have Wireshark installed on your pc, it will automatically show it as a Wireshark file type (as long as you appended pcap or pcapng) and you’re done.
Next stop, Streaming and Port Mirroring.
See you then!
Copyright Eric Knaus, www.mikrotikminute.com, Jan 2017