Port Mirroring and Streaming

These next two methods are pretty handy and can make you look oh-so-cool to your lesser tech friends and coworkers.  Your name will be spoken in the same breath as the words “Guru”, “Brain”, 2017-02-23_10-46-23“THE Brain”, “The Brainster” and so on – you get the idea which, by the way, is the goal of these articles.  Sales people and  project managers will ask for you by name  “ …. and make sure Brain Man is at the job when we have to do this cut over so if any weird  issues come up with their network or the carrier, he can handle it  …”

Which one you  use the most will depend on how you service your customers (if you have a choice) and your circumstances.  With port mirroring, for example, you will most likely be on site.  For streaming, though, you can be anywhere as long as the Internet connection is good.  In either case the objective is to give you a means of being able to get granular with the best method possible.

Port Mirroring

Aka port spanning (if you have a Cisco-like back ground) and it usually goes like this;

You plug a device in a certain port of your Mikrotik (eg port 3) and have all the packets copied/echoed/mirrored  to port 4 where your pc is running Wireshark.  You can do it one of two ways – command line or through the “Switch” tab via Winbox.

Via Command Line

From Telnet, SSH or New Terminal, just do this;2017-02-22_23-45-57

You would think that the wiki.mikrotik rendition of this would have been something along this line but … no.  So what exactly is meant by “switch1”?  Well, I’ll tell you.2017-02-23_0-51-25

In order to do port mirroring, the physical ports have to be on the same physical switch.  On the smaller router boards like the 751/951 series there is only one physical switch and the way you know this is by going to Switch/Port in Winbox and seeing how many switches (i.e. physical switches) there are and which port is on which switch.  You can also see this under Interfaces/Ethernet and click on the particular interface or add the ‘switch’ column to be displayed and you will see it there.  An RB3011 will have two switches.  Ports 1 through 5 are on switch 1 and 6 through 10 are on switch 2.  On that device, for example, you could  mirror port 1 to port 4 but not to port 6.  Another footnote, even though they can’t mirror 1 to 6, they can still be on the same logical bridge. There are reasons why the physical switches are segmented like that … but I’m not going to go into them.  For an in-depth explanation and description of how Mikrotik  designs their switches, get Steve Discher’s book “RouterOS by Example, 2nd Edition” and read chapter 18.  Click here (after you finish reading this!) to read my review of his book and click here to go to ISP Supplies to order it.2017-02-25_20-46-54

Via WinBox

Go to Switch/ and right away you will see under the first tab, “Switch”, the name, type and  – ta-daaa! –Mirror Source and Mirror Target.  Talk about being hidden in plain sight!  Of course, how many times have you actually had a reason to go to this section?  Oddly enough, you won’t see this mentioned anywhere in the wiki – just sayin’.  So enter the Source/Target accordingly and you’re good to go.  Test this by plugging your PC in eg port 4 (or whatever you set the Mirror Target to be) with Wireshark running and then some device on the Mirror Source port.  Without port mirroring set up, ping the device from the router using Tools/Ping and source it from the Bridge.  You should not see any of the ICMP traffic going back and forth from the router to the device.  Next, set the source and target for mirroring and start pinging again.  If you did it right, you will see the ICMP packets from the Mikrotik hitting the device and the replies.

The upshot of all of this is that you now have a simple – and cool – method of doing “on-the-fly” port mirroring on premise that is both convenient AND portable.

“Portable?” you ask?  Oh yes!2017-02-25_20-52-40

Before I got into RouterOS, I would carry around a little Dual-Comm (www.dual-comm.com) mirrored switch (still do and I’ll explain why in a minute) – cost is about $70 plus shipping.  As of this article, the newer RB952Ui’s are under that and it’s a router and it has WiFi so in effect you get a Leatherman multi-tool version of a device versus a single tool device.  You can also run a regular packet sniffer session while mirroring if you have to leave your Mikrotik device there for some reason.

There are, however,  2 potential issues;

  1. If you do a lot of VoIP and the phones/devices are all PoE, you’re going to need a power supply for that device to work. Even though you see “PoE” on the switch ports, that’s for another Mikrotik device and NOT your VoIP phone.
  2. Again power related, the Dual-Comm can be powered by your pc’s USB port and the Mikrotik cannot.

I therefore carry both since they are both very small.  Believe it or not, there are places that I work at that don’t use a Mikrotik router! (I know, I know but I’m a charitable guy and have a passion for the uninformed and less fortunate).  So  If I am on a site that does not have a Mikrotik router  and need to do a packet capture, I’ll whip out the Mikrotik and put it on the device/network in question.  One safety tip with that scenario, be sure to turn DHCP off of the Mikrotik – things can get really awkward if you don’t.

Oh, and trust me, there are a lot of things you can do with a Mikrotik behind someone else’s network which I’ll cover in later installments.


On the surface, this method is pretty straight forward.  Under Tools/Packet Sniffer/Streaming check the Streaming Enable check box and the destination server IP that you are running Wireshark on.  Click on the Filter Stream check box and in the Filter tab, at a minimum, choose an interface and direction.  Click Apply and then Start to begin streaming.  Bt2017-02-26_12-49-38w, here’s a tip, you can run a regular packet capture AND stream at the same time.  To do this, just fill in the normal information you would in the General tab.  Both processes are executed when you hit Start.

The first time you try this, have your laptop/pc on the LAN and make sure you have Wireshark running – it’s pretty simple and at least you will know it works.  Once you get comfortable, try running it through a pptp connection from the site to your office.  When you get really brave and have some time, forward it to your WAN and build some firewall rules that send it to your Wireshark pc at the office – btw  that’s when it can get involved and not so straight forward.  It’s all do-able (having done it) – my personal preference is either through an MPLS or pptp connection if I can’t be on site.  Keep in mind too that streaming is real-time and all the display rules that you know and love about Wireshark apply just as though you were on premise.  Cool right?  Maybe, maybe not.

Here’s the caveat ….

RouterOS has a very clever method of remote capturing – and then streaming – by pre-pending a frame with a TZSP (Tazmen Sniffer Protocol)   header and putting everything in a upd packet.  That means 2 important things;

  • Instead of being a layer 2 packet you now have a Layer 3 – and routable – packet. So, in theory and in practice, you can stream a packet capture session to a remote pc running Wireshark to just about anywhere.
  • When you look at the packets, it will definitely throw you off at first. You will see 2 sets of Ethernet headers (one from the remote network and one from the local one) and, similar to an ICMP packet, you will see 2 sets of IP headers followed by the rest of the packet’s contents.  Fortunately Wireshark can dissect this so in the Protocol column you will still see ARP, TCP, HTTP,  DHCP and so on.  In the capture image below, you can see that Wireshark identified the TZSP method and then correctly identified packet 1813 it as TCP.  Once the SYN, SYN/ACK, ACK part of the standard TCP handshake is completed, Wireshark then correctly dissects it as an HTTP session.

If you plan on streaming to an offsite server just remember that you are going to take up bandwidth equivalent to whatever you are capturing.  So if your interface is the bridge and there is no other filter in play,  you will get ALL the traffic – including things that are normally not routed such as ARP, Multicasts and DHCP –  transported to you through the customer’s Internet connection. Btw, Tazmen uses UDP port 37008 so be sure to set up your Firewall/NAT rules accordingly if you are shipping this information off-premise.2017-02-26_14-06-40

Final Thoughts

So now you know all the packet capture “magic” that a Mikrotik can do – at least the ones I know about.  Of the 3, I tend to just remote in and start a capture using the settings in the General tabs and filter.  However, there have been a handful of times when I’ve had to do the others.  And while I alluded to it earlier, I’ll spell it out for you here – all of these methods can be done concurrently!  Why you would do that is another story and maybe another entry.  If you have a story where you did that, let me know.

Next month, Cool Things you Can Do with The Dude!