Obsidean_VM/01-Documentation/Routers/Mikrotik - Network Redes/Wireshark - Sniffer capture.md
2025-02-18 05:37:27 -03:00
# Packet Sniffer
## 1) Wireshark Installation
On Fedora, install Wireshark with:
```
$ sudo dnf install wireshark
```
Then add your user to the “wireshark” group so it can capture without running as root:
```
$ sudo usermod -a -G wireshark "$USER"
```
Then log out and log in again for the usermod change to take effect, or simply reboot your system:
```
$ sudo reboot
```
## 2) Configure Wireshark filter
In the Wireshark menu, click on “Capture” and then select “Capture Filters”.
A new window with the capture filters will open.
Click the “+” button to add a new line to the list. On the added line, enter a name for the filter (for example “MikroTik sniffing”) and set “**udp port 37008**” as the filter expression.
## 3) Start the capture in Wireshark
On Wireshark's main screen, select the filter you just created (click on the small green flag) and then start the capture.
## 4) Configure MikroTik router to forward captured traffic
You can do this configuration via SSH, Telnet, WinBox or WebFig.
I will show you how to do this via SSH/Telnet.
First, connect to the device (ssh in my example):
```
ssh ADMIN_USER@IP_ADDRESS_OF_YOUR_ROUTER -p PORT
```
Then configure sniffer options:
```
# enable streaming and point it at the host running Wireshark
/tool sniffer set streaming-enabled=yes streaming-server=192.168.1.100
# capture on both radios
/tool sniffer set filter-interface=wlan1,wlan2
# only keep packets to/from this one host
/tool sniffer set filter-ip-address=192.168.1.150/32
```
- **streaming-enabled**: enables forwarding of captured packets.
- **streaming-server**: IP address of the host where Wireshark is running. The forwarded packets travel unencrypted over UDP to this host, so it should be reachable only over a network path you trust.
- **filter-interface**: interface(s) where the capture will happen. (In my case, I have two radios, 2.4 GHz & 5 GHz, and I selected both.)
- **filter-ip-address**: limits the sniffing to specific IP address(es). (In my case, I selected only the IP of my Smart TV, as I wanted to see what kind of traffic it sends to and receives from the Internet.)
Start the capture:
```
/tool sniffer start
```
Review the sniffer status:
```
[MYUSER@MikroTik] > /tool sniffer print
only-headers: no
memory-limit: 100KiB
memory-scroll: yes
file-name:
file-limit: 1000KiB
streaming-enabled: yes
streaming-server: 192.168.1.100
filter-stream: yes
filter-interface: wlan1,wlan2
filter-mac-address:
filter-mac-protocol:
filter-ip-address: 192.168.1.150/32
filter-ipv6-address:
filter-ip-protocol:
filter-port:
filter-cpu:
filter-size:
filter-direction: any
filter-operator-between-entries: or
running: yes
```
Stop capture:
```
/tool sniffer stop
```
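To confirm that the router is actually streaming to your host before you start hunting in the Wireshark GUI, it helps to know what arrives on UDP 37008: MikroTik wraps each captured frame in a TZSP header (version, type, encapsulated protocol, a short tag list ending with tag 0x01, then the raw Ethernet frame), which is why the capture filter above is simply `udp port 37008`. The script below is an added example written for this note; it is not part of the original post, MikroTik's RouterOS, or Wireshark. The function names (`parse_tzsp`, `parse_ethernet_ipv4`, `matches_sniffer_filter`, `listen`) are my own, and `build_sample_datagram` fabricates a small constructed packet (a DNS query from 192.168.1.150, the filter address used above) so the decoder can be exercised offline. It also checks each decoded packet against the `filter-ip-address` you configured, which quickly shows whether the router-side filter is doing what you expect.

```python
import socket
import struct

TZSP_PORT = 37008            # UDP port the MikroTik sniffer streams to (the Wireshark filter above)
TZSP_TAG_PADDING = 0x00      # single-byte tag, no length field
TZSP_TAG_END = 0x01          # single-byte tag that terminates the tag list
TZSP_ENCAP_ETHERNET = 1      # encapsulated protocol value for Ethernet frames


def parse_tzsp(datagram):
    """Split one TZSP datagram into header fields, tag list and the encapsulated frame."""
    if len(datagram) < 4:
        raise ValueError("datagram too short for a TZSP header")
    version, ptype, encap = struct.unpack("!BBH", datagram[:4])
    if version != 1:
        raise ValueError(f"unsupported TZSP version {version}")
    tags = {}
    pos = 4
    while True:
        if pos >= len(datagram):
            raise ValueError("TZSP tag list not terminated")
        tag = datagram[pos]
        pos += 1
        if tag == TZSP_TAG_END:
            break
        if tag == TZSP_TAG_PADDING:
            continue
        if pos >= len(datagram):
            raise ValueError("truncated TZSP tag")
        length = datagram[pos]          # every other tag carries a one-byte length
        pos += 1
        tags[tag] = datagram[pos:pos + length]
        pos += length
    return {"version": version, "type": ptype, "encap": encap, "tags": tags, "frame": datagram[pos:]}


def parse_ethernet_ipv4(frame):
    """Pull MACs, ethertype and (for IPv4) addresses, protocol and ports out of an Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst_mac": dst.hex(":"), "src_mac": src.hex(":"), "ethertype": ethertype}
    if ethertype == 0x0800 and len(frame) >= 34:
        ihl = (frame[14] & 0x0F) * 4        # IPv4 header length in bytes
        info["ip_proto"] = frame[23]
        info["src_ip"] = socket.inet_ntoa(frame[26:30])
        info["dst_ip"] = socket.inet_ntoa(frame[30:34])
        if info["ip_proto"] in (6, 17) and len(frame) >= 14 + ihl + 4:   # TCP or UDP
            info["src_port"], info["dst_port"] = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
    return info


def matches_sniffer_filter(info, host_ip):
    """True when the inner packet involves host_ip, i.e. what filter-ip-address should let through."""
    return host_ip in (info.get("src_ip"), info.get("dst_ip"))


def build_sample_datagram():
    """Constructed sample (not a real capture): a DNS query from 192.168.1.150 to 192.168.1.1 in TZSP."""
    dns_query = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                 b"\x07example\x03com\x00\x00\x01\x00\x01")
    udp = struct.pack("!HHHH", 51000, 53, 8 + len(dns_query), 0) + dns_query
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0x4000, 64, 17, 0,
                     socket.inet_aton("192.168.1.150"), socket.inet_aton("192.168.1.1")) + udp
    eth = bytes.fromhex("aabbccddeeff") + bytes.fromhex("001122334455") + b"\x08\x00" + ip
    tzsp_header = struct.pack("!BBH", 1, 0, TZSP_ENCAP_ETHERNET) + bytes([TZSP_TAG_END])
    return tzsp_header + eth


def listen(port=TZSP_PORT, max_packets=10, host_ip="192.168.1.150"):
    """Bind UDP 37008 and summarise the first streamed packets; returns how many were decoded."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("", port))
    seen = 0
    while seen < max_packets:
        datagram, (router_ip, _) = sock.recvfrom(65535)
        try:
            info = parse_ethernet_ipv4(parse_tzsp(datagram)["frame"])
        except ValueError as exc:
            print(f"{router_ip}: undecodable datagram ({exc})")
            continue
        flag = "" if matches_sniffer_filter(info, host_ip) else "  <-- outside filter-ip-address"
        print(f"{router_ip}: {info.get('src_ip')} -> {info.get('dst_ip')} proto={info.get('ip_proto')}{flag}")
        seen += 1
    sock.close()
    return seen


if __name__ == "__main__":
    listen()
```

Running it on the Wireshark host while the sniffer is started prints one line per streamed packet, with the router's own address as the sender; Wireshark captures via libpcap, so the script binding the port does not get in its way. Anything flagged as outside the filter means the router-side `filter-ip-address` is not what you think it is (for instance a typo in the prefix length).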
And that's it!
![](https://tojaj.com/wp-content/uploads/2020/03/wireshark_screenshot-1024x576.jpg)
This is how it could look in your Wireshark GUI in the end.
In this screenshot, you can see that I applied two extra display filters to see only traffic from/to the 192.168.1.150 IP and DNS-related traffic.
I did this as I was investigating if my Pi-Hole works as expected and blocks beaconing hostnames for Samsung Smart TVs.