# Packet Sniffer

## 1) Wireshark installation

On Fedora you install Wireshark with:

```
$ sudo dnf install wireshark
```

Then add your user to the “wireshark” group:

```
$ sudo usermod -a -G wireshark "$USER"
```

Then log out and log in again for the usermod change to take effect, or simply reboot your system:

```
$ sudo reboot
```

## 2) Configure a Wireshark capture filter

In the Wireshark menu, click “Capture” and then select “Capture Filters”. A new window with the capture filters will open. Click the “+” button to add a new line to the list. On the added line, enter a name for the filter (for example “MikroTik sniffing”) and set **udp port 37008** as the filter.

## 3) Start the capture in Wireshark

On Wireshark’s main screen, select the filter you just created (click the small green flag) and then start the capture.

## 4) Configure the MikroTik router to forward captured traffic

You can do this configuration via SSH, Telnet, WinBox or WebFig. I will show you how to do it via SSH/Telnet.

First, connect to the device (SSH in my example):

```
ssh ADMIN_USER@IP_ADDRESS_OF_YOUR_ROUTER -p PORT
```

Then configure the sniffer options:

```
/tool sniffer set streaming-enabled=yes streaming-server=192.168.1.100
/tool sniffer set filter-interface=wlan1,wlan2
/tool sniffer set filter-ip-address=192.168.1.150/32
```

- **streaming-enabled** – enables forwarding of captured packets.
- **streaming-server** – IP address of the host where Wireshark is running.
- **filter-interface** – interface(s) on which the capture will happen. (In my case I have two radios, 2.4 GHz and 5 GHz, and I selected both.)
- **filter-ip-address** – limits the sniffing to specific IP address(es). (In my case I selected only the IP of my Smart TV, as I wanted to see what kind of traffic it sends to and receives from the Internet.)

Start the capture:

```
/tool sniffer start
```

Review the sniffer status:

```
[MYUSER@MikroTik] > /tool sniffer print
  only-headers: no
  memory-limit: 100KiB
  memory-scroll: yes
  file-name:
  file-limit: 1000KiB
  streaming-enabled: yes
  streaming-server: 192.168.1.100
  filter-stream: yes
  filter-interface: wlan1,wlan2
  filter-mac-address:
  filter-mac-protocol:
  filter-ip-address: 192.168.1.150/32
  filter-ipv6-address:
  filter-ip-protocol:
  filter-port:
  filter-cpu:
  filter-size:
  filter-direction: any
  filter-operator-between-entries: or
  running: yes
```

Stop the capture:

```
/tool sniffer stop
```

And that’s it!

![](https://tojaj.com/wp-content/uploads/2020/03/wireshark_screenshot-1024x576.jpg)

This is how it could look in your Wireshark GUI in the end. In this screenshot you can see that I applied two extra display filters, so that only traffic from/to the 192.168.1.150 IP and DNS-related traffic is shown. I did this because I was investigating whether my Pi-hole works as expected and blocks the beaconing hostnames of Samsung Smart TVs.
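What the router actually sends to udp port 37008 is TZSP (TaZmen Sniffer Protocol), a small encapsulation header in front of each captured Ethernet frame, which is why Wireshark decodes the stream without any extra configuration. The following script is an added example, not code from the original post or from MikroTik: it parses the TZSP header, the Ethernet/IPv4/UDP headers and the DNS question name, and reproduces the two display filters from the screenshot above (traffic of 192.168.1.150 and DNS only) so you can check which hostnames the Smart TV is resolving even without the Wireshark GUI. The sample datagram built by `build_sample()`, its MAC addresses and the queried hostname `example.invalid` are constructed for the demonstration; the `listen()` function is what you would run on the host configured as `streaming-server`.

```python
"""Decode a MikroTik sniffer stream (TZSP on UDP 37008) without Wireshark.

Added example, not part of the original post. The TZSP layout (version,
type, encapsulation, tag list, then the raw frame) is the format Wireshark
dissects on udp port 37008.
"""
from __future__ import annotations

import socket
import struct

TZSP_PORT = 37008          # port used by MikroTik streaming and by the post's capture filter
TZSP_ENCAP_ETHERNET = 1    # encapsulation value for a raw Ethernet frame
TAG_PADDING = 0x00         # single-byte tag, no length field
TAG_END = 0x01             # single-byte tag that terminates the tag list
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


def parse_tzsp(datagram: bytes) -> tuple[int, dict, bytes]:
    """Return (encapsulation, tags, encapsulated frame) for one TZSP datagram."""
    if len(datagram) < 4:
        raise ValueError("TZSP datagram too short")
    version, _ptype, encap = struct.unpack("!BBH", datagram[:4])
    if version != 1:
        raise ValueError(f"unsupported TZSP version {version}")
    tags, pos = {}, 4
    while True:
        if pos >= len(datagram):
            raise ValueError("TZSP tag list not terminated")
        tag = datagram[pos]
        pos += 1
        if tag == TAG_END:
            break
        if tag == TAG_PADDING:
            continue
        if pos >= len(datagram):
            raise ValueError("truncated TZSP tag")
        length = datagram[pos]            # every other tag is type, length, value
        tags[tag] = datagram[pos + 1:pos + 1 + length]
        pos += 1 + length
    return encap, tags, datagram[pos:]


def parse_frame(frame: bytes) -> dict | None:
    """Parse Ethernet -> IPv4 -> UDP; anything else (ARP, IPv6, TCP) yields None."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if len(ip) < 20:
        return None
    ihl = (ip[0] & 0x0F) * 4             # header length in bytes (options included)
    if ip[9] != IPPROTO_UDP or len(ip) < ihl + 8:
        return None
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return {"src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
            "sport": sport, "dport": dport, "payload": ip[ihl + 8:]}


def dns_query_name(payload: bytes) -> str | None:
    """Return the first question name of a DNS message (question names are never compressed)."""
    if len(payload) < 12 or struct.unpack("!H", payload[4:6])[0] == 0:
        return None
    labels, pos = [], 12
    while pos < len(payload):
        ln = payload[pos]
        pos += 1
        if ln == 0:
            break
        if ln & 0xC0:                     # compression pointer: not valid here, bail out
            return None
        labels.append(payload[pos:pos + ln].decode("ascii", "replace"))
        pos += ln
    return ".".join(labels) or None


def summarize(datagram: bytes, watch_ip: str) -> dict | None:
    """Apply the post's two display filters: traffic of watch_ip, DNS only."""
    encap, _tags, frame = parse_tzsp(datagram)
    if encap != TZSP_ENCAP_ETHERNET:
        return None
    pkt = parse_frame(frame)
    if pkt is None or watch_ip not in (pkt["src"], pkt["dst"]):
        return None
    if 53 not in (pkt["sport"], pkt["dport"]):
        return None
    return {"src": pkt["src"], "dst": pkt["dst"], "qname": dns_query_name(pkt["payload"])}


def build_sample() -> bytes:
    """Constructed datagram: 192.168.1.150 asks 192.168.1.1 (port 53) for example.invalid."""
    qname = b"\x07example\x07invalid\x00"
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns          # checksum left 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0x4000, 64, IPPROTO_UDP, 0,
                     socket.inet_aton("192.168.1.150"), socket.inet_aton("192.168.1.1")) + udp
    eth = bytes.fromhex("aabbccddeeff") + bytes.fromhex("001122334455") + struct.pack("!H", ETHERTYPE_IPV4) + ip
    # TZSP: version 1, type 0 (received tag list), Ethernet encapsulation, padding tag, end tag
    return struct.pack("!BBH", 1, 0, TZSP_ENCAP_ETHERNET) + bytes([TAG_PADDING, TAG_END]) + eth


def listen(watch_ip: str, bind_addr: str = "0.0.0.0") -> None:
    """Read the live stream; the router's streaming-server must point at this host."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, TZSP_PORT))
        while True:
            datagram, _ = sock.recvfrom(65535)
            try:
                hit = summarize(datagram, watch_ip)
            except ValueError:            # malformed datagram: skip it, keep listening
                continue
            if hit:
                print(f"{hit['src']} -> {hit['dst']} DNS query {hit['qname']}")


if __name__ == "__main__":
    print(summarize(build_sample(), "192.168.1.150"))
    # listen("192.168.1.150")  # uncomment on the streaming-server host to read udp/37008 live
```

Running the script as-is only decodes the constructed sample; `listen()` binds udp/37008 and can run alongside Wireshark, because Wireshark captures with libpcap and does not bind the port. The decoder deliberately stops at the DNS question section and ignores IPv6 and TCP, so a blocked Pi-hole answer still shows up as the query that preceded it, which is the part the screenshot above was used to verify.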