Miguel
/
Obsidean_VM
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Obsidean_VM/01-Documentation/Routers/Mikrotik - Network Redes/Wireshark - Sniffer capture.md

103 lines
3.2 KiB
Markdown
Raw Permalink Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

Packet Sniffer
## 1) Wireshark Installation
On Fedora you install Wireshark by:
```
$ sudo dnf install wireshark
```
Then add your user to a “wireshark” group:
```
$ sudo usermod -a -G wireshark "$USER"
```
Then log out and log in again to let the usermod change to take effect or simply reboot your system:
```
$ sudo reboot
```
## 2) Configure Wireshark filter
In Wireshark menu, click on “capture” and then select “capture filters”.
It will open a new window with capture filters.
Click on “+” button to add a new line to the list. On the added line, write there a name of the filter (for example “MikroTik sniffing”) and set “**udp port 37008**” as the filter.
## 3) Start the capture in Wireshark
On Wiresharks main screen, select the filter you just created (click on the small green flag) and then start the capture.
## 4) Configure MikroTik router to forward captured traffic
You can do this configuration via SSH, Telnet, WinBox or WebFig.
I will show you how to do this via SSH/Telnet.
First, connect to the device (ssh in my example):
```
ssh ADMIN_USER@IP_ADDRESS_OF_YOUR_ROUTER -p PORT
```
Then configure sniffer options:
```
/tool sniffer set streaming-enabled=yes streaming-server=192.168.1.100
/tool sniffer set filter-interface wlan1,wlan2
/tool sniffer set filter-ip-address 192.168.1.150/32
```
- **streaming-enabled**  enables forwarding of packets.
- **streaming-server**  IP address of the host where the Wireshark is running.
- **filter-interface**  interface(s) where the capture will happen. (In my case, I have two radios 2,4 GHz & 5 GHz and I selected both)
- **filter-ip-address**  you can limit the sniffing to only a specific IP address(es). (In my case, I selected only IP of my Smart TV as I wanted to see what kind of traffic it sends/receives from Internet)
Start the capture:
```
/tool sniffer start
```
Review the sniffer status:
```
[MYUSER@MikroTik] > /tool sniffer print
only-headers: no
memory-limit: 100KiB
memory-scroll: yes
file-name:
file-limit: 1000KiB
streaming-enabled: yes
streaming-server: 192.168.1.100
filter-stream: yes
filter-interface: wlan1,wlan2
filter-mac-address:
filter-mac-protocol:
filter-ip-address: 192.168.1.150/32
filter-ipv6-address:
filter-ip-protocol:
filter-port:
filter-cpu:
filter-size:
filter-direction: any
filter-operator-between-entries: or
running: yes
```
Stop capture:
```
/tool sniffer stop
```
And thats it!
![](https://tojaj.com/wp-content/uploads/2020/03/wireshark_screenshot-1024x576.jpg)
This is how it could look like in your Wireshark GUI in the end.
In this screenshot, you can see that I applied two extra display filters to see really only traffic from/to 192.168.1.150 IP and DNS related traffic.
I did this as I was investigating if my Pi-Hole works as expected and blocks beaconing hostnames for Samsung Smart TVs.
Reference in New Issue View Git Blame Copy Permalink