# Packet Sniffer

## TL;DR (Quick Start)

For the impatient: capture packets on an interface and save to file.

```
/tool sniffer set filter-interface=ether1 memory-limit=1000
/tool sniffer start
```

Wait for traffic, then:

```
/tool sniffer stop
/tool sniffer save file-name=capture.pcap
```

Download capture.pcap from Files and open in Wireshark.
## Overview

What this does: Packet Sniffer captures network traffic passing through the router for analysis. It can filter by IP, MAC, port, protocol, or VLAN, save captures to PCAP files, and stream packets in real time to Wireshark using the TZSP protocol.
When to use this:
- Troubleshooting network connectivity issues
- Analyzing protocol behavior or application traffic
- Diagnosing firewall rule problems
- Investigating security incidents
- Debugging VoIP/SIP issues
- Verifying traffic flow through the router
Prerequisites:
- Access to RouterOS via Winbox, SSH, or WebFig
- Wireshark installed on workstation (for analysis)
- Sufficient free memory for capture buffer
## Configuration Steps

### Step 1: Configure Sniffer Settings

Set up the capture filter and memory allocation.

```
/tool sniffer set filter-interface=ether1 memory-limit=1000
```

### Step 2: Start Capture

Begin capturing packets.

```
/tool sniffer start
```

### Step 3: View Captured Packets

Check captured data in real time.

```
/tool sniffer packet print
```

Expected output:

```
 # INTERFACE TIME         NUM DIR SRC-ADDRESS        DST-ADDRESS        PROTOCOL SIZE
 0 ether1    00:00:01.234 1   rx  192.168.1.100:443  192.168.1.1:52341  tcp      1500
 1 ether1    00:00:01.235 2   tx  192.168.1.1:52341  192.168.1.100:443  tcp      52
```

### Step 4: Stop and Save

Stop the capture and save to file.

```
/tool sniffer stop
/tool sniffer save file-name=capture.pcap
```

### Step 5: Download and Analyze

Download the file from /file via Winbox, FTP, or WebFig and open it in Wireshark.
## Common Scenarios

### Scenario: Quick Real-Time View

Use the quick command for immediate filtered output:

```
/tool sniffer quick interface=ether1
```

Press Ctrl+C to stop. This shows packets in real time without saving.

### Scenario: Filter by IP Address

Capture traffic to/from specific hosts:

```
/tool sniffer set filter-interface=ether1 \
    filter-ip-address=192.168.1.100,10.0.0.0/8 \
    memory-limit=2000
/tool sniffer start
```

### Scenario: Filter by Port

Capture web traffic only:

```
/tool sniffer set filter-interface=ether1 \
    filter-port=80,443 \
    memory-limit=2000
/tool sniffer start
```

Exclude SSH (useful when capturing over SSH):

```
/tool sniffer set filter-port=!22
```

### Scenario: Filter by Protocol

Capture only ICMP (ping) traffic:

```
/tool sniffer set filter-interface=ether1 \
    filter-ip-protocol=icmp
/tool sniffer start
```

Other protocols: tcp, udp, ospf, gre, ipsec-ah, ipsec-esp, igmp

### Scenario: Stream to Wireshark (TZSP)

Stream packets in real time to Wireshark for live analysis:

```
/tool sniffer set streaming-enabled=yes \
    streaming-server=192.168.1.100 \
    streaming-port=37008 \
    filter-interface=ether1 \
    filter-stream=yes
/tool sniffer start
```

In Wireshark:

- Start capture on any interface
- Filter: udp.port == 37008
- Wireshark automatically decodes the TZSP payload

Alternative: Use “UDP Listener” remote capture if available.
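Added example (not from this page or from MikroTik): a small Python parser for the TZSP datagrams the sniffer sends to streaming-server, plus a check for the feedback loop described in this scenario (with filter-stream=no the capture fills with the router's own TZSP packets to port 37008). The header layout (version 1, Ethernet encapsulation 1, tag list terminated by 0x01) comes from the TZSP format, and the sample datagrams are constructed inline rather than captured from a router.

```python
import struct

TZSP_PORT = 37008          # default streaming-port on the page
ENCAP_ETHERNET = 1         # TZSP encapsulation id for Ethernet frames
TAG_PADDING, TAG_END = 0x00, 0x01

def parse_tzsp(datagram: bytes) -> dict:
    """Split a TZSP datagram into header fields, tags and the captured frame."""
    if len(datagram) < 4:
        raise ValueError("TZSP header truncated")
    version, ptype, encap = struct.unpack("!BBH", datagram[:4])
    if version != 1:
        raise ValueError(f"unsupported TZSP version {version}")
    pos, tags = 4, {}
    while True:   # tag list: 1-byte padding, or tag+len+data, until END
        if pos >= len(datagram):
            raise ValueError("TZSP tag list not terminated")
        tag = datagram[pos]
        pos += 1
        if tag == TAG_END:
            break
        if tag == TAG_PADDING:
            continue
        length = datagram[pos]
        tags[tag] = datagram[pos + 1:pos + 1 + length]
        pos += 1 + length
    return {"version": version, "type": ptype, "encap": encap,
            "tags": tags, "frame": datagram[pos:]}

def is_streaming_echo(frame: bytes, port: int = TZSP_PORT) -> bool:
    """True when the captured Ethernet/IPv4/UDP frame is itself TZSP traffic to the receiver."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4
        return False
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 17 or len(frame) < 14 + ihl + 8:    # not UDP, or truncated
        return False
    return struct.unpack("!H", frame[14 + ihl + 2:14 + ihl + 4])[0] == port

def build_frame(proto: int, dport: int = 0) -> bytes:
    """Constructed minimal Ethernet/IPv4 frame used as sample input (not real traffic)."""
    eth = b"\xff" * 6 + b"\x00\x0c\x42\x00\x00\x01" + b"\x08\x00"
    payload = struct.pack("!HHHH", 40000, dport, 8, 0) if proto == 17 else b"\x08\x00\x00\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     bytes([192, 168, 1, 100]), bytes([192, 168, 1, 1]))
    return eth + ip + payload

# Constructed datagrams: TZSP v1, type 0 (received), Ethernet encapsulation, then the tag list
ICMP_DATAGRAM = struct.pack("!BBH", 1, 0, ENCAP_ETHERNET) + bytes([TAG_END]) + build_frame(1)
ECHO_DATAGRAM = struct.pack("!BBH", 1, 0, ENCAP_ETHERNET) + bytes([TAG_PADDING, TAG_END]) + build_frame(17, TZSP_PORT)
```

Feed real datagrams from a UDP socket bound to port 37008 into parse_tzsp; a stream where is_streaming_echo is true for most frames means filter-stream was left at no.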
### Scenario: Capture Headers Only

Reduce capture size by omitting the payload:

```
/tool sniffer set only-headers=yes \
    filter-interface=ether1 \
    file-limit=10000
/tool sniffer start
```

Useful for high-traffic captures or when only interested in packet metadata.

### Scenario: Capture on All Interfaces

Monitor traffic across all router interfaces:

```
/tool sniffer set filter-interface=all memory-limit=5000
/tool sniffer start
```

### Scenario: View Statistics

Analyze protocol distribution and active hosts:

```
# Protocol breakdown
/tool sniffer protocol print
# Active hosts
/tool sniffer host print
# Active connections
/tool sniffer connection print
```

### Scenario: Continuous Capture to File

Save directly to file for long-running captures:

```
/tool sniffer set file-name=longcapture.pcap \
    file-limit=50000 \
    filter-interface=ether1
/tool sniffer start
```

Capture stops automatically when file-limit is reached.
## Verification

### Check 1: Verify Sniffer is Running

```
/tool sniffer print
```

Expected: Shows running=yes when active.

### Check 2: Check Packet Count

```
/tool sniffer packet print count-only
```

Expected: Shows the number of captured packets.

### Check 3: Verify Streaming Connectivity

```
/ping 192.168.1.100 count=3
```

Expected: Streaming server is reachable.
## Troubleshooting

| Symptom | Cause | Solution |
|---|---|---|
| No packets captured on bridge | Hardware offloading bypasses CPU | Disable hw-offload on the bridge ports: /interface bridge port set [find] hw=no |
| Traffic between bridge ports missing | Switch fabric handles traffic | Sniff on physical interfaces, not bridge; or use port mirroring |
| TZSP not decoded in Wireshark | Wireshark not decoding payload | Use “UDP Listener” capture or filter udp.port==37008 |
| Capture includes streaming packets | filter-stream=no | Set filter-stream=yes to exclude TZSP traffic |
| Older packets lost | Memory buffer overflow | Increase memory-limit or save to file |
| Router slow during capture | High traffic volume | Reduce capture scope with filters; use only-headers=yes |
| Wireless client traffic missing | Client-to-client forwarding | Disable forwarding or use wireless sniffer mode |
| Traffic generator packets missing | Fast-path enabled | Disable fast-path on traffic generator |
| Captured data disappears | 10-minute memory timeout | Save to file or increase capture frequency |
## Common Mistakes

- Don’t capture on bridge with hw-offload - Traffic switched in hardware bypasses the CPU and sniffer
- Don’t forget filter-stream=yes - Without it, TZSP streaming creates a feedback loop
- Don’t set file-limit larger than free memory - Can cause router instability
- Don’t capture unfiltered on busy interfaces - High CPU usage and buffer overflow
- Don’t expect encrypted payloads - Sniffer captures packets as-is; encrypted traffic stays encrypted
## Filter Reference

### IP Filters (up to 16 entries each)

| Property | Description |
|---|---|
| filter-ip-address | Match source or destination IPv4 |
| filter-src-ip-address | Match source IPv4 only |
| filter-dst-ip-address | Match destination IPv4 only |
| filter-ipv6-address | Match source or destination IPv6 |

### Port Filters

| Property | Description |
|---|---|
| filter-port | Match source or destination port |
| filter-src-port | Match source port only |
| filter-dst-port | Match destination port only |

Prefix with ! to exclude (e.g., !22 excludes SSH).

### Protocol Filters

| Property | Values |
|---|---|
| filter-ip-protocol | tcp, udp, icmp, ospf, gre, ipsec-ah, ipsec-esp, igmp |
| filter-mac-protocol | ip, ipv6, arp, vlan, pppoe, mpls-unicast, lldp, lacp |
## Related Topics

### Traffic Analysis

- Torch - real-time traffic monitoring (no capture)
- Traffic Flow - NetFlow/IPFIX export
- Traffic Monitor - interface statistics

### Troubleshooting

- Ping Tool - connectivity testing
- Traceroute - path discovery
- Bandwidth Test - throughput testing

### Firewall

- Firewall Basics - log matched packets
- Logging - configure packet logging

## Reference

### Properties Reference

| Property | Type | Default | Description |
|---|---|---|---|
| filter-interface | name/all | all | Target interface(s) |
| filter-direction | any/rx/tx | any | Traffic direction |
| memory-limit | KiB | 100 | Buffer size for capture |
| memory-scroll | yes/no | yes | Overwrite old data when full |
| file-name | string | - | Output file path |
| file-limit | KiB | 1000 | Max file size before stop |
| only-headers | yes/no | no | Capture headers only |
| streaming-enabled | yes/no | no | Enable TZSP streaming |
| streaming-server | IP | 0.0.0.0 | TZSP receiver IP |
| streaming-port | port | 37008 | TZSP destination port |
| filter-stream | yes/no | yes | Exclude streaming packets |

### Command Reference

| Command | Description |
|---|---|
| /tool sniffer start | Begin capture |
| /tool sniffer stop | Stop capture |
| /tool sniffer save file-name=X | Save to file |
| /tool sniffer quick | Real-time filtered view |
| /tool sniffer packet print | View captured packets |
| /tool sniffer protocol print | View protocol statistics |
| /tool sniffer host print | View participating hosts |
| /tool sniffer connection print | View active connections |
| /tool sniffer print | Show configuration |
| /tool sniffer set | Configure settings |