Packet captures are one of the primary troubleshooting tools in networking. RouterOS includes three different ways (four if you include CALEA) to capture packets: the Packet Sniffer tool, which is used for everything except wireless packets; the Wireless Sniffer, which is specifically for wireless packets; and the firewall, where a mangle rule can sniff packets (the sniff-tzsp and sniff-pc actions). This tutorial covers only the Packet Sniffer tool found under the main Tools menu. First we will look at the settings, then at how to save the packet capture to the router, and finally at streaming the packet capture to a PC running Wireshark.
Packet Sniffer Settings
Built-in Analysis Tools
Saving a Packet Capture as a file
To save your packet capture to your router, all that is required is to give the file a name and ensure that the File Limit makes sense for what you are trying to do. The Only Headers option (which discards payloads and keeps only the protocol headers, so a given File Limit holds many more packets) and the Memory Scroll option (which overwrites the oldest captured data when the limit is reached instead of stopping) should also be evaluated for their use. Using the Filters will make the packet capture much easier to understand. Once the file is saved to the Files menu, it can be downloaded by dragging and dropping through Winbox, downloading from the router's web page, FTP, or any other means you would normally use. Keep in mind that a capture saved with Only Headers unchecked contains full packet payloads, possibly including credentials sent in clear text, so treat the file as sensitive and delete it from the router once you have downloaded it.
Streaming the Packet Capture to Wireshark
Streaming your packet capture to Wireshark can be very valuable for three main reasons. First, you can analyze the information in real time. Second, the PC that is running Wireshark (or some other packet analysis tool) will probably be faster and have more storage space than the router. And last, but not least, the analysis tools that you then have at your disposal are far more robust than what the router can provide all by itself.
To configure the router for streaming, ensure that there is no File Name specified on the General tab. On the Streaming tab, enable streaming and specify the address of the PC running your packet analysis tool. Evaluate whether or not to enable the Filter Stream option (when in doubt, leave it unchecked). Note that the stream is plain, unencrypted UDP carrying the full contents of every captured packet, so send it only across a network path you trust (ideally a dedicated management network), and make sure nothing else on that path can read it.
To configure Wireshark to receive the stream, open Wireshark and you will be met with a window to select which interface to start the packet capture on. In this example, I was communicating with my router through my wireless interface, so I highlighted "Wi-Fi" and then specified a capture filter for the selected interface. The router sends the information as a UDP stream (TZSP encapsulation) on port 37008, so you will have to add a filter as well; Wireshark already knows to decode TZSP on that port and will show the captured frames inside each datagram:
udp port 37008
If you forget or just want to verify the port number, the stream will show up in Torch as UDP traffic to your PC on port 37008. To start the packet capture, click on the shark fin icon below the File menu.
If you already have Wireshark open, go to the Capture menu and choose Options. This brings you to the same settings you are met with when the program starts. See the example below:
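As an added example that is not part of the original tutorial, here is a small Python receiver that does the part of the job Wireshark does on that port: it binds UDP 37008, strips the TZSP encapsulation that RouterOS wraps around every captured frame, and prints a one-line summary of the Ethernet/IPv4 frame inside. The TZSP layout it parses (version 1, a type byte, a two-byte encapsulation, then tagged fields terminated by an end tag) is the format Wireshark's TZSP dissector decodes. The MAC and IP addresses in the constructed sample datagram are invented test data, and the router-side commands in the comment assume a /tool sniffer configuration like the one described above.

```python
import socket
import struct

# Router side (RouterOS CLI), assumed to match the tutorial's Streaming tab settings:
#   /tool sniffer set streaming-enabled=yes streaming-server=<this PC's IP> filter-stream=no
#   /tool sniffer start
TZSP_PORT = 37008          # UDP port RouterOS streams to

# TZSP header: version(1) type(1) encapsulation(2), then tags until TAG_END.
TZSP_VERSION = 1
TZSP_ENCAP_ETHERNET = 1    # what RouterOS uses for Packet Sniffer streams
TAG_PADDING = 0x00         # single byte, no length
TAG_END = 0x01             # single byte, ends the tag list


def decode_tzsp(datagram: bytes) -> dict:
    """Parse one TZSP datagram into header fields, tags and the encapsulated frame.

    Raises ValueError on anything malformed so a bad datagram cannot desync the loop.
    """
    if len(datagram) < 4:
        raise ValueError("datagram too short for TZSP header")
    version, ptype, encap = struct.unpack("!BBH", datagram[:4])
    if version != TZSP_VERSION:
        raise ValueError(f"unsupported TZSP version {version}")
    tags = {}
    off = 4
    while True:
        if off >= len(datagram):
            raise ValueError("truncated TZSP tag list (no TAG_END)")
        tag = datagram[off]
        off += 1
        if tag == TAG_END:
            break
        if tag == TAG_PADDING:
            continue
        if off >= len(datagram):
            raise ValueError("truncated TZSP tag length")
        length = datagram[off]
        off += 1
        if off + length > len(datagram):
            raise ValueError("truncated TZSP tag value")
        tags[tag] = datagram[off:off + length]
        off += length
    return {"version": version, "type": ptype, "encapsulation": encap,
            "tags": tags, "frame": datagram[off:]}


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def summarize_ethernet(frame: bytes) -> str:
    """One-line summary: MACs and EtherType, plus addresses/ports for IPv4 TCP/UDP."""
    if len(frame) < 14:
        return f"short frame ({len(frame)} bytes)"
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    line = f"{_mac(src)} -> {_mac(dst)} type=0x{ethertype:04x}"
    if ethertype == 0x0800 and len(frame) >= 34:
        ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
        proto = frame[23]
        sip = socket.inet_ntoa(frame[26:30])
        dip = socket.inet_ntoa(frame[30:34])
        line += f" IPv4 {sip} -> {dip} proto={proto}"
        if proto in (6, 17) and len(frame) >= 14 + ihl + 4:
            sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
            line += f" ports {sport}->{dport}"
    return line


def listen(bind_addr: str = "0.0.0.0", port: int = TZSP_PORT) -> None:
    """Receive the router's stream and print one line per captured frame."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, (rip, _rport) = sock.recvfrom(65535)
        try:
            pkt = decode_tzsp(data)
        except ValueError as err:
            print(f"{rip}: bad TZSP datagram: {err}")
            continue
        if pkt["encapsulation"] != TZSP_ENCAP_ETHERNET:
            print(f"{rip}: unexpected encapsulation {pkt['encapsulation']}")
            continue
        print(f"{rip}: {summarize_ethernet(pkt['frame'])}")


# Constructed sample: a DNS query frame (invented addresses) wrapped the way RouterOS
# sends it, so the decoder can be exercised without a router on hand.
SAMPLE_FRAME = (
    bytes.fromhex("001122334455") + bytes.fromhex("aabbccddeeff") + b"\x08\x00"
    + struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 1, 0, 64, 17, 0,
                  socket.inet_aton("192.168.88.10"), socket.inet_aton("192.168.88.1"))
    + struct.pack("!HHHH", 40000, 53, 8, 0)
)
SAMPLE_DATAGRAM = struct.pack("!BBH", TZSP_VERSION, 0, TZSP_ENCAP_ETHERNET) \
    + bytes([TAG_END]) + SAMPLE_FRAME

if __name__ == "__main__":
    print(summarize_ethernet(decode_tzsp(SAMPLE_DATAGRAM)["frame"]))
    listen()
```

Run it on the PC whose address you entered on the Streaming tab and start the sniffer on the router; each line printed corresponds to one frame the router captured. The tag loop is bounds-checked on every step because the datagram comes straight off the wire from whatever can reach UDP 37008, and a parser that trusts a length byte is exactly the kind of thing a hostile sender on the same segment would probe.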
Hope you enjoyed this tutorial! If you have any questions or insights, please add a comment below.