Live packet captures using MikroTik RouterOS and Wireshark

on April 26th, 2017 by Hades | No Comments »

Wireshark is commonly used network protocol analyzer for Unix and Windows, it’s available for free download from project homepage, http://www.wireshark.org/. This was tested on RouterOS v6.38.5 (mipsbe), but it should work mostly the same everywhere. I was using MacOS Sierra 10.12.5 Beta (16F67a) and Wireshark 2.2.1 (v2.2.1-0-ga6fbd27 from master-2.2), on a MacBook pro using a 802.11 ac card.

How do I get it working?

First, launch Wireshark, and start a capture on the interface that’s connected to the MikroTik box. This may be a wired or wireless interface. To accept sniffer TZSP (TaZmen Sniffer Protocol) stream, you have to set the configuration.

  • To accept only TZSP traffic, Capture Filter like this can be used

 

  • Make sure you accept UDP in Wireshark (as TZSP uses UDP to transport data);
  • You may need to disable WCCP protocol in Wireshark (Analyze/Enabled Protocols), as that collides with TZSP and by default frames may be considered WCCP, not TZSP;
  • For streaming wireless sniffer captures (interface wireless sniffer), make sure you have newest Wireshark and newest RouterOS.

Next, configure the sniffer tool on the MikroTik box.

Finally, start the sniffer.

That’s it! You should start to see frames streaming in on the Wireshark display. Don’t forget to stop the sniffer later, otherwise it will keep running until rebooted.