用Wireshark抓routeros的包

简介:


If you as I need to get some traffic from a Mikrotik router and /tool sniffer quick doesn’t cut it, as you need not just the headers the best way is stream the traffic to the a Linux box. The Mikrotik configuration is easy, just set the server you want to stream to:

/tool sniffer set streaming-enabled=yes streaming-server=<ip_of_the_server>

Configure a filter as you don’t want to stream everything:

/tool sniffer set filter-ip-address=<an_example_filter_ip>

and now you need only to start it with

/tool sniffer start

and check with

/tool sniffer print

if everything is running.

But now comes the part that is not documented that well. Searching through the internet I found some posts/articles on how to use Wireshark for capturing, but that does not work correctly – at least not for me.

capture_filter

If you configure the capture filter to udp port 37008 to get everything the router sends via TZSP you will see following lines

fragmented_ip_protocol2

If you now set the display filter to show only TZSP these packets are not displayed any more. This packets contain information we need and I was not able to configure Wireshark 1.10.2 to work correctly. If you know how to get it to work, please write a comment. I changed my approach to use an other program to write the packets to disk and look at them later with Wireshark. And I found a program from Mikrotik directly which does that.  Go to the download page and download Trafr and extract and use it like this:

$ tar xzf trafr.tgz
$ ./trafr
usage: trafr <file | -s> [ip_addr]
-s      write output to stdout. pipe it into tcpdump for example:
./trafr -s | /usr/sbin/tcpdump -r -
ip_addr use to filter one source router by ip address
$ ./trafr test.pcap <ip_of_the_router>

After you stopped the program you can open the file in Wireshark and no packets are missing.










本文转自 h2appy  51CTO博客,原文链接:http://blog.51cto.com/h2appy/1678891,如需转载请自行联系原作者
目录
相关文章
【已解决】charles抓不了包!!原来是证书过期了
【已解决】charles抓不了包!!原来是证书过期了
|
6月前
|
网络协议
Wireshark 如何过滤抓到的网络包?
Wireshark 如何过滤抓到的网络包?
|
6月前
|
缓存 网络协议
Wireshark中的ARP协议包分析
Wireshark可以跟踪网络协议的通讯过程,本节通过ARP协议,在了解Wireshark使用的基础上,重温ARP协议的通讯过程。 ARP(Address Resolution Protocol)地址解析协议,是根据IP地址获取物理地址的一个TCP/IP协议。 主机发送信息时将包含目标IP地址的ARP请求广播到局域网络上的所有主机,并接收返回消息,以此确定目标的物理地址;收到返回消息后将该IP地址和物理地址存入本机ARP缓存中并保留一定时间,下次请求时直接查询ARP缓存以节约资源。 在Wireshark界面,我们可以看到19、20号数据包,就是一对标准的ARP请求和响应包。
|
网络协议
Wireshark 抓包工具介绍
Wireshark 抓包工具介绍
126 0
|
Web App开发 安全
Burpsuite+Proxifier抓取exe数据包
Burpsuite+Proxifier抓取exe数据包
275 0
|
缓存 监控 网络协议
Wireshark网络抓包(四)——工具
1. File:了解抓包文件的各种属性,例如抓包文件的名称、路径、文件所含数据包的规模等信息 2. Time:获悉抓包的开始、结束和持续时间 3. Capture:抓包文件由哪块网卡生成、OS版本、Wireshark版本等信息 4. Display:剩下的是汇总统计信息,数据包的总数、数量以及占比情况、网速等
Wireshark网络抓包(四)——工具
|
监控 JavaScript 网络协议
nmap扫描工具,tcpdump抓包工具的安装和使用
扫描:以获取一些公开的、非公开信息为目的。检测潜在的风险,查找可攻击的目标,收集 设备、主机、系统、软件信息,发现可利用的漏洞。 **扫描方式:主动探测(scan)、被动监听嗅探(sniff)、抓包(capture) 常用的分析工具:扫描器(NMAP)、协议分析(tcpdumpWireShar.
2447 0
|
网络协议 Linux Windows
使用tcpdump+wireshark抓包分析网络数据包
最近和学弟在调试一个GPRS通信模块,需求是通过GPRS模块通过http协议发送数据到服务器,但是http协议一直失败,服务器返回400,通过查询http状态码得知,http400错误是请求无效,因为GPRS模块没有实现http协议的封装,需要在TCP协议的基础上,手动拼装http格式的报文.
3913 0