Mikrotik… need I say More?
Packet Sniffer Streaming to Wireshark from your Mikrotik

March 2, 2013

Packet Sniffer Streaming to Wireshark from your Mikrotik HOW TO by Travis Kenner

Equipment:
Mikrotik RB 750GL running package 6.0rc11
Windows 7 Pro Workstation 64 bit
Wireshark version 1.8.5 64 bit

How to Stream Packet Sniffing from your Mikrotik to your workstation running Wireshark:

Start Wireshark on your workstation

Log onto your Mikrotik and click on the Tools Menu on the left side

Under Tools choose Packet Sniffer

Under General set the settings as you see fit

Under the Streaming TAB

Check the box for Streaming Enabled to enable streaming

Server: This will be the IP Address of your workstation running Wireshark

NOT sure at this point what Filter Stream does but I left it checked

Now go to the Filter TAB

Interfaces: Choose your LAN interface (for me this was ether2-master-local)

IP Address: This is the IP address or address range of the device or devices whose traffic you want to sniff and stream to the workstation where Wireshark is listening

Set protocols and Port to whatever you want or are trying to capture if needed

Direction: leave as “any”

On the right side click the Start and Stop buttons to live stream or stop streaming the Mikrotik Packet captures to Wireshark.


NOTE: Here is a capture filter I used to nail down just tzsp and UDP port 5070 traffic from my VOIP phone to try and sniff and get its IP Differentiated Services Field (TOS) number so that I could mangle it in Mikrotik and set up a queue to prioritize VOIP traffic over all other traffic when bandwidth was getting sucked up by large downloads and I was on the phone!!!

Wireshark Capture Filters: `tzsp or udp.port==5070`
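
The NOTE above pulls the Differentiated Services value of the VOIP traffic out of the TZSP stream; the same decode in Python is shown here as an added example, not code from the original post. The function names, the sample datagram and its addresses are constructed, and the parser assumes TZSP version 1 carrying untagged Ethernet with IPv4 inside, arriving on UDP port 37008.

```python
import socket
import struct

TZSP_PORT = 37008  # UDP port the RouterOS sniffer streams TZSP to

def strip_tzsp(payload: bytes) -> bytes:
    """Return the Ethernet frame carried inside one TZSP datagram."""
    if len(payload) < 5:
        raise ValueError("truncated TZSP datagram")
    version, _ptype, encap = struct.unpack("!BBH", payload[:4])
    if version != 1 or encap != 1:      # encapsulation 1 = Ethernet
        raise ValueError("not TZSP v1 carrying Ethernet")
    i = 4
    while i < len(payload):
        tag = payload[i]
        if tag == 0x01:                 # end tag: the sniffed frame follows
            return payload[i + 1:]
        if tag == 0x00:                 # padding tag has no length byte
            i += 1
        else:                           # other tags: type, length, value
            i += 2 + (payload[i + 1] if i + 1 < len(payload) else 0)
    raise ValueError("TZSP end tag missing")

def inner_dscp(frame: bytes):
    """Return (src, dst, dscp) of the sniffed IPv4 packet, or None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        return None
    ip = frame[14:34]
    return socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]), ip[1] >> 2

# Constructed sample: TZSP header + end tag, Ethernet, IPv4 (TOS 0xb8), UDP 5070
SAMPLE = bytes.fromhex(
    "0100000101" "00112233445566778899aabb0800"
    "45b8001c0000000040110000c0a85814c0a85801" "13ce13ce00080000"
)

def listen(bind_ip: str = "0.0.0.0") -> None:
    # Bind the workstation address configured as "Server" on the Streaming tab.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_ip, TZSP_PORT))
        while True:
            data, (router, _port) = sock.recvfrom(65535)
            try:
                print(router, inner_dscp(strip_tzsp(data)))
            except ValueError as exc:
                print(router, "skipped:", exc)

if __name__ == "__main__":
    print(inner_dscp(strip_tzsp(SAMPLE)))  # decode the constructed sample
```

Wireshark never binds this port; it reads the datagrams off the interface, so a listener like `listen()` is only needed when you want to process the stream without Wireshark. The stream is an unencrypted copy of the sniffed traffic, so keep the path between router and workstation on a trusted segment.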

6 Comments
Livingstone
September 30, 2016 at 4:55 am

Hello, nice tutorial on Mikrotik. Now, after starting Wireshark, how do you configure it to capture the packets from the Mikrotik?

oonuma
September 10, 2016 at 11:13 am

I can’t capture tzsp because `netstat -n` does not show port 37008.

How do I open port 37008 on Wireshark?

Please tell me. (I’m on Windows, but Linux is OK.)

Jonathan
November 6, 2015 at 6:15 am

@Artis Start Wireshark to capture packets on the interface that you are streaming to.

Chr. Zürcher
December 25, 2014 at 9:12 pm

Nice tutorial, got it up & running in no time.

Artis
May 14, 2014 at 1:03 pm

How to view streamed data in Wireshark?
The tutorial to set up the sniffer is clear, but with shark?

    Jonathan
    November 6, 2015 at 6:16 am

    Start Wireshark to capture packets on the interface that you are streaming to.
