Packet Analysis on MikroTik: Sniffing and SIP Tracing with Wireshark

Packet analysis is an essential skill for network administrators, offering insights into the health and security of a network. MikroTik routers, equipped with the powerful Sniffer tool, provide a robust platform for capturing network traffic. This guide will walk you through the process of dumping packets on a MikroTik router, exporting them to a pcap file, and analyzing them in Wireshark with a focus on SIP (Session Initiation Protocol) tracing. We will also explore how to stream packets in real-time to Wireshark using the TZSP (TaZmen Sniffer Protocol).

Capturing Packets with MikroTik Sniffer Tool

The Sniffer tool on MikroTik RouterOS allows you to capture packets traversing your network, giving you a window into the traffic flow and activity.

Step 1: Configuring the Sniffer Tool

  1. Access your MikroTik router via Winbox or SSH.
  2. Navigate to the Sniffer tool. If using Winbox, go to Tools > Sniffer. For terminal access, you'll use the /tool sniffer command.
  3. Set the capture parameters: the interface to capture on, the direction (tx, rx, or both), whether to capture on all interfaces, and any specific filters. For SIP tracing you usually do not need a filter at this stage. The following command is an example; note that it also enables the TZSP streaming used later in this guide:
/tool sniffer set streaming-enabled=yes streaming-server=192.168.88.1 interface=ether1

Replace 192.168.88.1 with the IP address of your computer running Wireshark and ether1 with the interface you wish to monitor.

Step 2: Starting the Capture

  • Activate the sniffer by executing: /tool sniffer start. This begins the packet capture process based on your defined parameters.

Exporting Captured Packets to a pcap File

After capturing the necessary packets, you may want to export them for analysis in Wireshark.

  1. Stop the capture by running /tool sniffer stop.
  2. Export the capture with the command: /tool sniffer save file-name=mycapture. This saves the captured packets to a file named mycapture.
  3. Download the pcap file to your computer. If you're using Winbox, navigate to Files, find mycapture, and click Download.

Analyzing Packets in Wireshark

With your pcap file ready, it's time to dive into the analysis with Wireshark.

  1. Open Wireshark and select File > Open. Navigate to your downloaded pcap file and open it.
  2. Filter for SIP traffic by entering sip in the filter bar and pressing Enter. This filters the displayed packets to show only SIP-related traffic.
  3. Conduct your SIP trace. Look for SIP INVITE requests and their responses, such as 200 OK, to understand the call setup. Pay attention to the call flow and any errors or unusual patterns that might indicate issues.

Streaming Packets to Wireshark in Real-Time

For real-time analysis, MikroTik and Wireshark can work together using the TZSP.

  1. Configure Wireshark for TZSP. Go to Edit > Preferences > Protocols > TZSP and set the appropriate network interface and port (typically port 37008).
  2. Start the capture in Wireshark. Select your network interface and begin capturing. Ensure your computer's firewall allows inbound UDP traffic on the TZSP port.
  3. Configure MikroTik for TZSP streaming as shown in the configuration step, ensuring streaming-enabled=yes and your computer's IP address is correctly set as the streaming-server.

This setup allows you to view packets as they traverse your network in real time, offering immediate insights and drastically reducing the time to identify and resolve network issues.
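The TZSP stream the router sends in the steps above can also be decoded without Wireshark. The following is an added example, not code from this page or from MikroTik: a receiver-side decoder that parses the TZSP header and tag list, writes the encapsulated Ethernet frames to a standard pcap file, and yields the first line of every SIP message seen on UDP port 5060. The sample datagram, MAC addresses and IP addresses in sample_datagram() are constructed test data.

```python
import struct
import time

TZSP_PORT = 37008                                 # bind a UDP socket here and feed its payloads to trace_sip
TAG_PADDING, TAG_END, ENCAP_ETHERNET = 0x00, 0x01, 1
PCAP_HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # libpcap, link type Ethernet

def parse_tzsp(datagram):
    """Return (encapsulation, encapsulated frame); the tag list between them is skipped."""
    version, _kind, encap = struct.unpack("!BBH", datagram[:4])
    if version != 1:
        raise ValueError("unsupported TZSP version %d" % version)
    i = 4
    while True:
        tag, i = datagram[i], i + 1
        if tag == TAG_END:
            break
        if tag != TAG_PADDING:                    # padding has no length byte; other tags are TLV
            i += 1 + datagram[i]
    return encap, datagram[i:]

def sip_first_line(frame):
    """SIP request/status line if the Ethernet frame carries IPv4/UDP to or from 5060, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
        return None
    udp = frame[14 + (frame[14] & 0x0F) * 4:]    # skip Ethernet and IPv4 (IHL) headers
    if 5060 not in struct.unpack("!HH", udp[:4]):
        return None
    return udp[8:].split(b"\r\n", 1)[0].decode("ascii", "replace")

def trace_sip(datagrams, pcap_out, clock=time.time):
    """Write each Ethernet frame from the TZSP datagrams to pcap_out; yield SIP first lines."""
    pcap_out.write(PCAP_HEADER)
    for datagram in datagrams:
        encap, frame = parse_tzsp(datagram)
        if encap != ENCAP_ETHERNET:               # PCAP_HEADER declares Ethernet frames only
            continue
        sec, usec = divmod(int(clock() * 1_000_000), 1_000_000)
        pcap_out.write(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
        line = sip_first_line(frame)
        if line:
            yield line

def sample_datagram():                            # constructed test data, not a real capture
    sip = b"INVITE sip:bob@example.com SIP/2.0\r\nVia: SIP/2.0/UDP 10.0.0.5:5060\r\n\r\n"
    udp = struct.pack("!HHHH", 5060, 5060, 8 + len(sip), 0) + sip
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9])) + udp
    eth = bytes.fromhex("000c42000001000c420000020800") + ip   # dst MAC, src MAC, EtherType IPv4
    return struct.pack("!BBH", 1, 0, ENCAP_ETHERNET) + bytes([TAG_PADDING, TAG_END]) + eth
```

In practice, feed trace_sip with the payloads read from a UDP socket bound to port 37008 (the port the router streams to above) and open the resulting pcap in Wireshark, or use the yielded lines directly for a headless SIP trace.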

Conclusion

Packet sniffing and analysis are crucial for maintaining a healthy, secure network. By leveraging MikroTik's Sniffer tool and Wireshark's powerful analysis capabilities, network administrators can gain deep insights into network traffic, troubleshoot issues more effectively, and ensure optimal network performance. Whether you're performing a detailed SIP trace or monitoring network activity in real time, the combination of MikroTik and Wireshark provides a comprehensive toolkit for network diagnostics and troubleshooting.
