Sep 2, 2012 - Network administrators often use Protocol Sniffers to debug remote. How to configure WireShark to receive MikroTik RouterOS Sniffer Stream. Packet sniffer is a feature that catches all the data travelling over the network, that it is able to get (when using switched network, a computer may catch only the data addressed to it or is forwarded through it).
Besides doing capture on local interfaces Wireshark is capable of reaching outacross the network to a so called capture daemon or service processes to receivecaptured data from.
Microsoft Windows only |
---|
This dialog and capability is only available on Microsoft Windows. On Linux/Unixyou can achieve the same effect (securely) through an SSH tunnel.
|
The Remote Packet Capture Protocol service must first be running on thetarget platform before Wireshark can connect to it. The easiest way isto install Npcap from {npcap-download-url} on the target. Onceinstallation is completed go to the Services control panel, find theRemote Packet Capture Protocol service and start it.
Note |
---|
Make sure you have outside access to port 2002 on the target platform. This isthe port where the Remote Packet Capture Protocol service can be reached bydefault.
|
To access the Remote Capture Interfaces dialog use the “Add New Interfaces -Remote” dialog. See Figure 4.9, “The “Add New Interfaces - Remote Interfaces” dialog box” and select .
Figure 4.10. The “Remote Capture Interfaces” dialog box
You have to set the following parameters in this dialog:
- Host
- Enter the IP address or host name of the target platform where the Remote PacketCapture Protocol service is listening. The drop down list contains the hoststhat have previously been successfully contacted. The list can be emptied bychoosing “Clear list” from the drop down list.
- Port
- Set the port number where the Remote Packet Capture Protocol service islistening on. Leave open to use the default port (2002).
- Null authentication
- Select this if you don’t need authentication to take place for a remote captureto be started. This depends on the target platform. Configuring the targetplatform like this makes it insecure.
- Password authentication
- This is the normal way of connecting to a target platform. Set the credentialsneeded to connect to the Remote Packet Capture Protocol service.
The remote capture can be further fine tuned to match your situation. The button in Figure 4.4, “The “Edit Interface Settings” dialog box” givesyou this option. It pops up the dialog shown inFigure 4.11, “The “Remote Capture Settings” dialog box”.
![Mikrotik Packet Sniffer Wireshark Mikrotik Packet Sniffer Wireshark](http://h1x.com/jing/2010-05-25_0839.png)
Figure 4.11. The “Remote Capture Settings” dialog box
You can set the following parameters in this dialog:
- Do not capture own RPCAP traffic
-
This option sets a capture filter so that the traffic flowing back from theRemote Packet Capture Protocol service to Wireshark isn’t captured as well andalso send back. The recursion in this saturates the link with duplicate traffic.You only should switch this off when capturing on an interface other than theinterface connecting back to Wireshark.
- Use UDP for data transfer
- Remote capture control and data flows over a TCP connection. This option allowsyou to choose an UDP stream for data transfer.
- Sampling option None
- This option instructs the Remote Packet Capture Protocol service to send backall captured packets which have passed the capture filter. This is usually not aproblem on a remote capture session with sufficient bandwidth.
- Sampling option 1 of x packets
- This option limits the Remote Packet Capture Protocol service to send only a subsampling of the captured data, in terms of number of packets. This allowscapture over a narrow band remote capture session of a higher bandwidthinterface.
- Sampling option 1 every x milliseconds
- This option limits the Remote Packet Capture Protocol service to send only a subsampling of the captured data in terms of time. This allows capture over anarrow band capture session of a higher bandwidth interface.