Sniffing traffic on Mikrotik routers

Mikrotik routers are great hardware. With one you can mirror traffic that go thru on so you will be able to sniff trafic as you would being directly connected between target and router (or behind one)

#enable sniffing tool
/tool sniffer set streaming-enabled=yes streaming-server=ip.you.will.operate
/tool sniffer start

#enable sniffing tool

/tool sniffer set streaming-enabled=yes streaming-server=ip.you.will.operate

/tool sniffer start

This way you can run tool like wireshak on your computer (the ip you put as streaming-server) and look thru it.

Remamber that mirrored traffic will be transported as TZSP (udp port 37008)

Mikrotik – Send email with information about clients connecting to WiFi network

Mikrotik devices give a lot of configuration options to play with, and this post is one of those configuration which automatically register information about login/logouts in wifi network, and at daily basis send them to custom email address.

Let assume you have already configure email capability in mikrotik system.

Next we want to set topic of information we want to store to file (ex. wifi.log):

#winbox
system > logging > actions > add > wifilog, type:disk, filename: wifi.log
system > logging > rules > add > topics: wireless, info action: wifilog

#console
/system logging action add name=wifilog disk-file-name=wifi.log target=disk
/system logging add action=wifilog topics=wireless

#winbox

system > logging > actions > add > wifilog, type:disk, filename: wifi.log

system > logging > rules > add > topics: wireless, info action: wifilog

#console

/system logging action add name=wifilog disk-file-name=wifi.log target=disk

/system logging add action=wifilog topics=wireless

Next lets create script that will be backuping log file, send it to your email account, delete backup to free up some space and delete user that will do those things to not make it a easy target:

#winbox 
system > scripts > add > name: event_wifi

#console
/system script add name=event_wifi

#wklejamy zawartość skryptu:
/user group add name=wifi policy=ftp,read comment="wifi log"
/user add name=wifi group=wifi address=127.0.0.1 comment="wifi log" password=your_password disabled=no
/tool fetch address=127.0.0.1 mode=ftp user=wifi password=your_password src-path=wifi.log.0.txt dst-path=wifi34.txt
:delay 10
/tool e-mail send file=wifi.txt to="your_email@example.com" body="raport" subject=([/system identity get name] . " " . [/system clock get time] . " " . [/system clock get date] . " WiFi Log")
/file set wifi.log.0.txt contents=""
:delay 30
/file remove wifi.txt
/user remove "wifi"
/user group remove "wifi"

#winbox

system > scripts > add > name: event_wifi

#console

/system script add name=event_wifi

#wklejamy zawartość skryptu:

/user group add name=wifi policy=ftp,read comment="wifi log"

/user add name=wifi group=wifi address=127.0.0.1 comment="wifi log" password=your_password disabled=no

/tool fetch address=127.0.0.1 mode=ftp user=wifi password=your_password src-path=wifi.log.0.txt dst-path=wifi34.txt

:delay 10

/tool e-mail send file=wifi.txt to="your_email@example.com" body="raport" subject=([/system identity get name] . " " . [/system clock get time] . " " . [/system clock get date] . " WiFi Log")

/file set wifi.log.0.txt contents=""

:delay 30

/file remove wifi.txt

/user remove "wifi"

/user group remove "wifi"

Don’t forget to setup scheduler that will run our script on daily basis:

#winbox
system > scheduler > add > name: wifi interval: 24:00:00 on event: event_wifi

#console
/system scheduler add name=wifi interval=24:00:00 on-event=event_wifi

#winbox

system > scheduler > add > name: wifi interval: 24:00:00 on event: event_wifi

#console

/system scheduler add name=wifi interval=24:00:00 on-event=event_wifi

Mikrotik and Squid = Transparent Proxy

In business networks there is a big usage of transparent proxy also home networks can use it also.

Thanks to that kind of server we can monitoring a lot of meta data and value information from client network and also prevent a lot of virus infections.

Lets assume that our server (192.168.0.10) have Ubuntu or Debian operation system installed on it and the lan network is 192.168.0.0/24.

#install squid
apt-get install squid3

#lets make our own squid config file
mv /etc/squid3/squid.conf /etc/squid3/squid.conf.bak
vim /etc/squid3/squid.conf
###begging squid.conf ###
debug_options ALL,1
acl localnet src 192.168.0.0/24
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 192.168.0.10:8888
http_port 192.168.0.10:3128 intercept
coredump_dir /var/spool/squid3
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|?) 0     0%      0
refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
refresh_pattern .               0       20%     4320

cache_dir /data/cache 100 16 256
cache_log /var/log/squid3/cache.log
cache_mem 16 MB
cache_mgr webmaster
cache_replacement_policy lru
cache_store_log /var/log/squid3/store.log
cache_swap_high 95
cache_swap_low 90
client_lifetime 1 days
connect_timeout 2 minutes
error_directory /usr/share/squid3/errors/en
ftp_passive on
maximum_object_size 4096 KB
memory_replacement_policy lru
### end squid.conf ###
service squid

#install squid

apt-get install squid3

#lets make our own squid config file

mv /etc/squid3/squid.conf /etc/squid3/squid.conf.bak

vim /etc/squid3/squid.conf

###begging squid.conf ###

debug_options ALL,1

acl localnet src 192.168.0.0/24

acl SSL_ports port 443

acl Safe_ports port 80 # http

acl Safe_ports port 21 # ftp

acl Safe_ports port 443 # https

acl Safe_ports port 70 # gopher

acl Safe_ports port 210 # wais

acl Safe_ports port 1025-65535 # unregistered ports

acl Safe_ports port 280 # http-mgmt

acl Safe_ports port 488 # gss-http

acl Safe_ports port 591 # filemaker

acl Safe_ports port 777 # multiling http

acl CONNECT method CONNECT

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

http_access allow localhost manager

http_access deny manager

http_access allow localnet

http_access allow localhost

http_access deny all

http_port 192.168.0.10:8888

http_port 192.168.0.10:3128 intercept

coredump_dir /var/spool/squid3

refresh_pattern ^ftp: 1440 20% 10080

refresh_pattern ^gopher: 1440 0% 1440

refresh_pattern -i (/cgi-bin/|?) 0 0% 0

refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880

refresh_pattern . 0 20% 4320

cache_dir /data/cache 100 16 256

cache_log /var/log/squid3/cache.log

cache_mem 16 MB

cache_mgr webmaster

cache_replacement_policy lru

cache_store_log /var/log/squid3/store.log

cache_swap_high 95

cache_swap_low 90

client_lifetime 1 days

connect_timeout 2 minutes

error_directory /usr/share/squid3/errors/en

ftp_passive on

maximum_object_size 4096 KB

memory_replacement_policy lru

### end squid.conf ###

service squid

On server there is also software firewall (iptables) which we will use to forward connection using commands below:

iptables -t nat -A PREROUTING -s 192.168.0.10 -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -t mangle -A PREROUTING -p tcp --dport 3128 -j DROP

iptables -t nat -A PREROUTING -s 192.168.0.10 -p tcp --dport 80 -j ACCEPT

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3128

iptables -t nat -A POSTROUTING -j MASQUERADE

iptables -t mangle -A PREROUTING -p tcp --dport 3128 -j DROP

Next, on Mikrotik router we will add firewall rules to forward chosen clients (via list SQUID_CLIENTS) to server with squid proxy:

/ip firewall mangle
add chain=prerouting comment=squid dst-port=80 protocol=tcp src-address=192.168.0.10
add action=mark-routing chain=prerouting dst-port=80 in-interface=ether3 new-routing-mark=2 protocol=tcp src-address-list=SQUID_CLIENTS
add chain=prerouting routing-mark=2

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 src-address=192.168.0.0/24

/ip route
add distance=1 gateway=192.168.0.10 routing-mark=2

/ip firewall mangle

add chain=prerouting comment=squid dst-port=80 protocol=tcp src-address=192.168.0.10

add action=mark-routing chain=prerouting dst-port=80 in-interface=ether3 new-routing-mark=2 protocol=tcp src-address-list=SQUID_CLIENTS

add chain=prerouting routing-mark=2

/ip firewall nat

add action=masquerade chain=srcnat out-interface=ether1 src-address=192.168.0.0/24

/ip route

add distance=1 gateway=192.168.0.10 routing-mark=2

This way we finished configuration of proxy server which will capture web traffic and don’t need to be configure on client side.

November 2018
M	T	W	T	F	S	S
« Oct
			1	2	3	4
5	6	7	8	9	10	11
12	13	14	15	16	17	18
19	20	21	22	23	24	25
26	27	28	29	30