is there a way to get a tcpdump package onto mikrotik On Fri, Oct 9, 2015 at 1:00 PM, Forrest Christian (List Account) < [email protected]> wrote:
> If you can capture the traffic, you may find that it is legitimate > traffic for a misconfigured domain. I.e. some domain has their name > servers listed including that ip. A capture should show which domain the > query is for. > > I seem to recall the sniffer functionality in a mikrotik will either > decode this, or more likely save and/or stream it so that you can use > Wireshark on a PC to decode. > On Oct 9, 2015 9:12 AM, "That One Guy /sarcasm" <[email protected]> > wrote: > >> My policy on this interface is default deny, so it is dropping them, but >> its still going on to just the one IP out if the /28 subnet. I dont mind >> dropping them, its not noticable bandwidth, I just cant figure out why it >> is the traffic is focused there, I almost wonder if I ws to stick a DNS >> server on that IP if it would increase >> >> On Fri, Oct 9, 2015 at 8:08 AM, David <[email protected]> wrote: >> >>> DDOSDNS bot trying to find a live host for pushing responses. >>> >>> add rule >>> input udp dest-port 53 interface=to internet drop in your firewall >>> >>> hate those little bastards dont have anything else to do except do what >>> their programmed to do >>> >>> >>> >>> >>> >>> >>> On 10/08/2015 11:42 PM, That One Guy /sarcasm wrote: >>> >>> So I'm at home, turning up a subnet on a mikrotik on the network. Mind >>> you this subnet hasn't been in use in 6 months. This is for some servers so >>> I create a default deny policy with logging. One of the IPs is being >>> hammered on port 53 udp per the packet sniffer. The IP isn't live, its just >>> dropping because of the policy. Its not much bandwidth but as best I can >>> tell its constantl and different IPs. >>> >>> Is the packet sniffer on these things similar to tcpdump, the manual >>> page didn't seem so. All I can guess is these are part of something I'm not >>> related to and since this IP hasn't been live in 6 months its spoofed or >>> something and these are some sort of response packet to a denial of service >>> somewhere else. >>> but this subnet, not this particular IP, will house a couple DNS >>> servers, I just want to make sure theres no shenanigans going on before I >>> turn anything up >>> Without being at the office to wireshark this from a switch, how do I >>> get more out of this mikrotik packet sniffer >>> >>> -- >>> If you only see yourself as part of the team but you don't see your team >>> as part of yourself you have already failed as part of the team. >>> >>> >>> >> >> >> -- >> If you only see yourself as part of the team but you don't see your team >> as part of yourself you have already failed as part of the team. >> > -- If you only see yourself as part of the team but you don't see your team as part of yourself you have already failed as part of the team.
