You run the packet sniffer, save the file and open it with Wireshark.

bp
<part15sbs{at}gmail{dot}com>

On 10/9/2015 12:52 PM, That One Guy /sarcasm wrote:
Is there a way to get a tcpdump package onto MikroTik?

On Fri, Oct 9, 2015 at 1:00 PM, Forrest Christian (List Account) <[email protected] <mailto:[email protected]>> wrote:

    If you can capture the traffic, you may find that it is
    legitimate traffic for a misconfigured domain. I.e. some domain
    has its name servers listed, including that IP. A capture
    should show which domain the query is for.

    I seem to recall the sniffer functionality in a mikrotik will
    either decode this,  or more likely save and/or stream it so that
    you can use Wireshark on a PC to decode.

    On Oct 9, 2015 9:12 AM, "That One Guy /sarcasm"
    <[email protected] <mailto:[email protected]>> wrote:

        My policy on this interface is default deny, so it is dropping
        them, but it's still going on to just the one IP out of the /28
        subnet. I don't mind dropping them, it's not noticeable
        bandwidth, I just can't figure out why it is the traffic is
        focused there. I almost wonder if I was to stick a DNS server
        on that IP if it would increase

        On Fri, Oct 9, 2015 at 8:08 AM, David <[email protected]
        <mailto:[email protected]>> wrote:

            DDOSDNS bot trying to find a live host for pushing responses.

            Add rule
             input udp dest-port 53 interface=to internet drop in your
            firewall.

            Hate those little bastards, don't have anything else to do
            except do what they're programmed to do.

            On 10/08/2015 11:42 PM, That One Guy /sarcasm wrote:
            So I'm at home, turning up a subnet on a MikroTik on the
            network. Mind you this subnet hasn't been in use in 6
            months. This is for some servers, so I create a default
            deny policy with logging. One of the IPs is being
            hammered on port 53 UDP per the packet sniffer. The IP
            isn't live, it's just dropping because of the policy. It's
            not much bandwidth, but as best I can tell it's constant
            and from different IPs.

            Is the packet sniffer on these things similar to tcpdump?
            The manual page didn't seem so. All I can guess is these
            are part of something I'm not related to, and since this
            IP hasn't been live in 6 months it's spoofed or something
            and these are some sort of response packet to a denial of
            service somewhere else.
            But this subnet, not this particular IP, will house a
            couple DNS servers. I just want to make sure there's no
            shenanigans going on before I turn anything up.
            Without being at the office to Wireshark this from a
            switch, how do I get more out of this MikroTik packet sniffer?

-- If you only see yourself as part of the team but
            you don't see your team as part of yourself you
            have already failed as part of the team.

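The check the thread converges on (save the sniffer output as a pcap, then look at which name the UDP/53 packets ask for and whether they are queries or responses) can be done without Wireshark. The following is an added example, not code from the thread, from MikroTik or from any listed poster. It builds a small pcap in memory so it runs offline; the addresses (198.51.100.5 and the 203.0.113.0/24 and 192.0.2.0/24 sources) and the names example.net and example.org are assumptions, not from the original capture. For a real file, replace sample_capture() with the bytes of the pcap saved by the MikroTik sniffer. If nearly all packets are queries, some zone's NS records point at the address (Forrest's misconfigured-domain case, and the qname column says whose); if they are unsolicited responses, the address is being used as a spoofed source somewhere else and this is backscatter (David's case).

```python
"""Classify UDP/53 traffic in a pcap aimed at one destination address.

Added example, not code from the thread or from MikroTik. The pcap is constructed
in memory; TARGET, the source addresses and the names are assumptions.
"""
import socket
import struct
from collections import Counter

TARGET = "198.51.100.5"  # assumed: the not-yet-live address being hammered


def encode_qname(name):
    """Encode a dotted name as DNS length-prefixed labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"


def build_dns(txid, is_response, qname):
    """Minimal DNS message: header plus one A/IN question, no answer records."""
    flags = 0x8180 if is_response else 0x0100  # QR|RD|RA for a response, RD for a query
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + encode_qname(qname) + struct.pack("!HH", 1, 1)


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Ethernet + IPv4 + UDP around payload; checksums zeroed (fine for a parser test)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip)) + udp
    return b"\x00" * 12 + b"\x08\x00" + ip


def sample_capture():
    """Constructed pcap: three queries for example.net from different sources, plus one
    unsolicited response, which is what backscatter from a spoofed query looks like."""
    frames = [
        build_frame("203.0.113.10", TARGET, 41000, 53, build_dns(1, False, "example.net.")),
        build_frame("203.0.113.77", TARGET, 52100, 53, build_dns(2, False, "example.net.")),
        build_frame("192.0.2.200", TARGET, 33333, 53, build_dns(3, False, "example.net.")),
        build_frame("192.0.2.9", TARGET, 53, 53, build_dns(4, True, "example.org.")),
    ]
    pcap = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for i, f in enumerate(frames):
        pcap += struct.pack("<IIII", 1444000000 + i, 0, len(f), len(f)) + f
    return pcap


def iter_frames(pcap):
    """Yield raw frames from a little-endian classic pcap file."""
    if struct.unpack("<I", pcap[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian pcap file")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack("<IIII", pcap[off:off + 16])
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def read_qname(msg, off):
    """Decode the question name, following a compression pointer if one appears."""
    labels = []
    while True:
        n = msg[off]
        if n == 0:
            return ".".join(labels) + ".", off + 1
        if n & 0xC0 == 0xC0:
            tail, _ = read_qname(msg, struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF)
            return ".".join(labels + [tail.rstrip(".")]) + ".", off + 2
        labels.append(msg[off + 1:off + 1 + n].decode("ascii", "replace"))
        off += 1 + n


def parse_dns_frame(frame):
    """Return a record for Ethernet/IPv4/UDP frames touching port 53, else None."""
    if frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    if ip[9] != 17:  # protocol field: 17 = UDP
        return None
    ihl = (ip[0] & 0x0F) * 4
    sport, dport, ulen, _ = struct.unpack("!HHHH", ip[ihl:ihl + 8])
    if 53 not in (sport, dport):
        return None
    dns = ip[ihl + 8:ihl + ulen]
    if len(dns) < 12:
        return None
    _, flags, qdcount = struct.unpack("!HHH", dns[:6])
    qname = read_qname(dns, 12)[0] if qdcount else ""
    return {"src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
            "sport": sport, "dport": dport, "response": bool(flags & 0x8000), "qname": qname}


def summarise(pcap, target):
    """Count queries vs responses sent to target, distinct sources, and the names asked for."""
    recs = [r for r in map(parse_dns_frame, iter_frames(pcap)) if r and r["dst"] == target]
    return {
        "packets": len(recs),
        "queries": sum(1 for r in recs if not r["response"]),
        "responses": sum(1 for r in recs if r["response"]),
        "sources": len({r["src"] for r in recs}),
        "qnames": Counter(r["qname"] for r in recs),
    }


if __name__ == "__main__":
    s = summarise(sample_capture(), TARGET)
    print(s)
    if s["queries"] > s["responses"]:
        print("mostly queries: check whose NS records list", TARGET, s["qnames"].most_common(3))
    else:
        print("mostly responses: backscatter from queries spoofed with", TARGET, "as source")
```

Only the question section is decoded, which is all this triage needs; a real capture from a dead address should show either a single dominant qname (a zone delegated to you by mistake) or a stream of responses with varying qnames and high-numbered source ports that no query from this side ever caused.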