tools > sniffer
Josh Luthman Office: 937-552-2340 Direct: 937-552-2343 1100 Wayne St Suite 1337 Troy, OH 45373 On Fri, Oct 9, 2015 at 3:52 PM, That One Guy /sarcasm < thatoneguyst...@gmail.com> wrote: > is there a way to get a tcpdump package onto mikrotik > > On Fri, Oct 9, 2015 at 1:00 PM, Forrest Christian (List Account) < > li...@packetflux.com> wrote: > >> If you can capture the traffic, you may find that it is legitimate >> traffic for a misconfigured domain. I.e. some domain has their name >> servers listed including that ip. A capture should show which domain the >> query is for. >> >> I seem to recall the sniffer functionality in a mikrotik will either >> decode this, or more likely save and/or stream it so that you can use >> Wireshark on a PC to decode. >> On Oct 9, 2015 9:12 AM, "That One Guy /sarcasm" < >> thatoneguyst...@gmail.com> wrote: >> >>> My policy on this interface is default deny, so it is dropping them, but >>> its still going on to just the one IP out if the /28 subnet. I dont mind >>> dropping them, its not noticable bandwidth, I just cant figure out why it >>> is the traffic is focused there, I almost wonder if I ws to stick a DNS >>> server on that IP if it would increase >>> >>> On Fri, Oct 9, 2015 at 8:08 AM, David <dmilho...@wletc.com> wrote: >>> >>>> DDOSDNS bot trying to find a live host for pushing responses. >>>> >>>> add rule >>>> input udp dest-port 53 interface=to internet drop in your firewall >>>> >>>> hate those little bastards dont have anything else to do except do what >>>> their programmed to do >>>> >>>> >>>> >>>> >>>> >>>> >>>> On 10/08/2015 11:42 PM, That One Guy /sarcasm wrote: >>>> >>>> So I'm at home, turning up a subnet on a mikrotik on the network. Mind >>>> you this subnet hasn't been in use in 6 months. This is for some servers so >>>> I create a default deny policy with logging. One of the IPs is being >>>> hammered on port 53 udp per the packet sniffer. The IP isn't live, its just >>>> dropping because of the policy. Its not much bandwidth but as best I can >>>> tell its constantl and different IPs. >>>> >>>> Is the packet sniffer on these things similar to tcpdump, the manual >>>> page didn't seem so. All I can guess is these are part of something I'm not >>>> related to and since this IP hasn't been live in 6 months its spoofed or >>>> something and these are some sort of response packet to a denial of service >>>> somewhere else. >>>> but this subnet, not this particular IP, will house a couple DNS >>>> servers, I just want to make sure theres no shenanigans going on before I >>>> turn anything up >>>> Without being at the office to wireshark this from a switch, how do I >>>> get more out of this mikrotik packet sniffer >>>> >>>> -- >>>> If you only see yourself as part of the team but you don't see your >>>> team as part of yourself you have already failed as part of the team. >>>> >>>> >>>> >>> >>> >>> -- >>> If you only see yourself as part of the team but you don't see your team >>> as part of yourself you have already failed as part of the team. >>> >> > > > -- > If you only see yourself as part of the team but you don't see your team > as part of yourself you have already failed as part of the team. >
