Ask Your Question
0

Decoding a TZSP stream

asked 2020-09-09 15:00:16 +0000

p3r3gr1nus gravatar image

In the past, I used packet the sniffer on a Mikrotik Router and I was able to see on Wireshark the packets as sent by the devices connected on the Router. The sniffer sends a TZSP packet stream and the Wireshark was able to decode this stream and show the packets in the same way they transit in the router.

Recently (I have the latest FW of the RouterOS and the latest Wireshark), Wireshark shows the traffic sent by the router to my PC as TZSP packets with the Router IP address as souce IP and PC IP address as destination IP.

It looks like as Wireshark is not able to decode this traffic. It only shows the TZSP packets as are send by the router.

The same happens both streaming the TZSP than saving a file on the router and then opening this with wireshark.

I followed all the instructions provided here: https://wiki.mikrotik.com/wiki/Ethere...

I suppose there could be some option to enable the stream decoding.

Is there a way to fix this issue?

edit retag flag offensive close merge delete

Comments

What are your versions for RouterOS (MikroTik) and Wireshark?
Tested here with Wireshark 3.2.6 and the decode works great.

Frame 4: 301 bytes on wire (2408 bits), 301 bytes captured (2408 bits) on interface \Device\NPF_xxxxx
Ethernet II, Src: Routerbo_xx:xx:xx (4c:5e:0c:xx:xx:xx), Dst: Dell_xx:xx:xx (ec:f4:bb:xx:xx:xx)
Internet Protocol Version 4, Src: 192.168.10.111, Dst: 192.168.10.250
User Datagram Protocol, Src Port: 44400, Dst Port: 37008
TZSP: Ethernet 
Ethernet II, Src: xxxxxxx_xx:xx:xx (xx:xx:xx:xx:xx:xx), Dst: Routerbo_xx:xx:xx (4c:5e:0c:xx:xx:xx)
Internet Protocol Version 4, Src: 208.xx.xx.xx, Dst: 68.xx.xx.xx
Transmission Control Protocol, Src Port: 80, Dst Port: 47154, Seq: 2457, Ack: 1, Len: 188
Chuckc gravatar imageChuckc ( 2020-09-09 16:20:26 +0000 )edit

Have you verified that TZSP UDP port is set to 37008 and that is that port being streamed to?

Edit->Preferences...->Advanced : Search: tzsp
Edit->Preferences...->Protocols->TZSP
Chuckc gravatar imageChuckc ( 2020-09-09 16:39:22 +0000 )edit

Can you post a sample capture file?

cmaynard gravatar imagecmaynard ( 2020-09-09 16:43:07 +0000 )edit

Thank you all. I am working with Mikrotik 6.47.3 and Wireshark 3.2.6. I have verified the port 37008 (which is set in wireshark capture filter). Here a capture example: 192.168.0.21 is my PC. 192.168.0.240 is the router streaming the TZSP packets.

p3r3gr1nus gravatar imagep3r3gr1nus ( 2020-09-10 14:10:45 +0000 )edit

Can you make another capture without the capture filter? The packets are fragmented at the IP level.

Chuckc gravatar imageChuckc ( 2020-09-10 15:32:41 +0000 )edit
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2020-09-09 17:23:48 +0000

Chuckc gravatar image

Ha! (not an answer) It still looks at the default port even when preference is set to different port.
image description

edit flag offensive delete link more

Comments

Thank you Chickc.I only see the udp 37008

p3r3gr1nus gravatar imagep3r3gr1nus ( 2020-09-10 14:19:49 +0000 )edit

Screenshot from: View->Internals->Dissector Tables

Chuckc gravatar imageChuckc ( 2020-09-10 15:34:22 +0000 )edit

This is a capture I made saving the file on the Router (not streaming to wireshark). Same problem.

p3r3gr1nus gravatar imagep3r3gr1nus ( 2020-09-10 15:54:42 +0000 )edit

It's a circular capture. You're getting the streamed captures packets coming back into the capture which get streamed again which get captured then streamed ......
Can you configure the capture on the MikroTik to exclude the interface that the capture stream exits on or exclude UDP port 37008?

Chuckc gravatar imageChuckc ( 2020-09-10 16:18:51 +0000 )edit

Thank you very much Chuck, you are right. If I exclude the port 37008 or if I filter by interface I am able to get the packet capture. Now I have another problem since I don't see an UDP stream which I am sure is trasmitted/received by selected interface, but this is another problem, I will investigate. Thank you very much for the support.

p3r3gr1nus gravatar imagep3r3gr1nus ( 2020-09-11 08:13:44 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

2 followers

subscribe to rss feed

Stats

Asked: 2020-09-09 15:00:16 +0000

Seen: 323,864 times

Last updated: Sep 09 '20

Related questions

Capture incoming packets from remote web server

How to set packet metadata in realtime?

Monitor device

Why would I be getting "LEN 1 (Malformed Packet)"... "(Malformed Packet: RTCP)" on UDP Packets

What is wrong with my internets?!

How do I dissect multiple packets?

How do I get relative ack number greater than sequence number?

How do I use the fragment_add_seq_check function in UDP packet reassembly?

Is it possible to use reassembly on non-split packets?

How do I dissect packets if the dissection depends on information from earlier packets?