Ask Your Question

Packet sniff noise

asked 2019-04-17 08:42:42 +0000

Kai Hendry gravatar image

Hi there!

I'm looking to update

and I'm up and running here:

But there are lots of spurious entries like:

  • Code: 3 (Port unreachable)
  • [TCP Dup ACK 114#1]
  • [TCP Out-Of-Order]

Is it a misconfiguration as to how I packet sniff with my Mikrotik? Am I missing a filter?

Many thanks,

edit retag flag offensive close merge delete

2 Answers

Sort by » oldest newest most voted

answered 2019-04-17 16:41:00 +0000

sindy gravatar image

updated 2019-04-17 16:42:12 +0000

It is rather a question for the Mikrotik forum, however the answer is that you haven't chosen a particular interface to sniff at, so the Mikrotik sniffs at all of them. And as each packet captured on the /interface wireless is encapsulated into TZSP and sent out via one /interface ethernet to the internet and possibly via another /interface ethernet to your PC running Wireshark, I'm actually surprised that you don't have even more mess there, so I suspect Mikrotik doesn't copy packets which already have a TZSP header in them to the TZSP destination again (and again, and again...)

So to me, the Mikrotik receives a frame at the /interface wireless, the sniffer copies it to your PC with a TZSP header added, sends it out the uplink to the internet, and the sniffer sees it on the uplink interface again and so it copies it to your PC again.

On top of that, as you sniff not only on the /interface wireless and the uplink but also on the interface to which your PC is connected (or the same interface is used for uplink and for connection of your PC, I don't know your particular setup) and as no application at your PC listens at the TZSP port, the PC's network stack sends the ICMP destination unreachable to the Mikrotik.

So try to set the sniffing filter to wlan1 or what is the name of the /interface wireless you use and try again.

edit flag offensive delete link more


Thank you for your replies. I asked the Mikrotik community here:

This prompted me to try MacOS and bizarrely, though wired to the network in exactly the same way in my LAN, I don't see these Code: 3 (Port unreachable) errors on the MBP!

Some one on the Mikrotik forum (linked above) suggests "udp port 37008" as a interface filter (instead of tzsp), but on both OSes when I try follow the stream I get "bytes missing in capture file". What's up with that?!!?!

So now I'm of the opinion that I should filter out these "Port unreachable" messages on Arch and move on with my life.

However what I find very frustrating with Wireshark is that I can't seem to setup tzsp as an interface filter. So when I follow a stream, it's an utter pain to clear back ...(more)

Kai Hendry gravatar imageKai Hendry ( 2019-04-19 09:19:52 +0000 )edit

you could filter on tzsp after capturing both, and then "export specified packets" to a new pcapng file and open that to work on just the tzsp packets.

Jasper gravatar imageJasper ( 2019-04-21 10:11:52 +0000 )edit

udp port 37008 is a capture filter, which tells the sniffing engine (WinPcap/npcap) which packets out of those seen on the wire to forward to Wireshark during capture; tzsp is a display filter which tells Wireshark which packets found in the capture file (or memory buffer during live capture) to show on the screen. The two are to be set in different fields of the GUI.

But the icmp complaints come back to Mikrotik which encapsulates them into TZSP (because you sniff on the interface through which you send the TZSP-encapsulated copies of sniffed packets to the Wireshark machine) and sends them back to you, so even by using a capture filter udp port 37008 you won't get rid of them unless you stop sniffing on that interface.

sindy gravatar imagesindy ( 2019-04-22 19:30:08 +0000 )edit

answered 2019-04-17 11:29:40 +0000

Jasper gravatar image

That looks like a misconfiguration - that many errors are highly unlikely and are usually a result of an improper capture setup. I'm guessing you captured duplicates of packets which is why you get so many warnings. It's better to capture with a device that isn't part of the active communication, and simply recording what others do. That way no duplicates should happen.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools



Asked: 2019-04-17 08:42:42 +0000

Seen: 1,888 times

Last updated: Apr 19 '19