
Packet sniff noise

asked 2019-04-17 08:42:42 +0000

Hi there!

I'm looking to update

and I'm up and running here:

But there are lots of spurious entries like:

  • Code: 3 (Port unreachable)
  • [TCP Dup ACK 114#1]
  • [TCP Out-Of-Order]

Is it a misconfiguration as to how I packet sniff with my Mikrotik? Am I missing a filter?

Many thanks,


2 Answers


answered 2019-04-17 16:41:00 +0000

sindy

updated 2019-04-17 16:42:12 +0000

It is rather a question for the Mikrotik forum, however the answer is that you haven't chosen a particular interface to sniff at, so the Mikrotik sniffs at all of them. And as each packet captured on the /interface wireless is encapsulated into TZSP and sent out via one /interface ethernet to the internet and possibly via another /interface ethernet to your PC running Wireshark, I'm actually surprised that you don't have even more mess there, so I suspect Mikrotik doesn't copy packets which already have a TZSP header in them to the TZSP destination again (and again, and again...)

So to me, the Mikrotik receives a frame at the /interface wireless, the sniffer copies it to your PC with a TZSP header added, sends it out the uplink to the internet, and the sniffer sees it on the uplink interface again and so it copies it to your PC again.

On top of that, as you sniff not only on the /interface wireless and the uplink but also on the interface to which your PC is connected (or the same interface is used for uplink and for connection of your PC, I don't know your particular setup) and as no application at your PC listens at the TZSP port, the PC's network stack sends the ICMP destination unreachable to the Mikrotik.

So try to set the sniffing filter to wlan1, or whatever the name of the /interface wireless you use is, and try again.

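To confirm that the noise comes from the capture setup described in the answer above, the following added example (not code from the answer, Wireshark or Mikrotik) labels packets as routed duplicates or as ICMP port-unreachable replies to the TZSP stream. It assumes the input is IPv4 packets with the TZSP encapsulation already stripped, that the stream uses the default TZSP UDP port 37008, and that no NAT rewrites the copy seen on the uplink; all addresses and packets are constructed.

```python
import hashlib
import struct
from socket import inet_aton

TZSP_PORT = 37008  # assumption: the stream uses the default TZSP UDP port

def ipv4(src, dst, proto, payload, ttl=64, ident=0):
    """Build a minimal IPv4 packet; checksums stay 0 because nothing below reads them."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0, ttl,
                       proto, 0, inet_aton(src), inet_aton(dst)) + payload

def udp(sport, dport, data=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def dup_key(pkt):
    """Identity that survives a routed hop: skips TTL and header checksum."""
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[4:6], pkt[9], pkt[12:20], hashlib.sha256(pkt[ihl:]).digest()

def is_tzsp_unreachable(pkt):
    """ICMP type 3 code 3 that quotes a UDP datagram sent to the TZSP port."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1 or pkt[ihl:ihl + 2] != b"\x03\x03":
        return False
    quoted = pkt[ihl + 8:]  # offending IP header plus first 8 bytes of its payload
    qihl = (quoted[0] & 0x0F) * 4 if quoted else 0
    if len(quoted) < qihl + 4 or qihl < 20 or quoted[9] != 17:
        return False
    return struct.unpack("!H", quoted[qihl + 2:qihl + 4])[0] == TZSP_PORT

def classify(packets):
    """Label each decapsulated IPv4 packet as unique, duplicate or tzsp-unreachable."""
    seen, labels = set(), []
    for pkt in packets:
        key = dup_key(pkt)
        if is_tzsp_unreachable(pkt):
            labels.append("tzsp-unreachable")
        else:
            labels.append("duplicate" if key in seen else "unique")
        seen.add(key)
    return labels

# Constructed sample: a client packet seen on wlan1, the same packet seen again on
# the uplink after routing (TTL - 1), and the PC's ICMP reply to the TZSP stream.
query = udp(40000, 53, b"query")
stream = ipv4("192.0.2.1", "192.0.2.20", 17, udp(50000, TZSP_PORT, b"tzsp"))
SAMPLE = [ipv4("192.0.2.10", "198.51.100.5", 17, query, ttl=64, ident=7),
          ipv4("192.0.2.10", "198.51.100.5", 17, query, ttl=63, ident=7),
          ipv4("192.0.2.20", "192.0.2.1", 1, b"\x03\x03" + bytes(6) + stream[:28])]
```

If most "duplicate" labels disappear once the sniffer is limited to one interface, the Dup ACK and Out-Of-Order flags were artifacts of the capture point rather than real retransmissions.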

answered 2019-04-17 11:29:40 +0000

Jasper

That looks like a misconfiguration - that many errors are highly unlikely and are usually a result of an improper capture setup. I'm guessing you captured duplicates of packets, which is why you get so many warnings. It's better to capture with a device that isn't part of the active communication and simply records what others do. That way no duplicates should happen.

