RouterOS Packet Sniffer: Capturing Traffic for Troubleshooting
| Configuration Guide | md-xzlv |
|---|---|
| Date | March 2026 |
| RouterOS Version | 7.x |
| Package Required | None (built-in) |
| Prerequisites | Basic RouterOS CLI knowledge; Wireshark installed on workstation for pcap analysis |
Overview
The RouterOS packet sniffer (/tool sniffer) captures live traffic on one or more interfaces for troubleshooting connectivity issues, inspecting protocol behavior, and identifying unexpected traffic sources. Captured packets can be:
- Saved to a .pcap file on the router for later analysis in Wireshark
- Streamed in real time to a remote Wireshark host via TZSP (TaZmen Sniffer Protocol)
- Inspected inline using quick mode for immediate host visibility
Typical use cases:
- Diagnosing where a packet is dropped or modified in the forwarding path
- Detecting rogue DHCP servers on a LAN segment
- Verifying DNS queries and responses are flowing correctly
- Capturing a specific application flow (HTTP, HTTPS, VoIP) for analysis
- Confirming traffic arrives on the expected interface
Capture Modes
RouterOS provides two capture modes:
| Mode | Description |
|---|---|
| File capture | Records packets to a .pcap file on the router filesystem |
| TZSP streaming | Streams packets live to a remote Wireshark host over UDP |
Both modes support the same filter set and can run simultaneously.
File Capture
Basic File Capture
Configure the sniffer to write captured packets to a file, then start and stop it:
```routeros
/tool sniffer set file-name=capture.pcap file-limit=10240
/tool sniffer start
# ... wait for traffic ...
/tool sniffer stop
```
file-limit is the maximum capture file size in KiB. The sniffer stops automatically when this limit is reached.
Capture on a Specific Interface
```routeros
/tool sniffer set filter-interface=ether1 file-name=ether1-capture.pcap
/tool sniffer start
/tool sniffer stop
```
Leave filter-interface unset (or set to all) to capture on all interfaces simultaneously.
Download the Capture File
After stopping the sniffer, download the .pcap file from the router:
```shell
# From your workstation (using scp)
```
Then open it in Wireshark:
```shell
wireshark capture.pcap
```
TZSP Live Streaming to Wireshark
Stream packets in real time without saving to the router filesystem. This is useful when storage is limited or you want immediate live analysis.
Configure Streaming Target
```routeros
/tool sniffer set \
    streaming-enabled=yes \
    streaming-server=192.168.88.10:37008
/tool sniffer start
```
Replace 192.168.88.10:37008 with the IP address and port of your Wireshark workstation. RouterOS does not have a separate streaming-port parameter — the port is embedded in the streaming-server address after a colon. The default TZSP port is 37008.
Wireshark Setup for TZSP
- Open Wireshark on the receiving workstation.
- Start a capture on the interface facing the router.
- Wireshark auto-decodes TZSP-encapsulated frames and displays the inner packets directly.
Note: If Wireshark does not decode TZSP automatically, apply the display filter tzsp to confirm packets are arriving, then check Analyze > Decode As and add a UDP port 37008 → TZSP mapping.
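When Wireshark is not at hand, or you want to confirm that the datagrams reaching UDP 37008 really are well-formed TZSP before blaming the decoder, a small receiver is enough. The following is an added example, not RouterOS or Wireshark code: it implements the TZSP framing the sniffer uses (4-byte header of version, type and encapsulation, a tag list terminated by the END tag, then the captured Ethernet frame) and prints a one-line summary of each inner frame. The sample datagram, its MAC addresses, IPs and ports are constructed for the demonstration; the bind address and port default to the values the guide uses.

```python
import socket
import struct

# Added example, not RouterOS or Wireshark code: decodes the TZSP datagrams the
# sniffer emits with streaming-enabled=yes so you can check what arrives on
# UDP 37008 without Wireshark. The sample datagram below is constructed.
TZSP_VERSION = 1
TZSP_TYPE_RECEIVED = 0        # "received tag list": a sniffed packet
TZSP_ENCAP_ETHERNET = 1
TZSP_TAG_PADDING = 0x00       # single byte, no length field
TZSP_TAG_END = 0x01           # single byte, no length field; encapsulated frame follows


def parse_tzsp(datagram: bytes) -> dict:
    """Split a TZSP datagram into header fields, a tag dictionary and the inner frame."""
    if len(datagram) < 4:
        raise ValueError("datagram shorter than the 4-byte TZSP header")
    version, kind, encap = struct.unpack("!BBH", datagram[:4])
    if version != TZSP_VERSION:
        raise ValueError(f"unsupported TZSP version {version}")
    tags, pos = {}, 4
    while True:                                   # tag list runs until TZSP_TAG_END
        if pos >= len(datagram):
            raise ValueError("truncated datagram: no END tag")
        tag = datagram[pos]
        pos += 1
        if tag == TZSP_TAG_PADDING:
            continue
        if tag == TZSP_TAG_END:
            break
        if pos >= len(datagram) or pos + 1 + datagram[pos] > len(datagram):
            raise ValueError("truncated tag")
        length = datagram[pos]                    # other tags: 1-byte length, then value
        tags[tag] = datagram[pos + 1:pos + 1 + length]
        pos += 1 + length
    return {"type": kind, "encapsulation": encap, "tags": tags, "frame": datagram[pos:]}


def summarize_frame(frame: bytes) -> dict:
    """MACs and EtherType of an Ethernet frame plus, for IPv4, addresses, protocol and ports."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    info = {"dst_mac": frame[:6].hex(":"), "src_mac": frame[6:12].hex(":"),
            "ethertype": struct.unpack("!H", frame[12:14])[0]}
    if info["ethertype"] == 0x0800 and len(frame) >= 34:
        info["src_ip"] = ".".join(str(b) for b in frame[26:30])
        info["dst_ip"] = ".".join(str(b) for b in frame[30:34])
        info["ip_protocol"] = frame[23]
        l4 = frame[14 + (frame[14] & 0x0F) * 4:]  # skip the IPv4 header (IHL)
        if info["ip_protocol"] in (6, 17) and len(l4) >= 4:
            info["src_port"], info["dst_port"] = struct.unpack("!HH", l4[:4])
    return info


def build_sample_datagram() -> bytes:
    """Constructed TZSP datagram carrying an IPv4/UDP packet to port 53; addresses are made up."""
    eth = bytes.fromhex("dc2c6e112233") + bytes.fromhex("aabbccddeeff") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 1, 0, 64, 17, 0,
                     bytes([192, 168, 88, 10]), bytes([8, 8, 8, 8]))
    udp = struct.pack("!HHHH", 51234, 53, 8, 0)
    header = struct.pack("!BBH", TZSP_VERSION, TZSP_TYPE_RECEIVED, TZSP_ENCAP_ETHERNET)
    return header + bytes([TZSP_TAG_PADDING, TZSP_TAG_END]) + eth + ip + udp


def receive_loop(bind_addr: str = "0.0.0.0", port: int = 37008) -> None:
    """Listen for the router's TZSP stream and print one summary per packet (Ctrl-C to stop)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        while True:
            datagram, (src, _) = sock.recvfrom(65535)
            try:
                pkt = parse_tzsp(datagram)
                if pkt["encapsulation"] != TZSP_ENCAP_ETHERNET:
                    print(f"{src}: encapsulation {pkt['encapsulation']} not decoded")
                    continue
                print(src, summarize_frame(pkt["frame"]))
            except ValueError as exc:
                print(f"{src}: bad TZSP datagram ({exc})")


if __name__ == "__main__":
    print(summarize_frame(parse_tzsp(build_sample_datagram())["frame"]))  # offline self-check
    receive_loop()
```

Run it on the workstation named in streaming-server before starting the sniffer. If nothing prints, the datagrams are not reaching the host (wrong streaming-server address or a host firewall); if lines print but Wireshark still shows raw UDP, the Decode As mapping is what is missing. Remember that with filter-stream=no the router's own TZSP traffic can show up in the stream as well.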
Filters
All filters are set via /tool sniffer set before starting the capture. Multiple values are comma-separated; up to 16 entries per filter. Prepend ! to negate a filter.
Interface Filter
```routeros
/tool sniffer set filter-interface=ether1
```
IP Address Filters
```routeros
# Capture traffic to or from a host or subnet
/tool sniffer set filter-ip-address=192.168.88.0/24

# Source only
/tool sniffer set filter-src-ip-address=192.168.88.10/32

# Destination only
/tool sniffer set filter-dst-ip-address=8.8.8.8/32

# Multiple entries
/tool sniffer set filter-ip-address=192.168.1.0/24,10.0.0.0/8
```
Port Filters
```routeros
# Capture DNS traffic
/tool sniffer set filter-port=53

# Capture HTTP and HTTPS
/tool sniffer set filter-port=80,443

# Exclude SSH from capture
/tool sniffer set filter-port=!22

# Source and destination port variants
/tool sniffer set filter-src-port=12345
/tool sniffer set filter-dst-port=https
```
MAC Address Filters
```routeros
# Match every host with a given OUI (first 3 octets), using a mask on the address
/tool sniffer set filter-mac-address=DC:2C:6E:00:00:00/FF:FF:FF:00:00:00

# Source MAC only (full mask matches one specific host)
/tool sniffer set filter-src-mac-address=AA:BB:CC:DD:EE:FF/FF:FF:FF:FF:FF:FF

# Broadcast traffic only
/tool sniffer set filter-dst-mac-address=FF:FF:FF:FF:FF:FF/FF:FF:FF:FF:FF:FF
```
Protocol Filters
```routeros
# TCP only
/tool sniffer set filter-ip-protocol=tcp

# UDP and ICMP
/tool sniffer set filter-ip-protocol=udp,icmp

# Everything except ICMP
/tool sniffer set filter-ip-protocol=!icmp
```
Supported protocols include: tcp, udp, icmp, gre, esp, ah, sctp.
Exclude Streaming Traffic
When using TZSP streaming, prevent the sniffer from capturing its own TZSP packets in the stream:
```routeros
/tool sniffer set filter-stream=yes
```
Combining Filters
All active filters apply with AND logic — a packet must match every configured filter to be captured:
```routeros
/tool sniffer set \
    filter-interface=ether1 \
    filter-ip-protocol=udp \
    filter-port=53 \
    file-name=dns-capture.pcap
/tool sniffer start
```
Quick Host Inspection
While a capture is running, view a live summary of hosts seen in the traffic:
```routeros
/tool sniffer host print
```
This shows source and destination addresses observed since the sniffer started — useful for quickly identifying unexpected talkers without opening a pcap file.
Complete Worked Examples
Capture All Traffic on WAN Interface
```routeros
/tool sniffer set \
    filter-interface=ether1 \
    file-name=wan-capture.pcap \
    file-limit=20480
/tool sniffer start
# Reproduce the issue, then:
/tool sniffer stop
```
Capture DNS Traffic (Verify Queries Leaving the Router)
```routeros
/tool sniffer set \
    filter-interface=ether1 \
    filter-ip-protocol=udp \
    filter-port=53 \
    file-name=dns-check.pcap
/tool sniffer start
/tool sniffer stop
```
Open dns-check.pcap in Wireshark and verify that both outbound queries (from router to resolver) and inbound replies appear. If only queries appear, the resolver is not responding.
Capture DHCP Traffic (Rogue DHCP Investigation)
```routeros
/tool sniffer set \
    filter-interface=bridge-lan \
    filter-ip-protocol=udp \
    filter-port=67,68 \
    file-name=dhcp-capture.pcap
/tool sniffer start
# Trigger a DHCP request from a client, then:
/tool sniffer stop
```
In Wireshark, filter by dhcp (bootp in Wireshark releases older than 3.0). Multiple DHCP Offer packets from different source MACs indicate a rogue server.
Alternative: RouterOS has a dedicated rogue DHCP detection mechanism at /ip dhcp-server alert that monitors DHCP replies and alerts on unknown servers without requiring manual pcap analysis.
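Both pcap checks above (did the resolver answer, and who is handing out DHCP Offers) can be scripted for captures downloaded from the router, which is handy when the same question has to be asked on many routers or on a schedule. The block below is an added example, not RouterOS or Wireshark code: a minimal reader for classic libpcap files (it assumes the router writes that format and raises on anything else, such as pcapng) with two checks on top, a DNS query/response count by the QR bit and a DHCP Offer extractor keyed by source MAC and server identifier (option 54). The set of authorized DHCP servers is something the operator supplies; the sample capture, its MACs and its addresses are constructed in code.

```python
import struct

# Added example, not RouterOS or Wireshark code: minimal libpcap reader plus two
# checks on a downloaded capture. The sample capture built at the bottom is
# constructed; every MAC and IP in it is made up for the demonstration.
PCAP_MAGICS = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">", 0xA1B23C4D: "<"}  # usec LE, usec BE, nsec LE
LINKTYPE_ETHERNET = 1
DHCP_MAGIC_COOKIE = bytes([99, 130, 83, 99])


def dotted(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def iter_pcap_frames(data: bytes):
    """Yield the captured bytes of every record in a classic .pcap file."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic not in PCAP_MAGICS:
        raise ValueError("not a libpcap file (pcapng is not handled here)")
    end = PCAP_MAGICS[magic]
    if struct.unpack(end + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type is handled")
    pos = 24
    while pos + 16 <= len(data):
        incl_len = struct.unpack(end + "IIII", data[pos:pos + 16])[2]
        yield data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len


def udp_tuple(frame: bytes):
    """(src_mac, src_ip, sport, dport, payload) for an IPv4/UDP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
        return None
    l4 = frame[14 + (frame[14] & 0x0F) * 4:]          # skip the IPv4 header (IHL)
    sport, dport = struct.unpack("!HH", l4[:4])
    return frame[6:12].hex(":"), dotted(frame[26:30]), sport, dport, l4[8:]


def dns_counts(pcap: bytes) -> dict:
    """Queries vs. responses on UDP/53 by the QR bit; zero responses means the resolver is silent."""
    counts = {"queries": 0, "responses": 0}
    for frame in iter_pcap_frames(pcap):
        hit = udp_tuple(frame)
        if hit is not None and 53 in (hit[2], hit[3]) and len(hit[4]) >= 12:
            counts["responses" if hit[4][2] & 0x80 else "queries"] += 1
    return counts


def parse_dhcp_options(data: bytes) -> dict:
    opts, pos = {}, 0
    while pos < len(data) and data[pos] != 255:        # 255 = end option
        if data[pos] == 0:                             # 0 = pad, no length byte
            pos += 1
            continue
        length = data[pos + 1] if pos + 1 < len(data) else 0
        opts[data[pos]] = data[pos + 2:pos + 2 + length]
        pos += 2 + length
    return opts


def dhcp_offers(pcap: bytes) -> list:
    """(source MAC, server identifier) for every DHCP Offer in the capture."""
    found = []
    for frame in iter_pcap_frames(pcap):
        hit = udp_tuple(frame)
        if hit is None or (hit[2], hit[3]) != (67, 68):
            continue
        src_mac, src_ip, _, _, bootp = hit
        if len(bootp) < 240 or bootp[0] != 2 or bootp[236:240] != DHCP_MAGIC_COOKIE:
            continue                                   # op 2 = BOOTREPLY, then magic cookie
        opts = parse_dhcp_options(bootp[240:])
        if opts.get(53) == b"\x02":                    # message type 2 = DHCPOFFER
            found.append((src_mac, dotted(opts[54]) if 54 in opts else src_ip))
    return found


def find_rogue_dhcp_servers(pcap: bytes, authorized: set) -> list:
    """Offers whose server identifier is not in the operator-supplied authorized set."""
    return sorted({(mac, ip) for mac, ip in dhcp_offers(pcap) if ip not in authorized})


def _udp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, src_ip, dst_ip)
    return dst_mac + src_mac + b"\x08\x00" + ip + udp


def _dhcp_offer(src_mac, server_ip, offered_ip, client_mac):
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x3903F326, 0, 0x8000,
                        b"", offered_ip, server_ip, b"", client_mac, b"", b"")  # struct zero-pads
    opts = DHCP_MAGIC_COOKIE + bytes([53, 1, 2, 54, 4]) + server_ip + bytes([255])
    return _udp_frame(src_mac, client_mac, server_ip, offered_ip, 67, 68, bootp + opts)


def build_sample_pcap() -> bytes:
    """Constructed capture: one DNS exchange, one Offer from the router, one from a rogue host."""
    router, client, rogue = bytes.fromhex("dc2c6e112233"), bytes.fromhex("001122334455"), bytes.fromhex("aabbccddeeff")
    resolver, wan, upstream = bytes.fromhex("00c0ffee0001"), bytes([203, 0, 113, 5]), bytes([8, 8, 8, 8])
    query = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07example\x03com\x00\x00\x01\x00\x01"
    frames = [
        _udp_frame(router, resolver, wan, upstream, 51234, 53, query),
        _udp_frame(resolver, router, upstream, wan, 53, 51234, b"\x12\x34\x81\x80" + query[4:]),
        _dhcp_offer(router, bytes([192, 168, 88, 1]), bytes([192, 168, 88, 50]), client),
        _dhcp_offer(rogue, bytes([192, 168, 88, 250]), bytes([10, 0, 0, 50]), client),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out
```

Typical use is `data = open("dhcp-capture.pcap", "rb").read()` followed by `find_rogue_dhcp_servers(data, {"192.168.88.1"})` with your own server's address in the set; an empty list means every Offer came from an authorized server identifier, and `dns_counts(data)["responses"] == 0` is the scripted form of "only queries appear". If the router produces a pcapng file, export it from Wireshark as classic pcap first.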
Stream HTTPS Flow to Wireshark Live
```routeros
/tool sniffer set \
    filter-interface=ether1 \
    filter-ip-protocol=tcp \
    filter-port=443 \
    streaming-enabled=yes \
    streaming-server=192.168.88.10:37008 \
    filter-stream=yes
/tool sniffer start
```
Start Wireshark on 192.168.88.10 before running the command above.
Verification
Confirm the sniffer is running and check current settings:
```routeros
/tool sniffer print
```
Expected output shows running: yes with the active filter and file/streaming settings.
Check captured host activity:
```routeros
/tool sniffer host print
```
Verify the pcap file was created on the router:
```routeros
/file print where name~"capture"
```
Troubleshooting
Sniffer starts but pcap file is empty
- Confirm traffic is actually present on the selected interface: check /interface monitor-traffic <interface> for activity.
- Verify filters are not too restrictive — temporarily remove all filters and retry.
- Check available disk space (/system resource print shows free-hdd-space) and the existing files with /file print; if storage is full, the file will not grow.
TZSP stream arrives but Wireshark shows raw UDP, not decoded frames
- In Wireshark, go to Analyze > Decode As and add a rule for UDP port 37008 → TZSP.
- Confirm the streaming-server IP matches the Wireshark host IP exactly (not a different interface).
- Ensure no firewall on the workstation is blocking UDP 37008.
Capture file is very large very quickly
- Add a tighter filter (filter-ip-address, filter-port, or filter-ip-protocol) to reduce captured volume.
- Lower file-limit to cap the size; the sniffer stops automatically at the limit.
- Use TZSP streaming instead of file capture when disk space is constrained.
Sniffer misses traffic on bridge interfaces
- Capture on the bridge master interface (e.g., bridge-lan) rather than individual bridge ports — the sniffer sees frames at the bridge level.
- On switch-offloaded bridges (CRS switches), some frames may be forwarded in hardware and bypass the CPU; consider temporarily disabling hardware offload for diagnostic purposes.
/tool sniffer host print shows no entries
- The host table populates only while the sniffer is actively running — confirm with /tool sniffer print that running: yes.
- Host entries are reset each time the sniffer is started; let it run for at least 10–15 seconds before printing.
See Also
- RouterOS Traffic Flow / NetFlow / IPFIX — export flow data to external collectors without capturing full packets
- RouterOS Graphing — bandwidth usage graphs per interface over time
- RouterOS Logging — system and firewall event logging
- RouterOS Firewall Connection State Guide — understand connection tracking alongside captures