Packet Sniffer
The RouterOS Packet Sniffer captures full packet payloads on one or more interfaces. Unlike Torch, which shows traffic metadata in real time, the sniffer records actual packet contents for protocol-level inspection.
Captured packets can be:
- Saved to a .pcap file on the router for later download and analysis in Wireshark or tcpdump
- Streamed live over the network to Wireshark using the TZSP protocol
Basic Usage
Configure, start, and stop the sniffer from the /tool sniffer menu.
Quick Capture to File
```
# Capture on ether1 and write the result to the router's storage.
# file-limit is in KiB: 10000 KiB is roughly 10 MB.
/tool sniffer set filter-interface=ether1 file-name=capture.pcap file-limit=10000

# Start capturing
/tool sniffer start

# ... reproduce the problem ...

# Stop capturing
/tool sniffer stop
```
Download the file via Winbox (Files panel) or FTP/SCP for analysis. If you leave file-name unset, the capture stays in the RAM buffer and can be written out afterwards with /tool sniffer save file-name=capture.pcap, which is easier on the flash of small devices than writing during the capture.
Quick Print (CLI Preview)
View captured packets directly in the terminal without saving to a file:
```
/tool sniffer quick interface=ether1 ip-address=10.0.0.50 ip-protocol=tcp
```
Quick-print decodes packet headers to the console as they arrive and runs until you stop it with Ctrl-C. It does not produce a .pcap file, and it takes its own arguments rather than the settings stored with /tool sniffer set.
Configuration Parameters
Set parameters with /tool sniffer set ... before calling start. Settings persist between captures, so check them with /tool sniffer print and clear any leftover filter (for example filter-ip-address="") before the next run.
Capture Scope
| Property | Description |
|---|---|
| filter-interface | Interface(s) to capture on: a single interface, a comma-separated list, or all |
| memory-limit | Size of the in-RAM capture buffer in KiB (default 100). Increase it for high-traffic captures; with memory-scroll=yes (the default) the oldest packets are overwritten when the buffer is full |
| file-name | Filename on the router's filesystem to save the capture (e.g. capture.pcap). Omit to capture only to RAM |
| file-limit | Maximum file size in KiB (default 1000); the file is not grown past this size |
| only-headers | Set yes to keep packet headers only and discard payloads, which cuts memory use and keeps sensitive payload data off the router |
Packet Filters
Apply filters to reduce capture volume. Different filter properties are ANDed: a packet must match every property you set. When one property lists several values (e.g. filter-port=80,443), those values are combined with filter-operator-between-entries, which defaults to or.
| Property | Description |
|---|---|
| filter-ip-address | Capture only packets with this source or destination IPv4 address (filter-ipv6-address for IPv6) |
| filter-port | Capture only packets with this source or destination port |
| filter-ip-protocol | IP protocol filter: tcp, udp, icmp, etc. |
| filter-mac-protocol | Ethernet protocol filter: ip, ipv6, arp, vlan, etc. (required for non-IP traffic such as ARP) |
| filter-mac-address | Capture only packets from or to this MAC address |
| filter-direction | rx, tx or any (default) |
| filter-operator-between-entries | or (default) or and: how multiple values within one filter property are combined |
| filter-stream | yes (default) excludes the sniffer's own TZSP streaming traffic from the capture, preventing capture feedback loops |
Streaming to Wireshark
| Property | Description |
|---|---|
| streaming-enabled | Set yes to send every captured packet as a live TZSP stream to a remote host |
| streaming-server | IP address of the TZSP receiver (the Wireshark host). The stream goes to UDP port 37008; RouterOS 7 accepts address:port to use a different port |
TZSP is plain UDP with no encryption or authentication: every captured payload crosses the network in the clear, and the receiver accepts datagrams from any source. Stream only across a trusted management network, and keep in mind that the stream re-sends every captured byte, so streaming a busy interface over that same interface doubles its load.
Examples
Capture Traffic From a Specific Host
```
/tool sniffer set filter-interface=ether1 filter-ip-address=192.168.88.50 \
    file-name=host50.pcap file-limit=5000
/tool sniffer start
```
Capture Only ICMP
```
/tool sniffer set filter-interface=ether1 filter-ip-protocol=icmp file-name=icmp.pcap
/tool sniffer start
```
Capture TCP Port 443
```
/tool sniffer set filter-interface=ether1 filter-ip-protocol=tcp filter-port=443 \
    file-name=https.pcap
/tool sniffer start
```
Stream Live to Wireshark
On the router:
```
/tool sniffer set filter-interface=ether1 streaming-enabled=yes \
    streaming-server=192.168.88.100 filter-stream=yes
/tool sniffer start
```
Setting filter-stream=yes prevents the sniffer from capturing its own TZSP packets, which would otherwise be re-captured and re-sent in a feedback loop whenever the stream leaves through the captured interface.
In Wireshark (on 192.168.88.100):
- Start a capture on the interface facing the router, using the capture filter udp port 37008 and host 192.168.88.1 (replace 192.168.88.1 with your router's IP) so that only the router's stream is recorded; make sure the host firewall allows inbound UDP 37008
- Wireshark decodes TZSP on UDP port 37008 automatically and shows the encapsulated frame; the display filter tzsp isolates the stream if the capture also contains other traffic
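The stream the router sends is simple enough to receive without Wireshark. The following is an added example, not code from the page or from MikroTik: a minimal Python TZSP receiver that validates each datagram, strips the TZSP header and tag list the way Wireshark's dissector does, and writes the inner Ethernet frames to a classic .pcap. It assumes what RouterOS actually emits (TZSP version 1, type 0 "received packet", Ethernet encapsulation); the listening address, the file name and the sample ARP datagram are constructed for illustration.

```python
"""Receive the RouterOS TZSP sniffer stream and save the inner frames as pcap."""
import socket
import struct
import time

TZSP_PORT = 37008            # Wireshark's and RouterOS's default
TZSP_TYPE_RECEIVED = 0       # 'received packet' datagram carrying a tag list
TZSP_ENCAP_ETHERNET = 1      # what RouterOS uses for Ethernet interfaces
TAG_PADDING, TAG_END = 0x00, 0x01   # the two tags without a length byte


def parse_tzsp(datagram: bytes):
    """Return (encapsulation, {tag: value}, inner_frame) for one TZSP datagram.

    Anything that is not a well-formed version-1 received-packet datagram raises
    ValueError, so stray or hostile UDP on the port is never mistaken for a frame.
    """
    if len(datagram) < 5:
        raise ValueError("datagram shorter than a TZSP header")
    version, ptype, encap = struct.unpack("!BBH", datagram[:4])
    if version != 1:
        raise ValueError(f"unsupported TZSP version {version}")
    if ptype != TZSP_TYPE_RECEIVED:
        raise ValueError(f"not a received-packet datagram (type {ptype})")
    tags, pos = {}, 4
    while True:                      # tag list: type [len data] ... until END
        if pos >= len(datagram):
            raise ValueError("tag list not terminated")
        tag = datagram[pos]
        pos += 1
        if tag == TAG_END:
            break
        if tag == TAG_PADDING:
            continue
        if pos >= len(datagram):
            raise ValueError("truncated tag")
        length = datagram[pos]
        pos += 1
        if pos + length > len(datagram):
            raise ValueError("tag length exceeds datagram")
        tags[tag] = datagram[pos:pos + length]
        pos += length
    return encap, tags, datagram[pos:]


def pcap_file(frames, linktype=1):
    """Serialize (timestamp, frame) pairs as a little-endian classic pcap."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for ts, frame in frames:
        out += struct.pack("<IIII", int(ts), int((ts % 1) * 1e6), len(frame), len(frame)) + frame
    return out


def ethernet_summary(frame: bytes) -> str:
    """src -> dst and EtherType of a decapsulated Ethernet frame."""
    if len(frame) < 14:
        return "runt frame"
    dst, src = frame[:6].hex(":"), frame[6:12].hex(":")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    return f"{src} -> {dst} type 0x{ethertype:04x}"


def receive_stream(out_path, bind_addr="0.0.0.0", port=TZSP_PORT, max_frames=100):
    """Listen for the router's stream and write max_frames decapsulated frames to out_path.

    bind_addr is an assumption: bind to the management address, not 0.0.0.0,
    if the host has interfaces facing untrusted networks.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    frames = []
    while len(frames) < max_frames:
        data, (src_ip, _) = sock.recvfrom(65535)
        try:
            encap, _tags, frame = parse_tzsp(data)
        except ValueError as exc:
            print(f"ignoring datagram from {src_ip}: {exc}")
            continue
        if encap != TZSP_ENCAP_ETHERNET:
            print(f"ignoring encapsulation {encap} from {src_ip}")
            continue
        frames.append((time.time(), frame))
        print(ethernet_summary(frame))
    with open(out_path, "wb") as fh:
        fh.write(pcap_file(frames))


# Constructed sample (not captured from a real router): a TZSP datagram wrapping
# a broadcast ARP frame, with only the END tag, as RouterOS typically sends.
SAMPLE_FRAME = bytes.fromhex("ffffffffffff") + bytes.fromhex("d4cab5aa0001") + b"\x08\x06" + bytes(28)
SAMPLE_TZSP = bytes([1, TZSP_TYPE_RECEIVED, 0, TZSP_ENCAP_ETHERNET, TAG_END]) + SAMPLE_FRAME

if __name__ == "__main__":
    _encap, _tags, inner = parse_tzsp(SAMPLE_TZSP)
    print(ethernet_summary(inner))
    # receive_stream("stream.pcap")   # uncomment to listen for a live router
```

Run it with the router configured as in the example above and open stream.pcap in Wireshark; the rejection path matters because the port is reachable by anyone who can send UDP to the host.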
Quick Print — Debug ARP Requests
```
/tool sniffer quick interface=bridge mac-protocol=arp
```
Displays ARP request/reply headers in the terminal without saving to disk. ARP is not an IP protocol, so it is selected with mac-protocol rather than ip-protocol.
Sniffer vs. Quick-Print
| Feature | sniffer start/stop | sniffer quick |
|---|---|---|
| Saves to .pcap file | ✓ (if file-name set, or via sniffer save) | ✗ |
| Live stream via TZSP | ✓ | ✗ |
| Terminal output | ✗ | ✓ |
| Long-running capture | ✓ | ✗ (interactive, until interrupted) |
| Best for | Deep analysis, Wireshark | Quick CLI inspection |
Limitations
FastTrack and hardware-offloaded traffic — Packets accelerated by FastTrack or switched inside the switch chip with hardware offloading bypass the CPU and will not appear in the sniffer. Typically only the first packets of a connection, which create the connection-tracking entry before the FastTrack rule matches, reach the CPU, so a capture that shows TCP handshakes but no data for flows known to carry traffic is the usual symptom. Disable FastTrack before capturing if you need to see established TCP/UDP flows, and expect higher CPU load on a busy router while it is off:
```
# Disable the FastTrack rule(s) for the duration of the capture
/ip firewall filter disable [find action=fasttrack-connection]
# ... capture ...
/ip firewall filter enable [find action=fasttrack-connection]
```
Re-enable after troubleshooting is complete. For frames switched in hardware between bridge ports, turn off offloading (the hw setting under /interface bridge port) on the port for the duration of the capture.
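The symptom described above is easy to check for in a capture. The following is an added example, not part of the page or of RouterOS: a Python script that reads a sniffer .pcap and flags TCP flows that show a handshake but no payload and no FIN/RST, a heuristic for traffic that was FastTracked or offloaded after the first packets. The sample capture is constructed in the script (the addresses 192.168.88.50 and 198.51.100.10 are placeholders, and the constructed frames carry zero checksums, which a real capture would not); pass a real file as the first argument to analyse your own capture.

```python
"""Flag TCP flows in a sniffer .pcap that look hidden by FastTrack or hardware offload."""
import struct
import sys
from collections import defaultdict


def pcap_frames(data: bytes):
    """Yield (timestamp, frame) from classic pcap bytes of either endianness."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != 1:
        raise ValueError(f"expected Ethernet link type 1, got {linktype}")
    pos = 24
    while pos + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack(endian + "IIII", data[pos:pos + 16])
        pos += 16
        yield sec + usec / 1e6, data[pos:pos + incl]
        pos += incl


def tcp_segment(frame: bytes):
    """Return (src, sport, dst, dport, flags, payload_len), or None if not IPv4/TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    tcp = frame[14 + ihl:14 + total_len]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return src, sport, dst, dport, tcp[13], len(tcp) - data_off


def flow_stats(pcap: bytes):
    """Per bidirectional 4-tuple: segment count, payload bytes, SYN and FIN/RST counts."""
    stats = defaultdict(lambda: {"segments": 0, "payload": 0, "syn": 0, "fin_rst": 0})
    for _ts, frame in pcap_frames(pcap):
        seg = tcp_segment(frame)
        if seg is None:
            continue
        src, sport, dst, dport, flags, plen = seg
        st = stats[tuple(sorted([(src, sport), (dst, dport)]))]
        st["segments"] += 1
        st["payload"] += plen
        st["syn"] += 1 if flags & 0x02 else 0
        st["fin_rst"] += 1 if flags & 0x05 else 0
    return dict(stats)


def fasttrack_suspects(stats):
    """Flows that opened (SYN seen) but carried no payload and never closed."""
    return [key for key, st in stats.items()
            if st["syn"] and st["payload"] == 0 and st["fin_rst"] == 0]


# --- constructed sample capture (not from a real router) ---------------------
SYN, FIN, PSH, ACK = 0x02, 0x01, 0x08, 0x10
CLIENT, SERVER = "192.168.88.50", "198.51.100.10"   # placeholder addresses


def build_tcp(src, sport, dst, dport, flags, payload=b""):
    """Ethernet/IPv4/TCP frame with zero checksums, sufficient for the parser above."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return bytes.fromhex("d4cab5aa0001d4cab5aa0002") + b"\x08\x00" + ip + tcp


def pcap_file(frames, linktype=1):
    """Serialize (timestamp, frame) pairs as a little-endian classic pcap."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for ts, frame in frames:
        out += struct.pack("<IIII", int(ts), int((ts % 1) * 1e6), len(frame), len(frame)) + frame
    return out


SAMPLE_PCAP = pcap_file([
    # Flow A: handshake only, then silence: the FastTrack/offload symptom
    (1.00, build_tcp(CLIENT, 51000, SERVER, 443, SYN)),
    (1.01, build_tcp(SERVER, 443, CLIENT, 51000, SYN | ACK)),
    (1.02, build_tcp(CLIENT, 51000, SERVER, 443, ACK)),
    # Flow B: data and an orderly close, i.e. the CPU saw the whole flow
    (2.00, build_tcp(CLIENT, 51001, SERVER, 80, SYN)),
    (2.01, build_tcp(SERVER, 80, CLIENT, 51001, SYN | ACK)),
    (2.02, build_tcp(CLIENT, 51001, SERVER, 80, PSH | ACK, b"GET / HTTP/1.0\r\n\r\n")),
    (2.05, build_tcp(SERVER, 80, CLIENT, 51001, FIN | ACK)),
])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    for key in fasttrack_suspects(flow_stats(data)):
        print("handshake-only flow, possibly FastTracked or offloaded:", key)
```

A capture full of such flows on a link that is known to carry data is the cue to disable FastTrack (or hardware offload) and capture again; a handful of them is normal, since scanners and failed connections look the same.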
CPU and memory impact — Packet capture consumes CPU, particularly on high-throughput interfaces. On production routers, apply narrow filters to reduce load, set memory-limit appropriately to avoid exhausting RAM, and use only-headers=yes when payloads are not needed.
No payload decryption — The sniffer captures raw bytes. Encrypted traffic (TLS, IPsec, WireGuard) can only be decrypted offline in Wireshark if you have the corresponding keys (a TLS key log or RSA private key, IPsec ESP keys); the capture itself gives you addresses, ports, sizes and timing only.
Bridge traffic — To capture traffic bridged between ports, capture on the bridge interface rather than individual member ports. Member port captures show only frames that reach the CPU, so frames switched in hardware between members may be missing.
Downloading the Capture File
After stopping the sniffer:
- Winbox: Files → locate the .pcap file → drag to desktop
- FTP: ftp <router-ip> and retrieve the file (requires the FTP service under /ip service; FTP sends the password and the capture in clear, so prefer SCP)
- SCP: scp admin@<router-ip>:/capture.pcap ./ (requires the SSH service)
Open in Wireshark or analyze with tcpdump -r capture.pcap.
Delete the file from the router once it is downloaded (/file remove capture.pcap): it contains raw payloads, possibly credentials and session tokens, and is readable by any account that can access Files.
Related Resources
- Torch — Real-time traffic metadata without full packet capture
- Ping — Connectivity and latency testing
- RouterOS Troubleshooting Methodology — When to use the packet sniffer in a diagnostic workflow
- Firewall — FastTrack configuration that affects sniffer visibility