Wireshark (formerly Ethereal) is a traffic analyzer program for computer networks. Tshark is the console version, Wireshark is the GUI version.
I will give an example of creating a bootable flash drive with Kali Linux.
Kali Linux is a security testing tool.
Enable Traffic Flow on the Mikrotik router:
ip traffic-flow set enabled=yes cache-entries=4k active-flow-timeout=30m inactive-flow-timeout=15s interfaces=all
ip traffic-flow print
Specify the IP address and port of the computer that will receive the Traffic-Flow packets:
ip traffic-flow target add address=192.168.88.240:1234 disabled=no version=9 v9-template-refresh=20 v9-template-timeout=30m
ip traffic-flow target add address=192.168.88.240:1234 disabled=no version=5
ip traffic-flow target print
To configure through the GUI, the settings can be found in the menu IP -> Traffic Flow.
For monitoring under Windows, you can install ManageEngine NetFlow Analyzer, which works as a collector: it receives the packets on the specified port and generates graphs and statistics through its built-in web server, which you open in a browser.
For monitoring under Linux, you can install and configure, for example, flow-tools.
Here is an example of viewing statistics:
cat ft-v05.2015-05-01.000759+0300 | flow-stat -f 10 -S 3 | less
cat ft-v05.2015-05-01.000759+0300 | flow-stat -n -p -w -f 26 -S 2 | less
flow-cat ft-v05.2017-12-07.170236+0200 | flow-print | less
You can see the flow-stat usage help by typing:
Here is an example of exporting data to another format (for example CSV, which can then be opened on Windows with any convenient program):
flow-cat ft-v05.2015-05-01.000759+0300 | flow-export -f 2 | less
flow-cat ft-v05.2015-05-01.000759+0300 | flow-export -f 2 > csv.csv
You can display the list with the specified source address with the following command:
flowdumper -se '"192.168.0.1" eq $srcip' ft-v05.2015-06-17.175701+0300
To export only the flows with the specified source address to a file, use for example the following command:
flowdumper -se '"192.168.0.1" eq $srcip' ft-v05.2015-06-17.175701+0300 > file.txt
Example of exporting from multiple files:
flowdumper -se '"192.168.0.1" eq $srcip' /backup/flows/acct/first/2016/2016-01/ft-v05.2015-06-17* > /backup/result.txt
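As an added example (not code from the original post or from flow-tools), here is a small Python parser for the NetFlow v5 datagrams that the version=5 target entry above makes the router send to the collector on port 1234; it validates the header, decodes the fixed 48-byte records, applies the same source-address selection as the flowdumper commands, and flattens the result to CSV much like flow-export. The datagram bytes are constructed inline, and the field layout is the standard NetFlow v5 format.

```python
import struct
import socket

# NetFlow v5 wire layout (network byte order): a 24-byte header followed by
# `count` fixed 48-byte records. Field order follows the standard v5 format.
HEADER_FMT = "!HHIIIIBBH"  # version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence, engine_type, engine_id, sampling
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"
RECORD_FIELDS = ("srcaddr", "dstaddr", "nexthop", "input", "output", "dPkts", "dOctets",
                 "first", "last", "srcport", "dstport", "pad1", "tcp_flags", "prot", "tos",
                 "src_as", "dst_as", "src_mask", "dst_mask", "pad2")
HEADER_LEN, RECORD_LEN = struct.calcsize(HEADER_FMT), struct.calcsize(RECORD_FMT)  # 24, 48

def parse_netflow_v5(datagram: bytes) -> list:
    """Decode one v5 datagram into flow dicts; reject other versions and truncated payloads."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than the 24-byte v5 header")
    version, count = struct.unpack(HEADER_FMT, datagram[:HEADER_LEN])[:2]
    if version != 5:
        raise ValueError(f"expected NetFlow version 5, got {version}")
    if len(datagram) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError(f"header announces {count} records but the payload is truncated")
    flows = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        rec = dict(zip(RECORD_FIELDS, struct.unpack(RECORD_FMT, datagram[off:off + RECORD_LEN])))
        for key in ("srcaddr", "dstaddr", "nexthop"):  # raw 4-byte addresses -> dotted quads
            rec[key] = socket.inet_ntoa(rec[key])
        flows.append(rec)
    return flows

def by_srcip(flows: list, ip: str) -> list:
    """Same selection as flowdumper -se '"<ip>" eq $srcip' in the post."""
    return [f for f in flows if f["srcaddr"] == ip]

def to_csv(flows: list, fields=("srcaddr", "srcport", "dstaddr", "dstport", "prot", "dPkts", "dOctets")) -> str:
    """Flatten the selected fields to CSV text, in the spirit of flow-export -f 2."""
    return "\n".join([",".join(fields)] + [",".join(str(f[k]) for k in fields) for f in flows])

def _record(src, dst, sport, dport, proto, pkts, octets) -> bytes:
    """Build one constructed v5 record (sample data, not captured traffic)."""
    return struct.pack(RECORD_FMT, socket.inet_aton(src), socket.inet_aton(dst), socket.inet_aton("0.0.0.0"),
                       1, 2, pkts, octets, 1000, 2000, sport, dport, 0, 0x18, proto, 0, 0, 0, 24, 24, 0)

# Constructed sample datagram: version 5, two records, as a router would export it to the collector.
SAMPLE_DATAGRAM = (struct.pack(HEADER_FMT, 5, 2, 123456, 1433174400, 0, 42, 0, 0, 0)
                   + _record("192.168.0.1", "198.51.100.53", 51234, 53, 17, 1, 76)
                   + _record("192.168.0.50", "203.0.113.10", 40000, 443, 6, 10, 4321))
if __name__ == "__main__":
    print(to_csv(by_srcip(parse_netflow_v5(SAMPLE_DATAGRAM), "192.168.0.1")))
```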
Installing and using flow-tools