Decoding a TZSP stream

In the past, I used the packet sniffer on a Mikrotik router and I was able to see in Wireshark the packets as sent by the devices connected to the router. The sniffer sends a TZSP packet stream, and Wireshark was able to decode this stream and show the packets in the same way they transit the router.

Recently (I have the latest FW of RouterOS and the latest Wireshark), Wireshark shows the traffic sent by the router to my PC as TZSP packets with the router IP address as source IP and the PC IP address as destination IP.

It looks as if Wireshark is not able to decode this traffic. It only shows the TZSP packets as they are sent by the router.

The same happens both when streaming the TZSP and when saving a file on the router and then opening it with Wireshark.

I followed all the instructions provided here: https://wiki.mikrotik.com/wiki/Ethere...

I suppose there could be some option to enable the stream decoding.

Is there a way to fix this issue?

p3r3gr1nus asked 2020-09-09 15:00:16 +0000

Comments

What are your versions for RouterOS (MikroTik) and Wireshark?
Tested here with Wireshark 3.2.6 and the decode works great.

Frame 4: 301 bytes on wire (2408 bits), 301 bytes captured (2408 bits) on interface \Device\NPF_xxxxx
Ethernet II, Src: Routerbo_xx:xx:xx (4c:5e:0c:xx:xx:xx), Dst: Dell_xx:xx:xx (ec:f4:bb:xx:xx:xx)
Internet Protocol Version 4, Src: 192.168.10.111, Dst: 192.168.10.250
User Datagram Protocol, Src Port: 44400, Dst Port: 37008
TZSP: Ethernet 
Ethernet II, Src: xxxxxxx_xx:xx:xx (xx:xx:xx:xx:xx:xx), Dst: Routerbo_xx:xx:xx (4c:5e:0c:xx:xx:xx)
Internet Protocol Version 4, Src: 208.xx.xx.xx, Dst: 68.xx.xx.xx
Transmission Control Protocol, Src Port: 80, Dst Port: 47154, Seq: 2457, Ack: 1, Len: 188
Chuckc (2020-09-09 16:20:26 +0000)

Have you verified that the TZSP UDP port is set to 37008 and that that is the port being streamed to?

Edit->Preferences...->Advanced : Search: tzsp
Edit->Preferences...->Protocols->TZSP
Chuckc (2020-09-09 16:39:22 +0000)

Can you post a sample capture file?

cmaynard (2020-09-09 16:43:07 +0000)

Thank you all. I am working with Mikrotik 6.47.3 and Wireshark 3.2.6. I have verified the port 37008 (which is set in the Wireshark capture filter). Here is a capture example: 192.168.0.21 is my PC. 192.168.0.240 is the router streaming the TZSP packets.

p3r3gr1nus (2020-09-10 14:10:45 +0000)

Can you make another capture without the capture filter? The packets are fragmented at the IP level.

Chuckc (2020-09-10 15:32:41 +0000)

1 Answer

Ha! (not an answer) It still looks at the default port even when the preference is set to a different port.

Chuckc answered 2020-09-09 17:23:48 +0000

Comments

Thank you Chuckc. I only see the UDP 37008.

p3r3gr1nus (2020-09-10 14:19:49 +0000)

Screenshot from: View->Internals->Dissector Tables

Chuckc (2020-09-10 15:34:22 +0000)

This is a capture I made saving the file on the router (not streaming to Wireshark). Same problem.

p3r3gr1nus (2020-09-10 15:54:42 +0000)

It's a circular capture. You're getting the streamed capture packets coming back into the capture, which get streamed again, which get captured then streamed ......
Can you configure the capture on the MikroTik to exclude the interface that the capture stream exits on or exclude UDP port 37008?

Chuckc (2020-09-10 16:18:51 +0000)

Thank you very much Chuck, you are right. If I exclude the port 37008 or if I filter by interface I am able to get the packet capture. Now I have another problem since I don't see a UDP stream which I am sure is transmitted/received by the selected interface, but this is another problem, I will investigate. Thank you very much for the support.

p3r3gr1nus (2020-09-11 08:13:44 +0000)
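
The circular capture diagnosed in this thread can be recognised by stripping the TZSP header from a streamed payload and checking whether the sniffed frame inside is itself UDP to port 37008. The Python below is an added example, not part of the original thread or of Wireshark; it assumes the usual TZSP layout (version, type, 2-byte encapsulated protocol, tagged fields ending in TAG_END), and the function names and sample frames are constructed for illustration.

```python
import struct

TZSP_PORT = 37008            # UDP port discussed in this thread
TAG_PADDING, TAG_END = 0, 1  # the only tags without a length byte
ENCAP_ETHERNET = 1

def strip_tzsp(payload: bytes):
    """Return (encapsulated protocol, inner frame) from one TZSP UDP payload."""
    if len(payload) < 4 or payload[0] != 1:
        raise ValueError("not a TZSP version 1 header")
    encap = struct.unpack("!H", payload[2:4])[0]
    i = 4
    while i < len(payload):
        tag = payload[i]
        if tag == TAG_END:
            return encap, payload[i + 1:]
        if tag == TAG_PADDING:
            i += 1
        elif i + 1 < len(payload):
            i += 2 + payload[i + 1]  # tag, length, value
        else:
            break
    raise ValueError("tagged fields not terminated by TAG_END")

def udp_dst_port(frame: bytes):
    """Destination port of an untagged Ethernet/IPv4/UDP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
        return None
    if struct.unpack("!H", frame[20:22])[0] & 0x1FFF:
        return None  # later IP fragment: no UDP header to read
    off = 14 + (frame[14] & 0x0F) * 4
    return struct.unpack("!H", frame[off + 2:off + 4])[0] if len(frame) >= off + 4 else None

def is_looped(payload: bytes) -> bool:
    """True when the sniffed frame is itself part of the TZSP stream."""
    encap, inner = strip_tzsp(payload)
    return encap == ENCAP_ETHERNET and udp_dst_port(inner) == TZSP_PORT

# Constructed sample data (not taken from the poster's capture).
def sample_frame(dport: int, data: bytes) -> bytes:
    udp = struct.pack("!HHHH", 44400, dport, 8 + len(data), 0) + data
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([192, 168, 0, 240]), bytes([192, 168, 0, 21]))
    return bytes(12) + b"\x08\x00" + ip + udp

TZSP_HDR = b"\x01\x00\x00\x01\x01"  # version 1, type 0, Ethernet, TAG_END
NORMAL = TZSP_HDR + sample_frame(53, b"query")
LOOPED = TZSP_HDR + sample_frame(TZSP_PORT, NORMAL)
```

A capture in which most payloads test as looped points at the sniffer picking up its own stream, which is the case the exclusion of UDP port 37008 or of the egress interface resolves.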