Hello everyone, I use my MikroTik for capture remote wi-fi traffic and it works good with WireShark, but sometimes I need clearance this packets from TZSP header. May be someone can help me, - how I can save only payload from captured wi-fi packages without TZSP header?
TZSP is the wrapper protocol that MikroTik uses to stream the capture to another device.
To remove TZSP you can either:
Thanks Graham, Yes, I'm use capture on file and it's 100% good way for smal captures but MikroTik don't have lot of memory for long time monitoring. I tred to use tzsp2pcap but it's don't work correct with wi-fi trafic.
If the TZSP header is a constant length, you can remove it with editcap.
$ editcap.exe -C 47 ./200909_MikroTik_TZSP.pcapng ./200909_MikroTik_TZSP_chop.pcapng
The Mikrotik I tested with had a 47 byte header:
14 (eth) + 20 (IP) + 8 (UDP) + 5 (TZSP) = 47
There are many option tags available in TZSP that could make the header length variable but my test device didn't use them. YMMV.
TZSP: Ethernet
Version: 1
Type: Received packet (0)
Encapsulation: Ethernet (1)
End
Option Tag: End (1)
Thanks, Chuck. It's a good idea, this method requires manual adjustments to the pcap file, but works well. I think this will solve my problem.
Comments