Mikrotik Packet Sniffer to Security Onion

Some Mikrotik devices have a TAP-like capability for ethernet interfaces. The issue arises in that the data is sent from Microtik to another device via the TaZmen Sniffer Protocol (TZSP). Security Onion doesn't parse this natively, but thankfully we have the tzsp2pcap project to help us with the conversion.

An excellent use case is monitoring your wireless network (if using a combination wireless and wired router such as the RB2011) or other interfaces such as PPoE or VPN tunnels that might not otherwise be tapped without additional hardware.

You’ll need tzsp2pcap, git, and some development libraries.

Configure your Mikrotik Router

  1. Winbox > Tools > Packet Sniffer.
  2. Enable Streaming server (insert IP address of your Security Onion Management interface)
  3. Enable Filter Stream.
  4. Ensure interfaces are selected that you want to “tap”.
  5. Start the packet sniffer.

Configure Security Onion

  1. Open port 37008 on the local firewall:
    sudo ufw allow 37008
  2. Install required packages:
    sudo apt install git build-essential libpcap0.8-dev
  3. Clone tzsp2pcap git project:
    git clone https://github.com/thefloweringash/tzsp2pcap.git
  4. Build the executable:
  5. [Optional] Copy the executable to /usr/local/bin:
    sudo cp tzsp2pcap /usr/local/bin
  6. Start the capture:
    sudo tzsp2pcap -vv -f | sudo tcpreplay --topspeed -i  -

You will now be capturing traffic from your selected Mikrotik interfaces and dumping it to your Security Onion capture interface.

Note that this can have a large impact to the performance of your Mikrotik device. The more interfaces you choose to sniff, the more processing overhead when those interfaces become loaded with traffic. As an example, a Mikrotik RB2011 loaded with 50Mbit of ethernet traffic from a total of three sniffed interfaces maxed the CPU (“overlocked” to 750MHz) at 100% and started severly impacting other services running on the device.