I currently have a RB2011UiAS-2HnD, running RouterOS 7.6, acting as a router for my home network. As part of my setup, I'd like to begin mirroring traffic from the WAN interface (ether1 in my case) to a system running Zeek for traffic analysis. The setup seemed straightforward enough: the Packet Sniffer tool can forward the traffic to the server and I can see that the data is coming across the wire. However, the data is encapsulated using the TaZmen Sniffer Protocol (TZSP). This makes sense, as it skips the need for a dedicated SPAN port on the router and a dedicated interface on the server.

Using tcpdump and Wireshark, it's possible to analyze the traffic manually, as Wireshark natively understands TZSP and will de-encapsulate the data. However, I have not yet found a way to get Zeek to do a similar de-encapsulation. As far as it is concerned, all of the packets it's seeing are on port 37008/udp and it's not able to extract information as one would normally expect.

Has anyone else gotten something like this running? I haven't been able to find any sort of Zeek plugin which would handle the TZSP de-encapsulation. I have found the utility tzsp2pcap, which may offer a path forward. But, I haven't dug far enough in that direction yet to have a solution.

Am I going the wrong way on this altogether? I do have open ports on the router and could hang a Raspberry Pi off it running Zeek, listening on the wired interface and use the wireless interface for management. Any thoughts or help would be appreciated.
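A worked example, added here and not part of the original post: a small Python TZSP de-encapsulator that strips the header the router's Packet Sniffer wraps around each mirrored frame and serialises the inner Ethernet frames as a pcap that Zeek can read with `zeek -r`. The header layout (version, type, encapsulated protocol, tagged fields ended by TAG_END, then the frame) is the TZSP format Wireshark dissects; the sample frame, tag values and malformed datagrams are constructed for the demo.

```python
import struct
import time

TZSP_ENCAP_ETHERNET = 1            # "encapsulated protocol" value for Ethernet frames
TAG_PADDING, TAG_END = 0x00, 0x01  # the only two tags that carry no length byte

def tzsp_decapsulate(datagram: bytes):
    """Parse one TZSP datagram (the UDP/37008 payload) -> (encap_protocol, {tag: value}, inner_frame)."""
    if len(datagram) < 4:
        raise ValueError("TZSP header truncated")
    version, _msg_type, encap = struct.unpack("!BBH", datagram[:4])
    if version != 1:
        raise ValueError(f"unsupported TZSP version {version}")
    tags, pos = {}, 4
    while pos < len(datagram):                      # walk the tagged fields
        tag, pos = datagram[pos], pos + 1
        if tag == TAG_END:
            return encap, tags, datagram[pos:]      # everything after TAG_END is the frame
        if tag == TAG_PADDING:
            continue
        if pos >= len(datagram) or pos + 1 + datagram[pos] > len(datagram):
            raise ValueError("TZSP tag value truncated")
        length = datagram[pos]
        tags[tag], pos = datagram[pos + 1:pos + 1 + length], pos + 1 + length
    raise ValueError("TZSP tag list not terminated")

def pcap_bytes(frames, ts: float) -> bytes:
    """Serialise Ethernet frames as a classic little-endian pcap (linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    sec, usec = int(ts), int((ts - int(ts)) * 1_000_000)
    for frame in frames:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out

def tzsp_to_pcap(datagrams, ts=None):
    """Decapsulate a batch -> (pcap, kept, dropped); malformed or non-Ethernet datagrams are dropped."""
    frames, dropped = [], 0
    for d in datagrams:
        try:
            encap, _tags, inner = tzsp_decapsulate(d)
        except ValueError:
            encap, inner = None, b""
        if encap == TZSP_ENCAP_ETHERNET and inner:
            frames.append(inner)
        else:
            dropped += 1
    return pcap_bytes(frames, time.time() if ts is None else ts), len(frames), dropped

SAMPLE_FRAME = bytes.fromhex("ffffffffffff0242ac1100020806") + bytes(28)  # constructed 42-byte ARP-sized frame
SAMPLE_TZSP = bytes([1, 0, 0, 1, 0x00, 0x28, 4, 0, 0, 0, 7, 0x01]) + SAMPLE_FRAME  # v1, Ethernet, padding, tag 0x28, END
```

To use it on live traffic, bind a UDP socket on port 37008, pass each received payload to `tzsp_to_pcap`, and write the returned bytes to a file for Zeek; datagrams that fail to parse are counted rather than written, so one bad packet cannot corrupt the capture.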