How to set up Sniffer

Overview
--------
The tool consists of two apps: a service and a viewer (user interface). The
service is required because only one app can retrieve traffic data from a mikrotik
router. The viewer can be run on multiple machines and retrieves data from the
service.

The setup works best when you use the mikrotik router for DHCP and optionally DNS.
It requires creating a special ssh user on the mikrotik device to allow retrieval
of the ip info (you can use the admin credentials too if you like). You also need
to enable IP Accounting.

Note that this readme assumes you are using the mikrotik default subnet of
192.168.88.0/24 with the mikrotik router on 192.168.88.1. Please adjust as
required.

On Mikrotik
-----------
Create an SSH user for getting DHCP lease names and DNS entries
/user
group add name=sniffer policy="ssh,read"
add address=192.168.88.0/24 disabled=no group=sniffer name=sniffer

Enable accounting, required for graph
/ip accounting
set account-local-traffic=no enabled=yes threshold=2560
/ip accounting web-access
set accessible-via-web=yes address=192.168.88.XX/32
(XX is the IP of the Windows machine where SnifferService will run)

Check on http://192.168.88.1/accounting/ip.cgi that it works (from the specified
machine)

Service on Windows machine
--------------------------
- Copy files to C:\Program Files (x86)\Sniffer
- Configure snifferservice.ini and adjust as per comments in file
- Open command line (run as Administrator)
- Install sniffer service:
  SnifferService.exe /install
- Start service (Service "Sniffer" in Services Manager)
- Check snifferservice.log for any errors
- If the service does not start up, ensure port 80 is available. Alternatively set
  the ServicePort variable in the snifferservice.ini.
- Check in the mikrotik log that the user 'sniffer' logs in when you start the
  service
- Ensure Windows firewall allows incoming connections on port 80

Check that it works
-------------------
- From another PC connect to http://192.168.88.xx to see traffic text (xx is
  machine where service runs)
- Connect to http://192.168.88.xx/ip to see IP text

Viewer on Windows machine
-------------------------
- Copy the Viewer files to your machine (any windows machine on the LAN)
- Configure sniffer.ini as per comments (add a port number to the ip if you are not
  using port 80 for the SnifferService, i.e. SnifferService=localhost:81)
- Start up SnifferViewer.exe

FAQ
---
Q: How does the tool work?
A: The Sniffer service gathers traffic information from the mikrotik via a web
interface, i.e. http://192.168.88.1/accounting/ip.cgi. This happens every second.
It also collects all the DNS entries and DHCP leases from the Mikrotik router
with ssh, using the 'sniffer' user that was created. This is updated every
5 minutes. All the information is processed and the Viewer collects everything
from the service using REST and displays it.

Q: Can I track usage for each machine?
A: Yes, simply set ClearSchedule=monthly in snifferservice.ini. This will track
the usage for the whole month (instead of just one week) and also write out a
CSV file i.e. 201312.txt (yyyymm.txt) in the service folder.

Q: Can I track multiple subnets?
A: Yes, simply specify comma separated values for network and mask in
snifferservice.ini
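
The parsing step behind the first FAQ answer, extended to the per-machine totals
and multiple subnets of the other two answers, as an added example (not
SnifferService's own code). It assumes the ip.cgi snapshot is plain text with one
flow per line in the order src-address dst-address bytes packets src-user
dst-user; the sample data and the function names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the assumed ip.cgi layout:
# src-address dst-address bytes packets src-user dst-user
SAMPLE = """\
192.168.88.10 203.0.113.5 1500 3 * *
203.0.113.5 192.168.88.10 48000 40 * *
192.168.88.23 198.51.100.7 200 2 * *
10.0.5.7 203.0.113.5 900 1 * *
garbage line
192.168.88.10 198.51.100.7 oops 1 * *
"""

def parse_snapshot(text):
    """Yield (src, dst, byte_count) per well-formed line; skip anything else."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        try:
            src = ipaddress.ip_address(parts[0])
            dst = ipaddress.ip_address(parts[1])
            nbytes = int(parts[2])
        except ValueError:
            continue  # malformed address or counter: do not trust the feed blindly
        if nbytes >= 0:
            yield src, dst, nbytes

def usage_per_host(text, networks):
    """Return {host: {"up": bytes, "down": bytes}} for hosts inside `networks`."""
    nets = [ipaddress.ip_network(n) for n in networks]

    def inside(ip):
        return any(ip in n for n in nets)

    totals = defaultdict(lambda: {"up": 0, "down": 0})
    for src, dst, nbytes in parse_snapshot(text):
        # LAN-to-LAN flows are ignored, matching account-local-traffic=no.
        if inside(src) and not inside(dst):
            totals[str(src)]["up"] += nbytes
        elif inside(dst) and not inside(src):
            totals[str(dst)]["down"] += nbytes
    return dict(totals)

if __name__ == "__main__":
    result = usage_per_host(SAMPLE, ["192.168.88.0/24", "10.0.5.0/24"])
    for host, t in sorted(result.items()):
        print(f"{host:15} up={t['up']:>8} down={t['down']:>8}")
```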
