How to get NetFlow from a MikroTik onto a server is easy to find on the Internet. But I needed to save the actual contents of the traffic, and that is where some minor difficulties came up.
The sniffer mode itself is very well described on the MikroTik wiki; the difficulties arose with saving the traffic to an external server.
The thing is, the captured packets are ready to be sent to a server, but encapsulated in the Tazmen Sniffer Protocol (TZSP). How to extract them for work with, say, the same tcpdump is the task. Google found that Wireshark understands this protocol out of the box, but the same Google said that Wireshark does not save the received data to a file. And that was very much needed.
On the Internet I came across a mention of the trafr program, a native program from MikroTik. Judging by the description, it solves the problem. One minus: it was written back in 2004, and it is 32-bit. This is what I saw when I tried to start it:
mike@monitoring:~$ ./trafr
-bash: ./trafr: No such file or directory
mike@monitoring:~$ file trafr
trafr: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.2.0, stripped
This problem can be solved in two ways. First: set up a separate server with a 32-bit OS. Second: enable support for 32-bit applications on the existing 64-bit server. For example, on Ubuntu:
dpkg --add-architecture i386   # added step: register the i386 architecture, otherwise the :i386 packages below are not found on a 64-bit system
apt-get update
apt-get install libc6:i386 libncurses5:i386 libstdc++6:i386
apt-get install multiarch-support
Next, we save / filter / process the received traffic as needed:
./trafr -s | /usr/sbin/tcpdump -r - -n "(port 22 or 23 or 135 or 137 or 138 or 139 or 389 or 445)" -w test.pcap
And an example of enabling the sniffer on the MikroTik:
/tool sniffer set streaming-enabled=yes streaming-server=192.168.0.23 interface=WAN
/tool sniffer start
I hope this will save someone time on searching and experimenting.
UPD. mais_es pointed out that there is also the tzsp2pcap utility, which does essentially the same thing as trafr.
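For readers who want to see what trafr and tzsp2pcap actually do with the stream, here is an added example (not code from this post, from MikroTik, or from either tool) of a minimal Python receiver: it strips the TZSP header and tag list from each UDP datagram and writes the Ethernet frames to a pcap file that tcpdump can read with -r. It assumes the default TZSP port 37008 and the Ethernet encapsulation that the MikroTik sniffer uses.

```python
import socket
import struct
import time

ENCAP_ETHERNET = 1      # TZSP encapsulation value for Ethernet frames (what MikroTik sends)

def tzsp_payload(datagram: bytes) -> bytes:
    """Strip the 4-byte TZSP header and the tag list; return the captured Ethernet frame."""
    if len(datagram) < 5:
        raise ValueError("datagram too short for a TZSP header")
    version, ptype, encap = struct.unpack("!BBH", datagram[:4])
    if version != 1 or ptype != 0 or encap != ENCAP_ETHERNET:
        raise ValueError(f"not a TZSP v1 received-packet datagram (type {ptype}, encap {encap})")
    i = 4
    while i < len(datagram):
        tag = datagram[i]
        if tag == 0x01:                  # END tag: the frame follows immediately
            return datagram[i + 1:]
        if tag == 0x00:                  # PADDING tag carries no length byte
            i += 1
        elif i + 1 < len(datagram):
            i += 2 + datagram[i + 1]     # skip tag type, length byte and value
        else:
            raise ValueError("truncated TZSP tag")
    raise ValueError("TZSP tag list has no END tag")

def pcap_header() -> bytes:
    # magic, major, minor, thiszone, sigfigs, snaplen, linktype 1 = Ethernet
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)

def pcap_record(frame: bytes, ts: float) -> bytes:
    sec = int(ts)
    return struct.pack("<IIII", sec, int((ts - sec) * 1_000_000), len(frame), len(frame)) + frame

def capture(path: str, port: int = 37008, max_frames: int = 1000) -> int:
    """Receive TZSP on UDP `port` (37008 is the default) and write frames to pcap `path`."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    written = 0
    with open(path, "wb") as out:
        out.write(pcap_header())
        while written < max_frames:
            datagram, _addr = sock.recvfrom(65535)
            try:
                out.write(pcap_record(tzsp_payload(datagram), time.time()))
                written += 1
            except ValueError:           # keepalives, other encapsulations, junk
                pass
    return written
```

Run capture("test.pcap") on the host named in streaming-server, then read the result with tcpdump -r test.pcap and the same port filter as above.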