How to set up Sniffer

Overview
--------
The tool consists of two apps: a service and a viewer (user interface).  The service is required because only one client can retrieve the traffic data (the IP Accounting snapshot) from a MikroTik router.  The viewer can run on multiple machines and retrieves its data from the service.

The setup works best when the MikroTik router is your DHCP server and, optionally, your DNS server.  It requires creating a dedicated SSH user on the MikroTik device so the service can retrieve IP information (DHCP leases and DNS entries); you can use the admin credentials instead, but a read-only user is the safer choice.  You also need to enable IP Accounting.

Note that this readme assumes you are using the MikroTik default subnet of 192.168.88.0/24 with the MikroTik router on 192.168.88.1.  Please adjust as required.


On Mikrotik
-----------
Create a read-only SSH user for retrieving DHCP lease names and DNS entries.  Replace the password
placeholder with a strong password of your own; the address= option limits where the user may log in
from, so tighten it to the service machine (e.g. 192.168.88.XX/32) if you can.
 /user 
 group add name=sniffer policy="ssh,read"
 add address=192.168.88.0/24 disabled=no group=sniffer name=sniffer password="<strong-password>"

Enable IP Accounting (required for the traffic graph) and allow web access to the snapshot only from the service machine
 /ip accounting
 set account-local-traffic=no enabled=yes threshold=2560
 /ip accounting web-access
 set accessible-via-web=yes address=192.168.88.XX/32
   (XX is the IP of the Windows machine where SnifferService will run)

Check from the specified machine that http://192.168.88.1/accounting/ip.cgi returns the snapshot.  Do this once only: as noted above, the snapshot is meant for a single consumer, so leave it to the service once it is running.



Service on Windows machine
--------------------------
- Copy files to C:\Program Files (x86)\Sniffer
- Configure snifferservice.ini and adjust as per comments in file
- Open command line (run as Administrator)
- install sniffer service:
SnifferService.exe /install

- start service (Service "Sniffer" in Services Manager)
- check snifferservice.log for any errors
- If the service does not start, ensure port 80 is available.  Alternatively set the ServicePort variable
  in snifferservice.ini.
- check in the MikroTik log that the user 'sniffer' logs in when you start the service

- Ensure Windows Firewall allows incoming connections on port 80 (or on the ServicePort you configured)

Check that it works
- From another PC connect to http://192.168.88.xx to see the traffic text (xx is the address of the
  machine where the service runs; append :port, e.g. http://192.168.88.xx:81, if you changed ServicePort)
- connect to http://192.168.88.xx/ip to see the IP text


Viewer on Windows machine
-------------------------
- Copy the Viewer files to your machine (any windows machine on the LAN)
- Configure sniffer.ini as per the comments in the file (add a port number to the address if you are not
  using port 80 for the SnifferService, e.g. SnifferService=localhost:81)
- Start up SnifferViewer.exe


FAQ
---
Q: How does the tool work?
A: The Sniffer service gathers traffic information from the MikroTik via its web interface, i.e. 
   http://192.168.88.1/accounting/ip.cgi.  This happens every second.  It also collects all the DNS 
   entries and DHCP leases from the MikroTik router over SSH, using the 'sniffer' user that was 
   created.  These are refreshed every 5 minutes.  All the information is processed by the service, and 
   the Viewer fetches everything from the service over REST and displays it.

Q: Can I track usage for each machine?
A: Yes, simply set ClearSchedule=monthly in snifferservice.ini.  This tracks the usage for the
   whole month (instead of just one week) and also writes out a CSV file named yyyymm.txt, e.g. 201312.txt,
   in the service folder. 
   
Q: Can I track multiple subnets?
A: Yes, simply specify comma-separated values for network and mask in snifferservice.ini (one mask per network, in the same order)
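The two answers above describe what the service does with each ip.cgi snapshot: classify every flow by whether its endpoints fall inside the configured networks, add the bytes to the right host, and keep a running total across the once-a-second polls.  The following Python is an added illustration of that processing, not the SnifferService code.  It assumes the snapshot line format "src dst packets bytes [src-user dst-user]" as described in the MikroTik IP Accounting documentation, mirrors the comma-separated network/mask lists from snifferservice.ini (the exact INI keys are not reproduced here), and uses a constructed sample snapshot rather than real router output.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of an /accounting/ip.cgi snapshot (not captured from a real router).
# Assumed line format: <src-address> <dst-address> <packets> <bytes> [<src-user> <dst-user>]
SAMPLE_SNAPSHOT = """\
192.168.88.10 93.184.216.34 12 8400
93.184.216.34 192.168.88.10 30 41000
192.168.88.11 8.8.8.8 2 160
8.8.8.8 192.168.88.11 2 320
10.10.0.5 1.1.1.1 4 512
192.168.88.10 192.168.88.11 7 700
"""


def parse_local_networks(networks, masks):
    """Turn comma-separated 'network' and 'mask' lists (as in snifferservice.ini) into ip_network objects."""
    nets = [n.strip() for n in networks.split(",") if n.strip()]
    ms = [m.strip() for m in masks.split(",") if m.strip()]
    if len(nets) != len(ms):
        raise ValueError("network and mask lists must have the same number of entries")
    return [ipaddress.ip_network(f"{n}/{m}", strict=False) for n, m in zip(nets, ms)]


def parse_snapshot(text):
    """Parse snapshot lines into (src, dst, packets, bytes); blank or malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        try:
            src = ipaddress.ip_address(parts[0])
            dst = ipaddress.ip_address(parts[1])
            rows.append((src, dst, int(parts[2]), int(parts[3])))
        except ValueError:
            continue  # not an accounting line; ignore rather than abort the whole poll
    return rows


def is_local(addr, nets):
    return any(addr in n for n in nets)


def aggregate(text, nets):
    """Per local host: bytes uploaded (host is src) and downloaded (host is dst).

    Only flows between a local host and a non-local address are counted; LAN-to-LAN
    flows and flows with neither endpoint local (transit traffic) are skipped.
    """
    totals = defaultdict(lambda: {"up": 0, "down": 0})
    for src, dst, _packets, nbytes in parse_snapshot(text):
        src_local, dst_local = is_local(src, nets), is_local(dst, nets)
        if src_local and not dst_local:
            totals[str(src)]["up"] += nbytes
        elif dst_local and not src_local:
            totals[str(dst)]["down"] += nbytes
    return dict(totals)


def merge(running, snapshot_totals):
    """Fold one poll's totals into the running totals kept between polls (e.g. once a second)."""
    for host, t in snapshot_totals.items():
        entry = running.setdefault(host, {"up": 0, "down": 0})
        entry["up"] += t["up"]
        entry["down"] += t["down"]
    return running


if __name__ == "__main__":
    nets = parse_local_networks("192.168.88.0,10.10.0.0", "255.255.255.0,255.255.0.0")
    running = {}
    for _poll in range(2):  # stand in for two consecutive one-second polls
        merge(running, aggregate(SAMPLE_SNAPSHOT, nets))
    for host, t in sorted(running.items()):
        print(f"{host:16} up={t['up']:>8} down={t['down']:>8}")
```

Note that the 192.168.88.10 to 192.168.88.11 line contributes nothing: with two subnets configured, both endpoints are local, which is the case the multi-subnet answer above makes possible and which a single-subnet check would misclassify as upload.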

Q: Can I install multiple services on one box?
A: Yes, create a separate service folder for each instance and modify the 'ServiceName' property in 
   SnifferService.ini