span
just joined
Topic Author
Posts: 10
Joined: Tue Jan 16, 2024 3:45 pm

Constant traffic between Mikrotik and computer

Sat Apr 27, 2024 2:03 pm

Hi all, I have a Mikrotik Rb750Gr3 and it is running RouterOS v6.49.13 (stable). I connect my laptop to the router using a LAN cable and the Mikrotik connects to the internet through a USB hotspot (with an android phone providing the USB hotspot through a USB cable). It works well.

Recently, I noticed that when WinBox is open, there is a lot of traffic between the Mikrotik and my computer. Even when the Mikrotik is not connected to the internet, I see a consistent ±500 packets per second between the two at a consistent speed of about 300 KiB/s.

Is this normal?

This is annoying because when I run Wireshark to capture packets while I'm online, I end up with several hundred MBs of data from this conversation alone - it drowns out the other traffic and makes the PCAP files too large for what seems like an unnecessary reason. As soon as I close WinBox, it stops.

Questions:
1. Is this normal, should I just run Wireshark with a capture filter to ignore this conversation?
2. If not, any advice on how I can troubleshoot to find out what is causing this?

Attached is a graph of the number of packets per second - for the entirety of this graph neither the Mikrotik nor my laptop are connected to the internet, this is all traffic between the Mikrotik and the laptop and in fact has the Wireshark filter of "ip.addr == LAPTOPIP && ip.addr == ROUTERIP" so this is only traffic between the two devices.

EDIT: The traffic is mostly going from the Mikrotik to my computer.
 
span
just joined
Topic Author
Posts: 10
Joined: Tue Jan 16, 2024 3:45 pm

Re: Constant traffic between Mikrotik and computer

Sat Apr 27, 2024 2:27 pm

Just to add, a few minutes after submitting the post it seems to have stopped (look around time 500 in the attached) - even though WinBox is still open and I didn't change any settings.

I have the PCAP from when it was transmitting constantly so if anyone has advice on how to try and figure out what was being transmitted please let me know.
 
span
just joined
Topic Author
Posts: 10
Joined: Tue Jan 16, 2024 3:45 pm

Re: Constant traffic between Mikrotik and computer

Sat Apr 27, 2024 2:45 pm

Just to add what the Wireshark graph looks like with normal light browsing (green) compared to what I raised as the question of this post - constant 500 packets/second traffic from my Mikrotik to my computer.
 
mkx
Forum Guru
Posts: 11742
Joined: Thu Mar 03, 2016 10:23 pm

Re: Constant traffic between Mikrotik and computer

Sat Apr 27, 2024 3:30 pm

Generally, when winbox is connected to a ROS device, there will be some traffic. How much depends on the windows open in winbox; some get constantly updated with statistics, some don't cause a lot of (or any) traffic. Depending on the windows open and the CPU power of the ROS device, CPU load can also increase considerably.

So yes, it is normal to see traffic between the winbox device and the router. Telling whether the amount you see is normal or not is pretty much a different question.
 
span
just joined
Topic Author
Posts: 10
Joined: Tue Jan 16, 2024 3:45 pm

Re: Constant traffic between Mikrotik and computer

Sun Apr 28, 2024 3:49 pm

There is always traffic between the two, that is expected - the volume is what is in question so I'm more looking to hear if anyone else has had something like this and can explain it or if I should assume something malicious is going on.

The windows I have open in WinBox are the same all of the time (log, firewall, interface list, files). Despite this the traffic volume will sometimes increase for a time and then decrease again so the traffic I'm seeing appears to be independent of which windows are open in WinBox.


Has anyone ever seen traffic like this and do they maybe know what it is?

Otherwise, can anyone guide me on how I can investigate this further? For example, how do I make sense of the packets captured between the two devices? Is it possible? If I can "decode" the packets, maybe the answer will be right there.
 
robertkjonesjr
Frequent Visitor
Posts: 75
Joined: Tue Jul 03, 2012 1:39 am

Re: Constant traffic between Mikrotik and computer

Sun Apr 28, 2024 5:55 pm

Winbox uses tcp.port == 8291 and I see about 50 packets/sec with a bunch of windows open which update regularly. What is the distribution of your high traffic load? Is it all 8291/TCP? There are other sources of L3 traffic to a Mikrotik box - DNS, NTP, web proxy, SSH port forwarding, and more.

In Wireshark, when you are using the filter you describe, go to Statistics --> Conversations and make sure "Limit to display filter" is checked. What do you have under the various tabs? This will break out the various L2/L3/L4 traffic types and show stats around the traffic flows. I assume https://ask.wireshark.org/question/3442 ... -mikrotik/ is a cross post over on the Wireshark forum?
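The same per-conversation breakdown can be done offline without Wireshark. The script below is an added example, not from this thread or from MikroTik: it parses a libpcap file with only the standard library, tallies packets per (source, destination, protocol, service port) in each direction, and reports what share of the capture belongs to the WinBox TCP conversation. The router/laptop addresses 192.168.88.1 and 192.168.88.10 and the embedded eight-packet capture are constructed, and the WinBox port is assumed to be the default 8291.

```python
import socket
import struct
from collections import Counter
WINBOX_PORT = 8291  # default WinBox port; change it if you moved the service

def _ipv4(src, dst, proto, payload):
    """Constructed Ethernet+IPv4 frame (zero MACs, no checksum) for the sample capture."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + hdr + payload

def _tcp(sport, dport, data=b""):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0) + data

def _udp(sport, dport, data=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def build_sample_pcap():
    """Constructed capture: router 192.168.88.1 talking to laptop 192.168.88.10."""
    frames = [_ipv4("192.168.88.1", "192.168.88.10", 6, _tcp(8291, 50000, b"x" * 64))] * 5
    frames.append(_ipv4("192.168.88.10", "192.168.88.1", 6, _tcp(50000, 8291)))
    frames.append(_ipv4("192.168.88.10", "192.168.88.1", 17, _udp(53001, 53, b"q")))
    frames.append(_ipv4("192.168.88.1", "192.168.88.10", 1, b"\x03\x03" + b"\x00" * 6))
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # pcap global header
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f  # per-packet record header
    return out

def conversations(pcap_bytes):
    """Counter of (src, dst, proto, service_port) -> packets, one entry per direction.
    service_port is the lower of the two ports, normally the server side (8291 for WinBox)."""
    counts = Counter()
    pos = 24  # skip the global header
    while pos + 16 <= len(pcap_bytes):
        caplen = struct.unpack("<IIII", pcap_bytes[pos:pos + 16])[2]
        frame = pcap_bytes[pos + 16:pos + 16 + caplen]
        pos += 16 + caplen
        if frame[12:14] != b"\x08\x00":  # IPv4 only; ARP and IPv6 frames are skipped
            continue
        ip = frame[14:]
        ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
        src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
        port = min(struct.unpack("!HH", ip[ihl:ihl + 4])) if proto in (6, 17) else None
        counts[(src, dst, {1: "icmp", 6: "tcp", 17: "udp"}.get(proto, str(proto)), port)] += 1
    return counts

def winbox_share(counts, port=WINBOX_PORT):
    """Fraction of captured packets that belong to the WinBox TCP conversation."""
    total = sum(counts.values())
    hits = sum(n for (_, _, p, prt), n in counts.items() if p == "tcp" and prt == port)
    return hits / total if total else 0.0
```

To run it on a real capture, replace `build_sample_pcap()` with the bytes of a classic-format `.pcap` file (pcapng is not parsed here) and compare the router-to-laptop and laptop-to-router entries.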
 
span
just joined
Topic Author
Posts: 10
Joined: Tue Jan 16, 2024 3:45 pm

Re: Constant traffic between Mikrotik and computer

Sun Apr 28, 2024 7:52 pm

Thanks @robertkjonesjr, it's helpful to know that "normal" traffic is about 50 packets per second so the 300 is definitely not normal.

All of the traffic is on port 8291 (well, I changed the default WinBox port for security reasons in IP -> Services -> WinBox -> Port, and all traffic is on that port).

The protocol distribution is as attached. This is after filtering as ip.addr == MIKROTIK and ip.addr == LAPTOP so it's only traffic between the two devices (and I confirmed it's all on the WinBox port by looking at the TCP tab of Conversations, which shows the conversations by port).

It's odd to see these, but then maybe it's just Wireshark not decoding the packets properly (I had asked about something similar previously, see thread here: https://ask.wireshark.org/question/3353 ... -protocol/):
Thrift
Tabular Data Stream
Sinec H1 Protocol

Most of the ICMP traffic is related to DNS and is the Mikrotik telling my computer that the destination is unreachable (which is not surprising given the Mikrotik was not connected to the internet during this capture). Within ICMP, the DNS queries are for URLs I'm familiar with (they relate to my antivirus, operating system upgrades, etc.). Of the ICMP that does not relate to DNS, it's for IP addresses that belong to my antivirus provider.

The ICMP traffic does not look odd to me, but I do want to better understand the TCP traffic.
 
robertkjonesjr
Frequent Visitor
Posts: 75
Joined: Tue Jul 03, 2012 1:39 am

Re: Constant traffic between Mikrotik and computer

Mon Apr 29, 2024 1:24 pm

Wireshark does its best to decode the protocols, but is not perfect. Some decoders are linked to specific ports in use so changing those could confuse Wireshark and require a config change for Wireshark to know of the change. A winbox decoder is https://github.com/Cisco-Talos/Winbox_P ... _Dissector - give it a try if you want and see what you find.
 
span
just joined
Topic Author
Posts: 10
Joined: Tue Jan 16, 2024 3:45 pm

Re: Constant traffic between Mikrotik and computer

Mon Apr 29, 2024 2:42 pm

Thank you, that is exactly what I was looking for :-D
