An interesting idea. I'm already capturing and storing those packets in pcap files as part of the router error logging, under the heading of 'inner destination broadcast address'. I think it would be a relatively simple thing to do to separate them out by the UDP port number.
However, there aren't all that many gateways sending them. (In the last day, there have only been 8 hosts sending broadcast destination packets to the UCSD gateway, and I don't know how many of them are sending to port 5678.) I suppose that some sort of post-capture-analysis could examine the already-generated error pcap files and separate those MNDP packets out and put them into a separate file.
I don't know if it would be worth the effort to decode them into a text file since they are already available for download.
What information is in them that might be of general interest?
- Brian
On Mon, May 29, 2017 at 09:41:29PM +0200, Rob Janssen wrote:
Maybe one of the interesting "things to do" would be to write a small daemon that captures those UDP packets to 255.255.255.255 port 5678 (MNDP) and stores the latest one received from each source. It would have to have access to the outer IPIP header to do that. Then, it could regularly dump the collected "latest packets" in a tabulated text file with the fields that there are in these packets each in a column. When you look in Wireshark (which knows about this format) you see it is quite easy to do.
This table would present an overview of the MikroTik routers in use, and could help identify possible problems with the tunneling they do. You could also stop handling them as an error condition.
How would such a daemon have to be written so it can run at the gateway? Could it just do a pcap with the appropriate filter?
Rob
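The post-capture separation discussed in this thread, sketched as an added example that is not part of either message or of the gateway's software: it keeps the latest MNDP broadcast per outer IPIP source and renders the tab-separated table. Assumptions: each packet starts at the outer IPv4 header (link-layer header already stripped), the TLV numbering follows the Wireshark MNDP dissector and should be checked against it, all function names are hypothetical, and the sample packets are constructed.

```python
import socket
import struct
MNDP_PORT = 5678
# TLV type -> column name; numbering assumed from Wireshark's MNDP dissector.
TLV_NAMES = {1: "mac", 5: "identity", 7: "version", 8: "platform", 12: "board"}

def parse_ipip_mndp(pkt):
    """Return (outer_src, fields) for an IPIP-wrapped MNDP broadcast, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 4:  # outer IPv4, proto 4 = IPIP
        return None
    inner = pkt[(pkt[0] & 0x0F) * 4:]  # inner IPv4 must carry UDP to 255.255.255.255
    if len(inner) < 20 or inner[0] >> 4 != 4 or inner[9] != 17 or inner[16:20] != b"\xff" * 4:
        return None
    udp = inner[(inner[0] & 0x0F) * 4:]
    if len(udp) < 8 or struct.unpack("!H", udp[2:4])[0] != MNDP_PORT:
        return None
    data, off, fields = udp[8:], 4, {}  # skip the 4-byte MNDP header
    while off + 4 <= len(data):
        t, length = struct.unpack("!HH", data[off:off + 4])
        value = data[off + 4:off + 4 + length]
        if len(value) < length:  # truncated TLV: keep what parsed so far
            break
        if t in TLV_NAMES:
            # Fields are sender-controlled: mask control characters before tabulating.
            text = "".join(c if c.isprintable() else "?" for c in value.decode("latin-1"))
            fields[TLV_NAMES[t]] = value.hex(":") if t == 1 else text
        off += 4 + length
    return socket.inet_ntoa(pkt[12:16]), fields

def latest_per_source(packets):  # packets: iterable of (timestamp, bytes)
    latest = {}
    for ts, pkt in packets:
        parsed = parse_ipip_mndp(pkt)
        if parsed and (parsed[0] not in latest or ts >= latest[parsed[0]][0]):
            latest[parsed[0]] = (ts, parsed[1])
    return latest

def table(latest):
    cols = list(TLV_NAMES.values())
    rows = [["gateway"] + cols] + [[s] + [latest[s][1].get(c, "-") for c in cols] for s in sorted(latest)]
    return "\n".join("\t".join(r) for r in rows)

# Constructed sample packets (documentation addresses, zero checksums), not real captures.
def _ip(proto, src, dst, body):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, proto, 0, src, dst) + body
def _sample(src, identity, dport=MNDP_PORT):
    tlvs = struct.pack("!HH6sHH", 1, 6, bytes.fromhex("020000000001"), 5, len(identity)) + identity
    udp = struct.pack("!HHHH4x", MNDP_PORT, dport, 12 + len(tlvs), 0) + tlvs
    a = socket.inet_aton
    return _ip(4, a(src), a("192.0.2.1"), _ip(17, a("192.0.2.10"), b"\xff" * 4, udp))
SAMPLES = [(1.0, _sample("198.51.100.7", b"old-name")), (2.0, _sample("198.51.100.7", b"new-name")),
           (3.0, _sample("203.0.113.9", b"other", dport=53))]
```

Fed the (timestamp, packet) pairs read from the existing error pcap files, `table(latest_per_source(...))` gives the one-row-per-gateway overview; broadcasts to other ports are skipped and stay in the error log.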