One of my sites is undergoing some increase in anomalous traffic activity pointed at one of our ingress endpoints (a mikrotik router.)

* Is it possible to mirror an interface traffic so I can do further analysis on the ingress traffic?

* Can I log all SYN packets ingressing to an interface?

Thank you!

Absolutely! You can mirror traffic from one interface to another on your MikroTik router using the Packet Sniffer feature. Simply navigate to the Tools menu, select Packet Sniffer, and choose the desired interfaces. This allows you to monitor traffic without disrupting the original flow. Additionally, you can log SYN packets ingressing to an interface by creating a firewall rule in the router's settings. Specify the protocol, destination port, and action to log, enabling you to analyze incoming SYN packets for potential issues pinny fix

like this?
/ip firewall filter add action=passthrough chain=input comment="Syn from outside" connection-state=new in-interface=ether1 log=yes log-prefix="syn from outside"
and make this rule the first rule of the list.

For the mirror interface, there is also the possibility of using the Switches mirroring function.
(Needs to be a router with a switch chip which is many/most of them)

Need to ensure the destination port is on the same switch as the source port.
In cases where the router has more than 1 switch chip.