Traffic Sniffer from the port does not work with active Hardware Offloading for this port (i.e., Traffic Sniffer is work, but does not capture anything except stp).
When disabling Hardware Offloading for a port, it is possible to capture packets from port, but when I turn on Hardware Offloading back, traffic will not forward until you turn off/on the port.
Also, port mirroring does not work.
When I trying to do:
/interface ethernet switch set mirror-source=ether2 mirror-target=ether3 switch1
I get: failure: port mirroring not supported
When enabling copying traffic to the CPU for the subsequent sniff:
only packets transmitted to the port are captured.
Is there a way to capture traffic with active hardware offload on the ports?
Why port mirroring does not work?
RSPAN is not available in the Router OS, is it planned to add it?
I share the answer from the support of Mikrotik (maybe it will be useful to someone too).
A sniffer will only capture packets that are processed by the software. When you are using HW offloading, the forwarded packets between switch ports are processed only by the switch chip, so they cannot be sniffed directly. To inspect these packets you should use either port mirroring or “copy-to-cpu” feature.
Switch mirror-source and mirror-target properties have been fixed in the latest RouterOS stable version 6.47. Please try to upgrade your switch and let us know the results.
Yes, switch rules are working only with ingress packets, so you will only see packets that are transmitted to the port.
RSPAN is not available in RouterOS and I cannot say whether this will be added in future RouterOS releases.
