Internal traffic from switch showing in torch.

I have recently noticed connections made directly to our cisco switch are showing up in our interface and in torch. The Rx rate on my vlan5 started jumping from a consistent couple hundred kb to several mb, which prompted me to torch the connection. There is no packets being transmitted in response by the mikrotik, and inter-LAN networking is working as should, just throws my upstream off, as its registering as received packets. i.e. rx traffic from 192.168.1.60 shows to 192.168.1.44 in one entry, and rx traffic from 192.168.1.44 show to 192.168.1.60 in another entry.

I have added a set of mangle rules to load balance between two ISPs, and believe this is when the interface traffic started showing up. I have followed the PCC load balance example off the manual, with the additional change of copying the LAN interface mangle rules and changing it for each of the vlans i have want to load balance (vlan5/private and vlan99/public).

 0   chain=prerouting action=accept dst-address=69.xx.xx.0/25 in-interface=vlan99 
 1   chain=prerouting action=accept dst-address=69.xx.xx.0/25 in-interface=vlan5 
 2   chain=prerouting action=accept dst-address=69.xx.xx.192/28 in-interface=vlan99 
 3   chain=prerouting action=accept dst-address=69.xx.xx.192/28 in-interface=vlan5 
 4   chain=prerouting action=mark-connection new-connection-mark=ISP1_conn passthrough=yes in-interface=E1 - WAN connection-mark=no-mark 
 5   chain=prerouting action=mark-connection new-connection-mark=ISP2_conn passthrough=yes in-interface=E7 - WAN2 connection-mark=no-mark 
 6   chain=prerouting action=mark-connection new-connection-mark=ISP1_conn passthrough=yes dst-address-type=!local in-interface=vlan99 connection-mark=no-mark per-connection-classifier=both-addresses:2/0 
 7   chain=prerouting action=mark-connection new-connection-mark=ISP1_conn passthrough=yes dst-address-type=!local in-interface=vlan5 connection-mark=no-mark per-connection-classifier=both-addresses:2/0 
 8   chain=prerouting action=mark-connection new-connection-mark=ISP2_conn passthrough=yes dst-address-type=!local in-interface=vlan99 connection-mark=no-mark per-connection-classifier=both-addresses:2/1 
 9   chain=prerouting action=mark-connection new-connection-mark=ISP2_conn passthrough=yes dst-address-type=!local in-interface=vlan5 connection-mark=no-mark per-connection-classifier=both-addresses:2/1 
10   chain=prerouting action=mark-routing new-routing-mark=ISP1 passthrough=yes in-interface=vlan99 connection-mark=ISP1_conn 
11   chain=prerouting action=mark-routing new-routing-mark=ISP1 passthrough=yes in-interface=vlan5 connection-mark=ISP1_conn 
12   chain=prerouting action=mark-routing new-routing-mark=ISP2 passthrough=yes in-interface=vlan99 connection-mark=ISP2_conn 
13   chain=prerouting action=mark-routing new-routing-mark=ISP2 passthrough=yes in-interface=vlan5 connection-mark=ISP2_conn 
14   chain=output action=mark-routing new-routing-mark=ISP1 passthrough=yes 
     connection-mark=ISP1_conn 
15   chain=output action=mark-routing new-routing-mark=ISP2 passthrough=yes 
     connection-mark=ISP2_conn

There is no hotspot on the public interface, using dhcp and dns servers only on a RB1100. I am using src-nat to direct the traffic out certain addresses.

Any help would be greatly appreciated.

It would probably be worth poisting more info on the routeros config to allow a better overview. Some info on the types of traffic being seen on the upstream interface would be useful too.

You mention several Mbps appearing on the upstream interface. Is there multicast or streaming occuring on the local network? If so then perhaps the forward chain is allowing that traffic out onto the upstream interface. I suggest aploading all of the firewall config so we can have a look.