Logging incoming traffic

One of my sites is seeing an increase in anomalous traffic pointed at one of our ingress endpoints (a MikroTik router).

  • Is it possible to mirror an interface's traffic so I can do further analysis on the ingress traffic?

  • Can I log all SYN packets ingressing to an interface?

Thank you!

Like this?
/ip firewall filter add action=passthrough chain=input comment="Syn from outside" connection-state=new in-interface=ether1 log=yes log-prefix="syn from outside"
And make this rule the first rule in the list.
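One way to summarize what that rule logs, as an added example that is not part of the original thread: it counts TCP SYNs per source address and lists the destination ports each source touched. The log line layout and the sample lines are assumptions constructed for illustration; because connection-state=new also matches new UDP flows, the parser keeps only entries marked `proto TCP (SYN)`.

```python
import re
from collections import Counter

# Constructed sample lines; the layout is assumed to be the usual RouterOS
# firewall log format with the "syn from outside" prefix set by the rule.
SAMPLE_LOG = """\
firewall,info syn from outside input: in:ether1 out:(unknown 0), connection-state:new src-mac 00:00:5e:00:53:01, proto TCP (SYN), 203.0.113.5:51001->198.51.100.1:22, len 60
firewall,info syn from outside input: in:ether1 out:(unknown 0), connection-state:new src-mac 00:00:5e:00:53:01, proto TCP (SYN), 203.0.113.5:51002->198.51.100.1:23, len 60
firewall,info syn from outside input: in:ether1 out:(unknown 0), connection-state:new src-mac 00:00:5e:00:53:01, proto UDP, 203.0.113.9:5353->198.51.100.1:53, len 70
firewall,info syn from outside input: in:ether1 out:(unknown 0), connection-state:new src-mac 00:00:5e:00:53:01, proto TCP (SYN), 203.0.113.5:51003->198.51.100.1:80, len 60
system,info,account user admin logged in via ssh
firewall,info syn from outside input: in:ether1 out:(unknown 0), connection-state:new src-mac 00:00:5e:00:53:01, proto TCP (SYN), 203.0.113.77:40000->198.51.100.1:443, len 60
firewall,info syn from outside input: in:ether1 out:(unknown 0), connection-state:new src-mac 00:00:5e:00:53:01, proto TCP (SYN), 203.0.113.5:51004->198.51.100.1:443, len 60
"""

LINE_RE = re.compile(
    r"syn from outside \S+: in:(?P<iface>\S+) .*?"
    r"proto (?P<proto>\w+)(?: \((?P<flags>[^)]*)\))?, "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)->"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
)

def parse_syns(text):
    """Yield (source address, destination port) for each logged TCP SYN."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated log topic or a protocol without ports
        # connection-state=new also logs new UDP flows; keep pure SYNs only
        if m["proto"] != "TCP" or m["flags"] != "SYN":
            continue
        yield m["src"], int(m["dport"])

def summarize(text, threshold=3):
    """Return {src: (syn_count, sorted ports)} for sources at or above threshold."""
    counts, ports = Counter(), {}
    for src, dport in parse_syns(text):
        counts[src] += 1
        ports.setdefault(src, set()).add(dport)
    return {s: (n, sorted(ports[s])) for s, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for src, (n, dports) in summarize(SAMPLE_LOG).items():
        print(f"{src}: {n} SYNs to ports {dports}")
```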

For the mirror interface, there is also the possibility of using the switch's mirroring function.
(Needs to be a router with a switch chip, which is many/most of them.)

Need to ensure the destination port is on the same switch as the source port, in cases where the router has more than 1 switch chip.