Mikrotik logs with TTL

Hello guys.
I have a specific situation with a game server and I need to log incoming packets along with their TTL. I’m digging through the Mikrotik docs but can’t find anything TTL-related.

Firewall log doesn’t have TTL :frowning:

forward: in:internet out:ether5, connection-state:established,dnat src-mac 34:16:2a:39:75:32, proto UDP, 7.113.237.22:1318->192.168.1.1:33033, NAT 7.113.237.22:1318->(4.5.6.7:33033->192.168.145.209:33033), len 52

Regards,
J

The firewall logs what it logs, so you cannot add value to the output. You can set the TTL if that’s what’s needed via a mangle rule. But not read/log.

One nifty trick that may help is a mangle rule that uses “sniff-tzsp” as an action on the traffic you want to inspect for TTL (or anything else). That action sends any packet that matches the rule to Wireshark on a desktop IP that listens on an interface to the Mikrotik, and inside Wireshark you filter for “TZSP” in the Wireshark search box. You can do the same for all traffic using Tool > Sniffer if you don’t want to use “mangle” + “sniff-tzsp”.
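As an added illustration of the two mirroring options described in this reply (example configuration, not from the thread or from MikroTik's docs), assuming a Wireshark workstation at 192.168.1.50 reachable from the router, the game port 33033 from the log line above, and "internet" as the WAN interface name:

```routeros
# Added example, not part of the original thread.
# Assumptions: analyst workstation 192.168.1.50 runs Wireshark and receives
# TZSP on UDP/37008 (Wireshark's default TZSP port); game server listens on
# UDP 33033; WAN interface is named "internet".

# Option 1: mangle rule that copies only the game traffic to Wireshark.
# The rule does not alter or terminate the packet; the original still goes
# through the normal filter/NAT path, so this is safe to leave running.
/ip firewall mangle
add chain=prerouting in-interface=internet protocol=udp dst-port=33033 \
    action=sniff-tzsp sniff-target=192.168.1.50 sniff-target-port=37008 \
    comment="mirror inbound game traffic to Wireshark via TZSP"

# Option 2: the built-in packet sniffer streaming the same traffic.
# Restricting with filter-port keeps the mirror to the game port only
# instead of every packet the router sees.
/tool sniffer set streaming-enabled=yes streaming-server=192.168.1.50 \
    filter-ip-protocol=udp filter-port=33033
/tool sniffer start
```

In Wireshark, apply the display filter `tzsp` and add the inner packet's `ip.ttl` as a column; the outer UDP/37008 wrapper is the router-to-workstation transport and its own TTL is not the value of interest. Stop the sniffer with `/tool sniffer stop` (or disable the mangle rule) when the capture is done, since the mirror sends a copy of every matching packet, including any flood traffic, to the workstation.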

I have a problem with DDoS attacks (from spoofed IPs). At first the real packet comes with the proper TTL, so I want to log it, process it and set a rule to accept traffic from that IP with a matching TTL (with some timeout like 12 hours). All other packets with a wrong TTL will be dropped. I’m trying to do it directly on my Mikrotik without involving different equipment.

You can match on the “wrong” TTL and add those to an address-list. Or, more complex, use multiple rules, one for each TTL value (65, 64, etc.), and then add those to a “ttl-is-65”, “ttl-is-64”, etc. address-list… then use those address-lists to process into a new address-list that controls blocking.
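A worked version of the per-TTL address-list scheme from this reply, combined with the 12-hour learn-then-enforce idea from the question (added example, not the thread's own configuration). It assumes the game port 33033 and WAN interface "internet" from earlier in the thread, and shows only two TTL values (64 and 128); you would repeat the pair of rules per TTL value you actually observe from real clients.

```routeros
# Added example, not part of the original thread.
# Assumptions: WAN interface "internet", game traffic is UDP/33033,
# expected arrival TTLs are 64 and 128 (repeat the blocks for others).
# Entries added with address-list-timeout expire on their own after 12h.
/ip firewall filter

# Send only the game traffic through a dedicated chain.
add chain=forward in-interface=internet protocol=udp dst-port=33033 \
    action=jump jump-target=game-ttl comment="TTL pinning for game port"

# --- Known sources: accept if TTL still matches, otherwise drop and log. ---
# A source pinned to TTL 64 that suddenly arrives with another TTL is
# treated as a spoofed packet, as the question describes.
add chain=game-ttl src-address-list=ttl-is-64 ttl=equal:64 action=accept
add chain=game-ttl src-address-list=ttl-is-64 action=drop \
    log=yes log-prefix="ttl-mismatch-64"
add chain=game-ttl src-address-list=ttl-is-128 ttl=equal:128 action=accept
add chain=game-ttl src-address-list=ttl-is-128 action=drop \
    log=yes log-prefix="ttl-mismatch-128"

# --- Unknown sources: pin the first packet's TTL for 12 hours. ---
# add-src-to-address-list does not terminate the rule walk, so the packet
# continues to the final return and is accepted by whatever follows.
add chain=game-ttl ttl=equal:64 action=add-src-to-address-list \
    address-list=ttl-is-64 address-list-timeout=12h log=yes log-prefix="learn-ttl-64"
add chain=game-ttl ttl=equal:128 action=add-src-to-address-list \
    address-list=ttl-is-128 address-list-timeout=12h log=yes log-prefix="learn-ttl-128"

# Back to the forward chain for everything not dropped above.
add chain=game-ttl action=return
```

Rule order is what makes this work: the accept/drop pairs for already-known sources come before the learning rules, so a source is only learned once, and a spoofed packet carrying a different TTL for an already-pinned address is dropped rather than re-learned. Two caveats a practitioner should keep in mind: a spoofed packet whose TTL happens to match the pinned value passes this check, so it narrows the attack rather than eliminating it, and a legitimate client whose route changes mid-session (TTL shifts by a hop or two) will be dropped until its 12h entry expires, which the `ttl-mismatch-*` log prefix lets you spot.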