Hello,
I’m trying to send any DNS traffic from a MikroTik which operates in bridge mode to a remote server. I discovered three ways to accomplish this: a calea option, a firewall mangle sniff TZSP action and /tool sniffer. I set up a Linux server with tcpdump capturing port 37008 in a ring buffer.
I think I need this option to use any firewall level function on a bridge:
/interface bridge settings set use-ip-firewall=yes
Option 1: tool sniffer
/tool sniffer set file-limit=10KiB filter-interface=all filter-ip-protocol=tcp,udp filter-port=dns filter-stream=yes memory-scroll=no streaming-enabled=yes streaming-server=10.0.0.1
Seems to work, but gets disabled after a while or after a reboot, so it does not look like a permanent solution, rather a troubleshooting tool, right?
Option 2: action=sniff-tzsp
/ip firewall mangle add action=sniff-tzsp chain=forward dst-address=0.0.0.0 dst-port=53 port="" protocol=udp sniff-target=10.0.0.1 sniff-target-port=37008 src-address=0.0.0.0
Doesn’t work in bridge mode, even with the use-ip-firewall=yes option.
Option 3: /interface bridge calea
/interface bridge calea add action=sniff chain=forward disabled=yes sniff-target=10.0.0.1 sniff-target-port=37008
doesn’t work
What is the right way to send DNS traffic to an IDS? What are the differences between these three methods? Can you suggest what needs to be adjusted in the configuration to make it work?
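On the receiving side of the setup described above, each UDP datagram on port 37008 is a TZSP wrapper around the mirrored frame, so the IDS host has to strip it before it can tell whether DNS is actually arriving. The following is an added example, not part of the original post: it assumes the commonly documented TZSP layout (4-byte header, then tagged fields up to an end tag), and the function names and sample datagram are constructed for illustration.

```python
import struct

TAG_PADDING, TAG_END = 0x00, 0x01   # TZSP tags that carry no length byte
ENCAP_ETHERNET = 1                  # TZSP encapsulated-protocol value for Ethernet

def tzsp_inner_frame(payload: bytes) -> bytes:
    """Strip the 4-byte TZSP header and tagged fields; return the inner frame."""
    if len(payload) < 4:
        raise ValueError("short TZSP header")
    version, _ptype, encap = struct.unpack("!BBH", payload[:4])
    if version != 1 or encap != ENCAP_ETHERNET:
        raise ValueError("unsupported TZSP version or encapsulation")
    i = 4
    while i < len(payload):
        tag = payload[i]
        if tag == TAG_END:
            return payload[i + 1:]
        if tag == TAG_PADDING:
            i += 1
        elif i + 1 < len(payload):
            i += 2 + payload[i + 1]   # tag, length, then <length> bytes of data
        else:
            break
    raise ValueError("TZSP end tag not found")

def is_dns(frame: bytes) -> bool:
    """True for IPv4 TCP/UDP to or from port 53 (non-first fragments are skipped)."""
    off = 14
    if len(frame) >= 18 and frame[12:14] == b"\x81\x00":   # skip one 802.1Q tag
        off = 18
    if len(frame) < off + 20 or frame[off - 2:off] != b"\x08\x00":
        return False
    ihl = (frame[off] & 0x0F) * 4
    frag_offset = struct.unpack("!H", frame[off + 6:off + 8])[0] & 0x1FFF
    l4 = off + ihl
    if ihl < 20 or frag_offset or frame[off + 9] not in (6, 17) or len(frame) < l4 + 4:
        return False
    return 53 in struct.unpack("!HH", frame[l4:l4 + 4])

def build_sample(dport: int) -> bytes:
    """Constructed test datagram: TZSP + one tagged field + Ethernet/IPv4/UDP."""
    eth = bytes(6) + bytes(6) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 2]), bytes([10, 0, 0, 53]))
    udp = struct.pack("!HHHH", 40000, dport, 8, 0)
    tzsp = struct.pack("!BBH", 1, 0, ENCAP_ETHERNET) + b"\x0a\x01\xc8" + bytes([TAG_END])
    return tzsp + eth + ip + udp
```

Feeding it the UDP payloads read from a socket bound to port 37008, or extracted from the tcpdump ring-buffer files, shows which of the three mirroring methods delivers DNS frames and which delivers nothing.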