Do I understand this correctly?
The Torch tool will capture and list all packets that somehow reach the Mikrotik device (similar to “promiscuous mode”),
while the Packet Sniffer tool will only capture packets that actually go through the Mikrotik device (e.g. routing) and are processed by it?
This is important for me because the Torch tool shows that the IPCam indeed sends ICMP response packets, while the Packet Sniffer will not list them (only the ICMP request packets going to the IPCamera).
The packet sniffer is far more powerful: it generates an actual Wireshark capture file you can copy to your computer and open with Wireshark, and see every piece of info on every packet, just like you captured it locally with your computer. You can also specify tx, rx or both on an interface, which is very handy if you have high throughput on links and are only really looking for something that is being forwarded or received.
It is important to note that if you are using bridge ports utilizing hardware mode, you will need to disable hardware mode on the bridge port during the capture, perform the capture, then re-enable hardware mode. Otherwise you will only capture CPU-generated packets such as RSTP and so on.
Personally, I prefer to use the mangle action “sniff tzsp” because it is clear when it gets executed and you can actually choose: prerouting, forward, postrouting … (look at the packet flow). You can even sniff the same packet multiple times (once in prerouting, once in postrouting) and send them to different ports (so you can have multiple Wiresharks running on the same computer and watching it simultaneously). Another advantage is that it is more stable than the sniffer (e.g. the sniffer stops when your router restarts). Finally, thanks to the really powerful matching in mangle, you can filter very precisely what you want to sniff.
The obvious disadvantage is that you need to fully understand what you are matching, otherwise you may miss something.
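A minimal collector for the mangle “sniff tzsp” stream described above, as an added example (not code from this thread or from MikroTik): it strips the TZSP header that wraps each copied frame and writes the frames to a pcap file that Wireshark opens. Port 37008 is the standard TZSP port and is assumed to be the `sniff-target-port` configured in the rule; the sample datagram is constructed for illustration.

```python
import socket
import struct

TZSP_PORT = 37008            # standard TZSP port; assumed to match the rule's sniff-target-port
TZSP_ENCAP_ETHERNET = 1      # encapsulated protocol value for Ethernet frames
TAG_PADDING, TAG_END = 0x00, 0x01
PCAP_LINKTYPE_ETHERNET = 1


def parse_tzsp(datagram: bytes):
    """Return (type, encapsulation, tags, frame) from one TZSP datagram.

    Header: version(1) type(1) encap(2), then tagged fields ending with TAG_END;
    everything after the end tag is the copied frame.
    """
    if len(datagram) < 5:
        raise ValueError("datagram shorter than a TZSP header")
    version, ptype, encap = struct.unpack("!BBH", datagram[:4])
    if version != 1:
        raise ValueError(f"unsupported TZSP version {version}")
    pos, tags = 4, {}
    while True:
        if pos >= len(datagram):
            raise ValueError("TZSP tag list is not terminated")
        tag = datagram[pos]
        pos += 1
        if tag == TAG_END:
            break
        if tag == TAG_PADDING:          # single-byte tag without length field
            continue
        length = datagram[pos]          # all other tags are TLV encoded
        tags[tag] = datagram[pos + 1:pos + 1 + length]
        pos += 1 + length
    return ptype, encap, tags, datagram[pos:]


def pcap_header(linktype: int = PCAP_LINKTYPE_ETHERNET) -> bytes:
    """24-byte pcap global header (magic, v2.4, UTC, snaplen 65535)."""
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)


def pcap_record(frame: bytes, ts_sec: int = 0, ts_usec: int = 0) -> bytes:
    """One pcap record header followed by the frame bytes."""
    return struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame


def collect(path: str, count: int, port: int = TZSP_PORT) -> int:
    """Receive `count` TZSP datagrams on `port` and write them to a pcap file."""
    written = 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock, open(path, "wb") as out:
        sock.bind(("0.0.0.0", port))
        out.write(pcap_header())
        for _ in range(count):
            data, _addr = sock.recvfrom(65535)
            _ptype, encap, _tags, frame = parse_tzsp(data)
            if encap == TZSP_ENCAP_ETHERNET:
                out.write(pcap_record(frame))
                written += 1
    return written


# Constructed sample: a TZSP "received" datagram carrying a 14-byte Ethernet header plus payload.
SAMPLE_FRAME = bytes.fromhex("ffffffffffff0011223344550800") + b"constructed payload"
SAMPLE_DATAGRAM = bytes([1, 0, 0, 1, TAG_PADDING, TAG_END]) + SAMPLE_FRAME
```

Running `collect("sniff.pcap", 100)` on the server named in the rule produces a file Wireshark reads directly; while it is not running nothing is bound to the port, which is worth keeping in mind when reading the server-side traffic.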
The solution you describe works nicely and I agree with you on the matter, BUT I found something very weird which I do not understand.
So I have this mangle rule which gets executed in postrouting and only sniffs the traffic (sniff-TZSP) to a server. All seems to work OK, with one observation:
Only when the rule is active (sniffing takes place) do I see ICMP traffic being generated from the server (that is processing the TZSP traffic) back to the router.
Basically I see an invalid ICMP connection (in both INPUT and FORWARD chains) coming from the server back to the router. I’m running on the latest 7.8 ROS.