Used
/tool sniffer
set file-limit=10000KiB file-name=le-pcap.pcap filter-ip-address=192.168.20.254/32 filter-stream=yes memory-limit=1000KiB streaming-enabled=yes streaming-server=192.168.20.254
to capture it, neither the TZSP stream shows the packets nor the le-pcap.pcap file contains the needed packets...
What I see tho, is this:
Which may explain the reason why some UDP packets are not captured, due to them being fast-tracked.
I saw this post, would you say that marking a connection and then not fast-tracking that one, will increase the CPU usage by a ton? Or due to most of the connections being fast tracked, the impact will be negligible?
Full on port mirroring may only be a solution if I were to have something much more powerful than a raspberry pi (notably that QUIC and newer streaming protocols are rather using UDP than TCP; which would make plenty of stuff going unnecessarily into the raspi). My Switch has this:
However, it would still send all UDP traffic - including video streams, potentially downloads, QUIC, ... - and would make the raspi to do all filtering.