If it helps to describe the solution, yes, think that we already know the src private ip/port and dst /port and we want to know the modified public src ip/port as built by the src nat rule. The requirement is that this natted src ip/port must be recorded/logged automatically by a firewall/filter/nat rule.
- Create a bridge which includes the internet connected interface.
- Change the interface of the external IP to the bridge.
- Create a mangle rule in the firewall forward chain with action mark connection and passthrough.
- Create a second mangle rule in the firewall forward chain which uses the connection mark to mark the packets.
- Finally, create a log rule in the bridge output chain that's using the packet mark.

Prepare to have a massive log, but that's another problem.
Edit:
/ip firewall mangle
add action=mark-connection chain=forward dst-address=8.8.8.8 new-connection-mark=GDNS-conn
add action=log chain=forward connection-mark=GDNS-conn connection-state=new log-prefix=FW-GDNS
add action=mark-packet chain=forward connection-mark=GDNS-conn connection-state=new new-packet-mark=GDNS-pack passthrough=no
/interface bridge filter
add action=log chain=output log-prefix=BR-GDNS packet-mark=GDNS-pack
This will result in packets being logged only when a new connection is established.
Results in log:
23:18:39 firewall,info FW-GDNS forward: in:pppoe-rt-bfs-3 out:br-int, proto UDP, 172.32.1.2:1142->8.8.8.8:53, len 68
23:18:39 firewall,info BR-GDNS output: in:(none) out:ether5, src-mac 00:0c:42:b4:8a:61, dst-mac 00:33:43:79:c3:d0, eth-proto 0800, UDP, 96.110.62.55:1142->8.8.8.8:53, len 68
23:18:39 firewall,info FW-GDNS forward: in:pppoe-rt-bfs-3 out:br-int, proto UDP, 172.32.1.2:1143->8.8.8.8:53, len 64
23:18:39 firewall,info BR-GDNS output: in:(none) out:ether5, src-mac 00:0c:42:b4:8a:61, dst-mac 00:33:43:79:c3:d0, eth-proto 0800, UDP, 96.110.62.55:1143->8.8.8.8:53, len 64
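An added example, not part of the original post: a Python sketch that pairs each FW-GDNS (pre-NAT) log entry with the BR-GDNS (post-NAT) entry that follows it, giving the private-to-public source mapping per connection. The function name and the pairing rule (same protocol, destination and length, oldest first) are assumptions made for illustration; the sample lines are the ones shown above.

```python
import re
from collections import deque

# Log lines from the post above, with the wrapped lines rejoined.
SAMPLE_LOG = """\
23:18:39 firewall,info FW-GDNS forward: in:pppoe-rt-bfs-3 out:br-int, proto UDP, 172.32.1.2:1142->8.8.8.8:53, len 68
23:18:39 firewall,info BR-GDNS output: in:(none) out:ether5, src-mac 00:0c:42:b4:8a:61, dst-mac 00:33:43:79:c3:d0, eth-proto 0800, UDP, 96.110.62.55:1142->8.8.8.8:53, len 68
23:18:39 firewall,info FW-GDNS forward: in:pppoe-rt-bfs-3 out:br-int, proto UDP, 172.32.1.2:1143->8.8.8.8:53, len 64
23:18:39 firewall,info BR-GDNS output: in:(none) out:ether5, src-mac 00:0c:42:b4:8a:61, dst-mac 00:33:43:79:c3:d0, eth-proto 0800, UDP, 96.110.62.55:1143->8.8.8.8:53, len 64
"""

# Timestamp, topics, log prefix, chain, then "<PROTO>, src:port->dst:port, len N".
# The optional "(...)" after the protocol tolerates a flags field on TCP entries.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ (?P<prefix>\S+) (?P<chain>forward|output): .*?"
    r"\b(?P<proto>UDP|TCP)(?: \([^)]*\))?, "
    r"(?P<src>[\d.]+:\d+)->(?P<dst>[\d.]+:\d+), len (?P<len>\d+)"
)

def correlate(log_text, fw_prefix="FW-GDNS", br_prefix="BR-GDNS"):
    """Return one dict per connection: private source, NATed source, destination."""
    pending = deque()  # forward-chain entries still waiting for a bridge entry
    mappings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated or truncated log line
        if m["prefix"] == fw_prefix:
            pending.append(m)
        elif m["prefix"] == br_prefix:
            # Assumed pairing rule: src NAT may rewrite the source address and
            # port, so match on protocol, destination and length only.
            key = (m["proto"], m["dst"], m["len"])
            for fw in pending:
                if (fw["proto"], fw["dst"], fw["len"]) == key:
                    pending.remove(fw)
                    mappings.append({"time": fw["ts"], "proto": fw["proto"],
                                     "private_src": fw["src"],
                                     "public_src": m["src"], "dst": fw["dst"]})
                    break
    return mappings

if __name__ == "__main__":
    for row in correlate(SAMPLE_LOG):
        print(row)
```

On a busy router two connections to the same destination with the same packet length can be logged in the same instant, so treat the pairing as a best-effort heuristic.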