I was monitoring one of our customers equipment and noticed .5-2Mbps of random traffic on it. After troubleshooting and running tcpdump it looks like somehow the Mikrotik router is forwarding certain netflix traffic to all devices on the bridge at the same time which results in these random spikes of 100-200Mbps. There is probably other traffic in there as well but netflix is standing out. All these ports are isolated using split horizon on the bridge as well. MIkrotik is running 6.10 firmware and does NAT. Any ideas what is going on and how to isolate. Thanks.

I pulled some of the traffic from the tcp dump, and matched the ip address to mac address and traced out. I could locate the mac in the next switch off one port of the main router in its host table for its bridge but not in another that it was also getting sent through. Is this some sort of multicast thing happening?

This is probably a problem with the mac table of some switch. It gets full, it cannot store any new mac addresses and the traffic broadcasts to all ports because there is no information about the destination.

How would you tell if the table is getting full and is there an easy way to track it down as we have close to a 100 switches in our network.

Also is it possible to increase its size once tracked down?

This happens mostly on dumb switched, because they have a smaller mac table. You can't be sure if this is exactly what is happening, but from what you describe that is the problem.
There are 2 solutions. One of them is segment your network so you have less mac addresses in each segment. The other is replace the affected switches.

There are a few thousand mac addresses and ip's on this segment of the network so there is no way it is getting maxed. Basicically we have a mikrotik switch that feeds different sites which in turn deed smaller sites. Could a switch way out at the edge of the network feeding maybe 50 devices cause the main switch to send certain traffic everyones ways. How do you trouble shoot this issues as when I look up the ip that the rouge traffic is destined to, there is an entry for it in the main router arp table so why is it sending it out on all legs of the network.

The main switch will not be affected. If the entry is in the mac table it will unicast the packets.
But several thousand macs are a lot. For a good managed switch is nothing, most have 8K or even 32K mac table. But a dumb switch has 1K mac table and some older switches even less.

Should the switches that are connected into the main router have all their ports and bridges set to proxy-arp or just arp like everything is in the main router?

These are all mikrotik switches. Basically a 1100ah2 feeds a dozen rb1200's which in turn feed a bunch of 750UP's at all the various sites.

Also all the Mikrotik switches that are fed off the main router are nothing more than bridges. All ports are bridged on these routers and split horizon is used to isolate all the ports in the bridge.

Friends don't let friends bridge networks.... ;-)

Is RTSP enabled everywhere? One switch / hub / bridge on the network with a cable plugged between two ports on the same segment can completely ruin your day. That cable could be between two ports on the same device or ports on two different devices which are connected to each other, possibly three hops up the chain.

LOL no bridging loops, its impossible to do as each switch is at a remote site from another site and everything is isolated. Traffic flows fine except for these random bursts of traffic every 30 secs to a minute. If I trace out the ip and mac that it should be going to they exist on all different parts of the network so there is no correlation in that regard and this traffics is on all ports like the main router has no idea where to send those packets even though it has entries for that ip address in its arp table.

I have noticed sometimes that when I look up the rogue traffic there is an entry in the arp table of where it should be going to and the interface will be the bridge, but if you go to the bridge host table that MAC address listed next to the ip address will sometimes not be there. Any reason for this? The bridge ageing timeout is set to 5 minutes and the Arp timeout is set to 3 minutes so it should clear out of the arp table long before the mac gets flushed in the host table along with its entry of where to route it on the bridge.

How many entries in the bridging host table?

Around 2000. I think what I am seeing is unicast flooding where a bridge which doesn't have the mac address listed in its host table will send out the packets to all interfaces connected to the bridge. Cisco has an easy way to disable this but I am unable to find out how to block unicast flooding on Mikrotik after searching high and low. Does any one know how?