Hello,

I'm trying to send any DNS traffic from mikrotik which operates in bridge mode to a remote server. I discovered three ways to accomplish this - a calea options, a firewall mangle sniff TZSP action and /tool sniffer. I set up a linux server with a tcpdump capturing port 37008 in a ring buffer.

I think I need this option to use any firewall level function on a bridge:
Option 1: tool sniffer seems to work, but get disabled after a while or after a reboot, so it looks not like a permanent solution, rather a troubleshooting tool, right?

Option 2: action=sniff-tzsp doesn't work in bridge mode, even with use-ip-firewall=yes option

Option 3: /interface bridge calea doesn't work

what is the right way to send DNS traffic to IDS? What are the differences between these three methods? Can you suggest what need to be adjusted in the configuration to make it work?

Option 2 can't catch anything because 0.0.0.0 is exactly one address with four zeroes, you won't find many packets like that. Either remove src/dst-address completely, or use 0.0.0.0/0.

Thanks Sob, this solves the issue!