Some Mikrotik devices have a TAP-like capability for Ethernet interfaces: the built-in packet sniffer can stream the mirrored frames to another host. The catch is that the data leaves the Mikrotik encapsulated in the TaZmen Sniffer Protocol (TZSP). Security Onion doesn't parse TZSP natively, but thankfully the tzsp2pcap project handles the conversion for us.
An excellent use case is monitoring your wireless network (if you use a combined wireless and wired router such as the RB2011), or other interfaces such as PPPoE or VPN tunnels that could not otherwise be tapped without additional hardware.
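To make concrete what tzsp2pcap does on the Security Onion side, here is an added Python example; it is not code from the tzsp2pcap project, from MikroTik, or from the original post. It follows the TZSP layout as Wireshark dissects it: a 4-byte header (version, type, encapsulation), a list of tagged fields terminated by TAG_END, then the sniffed frame, which it wraps in classic pcap records. The sample ARP frame, the addresses 192.0.2.1 and 198.51.100.7, and the file name tzsp_rx.py are constructed for the example. The receiver only accepts datagrams from the router's address, because TZSP is plain unauthenticated UDP and anything that reaches port 37008 would otherwise be replayed onto the sensor interface.

```python
"""TZSP decoder and pcap writer (what tzsp2pcap does), as a constructed stand-alone example; not tzsp2pcap's or MikroTik's code."""
import io
import socket
import struct
import sys
import time
from typing import Dict, Iterable, Optional, Tuple

TZSP_PORT = 37008           # UDP port the MikroTik streaming sniffer sends to by default
# TZSP datagram: version(1) type(1) encapsulation(2, network order), tag list, then the sniffed frame.
TZSP_VERSION = 1
TYPE_RECEIVED_TAG_LIST = 0  # carries a sniffed frame
TYPE_KEEPALIVE = 4          # header only, no frame follows
ENCAP_ETHERNET = 1
TAG_PADDING = 0x00          # single byte, no length field
TAG_END = 0x01              # single byte, terminates the tag list
DLT_EN10MB = 1              # pcap link type for Ethernet; a pcap stream carries exactly one link type

class TZSPError(ValueError):
    """Malformed or unsupported TZSP datagram."""

def parse_tzsp(datagram: bytes) -> Optional[Tuple[int, Dict[int, bytes], bytes]]:
    """Return (encapsulation, tags, frame) for a sniffed frame, None for a keepalive; every
    length is checked before use, so a short or hostile datagram raises TZSPError."""
    if len(datagram) < 4:
        raise TZSPError("datagram shorter than the 4-byte TZSP header")
    version, pkt_type, encap = struct.unpack("!BBH", datagram[:4])
    if version != TZSP_VERSION or pkt_type not in (TYPE_RECEIVED_TAG_LIST, TYPE_KEEPALIVE):
        raise TZSPError(f"unsupported TZSP version {version} / type {pkt_type}")
    if pkt_type == TYPE_KEEPALIVE:
        return None
    tags: Dict[int, bytes] = {}
    pos = 4
    while pos < len(datagram) and datagram[pos] != TAG_END:
        tag = datagram[pos]
        pos += 1
        if tag == TAG_PADDING:
            continue
        if pos >= len(datagram) or pos + 1 + datagram[pos] > len(datagram):
            raise TZSPError(f"tag 0x{tag:02x} truncated")
        length = datagram[pos]
        tags[tag] = datagram[pos + 1:pos + 1 + length]
        pos += 1 + length
    if pos >= len(datagram):
        raise TZSPError("tag list not terminated by TAG_END")
    return encap, tags, datagram[pos + 1:]

def pcap_header(linktype: int = DLT_EN10MB) -> bytes:
    """Classic little-endian pcap file header (magic, version 2.4, snaplen 65535)."""
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)

def pcap_record(frame: bytes, ts: float) -> bytes:
    """One pcap record: seconds, microseconds, captured length, original length, frame bytes."""
    return struct.pack("<IIII", int(ts), int((ts % 1) * 1_000_000), len(frame), len(frame)) + frame

def stream_pcap(datagrams: Iterable[Tuple[str, bytes]], router_ip: str, out, clock=time.time) -> Tuple[int, int]:
    """Turn (source_ip, datagram) pairs into a pcap stream on `out`; returns (written, ignored). TZSP carries
    no authentication, so only datagrams from `router_ip` are used; anything else is ignored, not replayed."""
    out.write(pcap_header())
    out.flush()
    written = ignored = 0
    for src, dg in datagrams:
        try:
            parsed = parse_tzsp(dg) if src == router_ip else None
        except TZSPError:
            parsed = None
        if parsed is None or parsed[0] != ENCAP_ETHERNET:
            ignored += 1  # wrong sender, malformed, keepalive or non-Ethernet encapsulation: nothing to replay
            continue
        out.write(pcap_record(parsed[2], clock()))
        out.flush()  # flush per frame so a downstream tcpreplay sees each frame immediately
        written += 1
    return written, ignored

# Constructed sample: a 42-byte ARP request as a LAN port might mirror it (all addresses made up).
SAMPLE_FRAME = (
    b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x06"   # dst broadcast, src, EtherType ARP
    + b"\x00\x01\x08\x00\x06\x04\x00\x01"                      # Ethernet/IPv4, opcode 1 = request
    + b"\x02\x00\x00\x00\x00\x01" + bytes([192, 0, 2, 10])     # sender MAC / IP
    + b"\x00" * 6 + bytes([192, 0, 2, 1]))                     # target MAC / IP
ROUTER_IP = "192.0.2.1"  # constructed address of the MikroTik
HDR = struct.pack("!BBH", TZSP_VERSION, TYPE_RECEIVED_TAG_LIST, ENCAP_ETHERNET)
SAMPLE_INPUT = [
    (ROUTER_IP, HDR + b"\x28\x04\x00\x00\x00\x01" + b"\x01" + SAMPLE_FRAME),         # packet-count tag, END, frame
    (ROUTER_IP, struct.pack("!BBH", TZSP_VERSION, TYPE_KEEPALIVE, ENCAP_ETHERNET)),  # keepalive
    (ROUTER_IP, HDR + b"\x28\x04\x00"),                                               # tag claims 4 bytes, has 1
    ("198.51.100.7", HDR + b"\x01" + SAMPLE_FRAME),                                   # valid frame, not the router
]

def demo() -> Tuple[bytes, int, int]:
    """Run the constructed sample through stream_pcap with a fixed clock; returns (pcap_bytes, written, ignored)."""
    buf = io.BytesIO()
    written, ignored = stream_pcap(SAMPLE_INPUT, ROUTER_IP, buf, clock=lambda: 1700000000.25)
    return buf.getvalue(), written, ignored

if __name__ == "__main__":  # python3 tzsp_rx.py <router-ip> | sudo tcpreplay --topspeed -i <capture-interface> -
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", TZSP_PORT))
    datagrams = ((addr[0], dg) for dg, addr in iter(lambda: sock.recvfrom(65535), None))
    stream_pcap(datagrams, sys.argv[1], sys.stdout.buffer)
```

The `__main__` block listens on UDP 37008 and writes pcap to stdout, so it slots into the same tcpreplay pipeline as tzsp2pcap; `demo()` runs the constructed sample offline. TZSP can carry other encapsulations (for example raw 802.11 from a wireless sniffer), and since a pcap stream has a single link type the example passes only Ethernet frames and counts anything else as ignored.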
You’ll need tzsp2pcap, git, and some development libraries.
# TZSP arrives as plain UDP on port 37008 (the Mikrotik default) with no authentication, so where you
# can, limit the rule to the router's address: sudo ufw allow from <router-ip> to any port 37008 proto udp
sudo ufw allow 37008
sudo apt install git build-essential libpcap0.8-dev
git clone https://github.com/thefloweringash/tzsp2pcap.git
cd tzsp2pcap && make
sudo cp tzsp2pcap /usr/local/bin
# -vv raises tzsp2pcap's verbosity on stderr; -f flushes after every packet so tcpreplay is fed as frames arrive.
# tcpreplay reads the pcap stream from stdin ("-") and replays it on the Security Onion sniffing interface;
# replace <capture-interface> with that interface's name.
sudo tzsp2pcap -vv -f | sudo tcpreplay --topspeed -i <capture-interface> -
You will now be capturing traffic from your selected Mikrotik interfaces and replaying it onto your Security Onion capture interface, where the sensor treats it like any other tapped traffic.
Note that this can have a large impact on the performance of your Mikrotik device: the more interfaces you choose to sniff, the more processing overhead once those interfaces carry real traffic. As an example, a Mikrotik RB2011 loaded with 50Mbit of Ethernet traffic across a total of three sniffed interfaces maxed the CPU (overclocked to 750MHz) at 100% and started severely impacting other services running on the device.