Mikrotik RouterOS doesn't have a tcpdump command. It has solutions for most/all of the problems I like to solve with tcpdump, though.
First, run tool sniffer start and then connection print interval=0.2. tool sniffer stop stops sniffing. This prints various information about active TCP connections, updated every 0.2 seconds. It's not something one wants to do on a busy core router, but if the router is lightly loaded, this is a simple and quick way to see what a particular server is up to.
Second, Wireshark: Mikrotik routers can stream copies of the forwarded packets in real time to Wireshark running on a workstation, using a protocol called TZSP; Wireshark receives the TZSP stream and shows you the encapsulated packets.
Start Wireshark as root and select the interface facing the Mikrotik, which I will pretend has address 192.0.2.165. Apply the filter udp.port == 37008 so that Wireshark shows you only the TZSP packets it receives from the Mikrotik, not random other packets seen on the same interface. You're now ready to start streaming packets from the Mikrotik: tool sniffer set streaming-server=192.0.2.165 streaming-enabled=yes and then tool sniffer start. The Wireshark window will immediately fill up and then scroll madly, since Wireshark is showing all the traffic passing through the Mikrotik. Add to Wireshark's filter in order to limit the traffic to what you care
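Wireshark dissects TZSP for you, but it helps to know what arrives on UDP port 37008: a 4-byte header (version, type, encapsulation), a run of tagged fields terminated by the END tag, then the raw Ethernet frame. The decoder below is an added example, not code from the original post or from Mikrotik; the sample datagram is constructed, and the tag numbers (0x00 padding, 0x01 end, 0x28 packet counter) come from the TZSP layout as Wireshark's dissector understands it.

```python
import struct

TAG_PADDING, TAG_END, ENCAP_ETHERNET = 0x00, 0x01, 1

def parse_tzsp(datagram: bytes) -> dict:
    """Decode one TZSP datagram (4-byte header, tagged fields up to the END
    tag, then the encapsulated frame). Raises ValueError if malformed."""
    if len(datagram) < 5:
        raise ValueError("too short for a TZSP header")
    version, ptype, encap = struct.unpack("!BBH", datagram[:4])
    if version != 1:
        raise ValueError(f"unsupported TZSP version {version}")
    tags, pos = {}, 4
    while True:
        if pos >= len(datagram):
            raise ValueError("no END tag before end of datagram")
        tag = datagram[pos]
        pos += 1
        if tag == TAG_END:
            break
        if tag == TAG_PADDING:          # padding carries no length byte
            continue
        if pos >= len(datagram):
            raise ValueError("tag without length byte")
        length = datagram[pos]
        value = datagram[pos + 1:pos + 1 + length]
        if len(value) != length:
            raise ValueError("truncated tag value")
        tags[tag], pos = value, pos + 1 + length
    frame = datagram[pos:]
    result = {"type": ptype, "encap": encap, "tags": tags, "frame": frame}
    if encap == ENCAP_ETHERNET and len(frame) >= 14:
        dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
        result.update(dst_mac=dst.hex(":"), src_mac=src.hex(":"),
                      ethertype=ethertype)
        if ethertype == 0x0800 and len(frame) >= 34:   # IPv4 follows
            ip = frame[14:34]
            result.update(proto=ip[9],
                          src_ip=".".join(map(str, ip[12:16])),
                          dst_ip=".".join(map(str, ip[16:20])))
    return result

# Constructed sample datagram: v1, type 0 (received), Ethernet encapsulation,
# a padding byte, tag 0x28 (packet counter = 7), END, then Ethernet + IPv4.
SAMPLE = (bytes([1, 0, 0, 1, 0x00, 0x28, 4, 0, 0, 0, 7, 0x01])
          + bytes.fromhex("00112233445566778899aabb0800")
          + bytes.fromhex("4500001400010000400600000a000001c0000202"))

if __name__ == "__main__":
    print(parse_tzsp(SAMPLE))
```

Feeding the payload of each datagram received on UDP 37008 to parse_tzsp gives you the same per-packet view Wireshark shows, which is all a small custom collector on the workstation needs.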
Third, sniffing to file. tool sniffer can dump traffic and save it to a file, which you can FTP elsewhere and look at. I've never done it and I have some misgivings about file size, but if you want to run e.g. tcpreplay, this is what you need. Look for set file-name and related options.
(Q: Why didn't I add this to the wiki or forum? A: I have too many passwords already, the Mikrotik people chose not to enable OpenID on the wiki, and Google will find the information here too.)