MikroTik Traffic-Flow is a system that provides statistical information about packets that pass through the router. Besides network monitoring and accounting, system administrators can use it to identify various problems that may occur in the network. With the help of Traffic-Flow, it is possible to analyze and optimize the overall network performance. As Traffic-Flow is compatible with Cisco NetFlow, it can be used with various utilities that are designed for Cisco's NetFlow.
Traffic-Flow can only process traffic that is processed by the router CPU, so HW offloaded traffic will not be seen in Traffic-Flow flows (for example, HW offloaded bridged traffic).
Traffic-Flow supports the following NetFlow formats:
Sub-menu: /ip traffic-flow
This section lists the configuration properties of Traffic-Flow.
Property | Description |
---|---|
interfaces (string \| all; Default: all) | Names of the interfaces that will be used to gather statistics for traffic-flow. To specify more than one interface, separate them with a comma. |
cache-entries (128k \| 16k \| 1k \| 256k \| 2k \| ... ; Default: 4k) | Number of flows that can be in the router's memory simultaneously. |
active-flow-timeout (time; Default: 30m) | Maximum lifetime of a flow. |
inactive-flow-timeout (time; Default: 15s) | How long to keep the flow active if it is idle. If a connection does not see any packet within this timeout, then traffic-flow will send a packet out as a new flow. If this timeout is too small, it can create a significant number of flows and overflow the buffer. |
packet-sampling (no \| yes; Default: no) | Enable or disable the packet sampling feature. |
sampling-interval (integer; Default: 0) | The number of packets that are consecutively sampled. |
sampling-space (integer; Default: 0) | The number of packets that are consecutively omitted. |
Info: Packet sampling is available since RouterOS v7.1rc5!
In the following example:
```
/ip/traffic-flow/set packet-sampling=yes sampling-interval=2222 sampling-space=1111
```
2222 consecutive packets will be sampled and then 1111 will be omitted. The sampling cycle then repeats in the same manner.
Sub-menu: /ip traffic-flow target
Traffic-Flow targets specify the hosts that will gather the Traffic-Flow information from the router.
Property | Description |
---|---|
address (IP:port; Default: ) | IP address and port (UDP) of the host which receives Traffic-Flow statistic packets from the router. |
v9-template-refresh (integer; Default: 20) | Number of packets after which the template is sent to the receiving host (only for NetFlow version 9). |
v9-template-timeout (time; Default: ) | After how long to send the template, if it has not been sent. |
version (1 \| 5 \| 9; Default: ) | Which version format of NetFlow to use. |
By looking at the packet flow diagram you can see that traffic flow is at the end of the input, forward, and output chain stack. This means that traffic flow will count only traffic that reaches one of those chains.
For example, you set up a mirror port on a switch, connect the mirror port to a router, and set traffic flow to count mirrored packets. Unfortunately, such a setup will not work, because mirrored packets are dropped before they reach the input chain.
Other interfaces will appear in the report if traffic is passing through them and the monitoring interface.
This example shows how to configure Traffic-Flow on a router.
Enable Traffic-Flow on the router:
```
[admin@MikroTik] ip traffic-flow> set enabled=yes
[admin@MikroTik] ip traffic-flow> print
enabled: yes
interfaces: all
cache-entries: 1k
active-flow-timeout: 30m
inactive-flow-timeout: 15s
[admin@MikroTik] ip traffic-flow>
```
Specify the IP address and port of the host that will receive Traffic-Flow packets:
```
[admin@MikroTik] ip traffic-flow target> add dst-address=192.168.0.2 port=2055 version=9
[admin@MikroTik] ip traffic-flow target> print
Flags: X - disabled
 #   SRC-ADDRESS   DST-ADDRESS   PORT   VERSION
 0   0.0.0.0       192.168.0.2   2055   9
[admin@MikroTik] ip traffic-flow target>
```
Now the router starts to send packets with Traffic-Flow information.
Note: To use ntopng with MikroTik you need to use nProbe, which is paid software.
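On the receiving side, a version 9 target cannot decode flow records until it has seen the template, which is why `v9-template-refresh` and `v9-template-timeout` matter to a collector that starts late or loses a UDP packet. The following is an added example, not MikroTik code: a minimal NetFlow v9 decoder (per RFC 3954) run over constructed packets; the template id 256, the field layout, and the addresses are assumptions made for the sample and are not taken from a RouterOS export.

```python
import struct
from ipaddress import IPv4Address
FIELDS = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "src_port",
          8: "src_addr", 11: "dst_port", 12: "dst_addr"}  # subset of RFC 3954 field types

def parse_v9(packet, templates):
    """Return (flows, number of data flowsets skipped because no template is cached)."""
    if len(packet) < 20 or struct.unpack_from("!H", packet)[0] != 9:
        raise ValueError("not a NetFlow v9 packet")
    source_id = struct.unpack_from("!I", packet, 16)[0]
    flows, skipped, off = [], 0, 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("bad flowset length")
        body, off = packet[off + 4:off + fs_len], off + fs_len
        if fs_id == 0:  # template flowset: cache each record layout
            pos = 0
            while pos + 4 <= len(body):
                tid, n = struct.unpack_from("!HH", body, pos)
                if pos + 4 + 4 * n > len(body):
                    raise ValueError("truncated template")
                templates[source_id, tid] = [struct.unpack_from("!HH", body, pos + 4 + 4 * i)
                                             for i in range(n)]
                pos += 4 + 4 * n
        elif fs_id > 255:  # data flowset: decodable only with its template
            spec = templates.get((source_id, fs_id), [])
            size = sum(length for _, length in spec)
            if size == 0:
                skipped += 1
                continue
            for start in range(0, len(body) - size + 1, size):  # trailing padding is ignored
                flow, p = {}, start
                for ftype, length in spec:
                    raw, p = body[p:p + length], p + length
                    flow[FIELDS.get(ftype, ftype)] = (str(IPv4Address(raw)) if ftype in (8, 12)
                                                      else int.from_bytes(raw, "big"))
                flows.append(flow)
    return flows, skipped

def flowset(fs_id, body):  # sample builder: pad to 32 bits and prepend the flowset header
    return struct.pack("!HH", fs_id, 4 + len(body) + -len(body) % 4) + body + bytes(-len(body) % 4)
# Constructed sample packets (not captured from a router).
HDR = struct.pack("!HHIIII", 9, 1, 0, 0, 0, 1)  # version 9, one record, source_id 1
TEMPLATE = flowset(0, struct.pack("!16H", 256, 7, 8, 4, 12, 4, 7, 2, 11, 2, 4, 1, 2, 4, 1, 4))
DATA = flowset(256, struct.pack("!8BHHBII", 10, 0, 0, 5, 10, 0, 0, 9, 51000, 443, 6, 12, 3400))

def demo():
    cache = {}  # a collector started between template refreshes sees DATA first
    return [parse_v9(HDR + fs, cache) for fs in (DATA, TEMPLATE, DATA)]
```

The first result of `demo()` reports one skipped flowset and no flows; the same data packet decodes only after the template has arrived.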