
Manual - IP - Traffic Flow - MikroTik Wiki - Lab3.2

The document discusses MikroTik's Traffic-Flow system which provides network traffic statistics and monitoring capabilities. It describes Traffic-Flow configuration options, targets for sending data, and provides an example of Traffic-Flow setup and usage with the NTop monitoring program.

Uploaded by

Rafa Adán

18/10/2019 Manual:IP/Traffic Flow - MikroTik Wiki

Manual:IP/Traffic Flow
From MikroTik Wiki

Applies to RouterOS: 2.9, v3, v4 +

Contents
1 Summary
2 General
3 Targets
4 Notes
5 Examples
6 See more

Summary
Sub-menu: /ip traffic-flow

MikroTik Traffic-Flow is a system that provides statistical information about packets which pass through the router.
Besides network monitoring and accounting, system administrators can use it to identify various problems that may occur in the
network. With the help of Traffic-Flow, it is possible to analyze and optimize the overall network performance. As Traffic-Flow
is compatible with Cisco NetFlow, it can be used with various utilities which are designed for Cisco's NetFlow.

Traffic-Flow supports the following NetFlow formats:

version 1 - the first version of the NetFlow data format; do not use it unless you have to
version 5 - in addition to version 1, version 5 can include BGP AS and flow sequence number information. Currently RouterOS does not include BGP AS numbers.
version 9 - a new format which can be extended with new fields and record types thanks to its template-style design

General
Sub-menu: /ip traffic-flow

This section lists the configuration properties of Traffic-Flow.

Property - Description
interfaces (string | all; Default: all) - Names of the interfaces which will be used to gather statistics for traffic-flow. To specify more than one interface, separate them with a comma.
cache-entries (128k | 16k | 1k | 256k | 2k | ... ; Default: 4k) - Number of flows which can be in the router's memory simultaneously.
active-flow-timeout (time; Default: 30m) - Maximum lifetime of a flow.
inactive-flow-timeout (time; Default: 15s) - How long to keep the flow active if it is idle. If the connection does not see any packet within this timeout, traffic-flow will send the packet out as a new flow. If this timeout is too small, it can create a significant number of flows and overflow the buffer.
https://wiki.mikrotik.com/wiki/Manual:IP/Traffic_Flow

Note: Starting with the 6.0rc14 release, setting an interface will show both RX and TX for that interface. Previously traffic-flow
reported only RX traffic for the interface, and to see bidirectional data it was required to set up more interfaces.

Targets
Sub-menu: /ip traffic-flow target

With Traffic-Flow targets we specify the hosts which will gather the Traffic-Flow information from the router.

Property - Description
address (IP:port; Default: ) - IP address and port (UDP) of the host which receives Traffic-Flow statistic packets from the router.
v9-template-refresh (integer; Default: 20) - Number of packets after which the template is sent to the receiving host (only for NetFlow version 9)
v9-template-timeout (time; Default: ) - After how long to send the template, if it has not been sent.
version (1 | 5 | 9; Default: ) - Which version format of NetFlow to use

Notes
The packet flow diagram shows that traffic flow sits at the end of the input, forward and output chain stack. This
means that traffic flow counts only traffic that reaches one of those chains.

For example, suppose you set up a mirror port on a switch, connect the mirror port to the router and set traffic flow to count the mirrored
packets. Such a setup will not work, because mirrored packets are dropped before they reach the input chain.

Other interfaces will appear in the report if traffic is passing through both them and the monitored interface.

Examples
This example shows how to configure Traffic-Flow on a router.

Enable Traffic-Flow on the router:

[admin@MikroTik] ip traffic-flow> set enabled=yes


[admin@MikroTik] ip traffic-flow> print
enabled: yes
interfaces: all
cache-entries: 1k
active-flow-timeout: 30m
inactive-flow-timeout: 15s
[admin@MikroTik] ip traffic-flow>

Specify IP address and port of the host, which will receive Traffic-Flow packets:

[admin@MikroTik] ip traffic-flow target> add dst-address=192.168.0.2 port=2055 version=9


[admin@MikroTik] ip traffic-flow target> print
Flags: X - disabled
 #   SRC-ADDRESS   DST-ADDRESS   PORT   VERSION
 0   0.0.0.0       192.168.0.2   2055   9
[admin@MikroTik] ip traffic-flow target>


Now the router starts to send packets with Traffic-Flow information.
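The receiving side of the version=9 target above, as an added example that is not part of the original manual: a minimal NetFlow v9 decoder showing why a collector cannot read data records until the template has arrived, which is what v9-template-refresh and v9-template-timeout control. The field names, the sample packets and the function names are constructed for illustration; the header layout and field type numbers follow RFC 3954.

```python
import ipaddress
import struct

# Field type numbers from the NetFlow v9 specification (RFC 3954).
NAMES = {1: "bytes", 4: "proto", 7: "sport", 8: "src", 11: "dport", 12: "dst"}

def decode_record(body, pos, fields):
    rec = {}
    for ftype, flen in fields:
        val, pos = int.from_bytes(body[pos:pos + flen], "big"), pos + flen
        is_ip = ftype in (8, 12) and flen == 4  # IPv4 source/destination address
        rec[NAMES.get(ftype, ftype)] = str(ipaddress.IPv4Address(val)) if is_ip else val
    return rec

def parse_v9(packet, templates):
    """Return (flows, undecodable_flowsets); templates is updated in place."""
    version, _, _, _, _, source_id = struct.unpack_from("!HHIIII", packet)
    if version != 9:
        raise ValueError("not a NetFlow v9 packet")
    flows, undecodable, off = [], 0, 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("bad flowset length")
        body, off = packet[off + 4:off + fs_len], off + fs_len
        if fs_id == 0:                          # template flowset
            pos = 0
            while pos + 4 <= len(body):
                tid, n = struct.unpack_from("!HH", body, pos)
                end = pos + 4 + 4 * n
                if tid < 256 or end > len(body):
                    break                       # padding or truncated template
                templates[source_id, tid] = list(struct.iter_unpack("!HH", body[pos + 4:end]))
                pos = end
        elif fs_id >= 256:                      # data flowset, id = template id
            fields = templates.get((source_id, fs_id))
            size = sum(flen for _, flen in fields) if fields else 0
            if not size:
                undecodable += 1                # template not received yet
            else:
                for pos in range(0, len(body) - size + 1, size):
                    flows.append(decode_record(body, pos, fields))
    return flows, undecodable

# Constructed sample export (not captured from a router): one template, one flow.
HDR = struct.pack("!HHIIII", 9, 1, 1000, 1571400000, 1, 0)
TEMPLATE_FS = struct.pack("!16H", 0, 32, 256, 6, 8, 4, 12, 4, 7, 2, 11, 2, 4, 1, 1, 4)
DATA_FS = struct.pack("!HH4s4sHHBI3x", 256, 24, bytes([192, 168, 0, 10]),
                      bytes([192, 168, 0, 2]), 51000, 443, 6, 1500)
```

A collector that starts after the router will report undecodable flowsets for packets such as HDR + DATA_FS until a packet carrying TEMPLATE_FS arrives, so a rising undecodable count after a collector restart is expected and not a sign of corrupted exports.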

Below are some screenshots from the NTop program (http://www.ntop.org/get-started/download/), which has gathered Traffic-Flow
information from our router and displays it in graphs and statistics, for example showing what kind of traffic has
flowed where:


See more
NetFlow Fundamentals (http://etutorials.org/Networking/network+management/Part+II+Implementations+on+the+Cisco+Devices/Chapter+7.+NetFlow/Fundamentals+of+NetFlow/)


Retrieved from "https://wiki.mikrotik.com/index.php?title=Manual:IP/Traffic_Flow&oldid=29272"


This page was last edited on 10 May 2017, at 16:47.
