Configure NetFlow - Mikrotik

This area will help fast track you in planning, setting up and managing NetFlow in your environment. NetFlow is an embedded instrumentation within Cisco IOS Software to characterize network operation.

Network specialists of various levels within an organization need to be able to report on traffic traversing sites, key links and data centers without deploying probes. They use CySight powered by unique NetFlow Auditor methods of scalable collection, retention and Predictive AI Baslining to capture and analyze every NetFlow record with aggregation options and small footprint real-time and long-term storage. From Telco to SME you will recognize the superior reliability and performance of the CySight NetFlow Auditing solutions, as well as the management benefits offered.

Configure NetFlow - Mikrotik

Manual:IP/Traffic Flow

MikroTik Traffic-Flow is a system that provides statistic information about packets which pass through the router. Besides network monitoring and accounting, system administrators can identify various problems that may occur in the network. With help of Traffic-Flow, it is possible to analyze and optimize the overall network performance. As Traffic-Flow is compatible with Cisco NetFlow, it can be used with various utilities which are designed for Cisco's NetFlow.

Traffic-Flow supports the following NetFlow formats:
  • version 1 - the first version of NetFlow data format, do not use it, unless you have to
  • version 5 - in addition to version 1, version 5 has the BGP AS and flow sequence number information included
  • version 9 - a new format which can be extended with new fields and record types thank's to its template-style design
This section lists the configuration properties of Traffic-Flow.

interfaces (string | all; Default: all)
  • Names of those interfaces which will be used to gather statistics for traffic-flow. To specify more than one interface, separate them with a comma.
cache-entries (128k | 16k | 1k | 256k | 2k | ... ; Default: 4k)
  • Number of flows which can be in router's memory simultaneously.
active-flow-timeout (time; Default: 30m)
  • Maximum life-time of a flow.
inactive-flow-timeout (time; Default: 15s)
  • How long to keep the flow active, if it is idle. If connection does not see any packet within this timeout, then traffic-flow will send packet out as new flow. If this timeout is too small it can create significant amount of flows and overflow the buffer.
With Traffic-Flow targets we specify those hosts which will gather the Traffic-Flow information from router.

address (IP:port; Default: )
  • IP address and port (UDP) of the host which receives Traffic-Flow statistic packets from the router.
v9-template-refresh (integer; Default: 20)
  • Number of packets after which the template is sent to the receiving host (only for NetFlow version 9)
v9-template-timeout (time; Default: )
  • After how long to send the template, if it has not been sent.
version (1 | 5 | 9; Default: )
  • Which version format of NetFlow to use
Notes

By looking at packet flow diagram you can see that traffic flow is at the end of input, forward and output chain stack. It means that traffic flow will count only traffic that reaches one of those chains.

For example, you set up mirror port on switch, connect mirror port to router and set traffic flow to count mirrored packets. Unfortunately such setup will not work, because mirrored packets are dropped before they reach input chain.

Examples


This example shows how to configure Traffic-Flow on a router

Enable Traffic-Flow on the router:

[admin@MikroTik] ip traffic-flow> set enabled=yes
[admin@MikroTik] ip traffic-flow> print
enabled: yes
interfaces: all
cache-entries: 1k
active-flow-timeout: 30m
inactive-flow-timeout: 15s
[admin@MikroTik] ip traffic-flow>

Specify IP address and port of the host, which will receive Traffic-Flow packets:

[admin@MikroTik] ip traffic-flow target> add address=192.168.0.2:2055 \
\... version=9
[admin@MikroTik] ip traffic-flow target> print
Flags: X - disabled
# ADDRESS VERSION
0 192.168.0.2:2055 9
[admin@MikroTik] ip traffic-flow target>

Now the router starts to send packets with Traffic-Flow information.
Top

Return to “NetFlow”