Manufacturer: MikroTik
Model(s): All
Version(s): RouterOS: v4+
URL: https://help.mikrotik.com/docs/display/ROS/Traffic+Flow
Notes:
- Traffic-Flow supports the following NetFlow formats:
  - version 1 – the first version of NetFlow data format, do not use it
  - version 5 – in addition to version 1, version 5 has the possibility to include BGP AS and flow sequence number information. Currently RouterOS does not include BGP AS numbers.
  - version 9 – a newer format which can be extended with new fields and record types due to its template-style design
- Starting with the 6.0rc14 release, setting an interface will show RX and TX for the interface. Previously, traffic-flow reported only RX traffic for the interface, and seeing bi-directional data required setting up more interfaces.
- Packet sampling is available since RouterOS 1rc5.
Configuration steps
- Enable NetFlow reporting and set the active timeout to 1m. All remaining defaults are acceptable.
Sub-menu: /ip traffic-flow
Property | Description |
interfaces (string | all; Default: all) | Names of those interfaces which will be used to gather statistics for traffic-flow. To specify more than one interface, separate them with a comma. |
cache-entries (128k | 16k | 1k | 256k | 2k | … ; Default: 4k) | Number of flows which can be in router’s memory simultaneously. |
active-flow-timeout (time; Default: 30m) | Maximum life-time of a flow. |
inactive-flow-timeout (time; Default: 15s) | How long to keep the flow active if it is idle. If a connection does not see any packet within this timeout, traffic-flow will send a packet out as a new flow. If this timeout is too small, it can create a significant number of flows and overflow the buffer. |
packet-sampling (no | yes; Default: no) | The number of packets that are consecutively sampled. |
sampling-interval (integer; Default: 0) | The number of packets that are consecutively sampled. |
sampling-space (integer; Default: 0) | The number of packets that are consecutively omitted. |
[admin@MikroTik] ip traffic-flow> set active-flow-timeout=1m enabled=yes
- Define the NetFlow collector, version and template timeouts to use.
Sub-menu: /ip traffic-flow target
Property | Description |
dst-address (IP:port; Default: ) | IP address and port (UDP) of the host which receives Traffic-Flow statistic packets from the router. |
v9-template-refresh (integer; Default: 20) | Number of packets after which the template is sent to the receiving host (only for NetFlow version 9) |
v9-template-timeout (time; Default: ) | After how long to send the template, if it has not been sent. |
version (1 | 5 | 9; Default: ) | Which version format of NetFlow to use |
[admin@MikroTik] ip traffic-flow target> add dst-address=<Scrutinizer IP> port=2055 version=9
[admin@MikroTik] ip traffic-flow target> set 0 v9-template-refresh=20 v9-template-timeout=1m
Verifying your configuration
[admin@MikroTik] ip traffic-flow> print
enabled: yes
interfaces: all
cache-entries: 4k
active-flow-timeout: 1m
inactive-flow-timeout: 15s
[admin@MikroTik] ip traffic-flow target> print
Flags: X - disabled
# SRC-ADDRESS DST-ADDRESS PORT VERSION
0 0.0.0.0 192.168.0.2 2055 9
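
Collector-side view of the version 9 settings above, as an added example (not part of the MikroTik or Scrutinizer documentation): the Python code below parses NetFlow v9 export packets and shows that a data flowset cannot be decoded until its template has arrived, which is why v9-template-refresh and v9-template-timeout matter. The function name parse_v9, the field-name subset and the sample packets are constructed for illustration.

```python
import ipaddress
import struct

# Subset of NetFlow v9 field types (RFC 3954) used to label decoded values.
FIELD_NAMES = {1: "IN_BYTES", 2: "IN_PKTS", 8: "IPV4_SRC_ADDR", 12: "IPV4_DST_ADDR"}

def parse_v9(payload, templates):
    """Parse one v9 export packet; return (records, undecoded_data_flowsets).
    templates maps (source_id, template_id) -> [(type, length), ...], updated in place."""
    version, _n, _up, _secs, _seq, source_id = struct.unpack_from("!HHIIII", payload, 0)
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version={version})")
    records, undecoded, off = [], 0, 20
    while off + 4 <= len(payload):
        fs_id, fs_len = struct.unpack_from("!HH", payload, off)
        if fs_len < 4 or off + fs_len > len(payload):
            raise ValueError("malformed flowset length")
        body = payload[off + 4:off + fs_len]
        fields = templates.get((source_id, fs_id))
        if fs_id == 0:  # template flowset: one or more template definitions
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, pos)
                if tid < 256:  # trailing padding, not a template
                    break
                templates[(source_id, tid)] = [
                    struct.unpack_from("!HH", body, pos + 4 + 4 * i) for i in range(nfields)]
                pos += 4 + 4 * nfields
        elif fs_id >= 256 and fields is None:
            undecoded += 1  # data arrived before its template: cannot decode
        elif fs_id >= 256:
            rec_len = sum(length for _, length in fields)
            starts = range(0, len(body) - rec_len + 1, rec_len) if rec_len else ()
            for pos in starts:
                rec = {}
                for ftype, length in fields:
                    raw, pos = body[pos:pos + length], pos + length
                    is_ip = ftype in (8, 12) and length == 4
                    rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = (
                        str(ipaddress.IPv4Address(raw)) if is_ip else int.from_bytes(raw, "big"))
                records.append(rec)
        off += fs_len
    return records, undecoded

# Constructed sample packets (not captured traffic): source_id 1, template id 256.
HDR = struct.pack("!HHIIII", 9, 1, 1000, 1700000000, 0, 1)
TEMPLATE_PKT = HDR + struct.pack("!HHHH8H", 0, 24, 256, 4, 8, 4, 12, 4, 2, 4, 1, 4)
DATA_PKT = HDR + struct.pack("!HH4s4sII", 256, 20, bytes([192, 168, 0, 10]),
                             bytes([192, 168, 0, 2]), 3, 180)
```

Feeding DATA_PKT to parse_v9 with an empty template cache reports one undecoded flowset; after TEMPLATE_PKT has been parsed, the same packet decodes to a flow record.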