IP Traffic Flow (NetFlow/IPFIX) in RouterOS: A Complete Guide
RouterOS Version: 7.x+
Difficulty: Intermediate
Estimated Time: 25 minutes
Overview
Traffic Flow is RouterOS's implementation of NetFlow/IPFIX for exporting network traffic statistics to external collectors. It tracks flows passing through the router and exports detailed metadata including source/destination addresses, ports, protocols, byte/packet counts, and timestamps.
Supported export formats:
- NetFlow v1 - Basic IP packet information
- NetFlow v5 - Adds ToS, TCP flags, sequence numbers
- NetFlow v9 - Template-based, extensible, IPv4/IPv6
- IPFIX - IETF standard based on NetFlow v9
Common use cases:
- Network traffic analysis and bandwidth monitoring
- Security auditing and anomaly detection
- Billing and usage accounting
- Capacity planning
Key limitation: Traffic Flow only counts traffic processed by the CPU. Hardware-offloaded bridge traffic and fast-path traffic are not included in flow statistics.
How Traffic Flow Works
```
+------------------------------------------------------------------+
|                         MikroTik Router                          |
|                                                                  |
|  Network Traffic --> CPU Processing --> Traffic Flow Engine      |
|                      (input/forward/                             |
|                       output chains)                             |
+------------------------------------------------------------------+
                                |
                                | UDP (default port 2055)
                                | NetFlow v1/v5/v9 or IPFIX
                                v
+------------------------------------------------------------------+
|                         Flow Collector                           |
|           (ntopng, Elastiflow, PRTG, nfdump, etc.)               |
+------------------------------------------------------------------+
```

Traffic Flow monitors packets at the end of the input, forward, and output chains. Only traffic reaching these chains is counted; hardware-switched bridge traffic bypasses the CPU entirely.
Menu Reference
| Menu | Purpose |
|---|---|
| /ip traffic-flow | Main configuration |
| /ip traffic-flow target | Collector destinations |
| /ip traffic-flow ipfix | IPFIX-specific field selection |
Configuration Properties
Main Settings (/ip traffic-flow)
| Property | Type | Default | Description |
|---|---|---|---|
| enabled | yes/no | no | Enable/disable traffic flow |
| interfaces | list/all | all | Interfaces to monitor |
| cache-entries | enum | 4k | Flow cache size (1k-256k) |
| active-flow-timeout | time | 30m | Max time before exporting an active flow |
| inactive-flow-timeout | time | 15s | Time before exporting an idle flow |
| packet-sampling | yes/no | no | Enable sampling (v7+) |
| sampling-interval | integer | 0 | Sample N consecutive packets |
| sampling-space | integer | 0 | Skip N packets between samples |
Target Settings (/ip traffic-flow target)
| Property | Type | Default | Description |
|---|---|---|---|
| src-address | IP | 0.0.0.0 | Source IP for flow packets |
| dst-address | IP | - | Collector IP (required) |
| port | integer | 2055 | Collector UDP port |
| version | enum | 9 | Export format (1, 5, 9, ipfix) |
| v9-template-refresh | integer | 20 | Packets between template resends |
| v9-template-timeout | time | 0s | Time between template resends |
IPFIX Field Selection (/ip traffic-flow ipfix)
| Property | Default | Description |
|---|---|---|
| bytes | yes | Include byte counts |
| packets | yes | Include packet counts |
| src-address | yes | Include source IP |
| dst-address | yes | Include destination IP |
| src-port | yes | Include source port |
| dst-port | yes | Include destination port |
| ip-protocol | yes | Include protocol number |
| tcp-flags | yes | Include TCP flags |
| nat-events | no | Include NAT translations |
NetFlow Version Comparison
| Version | Features | Best For |
|---|---|---|
| v1 | Basic IP info (src/dst, protocol, bytes) | Legacy collectors |
| v5 | ToS, TCP flags, sequence numbers | Older systems |
| v9 | Template-based, IPv4/IPv6, extensible | Modern collectors |
| IPFIX | IETF standard, multicast, NAT events | Enterprise deployments |
Recommendation: Use NetFlow v9 or IPFIX for modern deployments. They support IPv6 and provide more detailed flow data.
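Because v9 and IPFIX are template-based, a collector can only decode a data record once it has received the matching template; this is why a missed template produces the "unknown fields" symptom described under the common problems. The decoder below is an added example (not code from this guide or from RouterOS) of the collector side: it caches templates per exporter and reports data flowsets that arrive before their template. The packet bytes, field layout and addresses are constructed sample data.

```python
import struct

# Constructed sample (not a router capture): a NetFlow v9 packet with a template flowset (template 256)
# and a data flowset holding one record. RFC 3954 field types: 8/12 IPv4 src/dst, 7/11 L4 src/dst port, 4 proto, 1 bytes, 2 pkts.
FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]
NAMES = {8: "src", 12: "dst", 7: "sport", 11: "dport", 4: "proto", 1: "bytes", 2: "pkts"}

def v9_packet(with_template=True):
    body = struct.pack("!HH", 256, len(FIELDS)) + b"".join(struct.pack("!HH", *f) for f in FIELDS)
    tmpl = struct.pack("!HH", 0, 4 + len(body)) + body if with_template else b""
    rec = struct.pack("!4s4sHHBII", bytes([192, 168, 1, 10]), bytes([198, 51, 100, 7]), 51514, 443, 6, 5200, 12)
    data = struct.pack("!HH", 256, 4 + len(rec)) + rec
    header = struct.pack("!HHIIII", 9, 2 if with_template else 1, 1000, 1700000000, 1, 0)
    return header + tmpl + data

class V9Decoder:
    def __init__(self):
        self.templates = {}  # collector side: templates cached per (source id, template id) across packets

    def feed(self, pkt):
        version, _count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", pkt[:20])
        if version != 9:
            raise ValueError("not a NetFlow v9 packet")
        flows, undecodable, off = [], 0, 20
        while off + 4 <= len(pkt):
            fs_id, fs_len = struct.unpack("!HH", pkt[off:off + 4])
            body = pkt[off + 4:off + fs_len]
            if fs_id == 0:                                          # template flowset
                p = 0
                while p + 4 <= len(body):
                    tid, n = struct.unpack("!HH", body[p:p + 4])
                    spec = [struct.unpack("!HH", body[p + 4 + 4 * i:p + 8 + 4 * i]) for i in range(n)]
                    self.templates[(source_id, tid)] = spec
                    p += 4 + 4 * n
            elif fs_id >= 256:                                      # data flowset
                spec = self.templates.get((source_id, fs_id))
                if spec is None:                                    # no template yet: this is the
                    undecodable += 1                                # "unknown fields" symptom
                else:
                    rec_len, p = sum(l for _, l in spec), 0
                    while p + rec_len <= len(body):                 # stops at trailing padding
                        q, rec = p, {}
                        for ftype, flen in spec:
                            raw = body[q:q + flen]
                            rec[NAMES.get(ftype, ftype)] = ".".join(map(str, raw)) if ftype in (8, 12) else int.from_bytes(raw, "big")
                            q += flen
                        flows.append(rec)
                        p += rec_len
            off += max(fs_len, 4)                                   # a zero length cannot stall the loop
        return flows, undecodable
```

Feeding a data-only packet to a fresh decoder yields no flows and one undecodable flowset; once the template has been seen, the same data decodes, which is the behaviour a shorter v9-template-refresh or v9-template-timeout is meant to restore sooner.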
Configuration Examples
Example 1: Basic NetFlow v9 Export
```
# Enable traffic flow
/ip traffic-flow set enabled=yes

# Add collector
/ip traffic-flow target add dst-address=192.168.1.100 port=2055 version=9

# Verify
/ip traffic-flow print
/ip traffic-flow target print
```
Example 2: IPFIX with Source Address (Recommended)
Always set src-address to prevent 0.0.0.0 source issues:
```
/ip traffic-flow set enabled=yes active-flow-timeout=1m
/ip traffic-flow target add dst-address=192.168.1.100 port=2055 \
    version=ipfix src-address=192.168.1.1

# Configure IPFIX fields
/ip traffic-flow ipfix set bytes=yes packets=yes src-address=yes \
    dst-address=yes tcp-flags=yes
```
Example 3: Monitor Specific Interfaces
Reduce CPU load by monitoring only WAN interfaces:
```
/ip traffic-flow set enabled=yes interfaces=ether1-wan,ether2-wan
/ip traffic-flow target add dst-address=10.0.0.50 port=9995 version=9
```
Example 4: High-Traffic with Sampling (v7+)
For busy networks, enable sampling to reduce CPU usage:
```
# Sample 1 packet, skip 1000 (approximately 0.1% sampling)
/ip traffic-flow set enabled=yes packet-sampling=yes \
    sampling-interval=1 sampling-space=1000

# Larger cache for more concurrent flows
/ip traffic-flow set cache-entries=64k

/ip traffic-flow target add dst-address=192.168.1.100 port=2055 \
    version=9 src-address=192.168.1.1
```
Example 5: Multiple Collectors
Send flows to primary and backup collectors:
```
/ip traffic-flow target add dst-address=192.168.1.100 port=2055 \
    version=9 comment="Primary collector"
/ip traffic-flow target add dst-address=192.168.1.101 port=2055 \
    version=ipfix comment="Backup collector"
```
Example 6: NAT Event Logging with IPFIX
Track NAT translations:
```
/ip traffic-flow set enabled=yes
/ip traffic-flow target add dst-address=192.168.1.100 port=4739 \
    version=ipfix src-address=192.168.1.1
/ip traffic-flow ipfix set nat-events=yes
```
Example 7: Faster Template Updates
For collectors that need frequent template refreshes:
```
/ip traffic-flow target set [find] v9-template-refresh=10 v9-template-timeout=1m
```
Common Problems and Solutions
Problem 1: Collector Shows No Data
Causes:
- src-address set to 0.0.0.0 (Linux drops martian packets)
- Firewall blocking UDP to collector
- Wrong collector port
Solution:
```
# Always set src-address
/ip traffic-flow target set [find] src-address=192.168.1.1

# Verify connectivity
/ping 192.168.1.100

# Check firewall allows outbound UDP
/ip firewall filter print where chain=output
```
Problem 2: All Counters Show Zero
Causes:
- Traffic flow enabled but no traffic reaching the CPU
- The interfaces setting excludes the monitored interfaces
Solution:
```
# Check interfaces setting
/ip traffic-flow print
# Ensure interfaces includes your monitored interfaces

# Verify traffic flow status
/ip traffic-flow print
# Look at the sent-flows and sent-packets counters
```
Problem 3: Hardware-Offloaded Traffic Not Counted
Cause: Bridge traffic switched in hardware bypasses the CPU.
Solution:
```
# Disable hardware offload on the bridge ports (impacts performance!)
# hw is a bridge port property, so it is set under /interface bridge port
/interface bridge port set [find] hw=no
```
Note: This significantly impacts performance on high-traffic bridges. Consider whether you truly need to monitor bridged traffic.
Problem 4: Missing Flows During DDoS/High Load
Cause: UDP flow packets dropped under load; cache overflow.
Solutions:
```
# Enable sampling to reduce CPU load
/ip traffic-flow set packet-sampling=yes sampling-interval=1 sampling-space=100

# Increase cache size
/ip traffic-flow set cache-entries=128k
```
Problem 5: Collector Shows Unknown Fields (v9/IPFIX)
Cause: The collector missed the template packet.
Solution:
```
# More frequent template updates
/ip traffic-flow target set [find] v9-template-refresh=10 v9-template-timeout=30s
```
Problem 6: Incorrect Bandwidth Readings
Cause: Flow aggregation timing or collector interpretation.
Solution:
```
# More frequent exports
/ip traffic-flow set active-flow-timeout=1m inactive-flow-timeout=10s
```
Flow Cache Sizing
| Cache Size | Concurrent Flows | Memory Usage |
|---|---|---|
| 1k | 1,024 | Low |
| 4k | 4,096 | Low (default) |
| 16k | 16,384 | Medium |
| 64k | 65,536 | Medium |
| 256k | 262,144 | High |
Guideline: Size cache based on expected concurrent flows. A busy router might have thousands of concurrent flows; a small office might have hundreds.
Verification Commands
```
# Check traffic flow status
/ip traffic-flow print
# Look at: enabled, interfaces, sent-flows, sent-packets

# Check target configuration
/ip traffic-flow target print
# Verify: dst-address, port, version, src-address

# Check IPFIX settings
/ip traffic-flow ipfix print

# Monitor flow statistics in real time
/ip traffic-flow print interval=5
# Watch for an incrementing sent-flows count
```
Popular Collectors
| Collector | Type | Notes |
|---|---|---|
| ntopng | Open source | Real-time visualization (use with netflow2ng collector) |
| Elastiflow | Elasticsearch-based | Scalable, powerful queries |
| Akvorado | Open source | User-friendly, modern interface |
| pmacct | Open source | Flexible, MySQL/PostgreSQL storage |
| PRTG | Commercial | Easy setup, Windows |
| nfdump/nfsen | Open source | CLI tools, historical analysis |
| Scrutinizer | Commercial | Enterprise features |
| SolarWinds NTA | Commercial | Enterprise network analysis |
Related Features
- Torch (/tool torch) - Real-time traffic analysis per interface
- Graphing (/tool graphing) - Built-in traffic graphs
- Packet Sniffer (/tool sniffer) - Captures actual packets
- Accounting (/ip accounting) - IP traffic accounting
- Connection Tracking (/ip firewall connection) - Active connections
Limitations
- CPU-processed traffic only - Hardware-offloaded traffic is not counted
- No BGP AS in v5 - Unlike Cisco, RouterOS doesn't include AS info in v5
- UDP transport only - No TCP option; packets may be lost
- No inline filtering - Cannot filter which flows to export
- Memory bound - Cache size limits concurrent flow tracking
Summary
Traffic Flow exports network statistics to external collectors:
- Enable with /ip traffic-flow set enabled=yes
- Add a target with the collector IP, port, and version
- Set src-address to avoid 0.0.0.0 source issues
- Monitor with /ip traffic-flow print
Key points:
- Always set src-address on targets
- Use NetFlow v9 or IPFIX for modern deployments
- Only CPU-processed traffic is counted
- Enable sampling for high-traffic environments
- Template refresh may be needed for v9/IPFIX collectors
Related Topics
Traffic Analysis
- Torch - real-time traffic analysis per interface
- Graphing - built-in traffic graphs
- Traffic Monitor - threshold-based alerts
Related Features
- Firewall Basics - connection tracking
- NAT - NAT event tracking
- Queues - bandwidth management