Interface Statistics and Traffic Monitoring
Interface Statistics and Traffic Monitoring
Section titled “Interface Statistics and Traffic Monitoring”Summary
Section titled “Summary”RouterOS provides several complementary tools for observing traffic volume and active sessions:
| Tool | What it shows | Scope |
|---|---|---|
monitor-traffic | Live bits/packets per second | Per interface |
print stats | Cumulative byte/packet/error counters | Per interface |
/ip/traffic-flow | NetFlow/IPFIX export for per-host and per-flow reporting in an external collector | Per router |
/ip/firewall/connection | Active connection table | Per router |
| Graphing and SNMP | Historical interface counters and polling-friendly metrics | Per router or external NMS |
Interface Monitor Traffic
Section titled “Interface Monitor Traffic”/interface monitor-traffic displays real-time throughput rates, refreshed every second.
Basic Usage
Section titled “Basic Usage”/interface monitor-traffic ether1Monitor a specific interface:
/interface monitor-traffic ether1Note:
/interface monitor-trafficaccepts a single interface name. To monitor multiple interfaces, run the command separately for each one.
Press Ctrl+C to stop.
Output Columns
Section titled “Output Columns”| Column | Description |
|---|---|
rx-bits-per-second | Incoming data rate (bits/s) |
tx-bits-per-second | Outgoing data rate (bits/s) |
rx-packets-per-second | Incoming packet rate |
tx-packets-per-second | Outgoing packet rate |
Example output:
name rx-bits-per-second tx-bits-per-second rx-packets-per-second tx-packets-per-second ether1 92.4Mbps 45.1Mbps 8213 4107Interface Print Stats
Section titled “Interface Print Stats”/interface print stats returns accumulated counters since the router started (or since the last counter reset). Unlike monitor-traffic, this command shows totals rather than rates.
/interface print statsScope to specific interfaces:
/interface print stats where name=ether1For Ethernet-specific counters:
/interface ethernet print statsCounter Columns
Section titled “Counter Columns”| Counter | Description |
|---|---|
rx-byte | Total bytes received |
tx-byte | Total bytes transmitted |
rx-packet | Total packets received |
tx-packet | Total packets transmitted |
rx-error | Receive errors (CRC, frame, etc.) |
tx-error | Transmit errors |
rx-drop | Received packets dropped (buffer full) |
tx-drop | Transmit packets dropped |
Resetting Counters
Section titled “Resetting Counters”Reset a specific interface’s counters to zero:
/interface reset-counters ether1Host-Level Accounting in RouterOS 7
Section titled “Host-Level Accounting in RouterOS 7”RouterOS 7 does not include the old /ip/accounting menu from RouterOS 6. If you need per-host or per-flow accounting in RouterOS 7, export flow records with /ip/traffic-flow and analyze them in an external collector.
Recommended Replacement: Traffic Flow
Section titled “Recommended Replacement: Traffic Flow”Configure flow export on the interfaces you want to observe:
/ip/traffic-flow set enabled=yes interfaces=all \ active-flow-timeout=30m inactive-flow-timeout=15s \ cache-entries=4kAdd a collector target:
/ip/traffic-flow/target add dst-address=192.0.2.10 port=2055 version=9The collector, not the router CLI, performs the aggregation and reporting. This is the normal RouterOS 7 workflow for identifying top talkers, long-lived flows, and historical traffic patterns.
What to Use Instead of /ip/accounting
Section titled “What to Use Instead of /ip/accounting”| Need | RouterOS 7 tool |
|---|---|
| Live interface rates | /interface monitor-traffic |
| Interface byte and packet totals | /interface print stats |
| Active session visibility | /ip/firewall/connection print |
| Per-host or per-flow historical analysis | /ip/traffic-flow with an external collector |
Connection Tracking
Section titled “Connection Tracking”The connection tracking table records all active sessions passing through the router. It is used by the firewall for stateful filtering and provides visibility into live connections.
Viewing Active Connections
Section titled “Viewing Active Connections”/ip/firewall/connection printFilter by destination address:
/ip/firewall/connection print where dst-address~"10.0.0.1"Connection Table Fields
Section titled “Connection Table Fields”| Field | Description |
|---|---|
protocol | Transport protocol (tcp, udp, icmp) |
src-address | Source IP and port |
dst-address | Destination IP and port |
connection-state | Current state (established, time-wait, close-wait, etc.) |
timeout | Time remaining before the entry expires |
orig-packets | Packets in the original direction |
repl-packets | Packets in the reply direction |
Connection States
Section titled “Connection States”| State | Meaning |
|---|---|
new | Session just started; not yet replied |
established | Bidirectional traffic seen |
related | Related to an existing connection (e.g. FTP data) |
invalid | Packet does not match any known session |
untracked | Bypassed tracking (FastTrack or raw table rule) |
FastTrack and hardware offloading bypass connection tracking for matched flows. Traffic accelerated by FastTrack or hardware switching will not appear in the connection table, and firewall rules that match on connection state will not apply to it.
Removing a Connection Entry
Section titled “Removing a Connection Entry”Force a connection to be re-established (useful after policy changes):
/ip/firewall/connection remove [find dst-address~"10.0.0.1"]Traffic Flow Export (NetFlow/IPFIX)
Section titled “Traffic Flow Export (NetFlow/IPFIX)”For long-term flow analysis and external reporting, RouterOS can export flow records to a NetFlow/IPFIX collector such as ntopng, Grafana/Loki, or PRTG.
Basic Configuration
Section titled “Basic Configuration”/ip/traffic-flow set enabled=yes interfaces=all \ active-flow-timeout=30m inactive-flow-timeout=15s \ cache-entries=4kAdd a collector target:
/ip/traffic-flow/target add dst-address=192.0.2.10 port=2055 version=9Key Properties
Section titled “Key Properties”| Property | Description |
|---|---|
enabled | Enable flow export |
interfaces | Interfaces to capture (all or comma-separated list) |
active-flow-timeout | Export active flows after this interval |
inactive-flow-timeout | Export idle flows after this interval |
cache-entries | Flow cache size (larger = more memory, fewer premature exports) |
version | Export format: 1, 5, 9 (NetFlow), or 10 (IPFIX) |
Practical Examples
Section titled “Practical Examples”Check Which Interface Is Saturated
Section titled “Check Which Interface Is Saturated”/interface monitor-traffic ether1,ether2,ether3Monitors multiple interfaces simultaneously; identify which is hitting its capacity limit.
Identify High-Volume Hosts
Section titled “Identify High-Volume Hosts”/ip/traffic-flow set enabled=yes interfaces=all \ active-flow-timeout=30m inactive-flow-timeout=15s \ cache-entries=4k/ip/traffic-flow/target add dst-address=192.0.2.10 port=2055 version=9Use your NetFlow/IPFIX collector to sort flows by source, destination, bytes, or packets and identify the top talkers.
Count Errors on a Flapping Link
Section titled “Count Errors on a Flapping Link”/interface print stats where name=ether1Rapidly increasing rx-error or rx-drop values indicate a physical layer problem (bad cable, duplex mismatch, SFP issue).
Verify a Connection Cleared After Firewall Change
Section titled “Verify a Connection Cleared After Firewall Change”After modifying firewall rules, confirm old sessions are gone:
/ip/firewall/connection print where dst-address~"10.0.0.5"If entries remain, remove them to force re-evaluation under the new rules.
Related Resources
Section titled “Related Resources”- Torch - Real-time per-flow traffic inspection
- Bandwidth Test - Throughput measurement between MikroTik devices
- Traffic Flow - NetFlow/IPFIX export configuration
- Firewall - Stateful packet filtering using connection tracking
- Graphing - Built-in interface traffic graphs