Torch

Summary

MikroTik Torch is a real-time traffic monitoring tool that displays live traffic flow through a specified interface. It provides immediate visibility into protocols, source and destination addresses, ports, and data rates without capturing packet contents. Torch operates at a point in the packet processing pipeline before firewall filtering, allowing you to see traffic that may be dropped by your firewall rules.

Watch our video about this feature.

Basic Usage

Command Access

Access Torch from the /tool/torch menu:

[admin@MikroTik] > /tool/torch

Without parameters, Torch will prompt you to select an interface to monitor. Specify an interface directly:

[admin@MikroTik] > /tool/torch interface=ether1

Stopping Torch

Press Ctrl+C to stop Torch monitoring at any time.

Traffic Classification

Torch can display traffic categorized by multiple criteria. Use the appropriate parameter to focus on specific traffic types:

Parameter	Description
`src-address`	Source IP address (IPv4 or IPv6)
`dst-address`	Destination IP address (IPv4 or IPv6)
`port`	TCP/UDP port number
`mac-protocol`	MAC layer protocol (ARP, EAPOL, etc.)
`vlan-id`	VLAN identifier
`dscp`	Differentiated Services Code Point value

Torch displays a PROTOCOL column in its output, but it does not support a CLI protocol= filter parameter.

Filter by Port

Focus on traffic to or from a specific port:

[admin@MikroTik] > /tool/torch interface=ether1 port=80

Filter by Address

Monitor traffic from a specific source or destination:

[admin@MikroTik] > /tool/torch interface=ether1 src-address=192.168.1.100
[admin@MikroTik] > /tool/torch interface=ether1 dst-address=10.0.0.1

Output Interpretation

Torch displays traffic grouped by your selected classification, showing:

Protocol: The protocol identifier or classification criteria
TX Rate: Transmit data rate in bits per second
RX Rate: Receive data rate in bits per second

Example output showing HTTPS traffic by port:

[admin@MikroTik] /tool/torch> interface=ether1 port=443
Flags: X - disabled
       TX         RX        PORT  PROTOCOL  SRC-ADDRESS  DST-ADDRESS
   45.8kbps   12.3kbps     443       tcp    192.168.1.50  10.0.0.100
   23.1kbps    8.7kbps     443       tcp    192.168.1.75  10.0.0.100

Real-Time Monitoring

Torch provides continuous real-time updates. The display refreshes automatically, showing current traffic rates. This is useful for:

Identifying active connections during troubleshooting
Detecting unexpected traffic patterns
Monitoring bandwidth utilization per traffic type
Spotting traffic anomalies as they occur

Identifying Top Talkers

Top talkers are hosts or flows consuming the most bandwidth. Use Torch on your uplink or LAN interface and watch the TX/RX rate columns — entries with the highest rates are your top consumers.

Find Top Talkers by Source Address

Group traffic by source address to see which hosts are generating the most traffic:

[admin@MikroTik] > /tool/torch interface=ether1 src-address=0.0.0.0/0

The display refreshes in real time. Rows with the largest TX/RX values are the top bandwidth consumers.

Find Top Talkers by Traffic Type

Identify which traffic types are consuming the most bandwidth:

[admin@MikroTik] > /tool/torch interface=ether1

Watch the protocol column in the output. If TCP traffic dominates, filter further by port to identify the application.

Narrowing Down a Top Talker

Once you identify a high-rate source address, drill into its traffic:

[admin@MikroTik] > /tool/torch interface=ether1 src-address=192.168.1.50

Correlate the identified address with your DHCP leases or ARP table:

[admin@MikroTik] > /ip/dhcp-server/lease/print where address=192.168.1.50
[admin@MikroTik] > /ip/arp/print where address=192.168.1.50

Troubleshooting Unexpected Traffic

Torch is well-suited for quickly diagnosing unexpected traffic on an interface without setting up full packet capture.

Workflow: Unknown Traffic on WAN

Start Torch on the WAN interface without filters to see all active flows:

[admin@MikroTik] > /tool/torch interface=ether1

Identify unfamiliar source or destination addresses in the output.
Filter by the suspect address to confirm it is active:

[admin@MikroTik] > /tool/torch interface=ether1 src-address=203.0.113.5

If the traffic is from an internal host, correlate with DHCP leases to identify the device:

[admin@MikroTik] > /ip/dhcp-server/lease/print where address=203.0.113.5

If the traffic type or port remains unclear, pivot to the Packet Sniffer for full payload inspection.

Workflow: Suspected Broadcast Storm or Multicast Flood

Monitor non-unicast traffic using the mac-protocol filter:

[admin@MikroTik] > /tool/torch interface=bridge1 mac-protocol=arp

High ARP rates can indicate an ARP storm. High broadcast rates may indicate a layer 2 loop or misconfigured device.

Workflow: Confirming Traffic Reaches the Router

Because Torch runs before firewall processing, use it to verify whether traffic is arriving even if a firewall rule drops it:

[admin@MikroTik] > /tool/torch interface=ether1 src-address=10.0.0.5 port=22

If you see traffic in Torch but a connection fails, the issue is a firewall rule or routing problem — not the upstream link.

Limitations and Visibility Constraints

Firewall Pre-Processing

Traffic visible in Torch appears before firewall filtering. This means you will see packets that your firewall rules may subsequently drop. Use this to:

Confirm traffic is reaching the router before firewall processing
Identify blocked traffic types for firewall rule adjustment
Debug firewall rule interactions

Wireless Client Traffic

Unicast traffic between wireless clients with client-to-client forwarding enabled will not appear in Torch. This traffic is handled directly by the wireless interface without being visible to monitoring tools.

Hardware Offloading

Packets processed through hardware-offloaded bridges are not visible to Torch. This includes:

Bridge forwarding through switch chips
Hardware-accelerated traffic forwarding

The following traffic types remain visible even with hardware offloading:

Unknown unicast traffic
Broadcast traffic
Some multicast traffic

Practical Examples

Monitor All Traffic on WAN Interface

[admin@MikroTik] > /tool/torch interface=ether1

Identify HTTP Traffic Sources

[admin@MikroTik] > /tool/torch interface=ether1 port=80

Monitor IPv6 Traffic

[admin@MikroTik] > /tool/torch interface=ether1 src-address=2001:db8::1

Detect VLAN Traffic

[admin@MikroTik] > /tool/torch interface=ether1 vlan-id=10

Monitor DSCP Tagged Traffic

[admin@MikroTik] > /tool/torch interface=ether1 dscp=46

Comparison with Other Tools

Tool	Purpose	Packet Content
Torch	Real-time traffic rates by protocol/address	Not captured
Packet Sniffer	Capture packet contents for analysis	Full packets
Monitor Traffic	Aggregate interface statistics	Counts only
Log	Record firewall-matched traffic	Firewall decisions

Use Torch when you need quick visibility into traffic patterns without the overhead of full packet capture. Use Packet Sniffer when you need to examine actual packet contents.

Packet Sniffer - Full packet capture and analysis
Monitor Traffic - Aggregate interface statistics
Firewall - Packet filtering configuration
Interface Stats - Interface counter monitoring

Torch

Torch

Summary

Basic Usage

Command Access

Stopping Torch

Traffic Classification

Filter by Port

Filter by Address

Output Interpretation

Real-Time Monitoring

Identifying Top Talkers

Find Top Talkers by Source Address

Find Top Talkers by Traffic Type

Narrowing Down a Top Talker

Troubleshooting Unexpected Traffic

Workflow: Unknown Traffic on WAN

Workflow: Suspected Broadcast Storm or Multicast Flood

Workflow: Confirming Traffic Reaches the Router

Limitations and Visibility Constraints

Firewall Pre-Processing

Wireless Client Traffic

Hardware Offloading

Practical Examples

Monitor All Traffic on WAN Interface

Identify HTTP Traffic Sources

Monitor IPv6 Traffic

Detect VLAN Traffic

Monitor DSCP Tagged Traffic

Comparison with Other Tools

Related Resources