IP Traffic Flow (NetFlow/IPFIX) in RouterOS: A Complete Guide
RouterOS Version: 7.x+ | Difficulty: Intermediate | Estimated Time: 25 minutes
Overview
Traffic Flow is RouterOS’s implementation of NetFlow/IPFIX for exporting network traffic statistics to external collectors. It tracks flows passing through the router and exports detailed metadata including source/destination addresses, ports, protocols, byte/packet counts, and timestamps.
Supported export formats:
- NetFlow v1 - Basic IP packet information
- NetFlow v5 - Adds ToS, TCP flags, sequence numbers
- NetFlow v9 - Template-based, extensible, IPv4/IPv6
- IPFIX - IETF standard based on NetFlow v9
Common use cases:
- Network traffic analysis and bandwidth monitoring
- Security auditing and anomaly detection
- Billing and usage accounting
- Capacity planning
Key limitation: Traffic Flow only counts traffic processed by the CPU. Hardware-offloaded bridge traffic and fast-path traffic are not included in flow statistics.
How Traffic Flow Works
Traffic Flow monitors packets at the end of the input, forward, and output chains. Only traffic reaching these chains is counted; hardware-switched bridge traffic bypasses the CPU entirely and is never seen.
Menu Reference
| Menu | Purpose |
|---|---|
| /ip traffic-flow | Main configuration |
| /ip traffic-flow target | Collector destinations |
| /ip traffic-flow ipfix | IPFIX-specific field selection |
Configuration Properties
Main Settings (/ip traffic-flow)
| Property | Type | Default | Description |
|---|---|---|---|
| enabled | yes/no | no | Enable/disable traffic flow |
| interfaces | list/all | all | Interfaces to monitor |
| cache-entries | enum | 4k | Flow cache size (1k-256k) |
| active-flow-timeout | time | 30m | Max time before exporting an active flow |
| inactive-flow-timeout | time | 15s | Time before exporting an idle flow |
| packet-sampling | yes/no | no | Enable sampling (v7+) |
| sampling-interval | integer | 0 | Sample N consecutive packets |
| sampling-space | integer | 0 | Skip N packets between samples |
Target Settings (/ip traffic-flow target)
| Property | Type | Default | Description |
|---|---|---|---|
| src-address | IP | 0.0.0.0 | Source IP for flow packets |
| dst-address | IP | - | Collector IP (required) |
| port | integer | 2055 | Collector UDP port |
| version | enum | 9 | Export format (1, 5, 9, ipfix) |
| v9-template-refresh | integer | 20 | Packets between template resends |
| v9-template-timeout | time | 0s | Time between template resends |
IPFIX Field Selection (/ip traffic-flow ipfix)
| Property | Default | Description |
|---|---|---|
| bytes | yes | Include byte counts |
| packets | yes | Include packet counts |
| src-address | yes | Include source IP |
| dst-address | yes | Include destination IP |
| src-port | yes | Include source port |
| dst-port | yes | Include destination port |
| ip-protocol | yes | Include protocol number |
| tcp-flags | yes | Include TCP flags |
| nat-events | no | Include NAT translations |
NetFlow Version Comparison
| Version | Features | Best For |
|---|---|---|
| v1 | Basic IP info (src/dst, protocol, bytes) | Legacy collectors |
| v5 | ToS, TCP flags, sequence numbers | Older systems |
| v9 | Template-based, IPv4/IPv6, extensible | Modern collectors |
| IPFIX | IETF standard, multicast, NAT events | Enterprise deployments |
Recommendation: Use NetFlow v9 or IPFIX for modern deployments. They support IPv6 and provide more detailed flow data.
Configuration Examples
Example 1: Basic NetFlow v9 Export
```
# Enable traffic flow
/ip traffic-flow set enabled=yes

# Add collector
/ip traffic-flow target add dst-address=192.168.1.100 port=2055 version=9

# Verify
/ip traffic-flow print
/ip traffic-flow target print
```
Example 2: IPFIX with Source Address (Recommended)
Always set src-address to prevent 0.0.0.0 source issues:
```
/ip traffic-flow set enabled=yes active-flow-timeout=1m
/ip traffic-flow target add dst-address=192.168.1.100 port=2055 \
    version=ipfix src-address=192.168.1.1

# Configure IPFIX fields
/ip traffic-flow ipfix set bytes=yes packets=yes src-address=yes \
    dst-address=yes tcp-flags=yes
```
Example 3: Monitor Specific Interfaces
Reduce CPU load by monitoring only WAN interfaces:
```
/ip traffic-flow set enabled=yes interfaces=ether1-wan,ether2-wan
/ip traffic-flow target add dst-address=10.0.0.50 port=9995 version=9
```
Example 4: High-Traffic with Sampling (v7+)
For busy networks, enable sampling to reduce CPU usage:
```
# Sample 1 packet, skip 1000 (approximately 0.1% sampling)
/ip traffic-flow set enabled=yes packet-sampling=yes \
    sampling-interval=1 sampling-space=1000

# Larger cache for more concurrent flows
/ip traffic-flow set cache-entries=64k

/ip traffic-flow target add dst-address=192.168.1.100 port=2055 \
    version=9 src-address=192.168.1.1
```
Example 5: Multiple Collectors
Send flows to primary and backup collectors:
```
/ip traffic-flow target add dst-address=192.168.1.100 port=2055 \
    version=9 comment="Primary collector"
/ip traffic-flow target add dst-address=192.168.1.101 port=2055 \
    version=ipfix comment="Backup collector"
```
Example 6: NAT Event Logging with IPFIX
Track NAT translations:
```
/ip traffic-flow set enabled=yes
/ip traffic-flow target add dst-address=192.168.1.100 port=4739 \
    version=ipfix src-address=192.168.1.1
/ip traffic-flow ipfix set nat-events=yes
```
Example 7: Faster Template Updates
For collectors that need frequent template refreshes:
```
/ip traffic-flow target set [find] v9-template-refresh=10 v9-template-timeout=1m
```
Common Problems and Solutions
Problem 1: Collector Shows No Data
Causes:
- src-address set to 0.0.0.0 (Linux drops martian packets)
- Firewall blocking UDP to collector
- Wrong collector port
Solution:
```
# Always set src-address
/ip traffic-flow target set [find] src-address=192.168.1.1

# Verify connectivity
/ping 192.168.1.100

# Check firewall allows outbound UDP
/ip firewall filter print where chain=output
```
Problem 2: All Counters Show Zero
Causes:
- Traffic flow enabled but no traffic reaching the CPU
- Interfaces setting excludes the monitored interfaces
Solution:
```
# Check interfaces setting
/ip traffic-flow print
# Ensure interfaces includes your monitored interfaces

# Verify traffic flow status
/ip traffic-flow print
# Look at sent-flows, sent-packets counters
```
Problem 3: Hardware-Offloaded Traffic Not Counted
Cause: Bridge traffic switched in hardware bypasses the CPU.
Solution:
```
# Disable hardware offload on the bridge ports (impacts performance!)
# hw is a per-port property, so it is set under /interface bridge port
/interface bridge port set [find] hw=no
```
Note: This significantly impacts performance on high-traffic bridges. Consider whether you truly need to monitor bridged traffic.
Problem 4: Missing Flows During DDoS/High Load
Cause: UDP flow packets dropped under load; cache overflow.
Solutions:
```
# Enable sampling to reduce CPU load
/ip traffic-flow set packet-sampling=yes sampling-interval=1 sampling-space=100

# Increase cache size
/ip traffic-flow set cache-entries=128k
```
Problem 5: Collector Shows Unknown Fields (v9/IPFIX)
Cause: Collector missed the template packet, so it cannot interpret the data records that reference it.
Solution:
```
# More frequent template updates
/ip traffic-flow target set [find] v9-template-refresh=10 v9-template-timeout=30s
```
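Why Example 7 and Problem 5 matter can be seen with a small NetFlow v9 decoder. This is an added example, not code from the page or from RouterOS: it builds a constructed export packet (template FlowSet followed by a data FlowSet, with sample addresses and arbitrary header values) and shows that a collector decodes a data FlowSet only if its template cache already holds the template ID the records reference, which is exactly what a missed template packet breaks and a template resend repairs.

```python
import struct
from ipaddress import IPv4Address

# NetFlow v9 field type -> name for the fields this template carries (RFC 3954 types).
FIELD_NAMES = {8: "src_addr", 12: "dst_addr", 7: "src_port", 11: "dst_port",
               4: "protocol", 1: "bytes", 2: "packets"}
TEMPLATE_FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]

def build_v9_packet(include_template=True):
    """Constructed packet: optional template FlowSet + one data FlowSet (header values arbitrary)."""
    tmpl = struct.pack("!HH", 256, len(TEMPLATE_FIELDS)) + b"".join(
        struct.pack("!HH", t, n) for t, n in TEMPLATE_FIELDS)
    tmpl_set = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl      # set id 0 = template FlowSet
    record = (IPv4Address("192.168.1.10").packed + IPv4Address("10.0.0.50").packed
              + struct.pack("!HHBII", 51515, 443, 6, 8192, 12))
    pad = (-len(record)) % 4                                     # FlowSets are 4-byte aligned
    data_set = struct.pack("!HH", 256, 4 + len(record) + pad) + record + b"\0" * pad
    sets = (tmpl_set if include_template else b"") + data_set
    count = 2 if include_template else 1                         # records in this packet
    return struct.pack("!HHIIII", 9, count, 1000, 1700000000, 1, 0) + sets

def decode_v9(packet, templates):
    """Decode one packet. `templates` is the collector's template cache keyed by
    (source_id, template_id); it must persist across packets from one exporter."""
    version, _count, _uptime, _secs, _seq, source_id = struct.unpack_from("!HHIIII", packet)
    if version != 9:
        raise ValueError("not a NetFlow v9 packet")
    flows, offset = [], 20
    while offset + 4 <= len(packet):
        set_id, length = struct.unpack_from("!HH", packet, offset)
        body = packet[offset + 4:offset + length]
        if set_id == 0:                               # template FlowSet: learn the record layout
            tid, nfields = struct.unpack_from("!HH", body)
            templates[(source_id, tid)] = [struct.unpack_from("!HH", body, 4 + 4 * i)
                                           for i in range(nfields)]
        elif set_id >= 256:                           # data FlowSet: decodable only with its template
            fields = templates.get((source_id, set_id))
            if fields is None:                        # what a collector sees after missing the template
                flows.append({"error": f"unknown template {set_id}"})
            else:
                rec_len, pos = sum(n for _, n in fields), 0
                while pos + rec_len <= len(body):     # records until only padding remains
                    rec = {}
                    for ftype, n in fields:
                        raw, pos = body[pos:pos + n], pos + n
                        rec[FIELD_NAMES.get(ftype, f"field{ftype}")] = (
                            str(IPv4Address(raw)) if ftype in (8, 12) else int.from_bytes(raw, "big"))
                    flows.append(rec)
        offset += length
    return flows
```

Feed `decode_v9` a data-only packet with an empty cache and it reports the unknown template; feed it the packet carrying the template first and the same data decodes, which is the effect of lowering v9-template-refresh/v9-template-timeout on the router.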
Problem 6: Incorrect Bandwidth Readings
Cause: Flow aggregation timing or collector interpretation.
Solution:
```
# More frequent exports
/ip traffic-flow set active-flow-timeout=1m inactive-flow-timeout=10s
```
Flow Cache Sizing
| Cache Size | Concurrent Flows | Memory Usage |
|---|---|---|
| 1k | 1,024 | Low |
| 4k | 4,096 | Low (default) |
| 16k | 16,384 | Medium |
| 64k | 65,536 | Medium |
| 256k | 262,144 | High |
Guideline: Size cache based on expected concurrent flows. A busy router might have thousands of concurrent flows; a small office might have hundreds.
Verification Commands
```
# Check traffic flow status
/ip traffic-flow print
# Look at: enabled, interfaces, sent-flows, sent-packets

# Check target configuration
/ip traffic-flow target print
# Verify: dst-address, port, version, src-address

# Check IPFIX settings
/ip traffic-flow ipfix print

# Monitor flow statistics in real time
/ip traffic-flow print interval=5
# Watch for an incrementing sent-flows count
```
Popular Collectors
| Collector | Type | Notes |
|---|---|---|
| ntopng | Open source | Real-time visualization (use with netflow2ng collector) |
| Elastiflow | Elasticsearch-based | Scalable, powerful queries |
| Akvorado | Open source | User-friendly, modern interface |
| pmacct | Open source | Flexible, MySQL/PostgreSQL storage |
| PRTG | Commercial | Easy setup, Windows |
| nfdump/nfsen | Open source | CLI tools, historical analysis |
| Scrutinizer | Commercial | Enterprise features |
| SolarWinds NTA | Commercial | Enterprise network analysis |
Related Features
- Torch (/tool torch) - Real-time traffic analysis per interface
- Graphing (/tool graphing) - Built-in traffic graphs
- Packet Sniffer (/tool sniffer) - Captures actual packets
- Accounting (/ip accounting) - IP traffic accounting
- Connection Tracking (/ip firewall connection) - Active connections
Limitations
- CPU-processed traffic only - Hardware-offloaded traffic not counted
- No BGP AS in v5 - Unlike Cisco, RouterOS doesn’t include AS info in v5
- UDP transport only - No TCP option; packets may be lost
- No inline filtering - Cannot filter which flows to export
- Memory bound - Cache size limits concurrent flow tracking
Summary
Traffic Flow exports network statistics to external collectors:
- Enable with /ip traffic-flow set enabled=yes
- Add a target with collector IP, port, and version
- Set src-address to avoid 0.0.0.0 source issues
- Monitor with /ip traffic-flow print
Key points:
- Always set src-address on targets
- Use NetFlow v9 or IPFIX for modern deployments
- Only CPU-processed traffic is counted
- Enable sampling for high-traffic environments
- Template refresh may be needed for v9/IPFIX collectors
Related Topics
Traffic Analysis
- Torch - real-time traffic analysis per interface
- Graphing - built-in traffic graphs
- Traffic Monitor - threshold-based alerts
Related Features
- Firewall Basics - connection tracking
- NAT - NAT event tracking
- Queues - bandwidth management