Interface Statistics and Traffic Monitoring
Interface Statistics and Traffic Monitoring
Section titled “Interface Statistics and Traffic Monitoring”Summary
Section titled “Summary”RouterOS provides several complementary tools for observing traffic volume and active sessions:
| Tool | What it shows | Scope |
|---|---|---|
monitor-traffic | Live bits/packets per second | Per interface |
print stats | Cumulative byte/packet/error counters | Per interface |
/ip/accounting | Byte and packet totals per source/destination IP pair | Per router |
/ip/firewall/connection | Active connection table | Per router |
/ip/traffic-flow | NetFlow/IPFIX export to external collectors | Per router |
Interface Monitor Traffic
Section titled “Interface Monitor Traffic”/interface monitor-traffic displays real-time throughput rates, refreshed every second.
Basic Usage
Section titled “Basic Usage”/interface monitor-traffic ether1Monitor multiple interfaces simultaneously:
/interface monitor-traffic ether1,ether2,sfp-sfpplus1Press Ctrl+C to stop.
Output Columns
Section titled “Output Columns”| Column | Description |
|---|---|
rx-bits-per-second | Incoming data rate (bits/s) |
tx-bits-per-second | Outgoing data rate (bits/s) |
rx-packets-per-second | Incoming packet rate |
tx-packets-per-second | Outgoing packet rate |
Example output:
name rx-bits-per-second tx-bits-per-second rx-packets-per-second tx-packets-per-second ether1 92.4Mbps 45.1Mbps 8213 4107Interface Print Stats
Section titled “Interface Print Stats”/interface print stats returns accumulated counters since the router started (or since the last counter reset). Unlike monitor-traffic, this command shows totals rather than rates.
/interface print statsScope to specific interfaces:
/interface print stats where name=ether1For Ethernet-specific counters:
/interface ethernet print statsCounter Columns
Section titled “Counter Columns”| Counter | Description |
|---|---|
rx-byte | Total bytes received |
tx-byte | Total bytes transmitted |
rx-packet | Total packets received |
tx-packet | Total packets transmitted |
rx-error | Receive errors (CRC, frame, etc.) |
tx-error | Transmit errors |
rx-drop | Received packets dropped (buffer full) |
tx-drop | Transmit packets dropped |
Resetting Counters
Section titled “Resetting Counters”Reset all interface counters to zero:
/interface reset-countersReset a single interface:
/interface reset-counters ether1IP Accounting
Section titled “IP Accounting”IP accounting tracks byte and packet totals grouped by source/destination IP pair. It provides per-host visibility into who is sending or receiving the most traffic.
Enabling Accounting
Section titled “Enabling Accounting”/ip/accounting set enabled=yesTo also count traffic originating from or destined to the router itself:
/ip/accounting set enabled=yes account-local-traffic=yesLimit the number of tracked IP pairs (affects memory use):
/ip/accounting set enabled=yes threshold=2560Viewing Accounting Data
Section titled “Viewing Accounting Data”/ip/accounting printExample output:
SRC-ADDRESS DST-ADDRESS PACKETS BYTES 192.168.88.10 1.1.1.1 4217 5324288 192.168.88.20 8.8.8.8 822 105216Snapshots
Section titled “Snapshots”The accounting table accumulates continuously. Take a snapshot to freeze a point-in-time view for processing:
/ip/accounting snapshot save/ip/accounting snapshot printWeb Access
Section titled “Web Access”Expose accounting data over HTTP for polling by external systems:
/ip/accounting web-access set accessible-via-web=yes address=10.0.0.0/24Access the data at http://<router-ip>/accounting/ip.cgi.
Connection Tracking
Section titled “Connection Tracking”The connection tracking table records all active sessions passing through the router. It is used by the firewall for stateful filtering and provides visibility into live connections.
Viewing Active Connections
Section titled “Viewing Active Connections”/ip/firewall/connection printFilter by destination address:
/ip/firewall/connection print where dst-address~"10.0.0.1"Connection Table Fields
Section titled “Connection Table Fields”| Field | Description |
|---|---|
protocol | Transport protocol (tcp, udp, icmp) |
src-address | Source IP and port |
dst-address | Destination IP and port |
connection-state | Current state (established, time-wait, close-wait, etc.) |
timeout | Time remaining before the entry expires |
orig-packets | Packets in the original direction |
repl-packets | Packets in the reply direction |
Connection States
Section titled “Connection States”| State | Meaning |
|---|---|
new | Session just started; not yet replied |
established | Bidirectional traffic seen |
related | Related to an existing connection (e.g. FTP data) |
invalid | Packet does not match any known session |
untracked | Bypassed tracking (FastTrack or raw table rule) |
FastTrack and hardware offloading bypass connection tracking for matched flows. Traffic accelerated by FastTrack or hardware switching will not appear in the connection table, and firewall rules that match on connection state will not apply to it.
Removing a Connection Entry
Section titled “Removing a Connection Entry”Force a connection to be re-established (useful after policy changes):
/ip/firewall/connection remove [find dst-address~"10.0.0.1"]Traffic Flow Export (NetFlow/IPFIX)
Section titled “Traffic Flow Export (NetFlow/IPFIX)”For long-term flow analysis and external reporting, RouterOS can export flow records to a NetFlow/IPFIX collector such as ntopng, Grafana/Loki, or PRTG.
Basic Configuration
Section titled “Basic Configuration”/ip/traffic-flow set enabled=yes interfaces=all \ active-flow-timeout=30m inactive-flow-timeout=15s \ cache-entries=4kAdd a collector target:
/ip/traffic-flow/target add dst-address=192.0.2.10 port=2055 version=9Key Properties
Section titled “Key Properties”| Property | Description |
|---|---|
enabled | Enable flow export |
interfaces | Interfaces to capture (all or comma-separated list) |
active-flow-timeout | Export active flows after this interval |
inactive-flow-timeout | Export idle flows after this interval |
cache-entries | Flow cache size (larger = more memory, fewer premature exports) |
version | Export format: 1, 5, 9 (NetFlow), or 10 (IPFIX) |
Practical Examples
Section titled “Practical Examples”Check Which Interface Is Saturated
Section titled “Check Which Interface Is Saturated”/interface monitor-traffic [interface find]Monitors all interfaces at once; identify which is hitting its capacity limit.
Identify High-Volume Hosts
Section titled “Identify High-Volume Hosts”/ip/accounting set enabled=yes# ... wait for traffic to accumulate .../ip/accounting snapshot save/ip/accounting snapshot printSort output to find the top talkers.
Count Errors on a Flapping Link
Section titled “Count Errors on a Flapping Link”/interface print stats where name=ether1Rapidly increasing rx-error or rx-drop values indicate a physical layer problem (bad cable, duplex mismatch, SFP issue).
Verify a Connection Cleared After Firewall Change
Section titled “Verify a Connection Cleared After Firewall Change”After modifying firewall rules, confirm old sessions are gone:
/ip/firewall/connection print where dst-address~"10.0.0.5"If entries remain, remove them to force re-evaluation under the new rules.
Related Resources
Section titled “Related Resources”- Torch - Real-time per-flow traffic inspection
- Bandwidth Test - Throughput measurement between MikroTik devices
- Traffic Flow - NetFlow/IPFIX export configuration
- Firewall - Stateful packet filtering using connection tracking
- Graphing - Built-in interface traffic graphs