Traffic Flow (NetFlow / IPFIX)

Summary

RouterOS Traffic Flow is a statistical monitoring system that exports information about IP packets passing through the router to external collector software. It is compatible with Cisco NetFlow, enabling use with any NetFlow-capable analysis tool.

Traffic Flow captures per-flow records containing source/destination addresses, ports, protocols, byte/packet counts, and timestamps. These records are exported over UDP to one or more collector hosts.

Supported Export Formats

Version	Description
v1	Original NetFlow format. Basic IP flow records only, no ToS or BGP AS support.
v5	Adds ToS, TCP flags, and BGP AS fields. RouterOS does not populate BGP AS numbers.
v9	Template-based export. Supports IPv4, IPv6, and extensible record types.
IPFIX	IETF standard based on NetFlow v9. Adds multicast support and custom field selection.

NetFlow v9 and IPFIX use templates to describe the structure of flow records. The router sends a template packet before (and periodically alongside) data records so that the collector knows how to decode them.

Command Paths

Menu	Purpose
`/ip traffic-flow`	Global enable/disable and flow cache settings
`/ip traffic-flow target`	Define collector hosts to receive flow records
`/ip traffic-flow ipfix`	Select which fields to include in IPFIX records

General Configuration

Sub-menu: /ip traffic-flow

Property	Type / Values	Default	Description
`enabled`	yes \| no	no	Enable or disable Traffic Flow globally.
`interfaces`	string \| all	all	Interfaces to monitor. Separate multiple names with commas.
`cache-entries`	1k \| 2k \| 4k \| 8k \| 16k \| 32k \| 64k \| 128k \| 256k	4k	Maximum number of simultaneous flows held in memory.
`active-flow-timeout`	time	30m	Maximum lifetime of a flow before it is exported, regardless of activity.
`inactive-flow-timeout`	time	15s	How long an idle flow is retained. When this expires the flow is exported and removed. Setting this too low creates excessive flow records.
`packet-sampling`	yes \| no	no	Enable packet sampling (ROS v7+).
`sampling-interval`	integer	0	Number of consecutive packets to sample before skipping.
`sampling-space`	integer	0	Number of consecutive packets to skip after sampling `sampling-interval` packets.

Enabling Traffic Flow

/ip traffic-flow set enabled=yes

To limit monitoring to specific interfaces:

/ip traffic-flow set enabled=yes interfaces=ether1,ether2

To verify the current settings:

/ip traffic-flow print

Example output:

              enabled: yes
           interfaces: all
        cache-entries: 4k
  active-flow-timeout: 30m
inactive-flow-timeout: 15s
      packet-sampling: no

Collector Targets

Sub-menu: /ip traffic-flow target

Each target entry defines one collector that receives flow records. Multiple targets can be configured simultaneously; the router sends records to all of them.

Property	Type / Values	Default	Description
`dst-address`	IP address	(required)	IP address of the collector host.
`port`	integer	2055	UDP port on the collector host.
`src-address`	IP address	0.0.0.0	Source IP address used when sending flow packets. `0.0.0.0` uses the outgoing interface address.
`version`	1 \| 5 \| 9 \| IPFIX	9	NetFlow export format.
`v9-template-refresh`	integer	20	Send a template packet every N data packets (v9 and IPFIX only).
`v9-template-timeout`	time	30m	Send a template packet if one has not been sent within this interval (v9 and IPFIX only).

Adding a Collector

/ip traffic-flow target add dst-address=192.168.1.100 port=2055 version=9

To add an IPFIX collector on a non-standard port:

/ip traffic-flow target add dst-address=10.0.0.50 port=4739 version=IPFIX

To list configured targets:

/ip traffic-flow target print

Example output:

Flags: X - disabled
 #   SRC-ADDRESS     DST-ADDRESS      PORT   VERSION
 0   0.0.0.0         192.168.1.100    2055   9

Multiple Collectors

You can send flow data to several collectors simultaneously, for example a primary analysis system and a long-term archive:

/ip traffic-flow target add dst-address=192.168.1.100 port=2055 version=9
/ip traffic-flow target add dst-address=10.10.0.5 port=9995 version=IPFIX

IPFIX Field Selection

Sub-menu: /ip traffic-flow ipfix

When using IPFIX format, you can control exactly which fields are exported. Enabling only the fields your collector needs reduces bandwidth and processing overhead.

Field	Description
`bytes`	Total bytes in the flow.
`packets`	Total packets in the flow.
`src-address`	Source IP address.
`dst-address`	Destination IP address.
`src-port`	Source transport-layer port.
`dst-port`	Destination transport-layer port.
`protocol`	IP protocol number (TCP=6, UDP=17, ICMP=1, etc.).
`tos`	IP Type of Service / DSCP byte.
`ttl`	IP Time To Live.
`tcp-flags`	TCP control flags (SYN, ACK, FIN, RST, etc.).
`tcp-seq-num`	TCP sequence number.
`tcp-ack-num`	TCP acknowledgment number.
`tcp-window-size`	TCP receive window size.
`icmp-type`	ICMP message type.
`icmp-code`	ICMP message code.
`igmp-type`	IGMP message type.
`in-interface`	Ingress interface index.
`out-interface`	Egress interface index.
`src-mac-address`	Source MAC address.
`dst-mac-address`	Destination MAC address.
`src-address-mask`	Source IP prefix length.
`dst-address-mask`	Destination IP prefix length.
`ip-header-length`	IP header length in bytes.
`ip-total-length`	Total IP packet length in bytes.
`ipv6-flow-label`	IPv6 flow label field.
`is-multicast`	Whether the flow is multicast.
`first-forwarded`	Timestamp of the first packet in the flow.
`last-forwarded`	Timestamp of the most recent packet in the flow.
`sys-init-time`	Router system initialization time (used for relative timestamp calculation).
`gateway`	IP address of the next-hop gateway.
`nat-src-address`	Post-NAT source IP address.
`nat-dst-address`	Post-NAT destination IP address.
`nat-src-port`	Post-NAT source port.
`nat-dst-port`	Post-NAT destination port.
`nat-events`	NAT event type (session create/delete).
`udp-length`	UDP datagram length.

Packet Sampling (ROS v7+)

Packet sampling exports flow records for a statistical sample of packets rather than all traffic. This reduces router CPU load and export bandwidth on high-throughput interfaces while still providing useful traffic insights.

The sampling model is: sample sampling-interval packets, then skip sampling-space packets, then repeat.

Example — sample every other 2222 packets (skip 1111):

/ip traffic-flow set \
  packet-sampling=yes \
  sampling-interval=2222 \
  sampling-space=1111

When sampling is active, flow byte/packet counts reflect only the sampled packets. Scale results appropriately when estimating total traffic volumes.

Complete Configuration Example

This example enables Traffic Flow on all interfaces and exports v9 records to a local collector:

# Enable Traffic Flow
/ip traffic-flow set \
  enabled=yes \
  interfaces=all \
  cache-entries=4k \
  active-flow-timeout=30m \
  inactive-flow-timeout=15s

# Add collector target
/ip traffic-flow target add \
  dst-address=192.168.1.100 \
  port=2055 \
  version=9

# Verify
/ip traffic-flow print
/ip traffic-flow target print

Monitoring Specific Interfaces Only

Use an interface list to restrict flow export to WAN-facing interfaces:

/interface list add name=WAN-interfaces
/interface list member add interface=ether1 list=WAN-interfaces
/interface list member add interface=ether2 list=WAN-interfaces

/ip traffic-flow set enabled=yes interfaces=WAN-interfaces

Collector Software

RouterOS Traffic Flow is compatible with any software that speaks Cisco NetFlow v1, v5, v9, or IPFIX. Common options:

Collector	Notes
ntopng	Requires nProbe as an intermediate NetFlow collector (nProbe is commercial software). ntopng itself listens on nProbe’s output.
nfdump / nfcapd	Open-source command-line tools. `nfcapd` collects flows to disk; `nfdump` queries them. Lightweight and scriptable.
Elasticsearch + Kibana	Use the Elastic Agent with the NetFlow Records integration. Supports dashboards, alerting, and long-term retention. See the NetFlow with Elasticsearch guide below.
Zabbix	Supports NetFlow ingestion via the Zabbix NetFlow module or third-party scripts. Can generate alerts based on flow thresholds.
Grafana + Loki/InfluxDB	Requires an intermediary collector (e.g., `pmacct`, `nfdump`) to forward flow data to the time-series backend.
ManageEngine / PRTG / SolarWinds	Commercial NMS platforms with built-in NetFlow analysis modules.

NetFlow with Elasticsearch

Elasticsearch combined with Kibana provides rich dashboards and long-term storage for NetFlow data.

Architecture

RouterOS ──(UDP 2055)──► Elastic Agent   ──► Fleet Server ──► Elasticsearch ──► Kibana
         (NetFlow v9/IPFIX)  (NetFlow integration)

All components can run on the same host for lab use; separate hosts are recommended for production.

RouterOS Configuration

# Optional: restrict to specific interfaces
/interface list add name=NetFlow-interfaces
/interface list member add interface=ether1 list=NetFlow-interfaces

# Enable Traffic Flow
/ip traffic-flow set enabled=yes interfaces=NetFlow-interfaces

# Point to the Elastic Agent host
/ip traffic-flow target add \
  dst-address=10.0.0.2 \
  port=2055 \
  version=9

Elastic Agent Setup

In Kibana, navigate to Fleet → Agent policies → Create agent policy.
Open the new policy and click Add integration.
Search for NetFlow Records and configure:
- UDP listen address: IP of the Elastic Agent host (e.g., 10.0.0.2)
- Port: 2055
Install the Elastic Agent on the collector host following the on-screen instructions.
Ensure UDP port 2055 is reachable from the router.

Useful Kibana Fields

Field	Description
`source.ip`	Flow source IP
`source.port`	Flow source port
`destination.ip`	Flow destination IP
`destination.port`	Flow destination port
`network.transport`	Protocol (tcp, udp, icmp)
`data_stream.dataset`	Should be `netflow.log`

Troubleshooting

No flows received at collector

Confirm Traffic Flow is enabled: /ip traffic-flow print → enabled: yes
Confirm the target is configured and not disabled: /ip traffic-flow target print
Check that the router can reach the collector: /ping 192.168.1.100
Verify UDP port 2055 is open on the collector host firewall.
Check for a firewall rule on the router that may be dropping outbound UDP to the collector.
Confirm the collector is actually listening (ss -unl | grep 2055 on Linux).

Flows appear but data is incomplete (v9 / IPFIX)

Ensure the collector receives the template packet before data packets arrive. The router sends a template every v9-template-refresh packets (default: 20) and after every v9-template-timeout interval (default: 30m).
Reducing v9-template-refresh causes more frequent template transmission, which helps collectors that restart frequently:
```
/ip traffic-flow target set 0 v9-template-refresh=5
```
If the collector was restarted, it may be missing the template. Disabling and re-enabling the target forces an immediate template retransmit.

High CPU usage on router

Reduce cache-entries to limit memory and processing overhead.
Reduce the monitored interface set: /ip traffic-flow set interfaces=ether1
Enable packet sampling to process only a fraction of packets:
```
/ip traffic-flow set packet-sampling=yes sampling-interval=100 sampling-space=900
```
This samples 1 in 10 packets (100 sampled, 900 skipped).
Increase inactive-flow-timeout to reduce the frequency of flow exports.

No hardware-offloaded traffic visible

Traffic Flow cannot see traffic that is forwarded entirely in hardware (switch chip or bridge fast-path). To capture such traffic, disable hardware offloading on the relevant bridge or use a dedicated monitoring port with port mirroring.

Notes

Traffic Flow records are generated at the end of the input, forward, and output chains. Only traffic that reaches one of these chains is counted. Dropped packets (e.g., by a firewall drop rule earlier in the chain) are still counted because the drop occurs within the chain.
The router sends flow records to all configured targets. Targets can use different NetFlow versions simultaneously.
The default UDP port for NetFlow is 2055. IPFIX collectors traditionally also use 4739.
Flows are identified by the 5-tuple: source IP, destination IP, source port, destination port, protocol. A new flow is created when a packet arrives with a new 5-tuple combination.