Traffic-flow

From MikroTik Wiki

If you need to monitor the traffic flow of RouterBOARD interfaces or individual clients, you probably already have a web server with a database where you want to store the collected information and present it to users. You can either let the RouterBOARD store statistics in its memory and process the data later, or let your server periodically check the RouterBOARD status and collect and present the traffic flow online.

Firewall filter rules

Traffic flow can be monitored with a list of firewall filter rules. For every rule in the list the system collects the total number of bytes handled and the packet count. These columns are visible in WinBox, but they are not accessible through the command /ip firewall filter print, which returns only limited information. Even print terse does not print the desired columns. There is another command, get $i bytes, which can access the bytes column. So we can get nearly all column data from this table using get, except the rate column, which can be calculated periodically from the bytes entry.

To avoid conflicts between the usual firewall rules and the traffic measurement rules, we have to place the measurement rules before the others and set their action to passthrough. The RouterOS manual clarifies its meaning: "passthrough - ignores this rule and goes on to the next one". So it can be used for monitoring purposes.

Here is an example of some rules for monitoring host addresses, network interfaces and the whole transfer.

[admin@router] /ip firewall filter> print terse 
 0   chain=forward action=passthrough src-address=192.168.1.44 
 1   chain=forward action=passthrough dst-address=192.168.1.44 
 2   chain=forward action=passthrough src-address=192.168.1.40 
 3   chain=forward action=passthrough dst-address=192.168.1.40 
 4   chain=forward action=passthrough in-interface=wds1 
 5   chain=forward action=passthrough out-interface=wds1 
 6   chain=forward action=passthrough 
 7   chain=forward action=passthrough in-interface=ether2 
 8   chain=forward action=passthrough out-interface=ether2 
[admin@rt-hajda] /ip firewall filter> print stats
Flags: X - disabled, I - invalid, D - dynamic 
 #   CHAIN              ACTION                  BYTES           PACKETS        
 0   forward            passthrough             6605335067      5958062        
 1   forward            passthrough             1332911936      4385621        
 2   forward            passthrough             8458646         106952         
 3   forward            passthrough             9727017306      11917874       
 4   forward            passthrough             1456340499      1905917        
 5   forward            passthrough             1608695014      1950044        
 6   forward            passthrough             3169496735      4035085        
 7   forward            passthrough             521424026       751904         
 8   forward            passthrough             599551958       781589 

But how do we combine the data from print terse and print stats?

Here is a script that prints the per-host traffic list in print terse fashion, suitable for further machine processing. You can decide which columns you want to include and under which name each value will appear in the generated output.

[admin@router] /ip firewall filter> /ip firewall filter {:foreach i in=[find] do={:put ("src-address=".[get $i src-address]." dst-address=".[get $i dst-address]." bytes=".[get $i bytes]);}}
src-address=192.168.1.44 dst-address= bytes=6605335067
src-address= dst-address=192.168.1.44 bytes=1332912434
src-address=192.168.1.40 dst-address= bytes=8577812
src-address= dst-address=192.168.1.40 bytes=9727501016
src-address= dst-address= bytes=1504575140
src-address= dst-address= bytes=1677568829
src-address= dst-address= bytes=3293582889
src-address= dst-address= bytes=596215986
src-address= dst-address= bytes=648857978

Two entries are needed for each host because we need to measure the transferred data in both directions.

For monitoring hosts you should add rules with dst-address or src-address. For monitoring interfaces add rules with in-interface or out-interface.
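
The rate column that the text says must be calculated from the bytes entry can be derived on the collecting server from two runs of the script above. The following Python sketch is an added example, not part of the original wiki page: the function names are hypothetical, the two snapshots are constructed sample data, and the 10-second polling interval is an assumption. Rules are matched by their position in the list, because interface-only rules print with both address fields empty and cannot be told apart by content.

```python
# Added example (not from the wiki page). Both snapshots are constructed sample data.
PREV = """\
src-address=192.168.1.44 dst-address= bytes=1000000
src-address= dst-address=192.168.1.44 bytes=5000000
src-address= dst-address= bytes=9000000
"""
CURR = """\
src-address=192.168.1.44 dst-address= bytes=1250000
src-address= dst-address=192.168.1.44 bytes=7500000
src-address= dst-address= bytes=100
"""

def parse_snapshot(text):
    """Parse the script's key=value lines; the list index is the rule number."""
    rules = []
    for line in text.splitlines():
        fields = dict(tok.partition("=")[::2] for tok in line.split())
        if not fields.get("bytes", "").isdigit():
            continue  # not a counter line (blank line, prompt, echoed command)
        fields["bytes"] = int(fields["bytes"])
        rules.append(fields)
    return rules

def rule_rates(prev, curr, seconds):
    """Bits per second for each rule between two snapshots `seconds` apart.
    None marks a counter that went backwards (counters reset or router rebooted)."""
    if len(prev) != len(curr):
        raise ValueError("rule list changed between snapshots")
    rates = []
    for old, new in zip(prev, curr):
        delta = new["bytes"] - old["bytes"]
        rates.append(None if delta < 0 else delta * 8 / seconds)
    return rates

def per_host(rules, rates):
    """Merge each host's two rules: src-address rule = sent, dst-address rule = received."""
    hosts = {}
    for rule, rate in zip(rules, rates):
        if rule.get("src-address"):
            hosts.setdefault(rule["src-address"], {})["tx_bps"] = rate
        elif rule.get("dst-address"):
            hosts.setdefault(rule["dst-address"], {})["rx_bps"] = rate
    return hosts

if __name__ == "__main__":
    prev, curr = parse_snapshot(PREV), parse_snapshot(CURR)
    print(per_host(curr, rule_rates(prev, curr, seconds=10)))
```
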