Traffic-flow
If you have demand to monitor traffic flow of routerboards interfaces or individual clients you probably already have some web server with database where you want to store and present collected informations to users. You can either let routerboard store statistical informations to it's memory and process data later or you can let you server periodically check routerboard status and collect and present traffic flow online.
Firewall filter rules
Monitoring traffic flow can be achieved by use list of firewall filter rules. For every row of the list system collect total handled bytes and packet count. But these columns is visible in WinBox but not accessible by command /ip firewall filter print where it get only limited informations. Even print terse don't print desired columns. There is another command get $i bytes which is capable to access bytes column. So we can get nearly all columns data from this table using get except column rate which can be calculated periodically from bytes entry.
To avoid conflicts between usual firewall rules and traffic measure rules we have to place measure rules before or others and set action for rules to passthrough. RouterOS manual clarify it's meaning: "passthrough - ignores this rule and goes on to the next one". So it could be used to monitoring purpose.
Here is example of some rules for monitoring host addresses, network interfaces and whole transfer.
[admin@router] /ip firewall filter> print terse 0 chain=forward action=passthrough src-address=192.168.1.44 1 chain=forward action=passthrough dst-address=192.168.1.44 2 chain=forward action=passthrough src-address=192.168.1.40 3 chain=forward action=passthrough dst-address=192.168.1.40 4 chain=forward action=passthrough in-interface=wds1 5 chain=forward action=passthrough out-interface=wds1 6 chain=forward action=passthrough 7 chain=forward action=passthrough in-interface=ether2 8 chain=forward action=passthrough out-interface=ether2
[admin@rt-hajda] /ip firewall filter> print stats Flags: X - disabled, I - invalid, D - dynamic # CHAIN ACTION BYTES PACKETS 0 forward passthrough 6605335067 5958062 1 forward passthrough 1332911936 4385621 2 forward passthrough 8458646 106952 3 forward passthrough 9727017306 11917874 4 forward passthrough 1456340499 1905917 5 forward passthrough 1608695014 1950044 6 forward passthrough 3169496735 4035085 7 forward passthrough 521424026 751904 8 forward passthrough 599551958 781589
But how to combine data from print terse and print stats?
Here is script for print per host traffic list in print terse fashion usable for next computer processing. You can decide which columns you want to view and to which name data will be associated in generated output.
[admin@router] /ip firewall filter> /ip firewall filter {:foreach i in=[find] do={:put ("src-address=".
[get $i src-address]." dst-address=".[get $i dst-address]." bytes=".[get $i bytes]);}}
src-address=192.168.1.44 dst-address= bytes=6605335067
src-address= dst-address=192.168.1.44 bytes=1332912434
src-address=192.168.1.40 dst-address= bytes=8577812
src-address= dst-address=192.168.1.40 bytes=9727501016
src-address= dst-address= bytes=1504575140
src-address= dst-address= bytes=1677568829
src-address= dst-address= bytes=3293582889
src-address= dst-address= bytes=596215986
src-address= dst-address= bytes=648857978
Two entry is needed for each host because we need measure transferred data in both directions.
For monitoring hosts you should add rules with dst-address or src-address. For monitoring interfaces add rules with in-interface or out-interface.
