IP Traffic Accounting

Document revision 22-Nov-2002
This document applies to the MikroTik RouterOS v2.6

Overview

The IP Traffic Accounting feature enables administrators to keep an accurate record of traffic passed through the router (even through the bridged interfaces) between IP level hosts. ISPs or network administrators can use this for traffic based billing or detailed monitoring of network activity. This feature generates simple traffic data. Additional utilities are required for useful analysis and calculation of the traffic data. Information on utilities and examples of scripts for collecting data are provided in this manual.

The MikroTik RouterOS supports:

Topics covered in this manual:

Installation

The Traffic Accounting feature is included in the 'system' package. No installation is needed for this feature.

Hardware Resource Usage

Depending on the maximum number (threshold) of IP pairs stored, additional RAM may need to be installed. Each IP pair uses approximately 100 bytes. The system uses a current table, which accounts for current data, and also keeps a snapshot table for retrieval. Therefore, the memory usage for the IP pairs can be calculated as number of IP pairs x 100 bytes x 2 (for the two tables). The default threshold of IP pairs is set to 256 (50KB). When using the default threshold setting of 256, no additional memory is suggested. For threshold settings higher than 6500 (1MB), memory usage estimates should be made, system resources should be monitored, and RAM should be increased accordingly. The maximum setting is 8192 IP pairs.

Traffic accounting setup

[admin@MikroTik] ip accounting> set enabled yes
[admin@MikroTik] ip accounting> print
    threshold: 256
      enabled: yes

Description of arguments:

enabled - Traffic accounting is disabled by default
threshold - The threshold setting sets the maximum number of IP pairs for the traffic accounting table – see Threshold settings for more information on the optimal settings. The default setting is for 256 IP pairs.

Traffic data description

Only IP traffic is accounted. As each packet passes through the router, the packet source and destination are matched to an IP pair in the accounting table and the traffic for that pair is increased. User data for PPP, PPTP, PPPoE and ISDN connections are accounted too. If no matching IP or user pair exists, a new entry will be created in the table. Both the number of packets and the number of bytes are accounted. Only packets that enter and leave the router are counted. Packets that are dropped in the router are not counted. Packets that are sent from the router itself are not counted – such as packets used for administration connections (i.e. web and telnet connections to the router). Packets that are masqueraded by the router will be accounted for with the actual IP addresses on each side. Packets that are going through bridged interfaces (i.e. inside the bridge interface) are also accounted correctly.

See Traffic Display and collection for a printout of a snapshot.

For example, a TCP connection between two computers with traffic going through the router will cause two IP pairs to be added to the traffic accounting table. One IP pair will have computer A as the source and computer B as the destination. Another IP pair will have computer B as the source and computer A as the destination.

Threshold settings

The threshold setting limits the maximum number of IP pairs in the accounting table. When the limit is reached, no new IP pairs will be added to the accounting table. Each packet that is not accounted for in the accounting table will then be added to the uncounted counter. To see if the limit on pairs has been reached, check the uncounted counter:

[MikroTik] ip accounting uncounted> print
    packets: 0
      bytes: 0

When a snapshot is made for data collection, the accounting table is cleared and new IP pairs and traffic data are added. The more frequently traffic data is collected, the less likely it is that the IP pairs threshold limit will be reached. It is suggested that traffic data be collected every 15 minutes.

Traffic data display and collection

The traffic data can be viewed from both the telnet/terminal console and WinBox. The traffic data can be collected manually or by using standard Unix/Linux utilities and MikroTik’s shareware MT_Syslog Daemon and Traffic Counter. This manual section will cover:

The traffic accounting system consists of a current accounting table and a snapshot image. When the snapshot image is made of the current accounting table, the current accounting table is cleared and starts accounting data anew. The snapshot image can be made in two ways.

An image of traffic data can be made manually by issuing the /ip accounting snapshot take command from the terminal/console or WinBox. The snapshot can then be viewed with the /ip accounting snapshot print command. On the telnet/terminal console, the traffic data will appear as follows:

[admin@MikroTik] ip accounting snapshot> print
  # SRC-ADDRESS     DST-ADDRESS     PACKETS    BYTES      SRC-USER   DST-USER
  0 10.0.0.4        159.148.147.198 6589       517850
  1 10.7.2.250      10.0.0.161      307403     19673792
  2 10.0.0.161      10.7.2.250      307403     19673792
  3 159.148.147.198 10.0.0.4        6589       680894
  4 10.0.0.99       159.148.147.194 213        12700

The web page report makes it possible to use the standard Unix/Linux tool wget to collect the traffic data and save it to a file. If the web report is enabled, the snapshot will be made when the wget (or standard browser) connection to the web page is initiated. The snapshot will then be displayed on the web page. The TCP protocol used by HTTP connections with the wget tool guarantees that none of the traffic data will be lost. Web browsers or wget should connect to the URL http://routerIP/accounting/ip.cgi

Note that ip.cgi uses a different value order: src-address, dst-address, bytes, packets, src-user, dst-user

[admin@MikroTik] ip accounting web-access> print
    accessible-via-web: yes
               address: 0.0.0.0/0
[admin@MikroTik] >

For security purposes, access to the web report can be limited to a single IP address or an IP subnet. The above example of address: 0.0.0.0/0 allows all IP hosts to access the web reports. With the setting address: 10.1.0.3/32, only IP host 10.1.0.3 is allowed to access the web reports.

A simple script can be run with crond and wget to periodically collect traffic data. Timestamps can be added to the traffic data file as well as other features.
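
A collector of the kind described above, shown as an added example rather than a MikroTik script. It assumes that ip.cgi returns one whitespace-separated record per line in the order noted earlier; the router address, log path, script path and function names are placeholders.

```shell
#!/bin/sh
# Added example, not MikroTik's script. Assumed: ip.cgi returns one record per
# line, whitespace-separated, in the order given in this manual:
#   src-address dst-address bytes packets src-user dst-user
# Run it from a host permitted by the web-access address setting.
ROUTER="${ROUTER:-192.0.2.1}"               # placeholder router address
OUT="${OUT:-/var/log/ip-accounting.log}"    # hypothetical log path

# stamp_records EPOCH: validate ip.cgi records on stdin and prefix each with
# EPOCH. Lines without numeric byte/packet counters are dropped; empty user
# fields are written as "-".
stamp_records() {
    awk -v ts="$1" '
        NF >= 4 && $3 ~ /^[0-9]+$/ && $4 ~ /^[0-9]+$/ {
            printf "%s %s %s %s %s %s %s\n", ts, $1, $2, $3, $4,
                   ($5 == "" ? "-" : $5), ($6 == "" ? "-" : $6)
        }'
}

# bytes_by_source: total bytes per source address over stamped records on stdin.
bytes_by_source() {
    awk '{ b[$2] += $4 } END { for (s in b) printf "%s %.0f\n", s, b[s] }' |
        LC_ALL=C sort
}

# collect: fetch one snapshot and append it, timestamped, to $OUT.
# A single attempt (-t 1) is used because each connection takes a new snapshot
# and clears the accounting table.
collect() {
    tmp=$(mktemp) || return 1
    if wget -q -t 1 -T 30 -O "$tmp" "http://$ROUTER/accounting/ip.cgi"; then
        stamp_records "$(date +%s)" < "$tmp" >> "$OUT"
    else
        echo "accounting fetch from $ROUTER failed" >&2
    fi
    rm -f "$tmp"
}

# crontab entry for the suggested 15-minute interval (script path hypothetical):
#   */15 * * * * /usr/local/bin/acct-collect.sh collect
case "${1:-}" in
    collect) collect ;;
esac
```

Running bytes_by_source over the accumulated log gives per-host totals for billing or for spotting unexpected traffic sources.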

MikroTik Download Utilities Page

Traffic data analysis

There are many tools and systems to analyze traffic data. Useful common tools are:

Additional Resources

Links for documentation:

http://www.gnu.org/manual/wget/
http://www.gnu.org/manual/grep-2.4/


© Copyright 1999-2002, MikroTik