NetFlow Analyzer is a program written in Java. It lets you quickly build "comprehensive panels" (dashboards) to monitor critical network segments. In my case, I needed to count the traffic passing through each port on a Mikrotik, with the ability to break it down by period (day/week/month). A dashboard is tailored to the tasks of a specific user and can consist of many widgets, each responsible for collecting information from a different device. Because NetFlow Analyzer is easy to use, you can quickly assess the current situation, see the current load on critical parts of your network, and examine performance metrics without wasting time searching through and reading disparate reports. The NetFlow Analyzer package includes more than fifty "widgets".

There should be no difficulties installing this product. For the test, Windows 7 x64 was used and a JRE of the same bitness was installed. After successful installation, go to: http://localhost:8080/netflow/jspui/dashBoard.do
By default these ports are used:
web: 8080
NetFlow: 9996

SNMP Community: public
SNMP: 161

Now let's move on to setting up Mikrotik:
Go to IP -> Traffic Flow and set the settings as in the example, changing the destination address to the one you need.

Check the Enabled box to turn Traffic Flow on.
Interfaces - the names of the interfaces on which traffic statistics will be collected. Several can be specified.
cache-entries (128k | 16k | 1k | 256k | 2k | ... ; default: 4k) - the number of flows that can simultaneously reside in the router's memory.
active-flow-timeout (default: 30 min.) - maximum lifetime of a flow.
inactive-flow-timeout (default: 15 sec) - how long to keep a flow if it is inactive. If no packet for the flow is seen within this timeout, the next packet of that connection is treated as a new flow. If the timeout is too short, a large number of flows may be created and the buffer may overflow.
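To make the effect of these three settings concrete, here is an added example (not code from the article or from RouterOS) that models the router's flow cache: flows are keyed by the 5-tuple, expired when idle longer than inactive-flow-timeout or alive longer than active-flow-timeout, and refused when the cache is full. The packet traces, addresses and the behaviour on overflow (simply counting the unaccounted packet) are constructed assumptions for illustration; timeouts are in seconds.

```python
# Added example, not part of the original article: a minimal model of the router's
# flow cache showing what cache-entries, active-flow-timeout and inactive-flow-timeout
# do to the number of flows exported. Packets and timeouts are constructed sample
# values; timeouts are in seconds.
from collections import namedtuple

Packet = namedtuple("Packet", "ts src dst sport dport proto length")
Flow = namedtuple("Flow", "key first last packets octets")


class FlowCache:
    def __init__(self, active_timeout, inactive_timeout, cache_entries):
        self.active_timeout = active_timeout
        self.inactive_timeout = inactive_timeout
        self.cache_entries = cache_entries
        self.flows = {}       # key -> Flow currently resident in "router memory"
        self.exported = []    # flows already handed to the collector
        self.dropped = 0      # packets that arrived while the cache was full (assumed behaviour)

    def _expire(self, now):
        # Idle longer than inactive-flow-timeout, or alive longer than
        # active-flow-timeout: the flow is exported and its slot freed.
        for key, f in list(self.flows.items()):
            if now - f.last >= self.inactive_timeout or now - f.first >= self.active_timeout:
                self.exported.append(self.flows.pop(key))

    def feed(self, pkt):
        self._expire(pkt.ts)
        key = (pkt.src, pkt.dst, pkt.sport, pkt.dport, pkt.proto)
        f = self.flows.get(key)
        if f is None:
            if len(self.flows) >= self.cache_entries:
                self.dropped += 1   # overflow: this packet is not accounted for
                return
            f = Flow(key, pkt.ts, pkt.ts, 0, 0)
        self.flows[key] = f._replace(last=pkt.ts, packets=f.packets + 1,
                                     octets=f.octets + pkt.length)

    def flush(self, now):
        # Export everything still resident (what the collector sees at the end).
        self._expire(now)
        self.exported.extend(self.flows.values())
        self.flows.clear()
        return self.exported


def run(packets, active_timeout, inactive_timeout, cache_entries=4096):
    """Return (number of exported flows, number of dropped packets)."""
    cache = FlowCache(active_timeout, inactive_timeout, cache_entries)
    for p in packets:
        cache.feed(p)
    exported = cache.flush(packets[-1].ts + 1)
    return len(exported), cache.dropped


def sample_trace():
    # One TCP connection sending a 1500-byte packet every 5 s for one minute (constructed).
    return [Packet(ts, "192.168.88.10", "203.0.113.20", 51514, 443, 6, 1500)
            for ts in range(0, 61, 5)]


def burst_trace(n):
    # n different connections all starting in the same second (constructed).
    return [Packet(0, "192.168.88.10", "203.0.113.20", 50000 + i, 443, 6, 100)
            for i in range(n)]


if __name__ == "__main__":
    print(run(sample_trace(), 1800, 15))                   # (1, 0): one flow for the whole minute
    print(run(sample_trace(), 1800, 2))                    # (13, 0): every packet becomes its own flow
    print(run(sample_trace(), 30, 15))                     # (3, 0): long connection split every 30 s
    print(run(burst_trace(6), 1800, 15, cache_entries=4))  # (4, 2): cache overflow
```

The second run is the situation the text warns about: with an inactive timeout shorter than the gap between packets, one connection turns into thirteen exported flows, which is what fills the cache and the collector's tables.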

In the Targets window:
address (IP:port) - IP address and UDP port of the host that receives the flow packets from the router.
v9-template-refresh (default: 20) - number of packets after which the template is re-sent to the receiving host (NetFlow version 9 only).
v9-template-timeout (default: 1800) - time after which the template is re-sent if it has not been sent in the meantime (NetFlow version 9 only).
version (default: 9) - which version of NetFlow to use.
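The two template settings exist because a NetFlow v9 data record is just a byte string whose layout is defined by a template sent separately; a collector that has not yet received the template (for example, one restarted between refreshes) cannot decode the data it receives. The following added example (not the article's or NetFlow Analyzer's code) builds a constructed v9 export with a template FlowSet and a data FlowSet, decodes it, and sums bytes per input interface, which is the per-port accounting the article is after. The field set, template id 256 and the sample flows are assumptions; the header and FlowSet layout follow RFC 3954.

```python
# Added example, not from the original article: a small NetFlow v9 decoder plus a
# packet builder so that it runs offline on constructed input.
import struct
import socket
from collections import defaultdict

# Standard v9 field types (RFC 3954) used by the constructed template
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "src_port",
               8: "src_addr", 10: "input_snmp", 11: "dst_port", 12: "dst_addr"}


class NetflowV9Decoder:
    def __init__(self):
        self.templates = {}    # (source_id, template_id) -> [(field_type, length), ...]
        self.undecodable = 0   # data FlowSets seen before their template arrived

    def decode_packet(self, data):
        version, count, uptime, unix_secs, seq, source_id = struct.unpack("!HHIIII", data[:20])
        if version != 9:
            raise ValueError("not a NetFlow v9 packet")
        records, offset = [], 20
        while offset + 4 <= len(data):
            fs_id, fs_len = struct.unpack("!HH", data[offset:offset + 4])
            if fs_len < 4 or offset + fs_len > len(data):
                raise ValueError("bad FlowSet length")
            body = data[offset + 4:offset + fs_len]
            if fs_id == 0:                       # template FlowSet
                self._parse_templates(source_id, body)
            elif fs_id > 255:                    # data FlowSet, id == template id
                tmpl = self.templates.get((source_id, fs_id))
                if tmpl is None:
                    self.undecodable += 1        # must wait for the next template refresh
                else:
                    records.extend(self._parse_data(tmpl, body))
            # fs_id 1 (options template) and 2..255 (reserved) are skipped here
            offset += fs_len
        return records

    def _parse_templates(self, source_id, body):
        off = 0
        while off + 4 <= len(body):
            tid, nfields = struct.unpack("!HH", body[off:off + 4]); off += 4
            fields = [struct.unpack("!HH", body[off + 4 * i:off + 4 * i + 4]) for i in range(nfields)]
            off += 4 * nfields
            self.templates[(source_id, tid)] = fields

    def _parse_data(self, tmpl, body):
        rec_len = sum(flen for _, flen in tmpl)
        out, off = [], 0
        while off + rec_len <= len(body):        # leftover bytes are 4-byte padding
            rec = {}
            for ftype, flen in tmpl:
                raw = body[off:off + flen]; off += flen
                name = FIELD_NAMES.get(ftype, f"field_{ftype}")
                rec[name] = socket.inet_ntoa(raw) if ftype in (8, 12) and flen == 4 else int.from_bytes(raw, "big")
            out.append(rec)
        return out


# ---- constructed exporter side -------------------------------------------------
TEMPLATE_ID = 256                                 # assumed template id
TEMPLATE_FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (10, 2), (1, 4), (2, 4)]


def _header(count, seq, source_id=1):
    return struct.pack("!HHIIII", 9, count, 123456, 1700000000, seq, source_id)


def build_template_packet(seq):
    body = struct.pack("!HH", TEMPLATE_ID, len(TEMPLATE_FIELDS))
    body += b"".join(struct.pack("!HH", t, l) for t, l in TEMPLATE_FIELDS)
    return _header(1, seq) + struct.pack("!HH", 0, 4 + len(body)) + body


def build_data_packet(seq, flows):
    body = b""
    for src, dst, sport, dport, proto, ifindex, nbytes, npkts in flows:
        body += socket.inet_aton(src) + socket.inet_aton(dst)
        body += struct.pack("!HHBHII", sport, dport, proto, ifindex, nbytes, npkts)
    body += b"\x00" * ((-len(body)) % 4)          # pad FlowSet to a 4-byte boundary
    return _header(len(flows), seq) + struct.pack("!HH", TEMPLATE_ID, 4 + len(body)) + body


def bytes_per_interface(records):
    totals = defaultdict(int)
    for r in records:
        totals[r["input_snmp"]] += r["in_bytes"]
    return dict(totals)


SAMPLE_FLOWS = [  # constructed: (src, dst, sport, dport, proto, ifindex, bytes, pkts)
    ("192.168.88.10", "203.0.113.20", 51514, 443, 6, 2, 150000, 120),
    ("192.168.88.11", "198.51.100.1", 40000, 53, 17, 2, 300, 2),
    ("10.0.0.5", "192.168.88.10", 443, 51514, 6, 1, 900000, 700),
]


def demo():
    """Data before the template is unusable; after the template it decodes."""
    dec = NetflowV9Decoder()
    early = dec.decode_packet(build_data_packet(1, SAMPLE_FLOWS))   # no template yet
    dec.decode_packet(build_template_packet(2))
    later = dec.decode_packet(build_data_packet(3, SAMPLE_FLOWS))
    return early, later, dec.undecodable
```

Running `demo()` returns an empty record list for the first data packet and three decoded records for the second; `bytes_per_interface` on those records gives the byte count per ifIndex, which is exactly why a short v9-template-refresh matters when the collector restarts.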

To configure from a terminal, you need to run the following commands:

# Enable traffic-flow
/ip traffic-flow set enabled=yes

# Check
/ip traffic-flow print
enabled: yes
interfaces: all
cache-entries: 4k
active-flow-timeout: 1m
inactive-flow-timeout: 15s

# Specify the IP address and port of the host that will receive the flow packets
/ip traffic-flow target add dst-address=10.10.1.3 port=9996 version=9

Enable SNMP:
IP -> SNMP

After re-entering the NetFlow Analyzer menu you should see something like this:

If the Mikrotik ports are not displayed, or are displayed incorrectly, go to Devices -> Set SNMP.
In the window that opens, select the required device and check that the SNMP Community and port are correct. Then set Interface Name to ifName and check the "also retrieve the router name" checkbox. After the update everything should display correctly.

If nothing starts at all, check that the port configured on Mikrotik matches the port the collector is listening on:
Admin -> Server settings

NetFlow/sFlow Listener Port - port on which flows from devices are received.
WebServer Port - web interface port.
Count Of Top Records to Store - the maximum number of rows displayed in data tables.

If NetFlow Analyzer does not see ethernet ports that are joined in a bridge, enter:

/interface bridge settings set use-ip-firewall=yes

This makes bridged traffic pass through the IP firewall, so it becomes visible to Traffic Flow accounting.

That's all. I hope this material helped you in setting up. If you have any questions, write in the comments.

MikroTik - past articles:
- part 1 - MikroTik - What kind of animal is this?
- part 2 - MikroTik - Installation
- part 3 - MikroTik - Initial setup
- part 4 - MikroTik - Lists and groups of addresses
- part 5 - MikroTik - Two providers - load balancing
- part 6 - MikroTik - Two providers - channel distribution
- part 7 - MikroTik - Winbox & Console
- part 8 - MikroTik - Bandwidth / Simple limitation
- part 9 - MikroTik - Bandwidth - Individual rules

With my mini review I want to tell you about one software product that is very helpful in traffic analysis. Yes, the product is commercial, but in my opinion it is worth it.


Using NetFlow Analyzer, it is possible to independently construct functional “dashboards” suitable for monitoring the most important sections of the network infrastructure. Each such panel is created taking into account the specific role of an individual administrator and can consist of numerous elements (widgets) responsible for retrieving information from various sources.

With NetFlow Analyzer's visual dashboards, you can assess your current situation at a glance, gain insight into the current load on different parts of your network, and examine performance metrics without wasting time searching and reviewing disparate reports. NetFlow Analyzer comes with over fifty “widgets” included.

Something like this :)

Let's start from the very beginning, i.e. installation and initial setup.

Installing NetFlow Analyzer.

Let's launch.


All components are placed in one folder, so you can choose any one if you wish.


Also during installation, the ports on which the services will operate are requested. Web interface port and the port to which NetFlow packets will be received.


We indicate that it should be launched as a service.

Specify registration information


Upon completion of installation, the browser is launched, which takes you to the authorization page, by default the user is admin, the password is admin.

Setting up Mikrotik.

Or, the same thing from the console:

/ip traffic-flow set enabled=yes

/ip traffic-flow target add address=192.168.1.78:9996 version=9

The first command enables the service; the second specifies the receiving host, port and protocol version.

Initial setup of NetFlow Analyzer.

Now let's go into NetFlow Analyzer and see what we got.

The first thing we get to is the list of interfaces that are being monitored, in this example, interfaces named IfIndex* are incoming connections via vpn, comgate* and vcraft* interfaces are providers, local is a local network interface.


If something doesn’t work out, then it makes sense to check the correspondence between the ports on which the analyzer listens and the port specified in Mikrotik.

Let's go to the Admin Operations, Product Settings section.


Server Settings - Server settings.

NetFlow/sFlow Listener Port - port to which streams from devices are received.

WebServer Port - web interface port.

Count Of Top Records to Store - the maximum number of rows displayed in data tables.

DNS Settings - Settings for determining DNS names.

Resolve only when "Resolve DNS" link is clicked - resolve names only when the "Resolve DNS" link is clicked (selected by default).

Resolve DNS names automatically by default - resolve names automatically (slows the interface down).

Resolved DNS count in cache - DNS cache size.

User defined DNS names - Here you can set static DNS records.

Probably the second place you should look in the settings is the settings for sending mail.

Click on Test Mail.

DashBoard.

As mentioned at the very beginning, an interesting feature is DashBoard, which exists in some initial state.

But the administrator can create a panel with widgets “for himself”. For example, do something like this (no need to delve too deeply into the meaning :-) I just pulled out the maximum possible widgets)

Here and there, or who goes where and what they download.

Let's return to the interfaces tab and look at the statistics for one specific one.

The Application tab displays information by traffic type.

Click on a specific line and we get detailed information. For example, information on http traffic.

You can reduce the output results to (for example) 10 and convert ip to names (this does not always help).

You can also request a detailed schedule of each connection.

In the Source tab we get a report on traffic sources, and by selecting a specific element we get details on it.

We will analyze utilities for troubleshooting in MikroTik networks, such as torch, ip scan, romon, bandwidth test and others.

In this article we will talk about what to use for network troubleshooting on MikroTik equipment. We will talk about the following tools:

  • Torch
  • IP scan
  • Sniffer
  • Cable test
  • RoMON
  • Bandwidth Test
  • Traffic Monitor

Surely you have already used many of them, but I will try to tell you some interesting things that may help you in your work. In any case, in our IT outsourcing practice we use them regularly.

Torch

This tool is used to monitor traffic in real time, both all traffic and through a specific interface.

Available in WinBox, the CLI and WebFig. Located at /tool torch.

Also, in addition to the standard location, torch can be opened through Simple Queue and in the interface settings.

I would like to note that torch sees the DSCP and VLAN ID tags.

From the CLI, torch has some additional options: for example, it can be run for a set time with the duration parameter, and the data update interval can be set with the freeze-frame-interval parameter.

IP SCAN

The next very useful tool that I always use in my work is ip scan.

It is located at /tool ip-scan. With it you can quickly scan the network and get a rough idea of what is on it; it also lets you immediately spot duplicate IP addresses.

If DNS servers are configured on the Mikrotik, names are filled in in the corresponding field. The latency is conveniently shown in the Time(ms) column. It is also available in the CLI.

Sniffer

Sniffer is a tool that captures and analyzes packets that leave or pass through the router. It is located in /tool sniffer and is also available in the CLI. The capture can be saved to a file, streamed to a remote host (for example, to Wireshark), or viewed in real time.

On the General tab:

  • Memory Limit – how much RAM the sniffer may use
  • File Name – dump file name
  • File Limit – maximum dump file size
  • Only Headers checkbox – capture only packet headers
  • memory-scroll – whether to overwrite old data when the memory limit is reached

On the Streaming tab we turn it on and indicate the server to which it will be sent.

On the Filter tab we set filtering parameters. After the start, you can click on the “Packets” button and see the results.

Cable test

Another useful tool in Mikrotik is cable test. It is available in the interface settings; it helps determine the distance to a break in the cable (and the cable length).

In my example I cut one pair at a distance of approximately 50 cm. The measurement is not exact: expect an error of a couple of meters either way.

RoMON

RoMON is a utility for accessing MikroTik devices that are in the same L2 segment as an edge device to which we have direct access. Located in /tool RoMON, it helps with remote administration.

This tool is convenient when, for some reason, we do not want to use the CLI (MAC Telnet) to configure new devices behind the router and want to do everything through WinBox.

To use this function, we need to enable it both on the router to which we have access and on the devices behind it (via MAC Telnet). It is enabled in /tool RoMON.

BandwidthTest

  • A tool that allows you to evaluate the connection speed with a remote server
  • Available in winbox, cli, webfig
  • There is a client and a server
  • Possibly used in various scripts

There is a separate utility for Windows. There are public servers that you can use. https://forum.mikrotik.com/viewtopic.php?t=104266

It is very convenient to measure speed with this tool. It is worth warning, though, that if you have high-speed connections and a not very powerful device (SMIPS), running the test can load the CPU to 100% and you can temporarily lose access to the device.

TrafficMonitor

And the last tool we will talk about is Traffic Monitor. It is used to execute console scripts when interface traffic crosses a given threshold. It is located at /tool traffic-monitor.

It can be compared to the Netwatch utility, which performs actions depending on whether a certain host is reachable. One example of its use: send an e-mail notification if the channel has been at 95% load for 5 minutes; there are many other options, and plenty of examples on the Internet.

That's all for today.

Very often, company managers ask to provide statistics on website visits by their employees. This issue can be easily resolved if you have a developed IT infrastructure, by installing an additional proxy server and organizing statistics collection on it. But what should companies do that do not have or are not ready to inflate their infrastructure with “another unit” of equipment? In this article we will show an example of using the power of only one mikrotik router to solve the problem of collecting visit statistics. We suggest generating reports using a small utility for Windows - WebProxy-Log.

Next steps:
- Open your Mikrotik in Winbox.
- Go to IP => Web Proxy.
- General tab.
- Check the Enabled box.
- Port: 8080.
- Cache Administrator: webmaster.
- Max. Cache Size: unlimited.
- Max Cache Object Size: 2048.
- Check the Cache On Disk box.
- Max. Client Connections: 600.
- Max. Server Connections: 600.
- Max Fresh Time: leave 3d 00:00:00.
- Cache Hit DSCP (TOS): leave 4.
- Cache Path: primary-master.

Click OK.
- Next, go to System => Logging.
- Action tab.
- Click on +.
- Name: change to WebProxyLog.
- Type: change to remote.
- Remote Address: the address of the computer on which WebProxy-Log is installed.
- Remote Port: leave 514 (UDP port).
- Click OK.



After which our setting will be reflected in the Action tab.


Go to the Rules tab

Click on +.
- Topics: select web-proxy.
- Prefix: write Proxy.
- Action: select WebProxyLog.
- Click OK.


Since Mikrotik writes a lot of log entries that we do not need, we will add an exception: add a rule whose topic is web-proxy,!debug (the ! sign excludes a topic).
After which our settings will be reflected in the Rules tab.


Now open New Terminal and write a rule for NAT:
/ip firewall nat
add action=redirect chain=dstnat comment="Redirect port 80 request to Web Proxy" disabled=no dst-port=80 protocol=tcp to-ports=8080
- Forward UDP port 514 to the computer running WebProxy-Log:
add chain=dstnat protocol=udp dst-port=514 action=dst-nat to-addresses=192.168.0.200 to-ports=514

Mikrotik setup is complete.
- Download the WebProxy-Log program.
https://code.google.com/p/webproxy-log/
- Install and launch the program.
- In the General settings window, specify the IP address: 192.168.0.200 (computer address).
- UDP Port: specify 514.
- Buffer: specify 400.
- Write log to: Specify the path to the directory where the log file will be located.
- Import from: Specify the path to the directory from which the log file will be imported.
- My paths:
D:\Documents and Settings\god\Desktop\
D:\Documents and Settings\god\Desktop\New Folder
- DB location: we leave this path by default.
- Check the box for Use insecure import.
- Check the box for Optimize database after log import.
- Click Apply.



Select the IP address in Select user:
- Select the date from which to which in the Select date range:
- Click the Generate button.

We get statistics as shown below:
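For readers who would rather see how such statistics come out of the log stream itself, here is an added example (not the article's or WebProxy-Log's code) that parses remote web-proxy log lines and aggregates allowed requests per client address and destination host. The line shape (the "Proxy" prefix configured above, the web-proxy,account topic, then client, method, URL, action and cache result) and the six log lines are constructed assumptions; check them against what your RouterOS version actually sends before relying on the regex.

```python
# Added example, not from the original article: per-user visit statistics from
# constructed RouterOS web-proxy remote log lines.
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed line layout: "<prefix> web-proxy,account <client-ip> <METHOD> <url> action=<a> cache=<c>"
LINE_RE = re.compile(
    r"^(?P<prefix>\S+)\s+web-proxy,account\s+(?P<client>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+action=(?P<action>\w+)\s+cache=(?P<cache>\w+)"
)

SAMPLE_LOG = """\
Proxy web-proxy,account 192.168.0.15 GET http://example.com/index.html action=allow cache=MISS
Proxy web-proxy,account 192.168.0.15 GET http://example.com/logo.png action=allow cache=HIT
Proxy web-proxy,account 192.168.0.22 GET http://news.example.org/ action=allow cache=MISS
Proxy web-proxy,account 192.168.0.15 CONNECT updates.example.net:443 action=allow cache=MISS
Proxy web-proxy,account 192.168.0.22 GET http://blocked.example.net/ action=deny cache=MISS
Proxy web-proxy,debug 192.168.0.22 noise that a web-proxy,!debug rule would not send
"""  # constructed sample, not real device output


def parse_line(line):
    """Return a dict for an accounting line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    url = rec["url"]
    # CONNECT (HTTPS) requests carry host:port instead of a full URL
    rec["host"] = url.rsplit(":", 1)[0] if rec["method"] == "CONNECT" else urlsplit(url).hostname
    return rec


def visits_per_user(text):
    """Map client IP -> {host: allowed request count}; also count unparsed lines."""
    stats = defaultdict(lambda: defaultdict(int))
    skipped = 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1          # debug noise or a line the regex does not understand
            continue
        if rec["action"] != "allow":
            continue              # denied requests are not "visits"
        stats[rec["client"]][rec["host"]] += 1
    return {client: dict(hosts) for client, hosts in stats.items()}, skipped


if __name__ == "__main__":
    report, skipped = visits_per_user(SAMPLE_LOG)
    for client, hosts in sorted(report.items()):
        for host, n in sorted(hosts.items(), key=lambda kv: -kv[1]):
            print(f"{client:15} {host:25} {n}")
    print(f"{skipped} line(s) not parsed")
```

The `skipped` counter is worth watching in practice: if it climbs, either the debug-exclusion rule is missing or the device's message format differs from the assumed one, and the report is silently undercounting.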
