Hello
I am looking at IP accounting as a way to collect data.
I made a VB app that can insert into database, this is working well.
My questions are
Is IP accouting Accurate?
Why is max threshold in Manual (3.0) 8192? (I get this in less than 5 minutes)
I set max threshold to 99999 and it still seems to work
I got 27,000 rows in 10 mins
Router goes 100% CPU for 30 seconds during query but does not seem to affect traffic flow.
Thanks for any comments
Probably you can go with more advanced Traffic-Flow ?
http://www.mikrotik.com/testdocs/ros/2.9/ip/traffic-flow.php
I thought about that but IP accounting seemed to do the trick & I have the program for it already written
Is it accurate?
Thanks
I had a look at netflow again.
I really think I would rather use ip accounting (unless is problem)
With IP accounting I just grab the webpage and extract what I want when I want into sql.
With netflow its sending all the time to file on server, to much information.
Has anyone got ip accounting on a large network?
Any gotcha’s I need to know about?
Bump
I recently started using IP Traffic Accounting on ROS 4.6 myself. Every 5 minutes an application will get the snapshot from the RB and store it into a database. The Traffic Accounting Threshold is set to 262144 (25MB at 100 bytes per pair). It never gets close to the 262144 limit and is usually around 1000 pairs for every 5 minutes.
However I’m beginning to doubt whether all traffic is correctly accounted for.
I downloaded a large file on one of our servers yesterday from the Internet, yet when I look at the database there is hardly any data allocated to that server. It seems to have missed it completely.
Our setup is as follows:
RB1000 dials 3-4 PPPOE connections, and is connected to the company LAN via ethernet. The RB1000 is also running a transparent web proxy. The machines on the network have the RB as their default gateway and default dns, and the RB decides which PPPOE connection to use with mangling.
According to http://www.mikrotik.com/testdocs/ros/3.0/aaa/accounting.php:
Only the packets that enter and leave the router are accounted. Packets that are dropped in the router are not counted. Packets that are NATted on the router will be accounted for with the actual IP addresses on each side. Packets that are going through bridged interfaces (i.e. inside the bridge interface) are also counted correctly.
I have not been able to find anything with regards to IP accounting for v4 on the Wiki. Can somebody please post a link?
If this is true then I don’t see why the download above would have been missed.
Thanks in advance!
I tested my theory that not all data is being correctly accounted while downloading a large file. The file download was completely missed by IP Accounting. I would have been convinced that IP accounting only tracks http traffic, but I have seen that our email server is also scoring high on bandwidth usage. I can only come to the conclusion that only certain ports are monitored… Can I get a list of which ports? And what would I have to do monitor all ports?
Bump
Can anybody help me with the IP accounting questions above?
IP accounting is exactly what it says, it accounts the IP traffic. It is not effected by ports or protocols. It simply tells you how much traffic was done from this IP to that IP(bytes and packets)
Nutcracker I am not entirely sure what your intention was with your answer. I am stating that certain traffic is missed by the IP accounting function (IP to IP traffic) of the Mikrotik.
From IP accounting documentation,
all IP traffic passing the router is accounted; local traffic acocunting is an option.
Maybe there is something specific in your configuration.
Do you have any bridge in your setup?
Hi Sergejs,
My setup is detailed in the first post. I do not have a bridge enabled. The RB is dialing 3 or 4 PPPOE connections, its firewall, NAT and Mangle settings are used to determine which PPPOE connection should be used. It is also running a web proxy.
My original request was just for more information, or for possible reasons why the RB could be ‘missing’ data.
Essentially all internet traffic comes into the routerboard on ether1, through the web proxy, then it goes out either via ether4 to an ADSL router, or ether5 to a different ADSL router, or ether1 to a third and final ADSL router. Finally it comes back from wherever and out ether1.
I have Accounting enabled on CCR1009. Threshold 2048, snapshot downloaded by web every 15 secs. So huge margin, but anyway Uncounted is being monitored manually from time to time and always equals zero.
I cannot disagree: generally it counts something, but it is far from calling it accurate.
Tested on downloading large files (>500MB, including 2,5GB) and they are just missing. I checked raw data, recalculated in Excel and this traffic is just not counted. Interface/Firewall counters are including this traffic, but Accounting not.
What am I doing wrong?
edit: I can see this traffic in Dude server working on the same router too!
You could add a filter rule to accept connection from specific IP (src or dst) and make a api call to router to get information on bytes transferred. Just a thought.
Please Can u give me a detailed example about this ?
Thx.
From a very simple test I did, I saw IP Accounting is NOT accurate.
I took a router and setup 1 static IP for my laptop. It was the only device on the network. I turned on accounting and then downloaded a 10MB file. After accumulating and studying several snapshots, The accounted traffic to my laptop never even got close to 10MB.
This failed test does not agree with the description on the Wiki of every packet being recorded. Is this a known bug of RouterOS, or am I misunderstanding something?
Unfortunately this was proved many times before. Easier you can reset FW counters and you will see that those counters do not overlap accounting data.
On this test setup, did you use fasttrack? It bypasses accounting, and will result in inaccurate reporting of the last.
https://wiki.mikrotik.com/wiki/Manual:IP/Fasttrack#Description