Monitoring via Traffic Flow... discern between IPs?

So I think I’ve got this up and running. I enabled SNMP and Traffic flow and set up a Traffic Flow Target and configured PRTG to interpret the data… and it seems to be working, but anytime I do a download to test, what I see is kind of… well, kind of useless.

I see a valid source IP from the Internet (let’s say Netflix) and I see Destination IP as my network’s WAN public IP address… regardless of which device on the network is receiving that traffic.

Then (way) further down the list, I see the reverse connection with the proper LAN device showing but now we’re logging a tiny bit of data.

I’m not saying it isn’t correct. It makes sense. The LAN computer sends a bit of data to Netflix to say “I want that” and then Netflix blasts a bunch of data to the public IP.

But for auditing purposes, what the hell good is that? I can see what outside services are being used, but I can’t tell who is using them!

If I’m using the wrong tool here then please enlighten me. Someone on my network is killing me on my data cap and I need to figure out what device(s) are responsible and what they are doing.

I was just typing up a message similar to yours. I’m using nfsen/nfdump and I also tried ntopng/nprobe. I’m observing the same as you: there is no way to tell which local IP address is getting all this traffic. I’m looking forward to someone commenting on whether this could be configured at all.

Similar (unanswered) post: http://forum.mikrotik.com/t/ip-traffic-flow-on-lan/101068/1

This is the reply I got from MikroTik support:

Sergejs [MikroTik Support]
Hello,

Yes, the issue is caused by fasttrack.
We will release a fix for fast-track in 6.37.2, and the issue with the statistic will be fixed there.

Interesting. Thanks.