I have purchased a CCR1036 specifically for connecting to an upstream provider and need to capture netflow data in order to be able to account for customer data usage. Now I am testing and find that netflow is broken.
Hardware is a CCR1036-12G-4S. When first installed I had version 6.12 of the firmware, now I have also tested with version 6.13. Under test conditions the router is passing less than 10 Mbit/sec and there is no problem with system load.
I am finding that netflow output is both intermittent (i.e. sometimes reports nothing at all) and results in values maybe one tenth of the expected throughput when it is running. At this level of operation I can't use it.
My existing netflow collectors are based on fprobe running on Linux sending to pmacct, which works for me so far.
The ip traffic-flow setup is so simple I can't see where it can be done wrong. Here is the setup:
Curiously, captures of the UDP port 2100 packets show data gets sent in chunks at between 4 and 5 minute intervals (when they get sent at all), while my fprobe collector sends netflow data nearly continuously.
I have 6 CCR1036-8G-2S+
I was running them all on 6.12 and had netflow to nfsen on a Linux box. When I went to 6.13 I saw a massive reduction in what was being captured.
I'm using version 9.
Seems like it captures the big streams, not the small ones. When I monitor, it looks like it is capturing them, just not sending them.
Hi, could you post the fprobe configuration necessary to collect netflow from Mikrotik? I wish to use it to send to nmapng without having to pay for nprobe.
First off, I need to say that RouterOS traffic-flow was fixed after I raised the issue. Last time I checked, netflow data was coming through well enough to be useful.
I need to correct my sentence above, where I said I used fprobe as a collector, which is not correct if you use the netflow jargon strictly. Fprobe is a netflow probe only. The only configuration of fprobe is command line switches. Fprobe is only useful to you if you are running a Linux OS (Redhat, Debian etc.) router. RouterOS has its own netflow probe (which earlier wasn’t working, hence my complaint) and there is no way to use fprobe on a device running RouterOS.
I use pmacct in netflow mode as the collector. There is no always-correct way of using pmacct as it can save data in several ways, including saving direct to databases. I happen to use it with the Memory buffer and dump the total every five minutes for use with graphing etc. like this:
aggregate[kcin]: dst_host
aggregate[kcout]: src_host
aggregate_filter[kcin]: dst net 10.14.10.0/24 or dst net 10.27.21.0/24
aggregate_filter[kcout]: src net 10.14.10.0/24 or src net 10.27.21.0/24
imt_path[kcin]: /var/run/pmacct/kcin.pipe
imt_path[kcout]: /var/run/pmacct/kcout.pipe
etc. for various customer addresses.
I don’t know what nmapng is and how it integrates with netflow.
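For checking the symptoms reported in this thread (exports arriving in bursts, byte totals far below real throughput), here is an added example, not code from any poster or from MikroTik or pmacct. It decodes NetFlow v9 export packets as laid out in RFC 3954 and totals IN_BYTES per destination, so the result can be compared with interface counters. The function names and the sample packet are constructed for illustration; feeding it UDP payloads from a capture or socket is left to the reader.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

IN_BYTES, IPV4_DST_ADDR = 1, 12  # field type numbers from RFC 3954

def parse_v9(packet, templates):
    """Decode one v9 export packet; `templates` (id -> fields) persists across calls."""
    version, _count, _uptime, secs, seq, _src = struct.unpack_from("!HHIIII", packet, 0)
    if version != 9:
        raise ValueError("not NetFlow v9")
    records, pos = [], 20
    while pos + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, pos)
        if fs_len < 4 or pos + fs_len > len(packet):
            raise ValueError("bad flowset length")
        body = packet[pos + 4:pos + fs_len]
        if fs_id == 0:  # template flowset: (template_id, field_count, fields...)
            off = 0
            while off + 4 <= len(body):
                tid, n = struct.unpack_from("!HH", body, off)
                if tid < 256 or off + 4 + 4 * n > len(body):
                    break  # trailing padding or truncated template
                templates[tid] = [struct.unpack_from("!HH", body, off + 4 + 4 * i) for i in range(n)]
                off += 4 + 4 * n
        elif fs_id in templates:  # data flowset; skipped until its template has been seen
            fields, off = templates[fs_id], 0
            rec_len = sum(flen for _, flen in fields)
            while rec_len and off + rec_len <= len(body):
                rec = {}
                for ftype, flen in fields:
                    rec[ftype], off = body[off:off + flen], off + flen
                records.append(rec)
        pos += fs_len
    # A gap in `sequence` between consecutive packets means export packets were lost.
    return {"sequence": seq, "unix_secs": secs}, records

def bytes_by_dst(records):
    """Sum IN_BYTES per IPv4 destination, comparable to pmacct's aggregate: dst_host."""
    totals = defaultdict(int)
    for rec in records:
        if IN_BYTES in rec and IPV4_DST_ADDR in rec:
            totals[str(IPv4Address(rec[IPV4_DST_ADDR]))] += int.from_bytes(rec[IN_BYTES], "big")
    return dict(totals)

def sample_packet():  # constructed: template 256 (dst addr, bytes) and two flows
    tmpl = struct.pack("!HHHHHHHH", 0, 16, 256, 2, IPV4_DST_ADDR, 4, IN_BYTES, 4)
    flows = b"".join(IPv4Address("10.14.10.5").packed + struct.pack("!I", n) for n in (1500, 500))
    data = struct.pack("!HH", 256, 4 + len(flows)) + flows
    return struct.pack("!HHIIII", 9, 3, 0, 0, 1, 0) + tmpl + data
```

Keep one `templates` dict per exporter for the life of the collector, since v9 data flowsets cannot be decoded until the matching template has arrived.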