I have a MikroTik router with a computer behind it.
As a test, I use the computer to upload a 6 MB file.
The MikroTik router is configured with Traffic Flow in v9 mode to send flows to our server.
Running on RouterOS 6.46.4, this is the flow info for the upload (non-mac-address fields excluded):
iana:destinationMacAddress: 64:D1:54:18:13:CD (MikroTik Router’s MAC)
iana:sourceMacAddress: 00:0C:29:EF:AF:4D (Computer’s MAC)
iana:postSourceMacAddress: 64:D1:54:18:13:CB (MikroTik Router’s MAC)
If I want to figure out the MAC address of the computer that sent the data, I just look at the iana:sourceMacAddress field. Simple enough.
On RouterOS 6.48 however, the exact same test shows this:
iana:destinationMacAddress: 64:D1:54:18:13:CC (MikroTik Router’s MAC Address)
iana:sourceMacAddress: 64:D1:54:18:13:CC (MikroTik Router’s MAC Address)
iana:postDestinationMacAddress: 00:0C:29:EF:AF:4D (Computer’s MAC Address)
iana:postSourceMacAddress: 64:D1:54:18:13:CB (MikroTik Router’s MAC Address)
If I want to figure out the MAC address of the computer that sent the data, I now have to look at the iana:postDestinationMacAddress field.
In the release notes for RouterOS 6.47, it says:
*) traffic-flow - added “postDestinationMacAddress” parameter support for IPFIX and NetFlow v9;
I would think that this means that a new field was added, but the original fields still behave exactly the same. This doesn’t appear to be the case.
Looking at the “iana:sourceMacAddress” field on the new RouterOS versions does not give the proper MAC address of the sender.
Is this a bug? Why did the original “iana:sourceMacAddress” change? It doesn’t make sense to me that the device uploading the data would now be in the postDestinationMacAddress field. What is it the destination of? It’s the source device.
We have an environment where we can have dozens, or even hundreds, of MikroTiks. They all run different RouterOS versions. There’s no way to upgrade them all to the same version.
Fortunately, I have access to the source code of the NetFlow server, and can change it. I can, in theory, do something like:
if the postDestinationMacAddress field is present, that’s the MAC address of the source device, but if the field is not present, the iana:sourceMacAddress is the field containing the MAC address of the source device.
This should work, but if this is a bug that will get fixed in the next RouterOS version, my logic will break in the next RouterOS version.
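Added example, not part of the original post and not the NetFlow server's own code: a collector-side check that picks the sender's MAC by excluding router-side addresses instead of keying on whether postDestinationMacAddress is present, so the same logic covers both field layouts quoted above. It assumes upload flows like the ones in the post, treats destinationMacAddress and postSourceMacAddress as router-side (true of both samples, not a documented guarantee), and uses hypothetical helper names and constructed records built from the post's MAC values.

```python
# IANA IPFIX element IDs for the MAC fields named in the post.
SOURCE_MAC, POST_DST_MAC, DST_MAC, POST_SRC_MAC = 56, 57, 80, 81

def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))

def mac_text(raw):
    return ":".join(f"{b:02X}" for b in raw)

def decode_record(template, data):
    """Split one data record into {element_id: bytes} using its template."""
    fields, offset = {}, 0
    for element_id, length in template:
        if offset + length > len(data):
            raise ValueError("record shorter than its template")
        fields[element_id] = data[offset:offset + length]
        offset += length
    return fields

def client_mac(fields, exporter_macs=()):
    """Return the sender's MAC for an upload flow, or None if undecidable."""
    # Assumption: these two fields hold router-side MACs, as in both samples.
    router_side = {mac_bytes(m) for m in exporter_macs}
    for element_id in (DST_MAC, POST_SRC_MAC):
        if element_id in fields:
            router_side.add(fields[element_id])
    # First candidate that is a 6-byte MAC and not a router-side address wins.
    for element_id in (SOURCE_MAC, POST_DST_MAC):
        candidate = fields.get(element_id)
        if candidate and len(candidate) == 6 and candidate not in router_side:
            return mac_text(candidate)
    return None

# Constructed records using the MAC values quoted in the post.
ROUTER_CB = mac_bytes("64:D1:54:18:13:CB")
ROUTER_CC = mac_bytes("64:D1:54:18:13:CC")
ROUTER_CD = mac_bytes("64:D1:54:18:13:CD")
COMPUTER = mac_bytes("00:0C:29:EF:AF:4D")
TEMPLATE_OLD = [(DST_MAC, 6), (SOURCE_MAC, 6), (POST_SRC_MAC, 6)]
RECORD_OLD = ROUTER_CD + COMPUTER + ROUTER_CB                 # 6.46.4 layout
TEMPLATE_NEW = [(DST_MAC, 6), (SOURCE_MAC, 6), (POST_DST_MAC, 6), (POST_SRC_MAC, 6)]
RECORD_NEW = ROUTER_CC + ROUTER_CC + COMPUTER + ROUTER_CB     # 6.48 layout

if __name__ == "__main__":
    print(client_mac(decode_record(TEMPLATE_OLD, RECORD_OLD)))
    print(client_mac(decode_record(TEMPLATE_NEW, RECORD_NEW)))
```

Passing each exporter's known interface MACs as `exporter_macs` tightens the exclusion for records that lack destinationMacAddress; a `None` result is worth logging per exporter, since it marks a field layout the collector has not seen before.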