I just recently started using tools like ntop to do traffic analysis of the traffic flowing through my core router. I had originally planned to use port mirroring, but my core router is a CCR1036 and I realized that without a switch chip, it is unable to perform port mirroring. I found that the recommendation across the MikroTik forums and MikroTik documentation was to use the packet-sniffer's TZSP streaming feature as an alternative. (http://wiki.mikrotik.com/wiki/Manual:To ... er#Example)
This is working great: I am streaming all my ~150Mbps of traffic to my analysis server, and the performance load on the router is impressively low! However, I'm finding that the streaming periodically disables itself... something like every 1-2 days I find that the analysis server just stops receiving traffic. When I log in to the CCR1036, I just find that packet-sniffer is "stopped". I restart it, and everything goes back to normal until it happens again.
I'm not finding anything in the logs, or any error messages that indicate why it's stopping... so I don't really know where to start trying to troubleshoot. Has anyone experienced this before and been able to resolve it? Any suggestions greatly appreciated!