daviddem
Frequent Visitor
Topic Author
Posts: 62
Joined: Sun Sep 18, 2011 12:16 pm

Connection logging

Wed Dec 28, 2011 10:04 am

Hello,

I am trying to figure out how to do the following:

- categorize and mark connections in mangle (using predefined connection type and/or layer 7 rules)
- record (log) connections in a single report including the following information:
1) src/dst IP and port (bonus: corresponding hotspot user name)
2) traffic volume through the connection (up and down)
3) connection mark (category) obtained from the mark made in the mangle chain

So far I figure that the internal Mikrotik logging facility can do 1 (w/o the bonus) and 3, but not 2. And netflow analyzers can do 1 and 2 but not 3 (to be more specific: as far as I know netflow can only categorize traffic based on the port number, which is not good enough when dealing with port hopping applications).

Any idea?
 
daviddem
Frequent Visitor
Topic Author
Posts: 62
Joined: Sun Sep 18, 2011 12:16 pm

Re: Connection logging

Thu Dec 29, 2011 12:24 pm

Let me rephrase this: the facility of accounting for traffic through a particular tcp or udp connection exists in RouterOS. It is used in the firewall rules via "connection-bytes". It is also available for the connections made by the proxy server under /ip proxy connection.

Questions:
1) why are the TX and RX numbers not available for the normal connections under /ip firewall connection?
2) can connection logging be done internally in RouterOS (not using Netflow)?
3) is there any other way to obtain per connection traffic and use that in a script?
 
daviddem
Frequent Visitor
Topic Author
Posts: 62
Joined: Sun Sep 18, 2011 12:16 pm

Re: Connection logging

Sat Dec 31, 2011 8:22 am

Hello, bump please. This is a simple question: is there any reason why the bytes in/out numbers are not available when viewing the connections under firewall, whereas they are when viewing connections made via the HTTP proxy server?
 
daviddem
Frequent Visitor
Topic Author
Posts: 62
Joined: Sun Sep 18, 2011 12:16 pm

Re: Connection logging

Wed Jan 04, 2012 4:28 pm

Bump again. Seriously, is there a reason this is not available?
 
otgooneo
Trainer
Posts: 581
Joined: Tue Dec 01, 2009 3:24 am
Location: Mongolia

Re: Connection logging

Thu Jan 05, 2012 10:12 am

daviddem wrote:
> Let me rephrase this: the facility of accounting for traffic through a particular tcp or udp connection exists in RouterOS. It is used in the firewall rules via "connection-bytes". It is also available for the connections made by the proxy server under /ip proxy connection.
>
> Questions:
> 1) why are the TX and RX numbers not available for the normal connections under /ip firewall connection?
> 2) can connection logging be done internally in RouterOS (not using Netflow)?
> 3) is there any other way to obtain per connection traffic and use that in a script?

1) Only transmitted bytes and packets are available. I tried before to draw firewall traffic using a 3rd-party application. I saved the transmitted bytes number to a file, using log. My 3rd-party Java application gets that file every 30 minutes and it calculates bits per second. First it needs to calculate the difference between the byte counts and convert it to bits, then divide the bits by 1800 seconds (30 min). Unfortunately it was a very bad idea. One week later the router stopped; it showed me the error "no buffer to radius". My dummy logging action loaded the whole buffer. After that I added a simple queue with this marked traffic. Simple queues are available through SNMP. But you can also do it using the API.
[otgonkhuu@MOBINET] > ip firewall filter print stats
Flags: X - disabled, I - invalid, D - dynamic 
 #   CHAIN                                                                                                   ACTION                            BYTES         PACKETS
 0 X ;;; Log Invalid
     forward                                                                                                 log                                   0               0
 1   ;;; Drop Invalid
     forward                                                                                                 drop                        102 741 880       1 570 481
 2   ;;; Allow CCagent from SuperV
     forward                                                                                                 accept                       13 083 936         230 905
 3   ;;; Allow CallCenter App from SuperV
     forward                                                                                                 accept                          650 230           5 999
 4   ;;; Allow MNP75 from SuperV
     forward                                                                                                 accept                        1 834 645          18 534
2) Yes. It shows like the following:
15:54:09 firewall,info Dropping forward: in:Staff_Bridge out:INTERNET, src-mac 00:0c:42:44:a0:82, proto UDP, 172.10.9.137:123->202.131.224.136:123, len 76
But it is hard to analyze so many logs. Maybe it can be done using a 3rd-party application and a syslog server.
3) I don't think so. The standard solution for this type of thing is NetFlow. But I never tried it before.
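Added example (Python, written for this thread; it is not otgooneo's Java tool, not RouterOS code, and not part of any post above). It mirrors the two approaches in the reply: the counter-snapshot method from answer 1), where the byte counters from `ip firewall filter print stats` are sampled 30 minutes apart and the difference is turned into bits per second, and the log method from answer 2), where the `firewall,info` lines are parsed into fields so a syslog consumer can roll them up offline instead of anyone reading the raw log. The first snapshot is a trimmed copy of the output shown in the reply; the second snapshot, the extra log lines with their interface and host names, and all function names are assumptions constructed for the example.

```python
import re
from collections import namedtuple
from typing import Dict, Iterable, Optional

# Added example for this thread (not RouterOS code, not the Java tool from the
# reply). Rule keys, interface names and the extra log lines are constructed.

# --- 1) byte counters sampled from `ip firewall filter print stats` ---------
RuleStats = namedtuple("RuleStats", "chain action total_bytes total_packets")
# Comment line: " 1   ;;; Drop Invalid" or " 0 X ;;; Log Invalid" (flag optional).
_COMMENT_RE = re.compile(r"^\s*(\d+)\s+([A-Z]?)\s*;;;\s*(.*?)\s*$")
# Stats line: [index [flag]] chain action bytes packets. Counters are digit
# groups separated by single spaces ("102 741 880"); columns by 2+ spaces.
_STATS_RE = re.compile(
    r"^\s*(?:(\d+)\s+([A-Z]?)\s+)?(\S+)\s+(\S+)\s+(\d[\d ]*?)\s{2,}(\d[\d ]*?)\s*$")


def parse_print_stats(output: str) -> Dict[str, RuleStats]:
    """One snapshot -> {rule comment or '#index': RuleStats}."""
    rules, pending = {}, None   # pending = (index, comment) awaiting its stats line
    for line in output.splitlines():
        m = _COMMENT_RE.match(line)
        if m:
            pending = (m.group(1), m.group(3))
            continue
        m = _STATS_RE.match(line)
        if not m:
            continue            # prompt, column header, flags legend, blank
        idx, _flag, chain, action, byts, pkts = m.groups()
        key = (pending[1] or "#" + pending[0]) if pending else "#" + idx
        pending = None
        rules[key] = RuleStats(chain, action, int(byts.replace(" ", "")),
                               int(pkts.replace(" ", "")))
    return rules


def bits_per_second(before: Dict[str, RuleStats], after: Dict[str, RuleStats],
                    interval_s: float) -> Dict[str, float]:
    """Average bit/s per rule between two snapshots interval_s apart. A counter
    that went backwards means a reset or reboot: the bytes seen since then are a
    lower bound, so use them rather than emit a negative rate."""
    rates = {}
    for key, now in after.items():
        prev = before.get(key)
        reset = prev is None or now.total_bytes < prev.total_bytes
        delta = now.total_bytes if reset else now.total_bytes - prev.total_bytes
        rates[key] = delta * 8 / interval_s
    return rates


# --- 2) structured records from `firewall,info` log lines -------------------
_LOG_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) firewall,(?P<level>\w+) (?:(?P<prefix>.*?) )?(?P<chain>\w+): "
    r"in:(?P<in_if>\S+) out:(?P<out_if>\S+), src-mac (?P<src_mac>[0-9a-f:]+), "
    r"proto (?P<proto>[A-Z]+)(?: \([^)]*\))?, "   # also accepts "TCP (SYN)"
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+), len (?P<len>\d+)$")


def parse_firewall_log(line: str) -> Optional[dict]:
    """Parse one line of the shape quoted in the reply; None for anything else."""
    m = _LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for field in ("sport", "dport", "len"):
        rec[field] = int(rec[field])
    return rec


def count_by_flow(lines: Iterable[str]) -> Dict[tuple, int]:
    """Hits per (src, proto, dst port): the roll-up a syslog consumer would do."""
    counts: Dict[tuple, int] = {}
    for rec in filter(None, map(parse_firewall_log, lines)):
        flow = (rec["src"], rec["proto"], rec["dport"])
        counts[flow] = counts.get(flow, 0) + 1
    return counts


# Constructed samples: a trimmed copy of the output shown in the reply (t0) and
# the same rules 30 minutes later (t1), where "Allow MNP75" has been reset.
SNAPSHOT_T0 = """\
[otgonkhuu@MOBINET] > ip firewall filter print stats
Flags: X - disabled, I - invalid, D - dynamic
 #   CHAIN      ACTION           BYTES         PACKETS
 0 X ;;; Log Invalid
     forward    log                  0               0
 1   ;;; Drop Invalid
     forward    drop       102 741 880       1 570 481
 4   ;;; Allow MNP75 from SuperV
     forward    accept       1 834 645          18 534
"""
SNAPSHOT_T1 = SNAPSHOT_T0.replace("102 741 880", "103 641 880").replace("1 834 645", "4 500")
# Constructed log lines: the one quoted in the reply, the same flow again,
# a TCP SYN drop, and an unrelated line the parser must ignore.
LOG_LINES = [
    "15:54:09 firewall,info Dropping forward: in:Staff_Bridge out:INTERNET, src-mac 00:0c:42:44:a0:82, proto UDP, 172.10.9.137:123->202.131.224.136:123, len 76",
    "15:54:41 firewall,info Dropping forward: in:Staff_Bridge out:INTERNET, src-mac 00:0c:42:44:a0:82, proto UDP, 172.10.9.137:123->202.131.224.136:123, len 76",
    "15:55:02 firewall,info Dropping forward: in:Staff_Bridge out:INTERNET, src-mac 00:0c:42:44:a0:83, proto TCP (SYN), 172.10.9.140:51234->203.0.113.10:445, len 60",
    "15:55:10 system,info,account user admin logged in from 172.10.9.5 via winbox",
]

if __name__ == "__main__":
    rates = bits_per_second(parse_print_stats(SNAPSHOT_T0), parse_print_stats(SNAPSHOT_T1), 1800)
    print({k: round(v, 1) for k, v in rates.items()}, count_by_flow(LOG_LINES))
```

The reset check in `bits_per_second` covers the case a 30-minute poller hits after a reboot or a manual counter reset: without it the delta goes negative and the first sample after the event is garbage. Keeping the sample history on the polling side rather than in the router's own log is also the lesson of the "no buffer to radius" failure in the reply: the router only has to keep the counter, and whatever reads it (SNMP, the API, or a syslog receiver for the log lines) keeps the samples and does the arithmetic.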
