rhaa01
just joined
Topic Author
Posts: 3
Joined: Tue May 27, 2014 6:58 am

Netflow with 6.13 on CCR is broken

Tue May 27, 2014 7:31 am

Hi.

I have purchased a CCR1036 specifically for connecting to an upstream provider and need to capture netflow data in order to be able to account for customer data usage. Now I am testing and find that netflow is broken.

Hardware is a CCR1036-12G-4S. When first installed I had version 6.12 of the firmware, now I have also tested with version 6.13. Under test conditions the router is passing less than 10 Mbit/sec and there is no problem with system load.

I am finding that netflow output is both intermittent (i.e. sometimes reports nothing at all) and results in values maybe one tenth of the expected throughput when it is running. At this level of operation I can't use it.

My existing netflow collectors are based on fprobe running on Linux sending to pmacct, which works for me so far.

The ip traffic-flow setup is so simple I can't see where it can be done wrong. Here is the setup:

[admin@router4] > ip traffic-flow export
# may/27/2014 16:21:52 by RouterOS 6.13
# software id = QPCZ-1PJJ
#
/ip traffic-flow
set enabled=yes interfaces=sfp1-662
/ip traffic-flow target
add address=202.x.y.z:2100 version=9

Interface sfp1-622 is VLAN 622 on sfp1. I have also tried Netflow version 5 and get similar results.
The flow numbers tick over when using:

[admin@router4] > ip traffic-flow mon
finished-flows: 1820790
active-flows: 767
unmanaged-packets: 0
unmanaged-bytes: 0

Curiously captures of the UDP port 2100 packets show data gets sent in chunks at between 4 and 5 minute intervals (when they get sent at all) while my fprobe collector sends netflow data nearly continuously.

Is there any benefit from trying older firmware? Are there any settings which aren't documented in http://wiki.mikrotik.com/wiki/Manual:To ... width_Test the manual?

Regards,
RH.
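One way to put numbers on the symptoms described in this post from a capture of the export datagrams, as an added example that is not part of the original thread: it parses NetFlow v5 exports, sums the reported octets, counts flows missing according to the header's flow_sequence counter, and finds the longest silence between exports. The names `parse_v5`, `audit`, `make_v5` and `SAMPLE` are hypothetical, the sample datagrams are constructed, and the code assumes one exporter with datagrams in arrival order.

```python
import struct

HDR = struct.Struct("!HHIIIIBBH")                # NetFlow v5 header, 24 bytes
REC = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # NetFlow v5 flow record, 48 bytes

def parse_v5(datagram):
    """Return (unix_secs, flow_sequence, [dOctets, ...]) for one export datagram."""
    version, count, _, secs, _, seq, _, _, _ = HDR.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError("not NetFlow v5 (version=%d)" % version)
    if len(datagram) != HDR.size + count * REC.size:
        raise ValueError("datagram length does not match record count")
    octets = [REC.unpack_from(datagram, HDR.size + i * REC.size)[6]
              for i in range(count)]
    return secs, seq, octets

def audit(datagrams):
    """Summarise a capture: octets accounted, flows lost, longest export silence."""
    if not datagrams:
        raise ValueError("empty capture")
    total = lost = longest_gap = 0
    first_secs = prev_secs = expected_seq = None
    for d in datagrams:
        secs, seq, octets = parse_v5(d)
        if expected_seq is None:
            first_secs = secs
        else:
            # flow_sequence counts flows exported so far; a jump means datagrams
            # never reached the collector. The counter wraps at 2**32.
            lost += (seq - expected_seq) & 0xFFFFFFFF
            longest_gap = max(longest_gap, secs - prev_secs)
        total += sum(octets)
        expected_seq = (seq + len(octets)) & 0xFFFFFFFF
        prev_secs = secs
    span = max(prev_secs - first_secs, 1)  # exporter clock, seconds
    return {"octets": total, "lost_flows": lost,
            "longest_gap_s": longest_gap, "avg_bps": total * 8 // span}

def make_v5(secs, seq, octet_list):
    """Build a constructed v5 datagram (sample data only)."""
    body = b"".join(
        REC.pack(b"\x0a\x0e\x0a\x05", b"\xc6\x33\x64\x01", b"\0" * 4, 1, 2, 10, n,
                 0, 0, 40000, 443, 0, 0x18, 6, 0, 0, 0, 24, 0, 0)
        for n in octet_list)
    return HDR.pack(5, len(octet_list), 0, secs, 0, seq, 0, 0, 0) + body

# Constructed capture: the third datagram arrives 270 s late and skips two flows.
SAMPLE = [make_v5(1000, 0, [1500, 3000]), make_v5(1010, 2, [500]),
          make_v5(1280, 5, [2000, 1000])]
```

A non-zero `lost_flows` points at datagrams dropped between router and collector, while zero loss with a low `avg_bps` and a long `longest_gap_s` points at the exporter itself.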
 
wwt
just joined
Posts: 2
Joined: Mon May 26, 2014 9:10 pm

Re: Netflow with 6.13 on CCR is broken

Wed May 28, 2014 12:05 am

Hello

I tested on a CCR1036-12G-4S too.
It was configured with 2 bridge/VLAN/IP, with 5 ports joined per bridge and 1 WAN port.

Traffic flow was configured on the WAN port only, with version 5.
Simple static route and 2 route-maps.

The collector was flow-tools 0.68.5.1 on FreeBSD 9.2.

The symptom was that flows were temporarily not being sent to the collector.
It helps to turn off traffic flow, change the interface, and turn traffic flow back on.

It's a really bad symptom, and I agree traffic flow is broken on CCR with 6.13 and should be repaired.

Best regards
Tomasz
 
AlexS
Member Candidate
Posts: 266
Joined: Thu Oct 10, 2013 7:21 am

Re: Netflow with 6.13 on CCR is broken

Wed May 28, 2014 11:28 am

My 2c

I have 6 CCR1036-8G-2S+.
I was running them all on 6.12 and had netflow going to nfsen on a Linux box. When I went to 6.13 I saw a massive reduction in what was being captured.

I'm using version 9.

It seems like it captures the big streams, not the small ones. When I monitor, it looks like it is capturing them, just not sending them.
 
parrini
Frequent Visitor
Posts: 85
Joined: Thu Dec 13, 2007 5:11 am
Location: Bahia, Brazil

Re: Netflow with 6.13 on CCR is broken

Fri Aug 07, 2015 7:22 am

> My existing netflow collectors are based on fprobe running on Linux sending to pmacct, which works for me so far.

Hi, could you post the fprobe configuration necessary to collect netflow from Mikrotik? I wish to use it to send to nmapng without having to pay for nprobe.

Thanks in advance!
 
rhaa01
just joined
Topic Author
Posts: 3
Joined: Tue May 27, 2014 6:58 am

Re: Netflow with 6.13 on CCR is broken

Fri Aug 07, 2015 8:34 am

First off, I need to say that RouterOS traffic-flow was fixed after I raised the issue. Last time I checked, netflow data was coming through well enough to be useful.

I need to correct my sentence above, where I said I used fprobe as a collector, which is not correct if you use the netflow jargon strictly. Fprobe is a netflow probe only. The only configuration of fprobe is command line switches. Fprobe is only useful to you if you are running a Linux OS (Redhat, Debian etc.) router. RouterOS has its own netflow probe (which earlier wasn't working, hence my complaint) and there is no way to use fprobe on a device running RouterOS.

I use pmacct in netflow mode as the collector. There is no always-correct way of using pmacct as it can save data in several ways, including saving direct to databases. I happen to use it with the Memory buffer and dump the total every five minutes for use with graphing etc. like this:

daemonize: true
plugins: memory[kcin], memory[kcout]

aggregate[kcin]: dst_host
aggregate[kcout]: src_host
aggregate_filter[kcin]: dst net 10.14.10.0/24 or dst net 10.27.21.0/24
aggregate_filter[kcout]: src net 10.14.10.0/24 or src net 10.27.21.0/24
imt_path[kcin]: /var/run/pmacct/kcin.pipe
imt_path[kcout]: /var/run/pmacct/kcout.pipe

etc. for various customer addresses.

I don't know what nmapng is and how it integrates with netflow.
