MikroTik RouterOS IP Traffic Accounting

Document revision 19-Jun-2002
This document applies to the MikroTik RouterOS v2.4 and higher


The IP Traffic Accounting feature enables administrators to keep an accurate record of traffic passed through the router between IP level hosts. ISPs or network administrators can use this for traffic based billing or detailed monitoring of network activity. This feature generates simple traffic data. Additional utilities are required for useful analysis and calculation of the traffic data. Information on utilities and examples of scripts for collecting data are provided in this manual.

The MikroTik RouterOS supports:

Topics covered in this manual:

What's new in V2.5

The maximum number of records (threshold) has been increased to 16384. In case of using 16384 records, ~740kB of RAM are required. When setting the threshold value, the required amount of memory is allocated for the buffer whether it is used or not. The approximate amount of memory is 44bytes per buffer line.

In V2.6, the username is accounted as well, therefore the maximum number of records is limited to 8192, which requires ~1.5MB.


The Traffic Accounting feature is included in the "system" package. No installation is needed for this feature.

Hardware Resource Usage

The maximum number [threshold] of "IP pairs" stored may require additional RAM installation. Each IP pair uses approximately 40 bytes. The system uses a "current" table which accounts for current data. The system also keeps the "snapshot" table for retrieval. Therefore, the memory usage for the IP pairs can be calculated with "number of IP pairs" x "40 bytes" x 2 (for the two tables). The default threshold of IP pairs is set to 1000 (80KB). When using the default threshold setting of 1000, no additional memory is suggested. For threshold settings higher than 12,500(1MB), memory usage estimates should be made, system resources should be monitored, and RAM should be increased accordingly. The maximum setting is 100,000 IP pairs.

Traffic accounting setup

[MikroTik] ip accounting> set enabled yes
[mikrotik] ip accounting> print
    threshold: 256
      enabled: yes

Description of arguments:

enabled - Traffic accounting is disabled by default. Settings are 'enabled yes' and 'enabled no'
threshold - The threshold setting sets the maximum number of IP pairs for the traffic accounting table – see "Threshold settings" for more information on the optimal settings. The default setting is for 1000 IP pairs.

Traffic data description

Only IP traffic is accounted. As each packet passes through the router, the packet source and destination is matched to an IP pair in the accounting table and the traffic for that pair is increased. If no matching IP pair exists, a new entry to the table will be created. Both the number of packets and number of bytes are accounted. Only packets that enter and leave the router are counted. Packets that are dropped in the router are not counted. Packets that are sent from the router itself are not counted – such as packets used for administration connections (i.e. web and telnet connections to the router). Packets that are masqueraded with the router will be accounted for with the actual IP hosts addresses on each side.

See Traffic Display and collection for a printout of a snapshot.

For example, a TCP connection between two computers with traffic going through the router will cause two IP pairs to be added to the traffic accounting table. One IP pair will have computer A as the source and computer B as the destination. Another IP pair will have computer B as the source and computer A as the destination.

Threshold settings

The threshold setting limits the maximum number of IP pairs in the accounting table. When the limit is reached, no new IP pairs will be added to the accounting table. Each packet that is not accounted for in the accounting table will then be added to the "uncounted" counter. To see if the limit on pairs has been reached, check the "uncounted" counter:

[MikroTik] ip accounting uncounted> print
    packets: 0
      bytes: 0

When a snapshot is made for data collection, the accounting table is cleared and new IP pairs and traffic data are added. The more frequently traffic data is collected, the less likelihood that the IP pairs threshold limit will be reached. It is suggested that traffic data be collected every 15 minutes.

Traffic data display and collection

The traffic data can be viewed by both the telnet/terminal console and WinBox. The traffic data can be collected manually or by using standard Unix/Linux utilities and MikroTik’s shareware MT_Syslog Daemon. This manual section will cover:

The traffic accounting system consists of a "current" accounting table and a "snapshot" image. When the "snapshot" image is made of the "current" accounting table, the "current" accounting table is cleared and starts accounting data anew. The "snapshot" image can be made in two ways.

An image of traffic data can be made manually by issuing the "/ip accounting snapshot take" command from the terminal/console or WinBox. The "snapshot" can then be viewed with the "/ip accounting snapshot print" command. The traffic data from the telnet/terminal console will appear:

[mikrotik] ip accounting snapshot> print

0          408534             39822596
1         103944             12874447
2        15191              1243118
3   33239              2526124
4        33237              2526012

The web page report makes it possible to use the standard Unix/Linux tool wget to collect the traffic data and save it to a file. If the web report is enabled and the web page is "viewed", the snapshot will be made when the wget (or standard browser) connection is initiated to the web page. The "snapshot" will then be displayed on the web page. TCP protocol used by http connections with the wget tool guarantees that none of the traffic data will be lost. The "snapshot" image will be made when the connection from wget is initiated. Web browsers or wget should connect to URL http://routerIP/accounting/ip.cgi

[MikroTik] ip accounting web-access> print

    accessible-via-web: yes

For security purposes, an IP address or IP subnet can be limited to the collection of the web report. The above example of address: allows all IP hosts to access the web reports. With the settings address: - only IP host is allowed to access the web reports.

A simple script can be run with crond and wget to periodically collect traffic data. Timestamps can be added to the traffic data file as well as other features.

MikroTik Download Utilities Page

Traffic data analysis

There are many tools and systems to analyze traffic data. Useful common tools are:

Additional Resources

Links for documentation:


© Copyright 1999-2002, MikroTik