There are many ways to keep an eye on your users with RouterOS. Here are two ways to track down bandwidth hoggers:

  1. Use the packet sniffer to collect a sample (a few minutes while the problem is occurring), then examine the data in the Connections and Hosts tabs.
    1. Pros
      1. Does not consume resources all the time
    2. Cons
      1. Not convenient, you have to do a few clicks and wait for some time to see the result.
      2. You cannot directly act upon the hogger.
  2. Use firewall rules to match packets for each host and add the rate column.
    1. Pros
      1. You can see bandwidth usage of each IP on your network in real time
      2. You can act upon any user and enforce bandwidth limits
    2. Cons
      1. I’ve added ~250 rules to match the traffic for each IP and it caused around ~15% CPU overhead on a 300MHz CPU.

As for creating all the firewall rules: obviously, I won’t enter them by hand. Thanks to MikroTik’s shell, it is very easy:

```
:for i from=2 to=254 do={/ip firewall filter add chain=forward dst-address="193.168.1.$i" action=passthrough}
```

Passthrough means “do nothing”: the rule counts the matching packet and hands it on to the next rule. We use one rule per IP only to match the packets destined to that host, then read the rule statistics to get the information we want.
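
One way to read those statistics from a script instead of the rate column, as an added example that is not part of the original post. It assumes the per-IP rules were created by the loop above; the 500 MB threshold, the `hoggers` address-list name and the one-hour timeout are hypothetical values chosen for illustration.

```routeros
# Added example: report hosts whose passthrough rule counted more than
# "threshold" bytes since the counters were last reset, and tag them in an
# address list so that a separate queue or mangle rule can act on them.
# Run it periodically, for example from the scheduler.
# Hypothetical values: threshold, list name "hoggers", timeout 1h.
:local threshold 500000000
:local listName "hoggers"

# Rules without a dst-address (not created by the per-IP loop) are skipped,
# and hosts already present in the list are not added twice.
:foreach r in=[/ip firewall filter find where chain=forward action=passthrough] do={
    :local addr [/ip firewall filter get $r dst-address]
    :local bytes [/ip firewall filter get $r bytes]
    :if (([:len $addr] > 0) and ($bytes > $threshold)) do={
        :log warning ("bandwidth: " . $addr . " received " . ($bytes / 1048576) . " MiB since last reset")
        :if ([:len [/ip firewall address-list find where list=$listName address=$addr]] = 0) do={
            /ip firewall address-list add list=$listName address=$addr timeout=1h
        }
    }
}

# Start a fresh measurement window for the per-IP rules only.
/ip firewall filter reset-counters [find where chain=forward action=passthrough]
```

Because the rules match on `dst-address`, the counters reflect traffic forwarded toward each host, not traffic it sends.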