ploquets
Member Candidate
Topic Author
Posts: 162
Joined: Tue Nov 17, 2015 12:49 pm
Location: Uruguaiana, RS, Brazil

Traffic monitor with Telegram report

Tue Oct 24, 2017 10:47 pm

Hello.
Recently we needed a script to report if an interface was passing more than X traffic.
Everything was OK if using the traffic-monitor... but with just 1 second of traffic (traffic peak) I got notified.

So, I've created a script that is triggered by the traffic-monitor to start the analysis.
If its conditions are met, it will report to a Telegram account.

And I decided to share it. So, those who need something like this, would be able to use it easily.

Example will consider:
  • ether1-wan as interface
  • WAN as the interface alias
  • 100Mbps as the traffic limit
  • 90 seconds as the limit for continuous traffic and report
  • 10 minutes between one report and another (if traffic continues)
  • wan-monitor as trigger name (traffic-monitor)
  • monitor-ether1 as script name
This script was made to check the download traffic (which means RX)

You will need to create a traffic-monitor like this:
This will act like a trigger to the script to run
/tool traffic-monitor
add interface=ether1-wan name=wan-monitor on-event=monitor-ether1 traffic=received threshold=100M 
And now, create a script inside /system script matching the name you have chosen


With this code inside it (replace variables as you need)
# ------------------- header -------------------------------------------
# Traffic analysis script and report by Telegram
# By Andre Almeida 
# Tested in RouterOS 6.40.3
# Created at 23/10/2017
# Please, keep this header if using this script. Thanks
# ------------------- end header ---------------------------------------


#-----------------------------------------------------------------------
#      D E F I N E   H E R E    Y O U R   V A R I A B L E S
#-----------------------------------------------------------------------

# Interface name to monitor
:local intmon "ether1-wan";
# A friendly name to the interface above
:local ifalias "WAN";
# The limit in Mbps for the traffic
:local limittraffic "100";
# The time limit in seconds to consider continuous traffic and report
:local limittime "90";
# Define the interval between reports in minutes
:local reportinterval "10";
# Trigger name created inside /tool traffic-monitor
:local triggers "wan-monitor";
# ChatID from telegram that is going to receive reports
:local chat "0123456789";
# API code from Telegram BOT
:local bot "01234567:AbcdEfGhijklmnOPQrstuvXWY-z";


#-----------------------------------------------------------------------
#         S T O P    E D I T I N G    H E R E     
#-----------------------------------------------------------------------

# Disabling the TRIGGER
/tool traffic-monitor set [find name="$triggers"] disabled=yes;
#-----------------------------------------------------------------------
#Traffic analysis script starts now
#-----------------------------------------------------------------------
#Resetting counter
:local counter 0;

:local recbits;
	
#Checking traffic
:set $recbits ([/interface monitor-traffic [find name="$intmon"] as-value once]->"rx-bits-per-second");

:while ($recbits > ($limittraffic * 1000000)) do={

	:while ($counter < $limittime) do={
		# Checking traffic
		:set $recbits ([/interface monitor-traffic [find name="$intmon"] as-value once]->"rx-bits-per-second");
		
		# Checking if traffic is high
		:if ($recbits > ($limittraffic * 1000000)) do={
			:set $counter ( $counter + 1);
			:delay 1s;} else={ 
				:set $counter ($limittime + 10);
			};
	}; #  <--- End of second while condition	
	
	# Rechecking traffic
	:set $recbits ([/interface monitor-traffic [find name="$intmon"] as-value once]->"rx-bits-per-second");
	# Checking counter
	:if ($counter < ($limittime + 10)) do={ 
		# Resetting counter
		:set $counter 0;
		# Send message to telegram if counter is accomplished
		# DO NOT REPLACE ANYTHING HERE
		# Defining message
		:local initel "https://api.telegram.org/bot";
		:local endtel "&text=";
		:local newline "%0D%0A";
		:local who "$[/system identity get name]";
		:local datetime "$[/system clock get date] $[/system clock get time]";
		:local message "Interface $ifalias surpassed $newline $limittraffic Mbps by $limittime \
		seconds$newline Actual traffic $($recbits / 1000000)Mbps";
		
		:local messagefinal " $who REPORT$newline $newline $message $newline $newline $datetime \
		$newline $newline If traffic persist a new report will be send within \
		$reportinterval minutes";
		
		/tool fetch url="$initel$bot/sendMessage\?chat_id=$chat$endtel$messagefinal" keep-result=no;
		
		:log warning "Interface $ifalias surpassed $limittraffic Mbps by $limittime seconds \
		-- Actual traffic is $($recbits / 1000000)Mbps";
		
		:delay ((($reportinterval * 60) - $limittime) . s);
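	} else={
		# Traffic dipped below the limit during the window: reset the counter so that,
		# if the recheck is high again, a new window is measured instead of spinning
		:set $counter 0;
	}; # <--- End of checking counter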

}; #  <--- End of first while condition

# ENABLING TRIGGER AGAIN
/tool traffic-monitor set [find name="$triggers"] disabled=no;

#-----------------------------------------------------------------------
#                      T H E     E N D    
#-----------------------------------------------------------------------
For each interface that you need to monitor, please, rename the trigger name to be unique. And replace inside the script.

Reports will reach your Telegram account (defined in chat ID) like this:

Image
 
ploquets

Re: Traffic monitor with Telegram report

Thu Oct 26, 2017 3:28 am

Can the script be eligible to go to the wiki?
 
MiroAlex1987
just joined
Posts: 1
Joined: Tue Apr 17, 2018 12:39 pm

Re: Traffic monitor with Telegram report

Tue Apr 17, 2018 3:06 pm

Is it possible to use this script with a proxy?
In the light of recent events in the Russian Federation, access to the portal api.telegram.org is limited, so many important alerts stopped working.
In this regard, I would like to clarify whether it is possible to modify the script to work through a proxy.
For example:
/ tool fetch url = "https://api.telegram.org/bot***" via "socks5.proxy.server:1050"
 
SirPrikol
newbie
Posts: 28
Joined: Wed Oct 11, 2017 12:36 pm

Re: Traffic monitor with Telegram report

Fri Aug 17, 2018 6:36 pm

There is one problem, in this configuration, the script does NOT include back triggers. It is necessary or in scheduler automatically to include triggers in 2-3 minutes or to add in a script a parameter about inclusion of the trigger on number
 
ploquets

Re: Traffic monitor with Telegram report

Fri Aug 17, 2018 8:06 pm

> There is one problem, in this configuration, the script does NOT include back triggers. It is necessary or in scheduler automatically to include triggers in 2-3 minutes or to add in a script a parameter about inclusion of the trigger on number
Sorry, I did not understand.
Could you explain a little better what is missing?

Thank you
 
Trustful
just joined
Posts: 1
Joined: Sun Aug 19, 2018 3:57 pm

Re: Traffic monitor with Telegram report

Sun Aug 19, 2018 4:02 pm

Hi, does this script work on the latest ROS? I can’t run it and get no warnings
 
ploquets

Re: Traffic monitor with Telegram report

Sun Aug 19, 2018 11:09 pm

> Hi, does this script work on the latest ROS? I can’t run it and get no warnings
Yes it works.
I have it working on 6.40.8 bugfix
 
faisalreza
just joined
Posts: 4
Joined: Mon Feb 10, 2014 8:32 am
Location: Sukabumi, Indonesia

Re: Traffic monitor with Telegram report

Mon Jun 10, 2019 3:06 am

Hi, nice script and thanks for sharing
btw can we modify the script to detect the pps and send alert?
for example let say there is 75kpps on the specified interface and then notification on telegram
it might be useful to detect possible ddos traffic

thanks and regards
Reza
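
The packets-per-second variant asked about above, as an added example that is not part of the original posts or the author's script. It is assumed to be started from a /system scheduler entry whose interval is longer than limittime (so runs do not overlap); the interface name, the 75000 pps limit and the placeholder chat ID and bot token are assumptions carried over from the thread's examples.

```routeros
# Added example: sustained packets-per-second check with Telegram report.
# Assumptions: interface name, limits, chat ID and bot token are placeholders.
:local intmon "ether1-wan"
:local limitpps 75000
:local limittime 90
:local chat "0123456789"
:local bot "01234567:AbcdEfGhijklmnOPQrstuvXWY-z"

:local counter 0
:local sustained true
:local pps 0

# Sample once per second; stop at the first sample that is not above the limit,
# so a short peak never produces a report
:while ($sustained && ($counter < $limittime)) do={
	:set $pps ([/interface monitor-traffic [find name="$intmon"] as-value once]->"rx-packets-per-second")
	:if ($pps > $limitpps) do={
		:set $counter ($counter + 1)
		:delay 1s
	} else={
		:set $sustained false
	}
}

# Report only when every sample in the window was above the limit
:if ($sustained) do={
	# The local log entry is written first, so the event is recorded
	# even when the Telegram API cannot be reached
	:log warning "$intmon above $limitpps pps for $limittime s (now $pps pps)"
	# A failed fetch raises an error; catch it so the script ends cleanly
	:do {
		/tool fetch url="https://api.telegram.org/bot$bot/sendMessage\?chat_id=$chat&text=$intmon%20above%20$limitpps%20pps%20for%20$limittime%20s" keep-result=no
	} on-error={
		:log error "Telegram report for $intmon could not be sent"
	}
}
```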
 
Jotne
Forum Guru
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Traffic monitor with Telegram report

Mon Jun 10, 2019 11:37 am

@ploquets

You can remove the ; at the end of all script lines.
It's not needed anymore. Only when having more than one command at the same line.
 
ploquets

Re: Traffic monitor with Telegram report

Mon Jun 10, 2019 3:42 pm

> Is it possible to use this script with a proxy?
> In the light of recent events in the Russian Federation, access to the portal api.telegram.org is limited, so many important alerts stopped working.
> In this regard, I would like to clarify whether it is possible to modify the script to work through a proxy.
> For example:
> / tool fetch url = "https://api.telegram.org/bot***" via "socks5.proxy.server:1050"
I guess you can do this with firewall rules, to match api.telegram.org and redirect thru a proxy server... not necessarily you will need to inform the proxy server directly from the CLI.
 
jonathanxpeers
just joined
Posts: 6
Joined: Thu Aug 25, 2011 11:14 am
Location: South Africa

Re: Traffic monitor with Telegram report

Wed Mar 04, 2020 3:18 pm

Thank you for the script

Can it be altered to use mail? To ship it directly to a support desk
 
ploquets

Re: Traffic monitor with Telegram report

Wed Mar 04, 2020 3:57 pm

> Thank you for the script
>
> can it be altered to use mail ? to ship it directory in a support desk
I guess you can use this
# ------------------- header -------------------------------------------
# Traffic analysis script and report by E-mail
# By Andre Almeida 
# Tested in RouterOS 6.45.8
# Created at 04/03/2020
# Please, keep this header if using this script. Thanks
# ------------------- end header ---------------------------------------


#-----------------------------------------------------------------------
#      D E F I N E   H E R E    Y O U R   V A R I A B L E S
#-----------------------------------------------------------------------

# Interface name to monitor
:local intmon "ether1-wan";
# A friendly name to the interface above
:local ifalias "WAN";
# The limit in Mbps for the traffic
:local limittraffic "100";
# The time limit in seconds to consider continuous traffic and report
:local limittime "90";
# Define the interval between reports in minutes
:local reportinterval "10";
# Trigger name created inside /tool traffic-monitor
:local triggers "wan-monitor";
# E-mail where reports will be sent
# please configure correctly your /tool e-mail
# See https://wiki.mikrotik.com/wiki/Manual:Tools/email
:local emailtoreport "test@example.com";


#-----------------------------------------------------------------------
#         S T O P    E D I T I N G    H E R E     
#-----------------------------------------------------------------------

# Disabling the TRIGGER
/tool traffic-monitor set [find name="$triggers"] disabled=yes;
#-----------------------------------------------------------------------
#Traffic analysis script starts now
#-----------------------------------------------------------------------
#Resetting counter
:local counter 0;

:local recbits;
	
#Checking traffic
:set $recbits ([/interface monitor-traffic [find name="$intmon"] as-value once]->"rx-bits-per-second");

:while ($recbits > ($limittraffic * 1000000)) do={

	:while ($counter < $limittime) do={
		# Checking traffic
		:set $recbits ([/interface monitor-traffic [find name="$intmon"] as-value once]->"rx-bits-per-second");
		
		# Checking if traffic is high
		:if ($recbits > ($limittraffic * 1000000)) do={
			:set $counter ( $counter + 1);
			:delay 1s;} else={ 
				:set $counter ($limittime + 10);
			};
	}; #  <--- End of second while condition	
	
	# Rechecking traffic
	:set $recbits ([/interface monitor-traffic [find name="$intmon"] as-value once]->"rx-bits-per-second");
	# Checking counter
	:if ($counter < ($limittime + 10)) do={ 
		# Resetting counter
		:set $counter 0;
		# Send message to e-mail if counter is accomplished
		# DO NOT REPLACE ANYTHING HERE
		# Defining message
		:local who "$[/system identity get name]";
		:local datetime "$[/system clock get date] $[/system clock get time]";
				
		/tool e-mail send to=$emailtoreport subject="Traffic Report by $who" body="\
		******   $who REPORTS   ******\r\n\
		-------------------------------------------------------------------------\r\n\
		Interface $ifalias surpassed \r\n\r\n\
		$limittraffic Mbps by $limittime seconds\r\n\r\n\
		Actual traffic $($recbits / 1000000)Mbps \r\n\
		--------------------------------------------------------------------------\r\n\
		\r\n\r\n\
		Email sent at $datetime"
		
		:log warning "Interface $ifalias surpassed $limittraffic Mbps by $limittime seconds \
		-- Actual traffic is $($recbits / 1000000)Mbps";
		
		:delay ((($reportinterval * 60) - $limittime) . s);
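	} else={
		# Traffic dipped below the limit during the window: reset the counter so that,
		# if the recheck is high again, a new window is measured instead of spinning
		:set $counter 0;
	}; # <--- End of checking counter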

}; #  <--- End of first while condition

# ENABLING TRIGGER AGAIN
/tool traffic-monitor set [find name="$triggers"] disabled=no;

#-----------------------------------------------------------------------
#                      T H E     E N D    
#-----------------------------------------------------------------------
