Community discussions

MikroTik App
 
rzirzi
Member
Member
Topic Author
Posts: 393
Joined: Mon Oct 09, 2006 2:33 pm

Check PPS and send e-mail

Thu May 03, 2012 6:39 pm

I need script that is checking packets per secont at ether1. And if there is more than 3000 pps from one host, the MT will send e-mail with HOST IP address thet sending/receiving more than 3000 pps. All network is routing, so every IP address is reachable from that MT.
 
User avatar
skot
Long time Member
Long time Member
Posts: 584
Joined: Wed Nov 30, 2011 3:05 am

Re: Check PPS and send e-mail

Mon May 07, 2012 11:30 pm

Apparently the firewall filter dst-limit is still not fixed: http://forum.mikrotik.com/viewtopic.php?f=2&t=17831
Theoretically you should be able to use it to accept connections up to 3000pps, and then create a rule directly after that to add any src-addresses to an address list.

firewall filter rules
/ip firewall filter
add action=accept chain=forward disabled=no dst-limit=3000,0,src-address/1m
add action=add-src-to-address-list address-list=over-3000-pps address-list-timeout=60s chain=forward disabled=no
Create a script that checks the address list for that particular name. If found, send email with all IP addresses:
# address list name
:local alist "over-3000-pps";
# create an array of all address list items with the name above
:local alistArray [ :toarray [ /ip firewall address-list find list=$alist ] ] ;
# get length of the array
:local alistArrayLen [ :len $alistArray ];
# if any items were found, continue
if ( $alistArrayLen > 0 ) do={
	:local ipList "";
# loop through array of items	
	:for i from=0 to=( $alistArrayLen - 1 ) do={
# add the IP address of each item to the ipList variable, followed by new line (\n\r not tested)
		:set ipList ( $ipList . [ /ip firewall address-list get [ :pick $alistArray $i ] address ] . "\n\r" );
	}
# clear the address-list of all the over-3000-pps items		
	/ip firewall address-list remove numbers=[ find list=$alist ];
# send email with the list of IPs		
	/tool e-mail send to=email@domain.com subject="over 3000pps" body="$ipList"
}
Finally, schedule the script to run every X minutes. In the firewall rules above, the timeouts are at 1 minute, so you would want to change them to whatever you want.

But until dst-limit fixed... this won't work :(

Who is online

Users browsing this forum: No registered users and 23 guests