cololine
Member Candidate
Topic Author
Posts: 106
Joined: Wed May 27, 2009 1:11 am

Need script to start sniffer if CPU load exceeds threshold

Sun Mar 21, 2010 6:44 pm

Hi guys -

The subject says it in a nutshell - I'm looking for a script that will start the sniffer with the current settings that I've configured in Winbox if the system CPU load exceeds a certain value (which can be hard-coded in the script). I guess this script has to be run periodically from the scheduler, so I need that code too - I'd probably want to run it every 15 seconds.

I know nothing of ROS scripting, so I'd be much obliged to any scripting gurus out there who can help. Wishes for this script would include code to check to see if the sniffer is already running before attempting to start it (I'm assuming that not doing so results in a non-fatal error so it's a wish instead of a must-have), and also stopping the sniffer (after checking to see if it's running) if the CPU load is below the stipulated value.

Thanks!

Ed
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Need script to start sniffer if CPU load exceeds thresho

Sun Mar 21, 2010 7:14 pm

I don't think that's a good idea. Adding more load (sniffing, streaming the sniffed data to disk etc.) when there's already a high load could have catastrophic effects.

I think that the better solution is to run traffic flow (corresponds to Cisco's NetFlow) at all times towards a collector near the router, and then to correlate the collected statistics to times when there was high CPU load. Collecting those statistics may also prove valuable in unrelated situations.
 
cololine
Member Candidate
Topic Author
Posts: 106
Joined: Wed May 27, 2009 1:11 am

Re: Need script to start sniffer if CPU load exceeds thresho

Sun Mar 21, 2010 8:03 pm

I completely understand what you are saying, but I do need to capture and analyze some data during a few anomalous traffic instances that seem to be happening from time to time. Running the sniffer all the time generates loads of traffic to my streaming target and puts a lot of load on the CPU.

I'll look into Traffic Flow, but here's the question: I've found that running ROS's sniffer pushes my RB1000 CPU usage from its current typical of 25% to upwards of 75%. The docs pages for both Sniffer and Traffic Flow state that their hardware usage impact is "not significant". I hardly think that a 3-fold increase in CPU loading is insignificant! If Traffic Flow burdens the RB1000 CPU like the sniffer does, then either way I'm screwed if the router gets otherwise busy while running *either* of these tools, right?
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Need script to start sniffer if CPU load exceeds thresho

Sun Mar 21, 2010 8:19 pm

Traffic Flow is to traffic sniffing as a detailed phone bill is to a wire tap. It doesn't show the content of the packets, but it shows the IP endpoints, protocols and ports involved. It's much, much lighter than sniffing traffic.
 
rmichael
Forum Veteran
Posts: 718
Joined: Sun Mar 08, 2009 11:00 pm

Re: Need script to start sniffer if CPU load exceeds thresho

Sun Mar 21, 2010 9:12 pm

I suspect that the bulk of CPU usage stems from writing to flash.
 
changeip
Forum Guru
Posts: 3833
Joined: Fri May 28, 2004 5:22 pm

Re: Need script to start sniffer if CPU load exceeds thresho

Mon Mar 22, 2010 7:00 am

rmichael wrote: "I suspect that the bulk of CPU usage stems from writing to flash."

+1 - use the stream function and it won't tax it much. NAND / flash is really SLOW.
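
A sketch of the scheduler-driven script requested in the first post, added here as an example and not written by any participant in this thread. Because the sniffer raises CPU load by itself (25% to 75% on the RB1000 described above), it stops the capture after a fixed number of runs and then waits before re-arming, rather than stopping when load falls below the threshold. The script name, scheduler name, threshold and tick counts are assumptions, and the syntax assumes a RouterOS version that supports `:typeof` and `:global` variables.

```routeros
# Added example: body of a script saved under the hypothetical name "cpu-sniffer".
# Schedule it every 15 s by entering this once at the terminal:
#   /system scheduler add name=cpu-sniffer-tick interval=15s on-event=cpu-sniffer

# Assumed values, tune per router.
:local startAbove 60
:local maxTicks 8
:local coolTicks 40

# Counters that survive between scheduler runs.
:global snifferTicks
:global snifferCool
:if ([:typeof $snifferTicks] = "nothing") do={ :set snifferTicks 0 }
:if ([:typeof $snifferCool] = "nothing") do={ :set snifferCool 0 }

:local load [/system resource get cpu-load]
:local running [/tool sniffer get running]

:if ($running = true) do={
    # The capture inflates cpu-load, so count runs instead of re-reading load.
    :set snifferTicks ($snifferTicks + 1)
    :if ($snifferTicks >= $maxTicks) do={
        /tool sniffer stop
        :set snifferTicks 0
        :set snifferCool $coolTicks
        :log info "cpu-sniffer: capture stopped, cooling down"
    }
} else={
    :if ($snifferCool > 0) do={
        # Hold off so back-to-back captures cannot pin the CPU.
        :set snifferCool ($snifferCool - 1)
    } else={
        :if ($load > $startAbove) do={
            # Starts with whatever sniffer settings are already configured.
            /tool sniffer start
            :set snifferTicks 0
            :log warning ("cpu-sniffer: load " . $load . "%, capture started")
        }
    }
}
```

With a 15-second interval these values give roughly a two-minute capture followed by a ten-minute pause. A sniffer started by hand is also stopped after `maxTicks` runs while the scheduler entry is enabled.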
