Traffic Monitor in RouterOS: A Complete Guide

Traffic Monitor in RouterOS: A Complete Guide

RouterOS Version: 7.x+ Difficulty: Intermediate Estimated Time: 20 minutes

Overview

Traffic Monitor executes scripts when interface traffic crosses defined thresholds. It monitors bandwidth in bits per second and triggers script execution when traffic goes above, below, or crosses in either direction.

Common use cases:

• Automatic failover - Enable backup interface when primary traffic drops
• Bandwidth alerting - Send notifications when traffic exceeds limits
• Dynamic QoS - Enable/disable queues based on traffic levels
• Load balancing triggers - Adjust routing based on utilization

Key limitation: Traffic Monitor has a minimum effective threshold around 1Mbps in some RouterOS versions. For monitoring lower bandwidth, use scheduler-based scripts with /interface monitor-traffic.

Menu Reference

Menu	Purpose
/tool traffic-monitor	Traffic monitor configuration

Configuration Properties

Property	Type	Default	Description
name	string	-	Unique identifier for this monitor
interface	interface	-	Interface to monitor (required)
traffic	received/transmitted	received	Direction to monitor
threshold	integer	-	Bandwidth threshold in bits per second
trigger	above/below/always	above	When to execute script
on-event	script name	-	Script from /system script to run
disabled	yes/no	no	Enable/disable monitor
comment	string	-	Descriptive comment

Trigger Types Explained

Trigger	Fires When	Use Case
above	Traffic exceeds threshold (transition up)	Alert on high bandwidth
below	Traffic drops under threshold (transition down)	Detect interface failure
always	Both transitions	Single script handles both states

Important: Triggers fire on state transition, not continuously. If traffic stays above threshold, the script runs once when it crosses, not repeatedly.

Configuration Examples

Example 1: Basic Bandwidth Alert

Send log message when interface exceeds 100Mbps:

# Create alert script
/system script add name=bandwidth-alert policy=read,write,test source={
    :log warning "High bandwidth detected on WAN interface"
}

# Create traffic monitor
/tool traffic-monitor add name=wan-high-traffic interface=ether1-wan \
    traffic=received threshold=100000000 trigger=above on-event=bandwidth-alert

# Verify
/tool traffic-monitor print

Example 2: Automatic Interface Failover

Enable backup when primary traffic drops (indicating failure):

# Script to enable backup
/system script add name=enable-backup policy=read,write source={
    /interface enable ether2-backup
    :log warning "Primary WAN down - enabled backup"
}

# Script to disable backup
/system script add name=disable-backup policy=read,write source={
    /interface disable ether2-backup
    :log info "Primary WAN up - disabled backup"
}

# Monitor for primary down (traffic below threshold)
/tool traffic-monitor add name=primary-down interface=ether1-wan \
    traffic=received threshold=10000 trigger=below on-event=enable-backup

# Monitor for primary up (traffic above threshold)
/tool traffic-monitor add name=primary-up interface=ether1-wan \
    traffic=received threshold=10000 trigger=above on-event=disable-backup

Example 3: Dynamic Queue Control

Enable QoS queues when traffic is high:

# Script to enable QoS
/system script add name=enable-qos policy=read,write source={
    /queue simple enable [find comment="QoS-managed"]
    :log info "High traffic - QoS enabled"
}

# Script to disable QoS
/system script add name=disable-qos policy=read,write source={
    /queue simple disable [find comment="QoS-managed"]
    :log info "Normal traffic - QoS disabled"
}

# Use different thresholds for hysteresis
/tool traffic-monitor add name=enable-throttle interface=ether1-wan \
    traffic=received threshold=80000000 trigger=above on-event=enable-qos

/tool traffic-monitor add name=disable-throttle interface=ether1-wan \
    traffic=received threshold=70000000 trigger=below on-event=disable-qos

Note: Using different thresholds (80M/70M) creates hysteresis to prevent rapid on/off cycling.

Example 4: Email Notification with Rate Limiting

Prevent alert spam with cooldown:

/system script add name=notify-high-traffic policy=read,write,test source={
    :global lastTrafficAlert
    :local currentTime [/system clock get time]
    :local cooldown 3600

    # Convert time to seconds for comparison
    :local currentSecs ([:pick $currentTime 0 2] * 3600 + [:pick $currentTime 3 5] * 60)

    :if (($lastTrafficAlert = nil) || (($currentSecs - $lastTrafficAlert) > $cooldown)) do={
        :log warning "Traffic threshold exceeded"
        /tool e-mail send to="[email protected]" subject="[ALERT] High bandwidth" \
            body="Traffic threshold exceeded on WAN interface"
        :set lastTrafficAlert $currentSecs
    }
}

/tool traffic-monitor add name=notify-bandwidth interface=ether1-wan \
    traffic=received threshold=90000000 trigger=above on-event=notify-high-traffic

Example 5: Monitor Both Directions

/tool traffic-monitor add name=rx-high interface=ether1 \
    traffic=received threshold=100000000 trigger=above on-event=rx-alert

/tool traffic-monitor add name=tx-high interface=ether1 \
    traffic=transmitted threshold=50000000 trigger=above on-event=tx-alert

Example 6: Using “always” Trigger

Handle both states in one script:

/system script add name=traffic-state-change policy=read,write source={
    # Script runs on both above and below transitions
    # Check current traffic to determine state
    :local stats [/interface monitor-traffic ether1 once as-value]
    :local rxBps ($stats->"rx-bits-per-second")

    :if ($rxBps > 50000000) do={
        :log info "Traffic is HIGH"
    } else={
        :log info "Traffic is NORMAL"
    }
}

/tool traffic-monitor add name=traffic-change interface=ether1 \
    traffic=received threshold=50000000 trigger=always on-event=traffic-state-change

Common Problems and Solutions

Problem 1: Script Not Executing

Causes:

• Script doesn’t exist in /system script
• Script name doesn’t match on-event

Solution:

# Verify script exists
/system script print where name=my-script

# Ensure on-event matches exactly
/tool traffic-monitor print

Problem 2: Minimum Threshold Limitation

Symptom: Monitor triggers at 1Mbps even when threshold set lower.

Cause: Some RouterOS versions have minimum threshold around 1Mbps.

Workaround: Use scheduler-based monitoring for low bandwidth:

/system scheduler add name=check-traffic interval=30s on-event={
    :local stats [/interface monitor-traffic ether1 once as-value]
    :local rxBps ($stats->"rx-bits-per-second")
    :if ($rxBps < 100000) do={
        :log warning "Traffic very low: $rxBps bps"
    }
}

Problem 3: Alert Flooding

Symptom: Thousands of alerts when traffic oscillates around threshold.

Causes:

• Traffic fluctuating near threshold
• No cooldown in script

Solutions:

1. Implement cooldown in script using global variables
2. Use hysteresis with different above/below thresholds
3. Require sustained condition - check again after delay

Problem 4: Traffic Peaks Causing False Alerts

Cause: Brief spikes cross threshold momentarily.

Solution: Script should verify sustained condition:

/system script add name=verify-high-traffic policy=read,write source={
    :delay 10s
    :local stats [/interface monitor-traffic ether1 once as-value]
    :local rxBps ($stats->"rx-bits-per-second")
    :if ($rxBps > 90000000) do={
        :log warning "Sustained high traffic confirmed"
    }
}

Problem 5: Monitor Not Working on x86/CHR

Cause: Possible platform-specific issue.

Solution: Use scheduler-based alternative:

/system scheduler add name=monitor-traffic interval=30s on-event={
    :local stats [/interface monitor-traffic ether1 once as-value]
    :local rxBps ($stats->"rx-bits-per-second")
    :if ($rxBps > 100000000) do={
        # Your action here
    }
}

Problem 6: Trigger Fires Only Once

Symptom: Script runs once when threshold crossed, not continuously.

Cause: This is correct behavior - triggers fire on state transition.

If you need continuous action: Use scheduler instead:

/system scheduler add name=continuous-check interval=1m on-event={
    :local stats [/interface monitor-traffic ether1 once as-value]
    :if (($stats->"rx-bits-per-second") > 100000000) do={
        # Action while traffic is high
    }
}

Hysteresis Pattern

Prevent rapid on/off cycling with different thresholds:

Traffic Level
     │
100% ─┼─────────────────────────────────
     │                    ┌──── Enable threshold (80%)
 80% ─┼────────────────────┼────────────
     │                    │
 70% ─┼────────────────────┼──── Disable threshold (70%)
     │                    │
     │    ┌───────────────┘
     │    │ Gap prevents oscillation
     └────┴─────────────────────────────▶ Time

# Enable at 80Mbps
/tool traffic-monitor add name=enable interface=ether1 \
    threshold=80000000 trigger=above on-event=enable-action

# Disable at 70Mbps (lower threshold)
/tool traffic-monitor add name=disable interface=ether1 \
    threshold=70000000 trigger=below on-event=disable-action

Alternative: Scheduler-Based Monitoring

For more flexibility, use scheduler with /interface monitor-traffic:

/system scheduler add name=bandwidth-monitor interval=30s on-event={
    :local stats [/interface monitor-traffic ether1 once as-value]
    :local rxBps ($stats->"rx-bits-per-second")
    :local txBps ($stats->"tx-bits-per-second")

    # Check receive
    :if ($rxBps > 100000000) do={
        :log warning "RX exceeds 100Mbps: $rxBps"
    }

    # Check transmit
    :if ($txBps > 50000000) do={
        :log warning "TX exceeds 50Mbps: $txBps"
    }
}

Advantages:

• Works at any threshold
• Can check multiple conditions
• Can implement averaging
• Platform independent

Verification Commands

# List all traffic monitors
/tool traffic-monitor print

# Check specific monitor
/tool traffic-monitor print where name=wan-high-traffic

# Verify script exists
/system script print where name=my-script

# Test script manually
/system script run my-script

# Check current interface traffic
/interface monitor-traffic ether1 once

# Check logs for script execution
/log print where topics~"script"

Related Features

• Netwatch (/tool netwatch) - Monitor host reachability
• Scheduler (/system scheduler) - Time-based script execution
• Graphing (/tool graphing) - Visual traffic monitoring
• Interface Monitor (/interface monitor-traffic) - Real-time stats
• Scripts (/system script) - Script storage

Summary

Traffic Monitor triggers scripts when interface bandwidth crosses thresholds:

1. Create script in /system script
2. Add traffic-monitor with interface, threshold, trigger, on-event
3. Use hysteresis with different above/below thresholds
4. Implement cooldown in scripts to prevent flooding

Key points:

• Triggers fire on state transition, not continuously
• Minimum threshold may be ~1Mbps in some versions
• Use different thresholds for above/below to prevent oscillation
• For low bandwidth or complex logic, use scheduler-based monitoring
• Always rate-limit notification scripts

Related Topics

Monitoring

• Netwatch - monitor host reachability
• Graphing - visual traffic monitoring
• Torch - real-time interface traffic analysis

Automation

• Scheduler - time-based script execution
• Scripts - script storage and management
• Email Tool - send traffic alerts

Bandwidth Management

• Simple Queues - bandwidth limiting
• Queue Tree - advanced QoS