How to monitor global internet traffic and its source? need help (2024)

Hi folks,

If it somehow possible in mikrotik router itself, or using some syslog server, how to get GEO IP Location information and traffic requested from various countries based on the ip address, and show this information?

We have connected several windows web servers to mikrotik router. This router has WAN interface which obviously connects to local as well as to global networks. In our case the global traffic is limited, and because of this our global clients experience connectivity issues. So we need to investigate the global link.

Any help is appreciated!!

Lev

No you cannot do this on Mikrotik itself. You need to look at something like a Netflow collector or Splunk setup.
Depending on your level of expertise this might be pretty simple to setup or very hard...

There is very nice Splunk-app developed by forum user complete with all install-instructions etc.

viewtopic.php?t=179960

Countries dont contol traffic. Illegal hacking bots do........ and they can be from anywhere, or more to the point, its logical to assume that bots are no colocated with the those hacking and even if state sponsered hacking, likely they dont attempt to draw attention to themselves.

Much better to setup Zerotrust cloudflare in an options package........ BUT only if that existed.

@zx128k, you might also use the CALEA package for data collection. There are plenty of analysis tools available for that. There's also a built-in packet sniffer that while somewhat limited compared to CALEA is still pretty useful.

https://wiki.mikrotik.com/wiki/CALEA

EDIT:
@Jotne's Splunk solution is great and can easily be extended with geographical locations based on ASN data.

We have connected several windows web servers to mikrotik router. This router has WAN interface which obviously connects to local as well as to global networks. In our case the global traffic is limited, and because of this our global clients experience connectivity issues. So we need to investigate the global link.

What do you mean ? It does not make sense this statement.
Why is "your global traffic limited" ? Who limits this traffic ?
And why do your global-clients experience connectivity issues ? This is something you need to take up with your ISP for sure.

You need to ask your customers for a TRACEROUTE towards the public IP/dns-name of your webserver in orde to make connectivity issues visible.
alternatively you can use some BGP-looking glasses around the world to check how "the world" perceives your IP-address/subnet

Why is "your global traffic limited" ? Who limits this traffic ?

This is not a concept we know here or in Belgium, but in some parts of the world an ISP limits the amount (or bandwidth) of traffic that is going outside the local area.
So you could e.g. have "unlimited" traffic to the own country and maybe some in the local area, and "max 10GB/month" or "max 1MBps" traffic to other countries.
When you have that, you might want to know which traffic is going outside your area to see if you will hit that limit.

Why is "your global traffic limited" ? Who limits this traffic ?

This is not a concept we know here or in Belgium, but in some parts of the world an ISP limits the amount (or bandwidth) of traffic that is going outside the local area.
So you could e.g. have "unlimited" traffic to the own country and maybe some in the local area, and "max 10GB/month" or "max 1MBps" traffic to other countries.
When you have that, you might want to know which traffic is going outside your area to see if you will hit that limit.

OK I see, yes we are taking our high quality, high speed Internet services here for granted
For the TS , if you are a bit into Linux it is not difficult to run the set of "pmacct" tools.
Also possible to have it on "Docker"

https://github.com/pmacct/pmacct

or the old website (will complain about the ssl-cert)

http://www.pmacct.net/

You can configure it to use the Maxmind GEO IP database to have some information on that.

There is also another resource, https://github.com/ipverse/rir-ip/tree/master . Depending on the number of IP prefixes assigned to your country, the files may or may not fit into the variable size limit, which is 64 kBytes for RouterOS. If they do, you can load those files e.g. daily, parse the loaded data and use them to update an address list with a 24h timeout. So rows that have dropped out from the file since the last download will drop out from the address list automatically as they time out. The prefixes are aggregated, so you would have to test what happens if the newly added prefix is a subset/superset of an existing one and eventually handle such conflicts. Addresses that are not on the address list are international.

If the file for your country exceeds the 64 kB limit, you can still use it to create an address list, but you'll need an external resource to download and process the file.