Network monitor - Track your network devices. IoT devices send large amounts of data outside? Connect to servers in unexpected countries?

I have too many devices connected to my network and while most are in an isolated vlan I was still interested in detecting unexpected behavior. Now, there are many tools that analyze packets of data and can provide what I wanted. However, most are pretty complex to configure, require some other box for analysis, DB or whatever. Mostly they are not really designed for a home user.
I wanted something really simple. Just one package to install on my OpenWrt box that will track and notify me straight to my phone.
The closest service I could find that does something in that direction is nlbwmon by @jow. However it only monitors bandwidth and I wanted more data. So I slowly added the functionality I was missing on top of the nlbwmon code base. I'm not an OpenWrt dev and can't really spend much time on this but it works well enough for me and may interest others to try or further expand and improve on it.
So what does it do?

  • It uses the ipinfo.io API to get information about external IP addresses - country, ASN. While this may be a privacy issue for some, I have found the ipinfo.io data to be pretty accurate and useful
  • It listens on ubus for DNS resolve responses from dnsmasq and ties domain information to IP addresses
  • It also listens on ubus for DHCP ack messages from dnsmasq to keep a list of devices
  • It serves a Telegram bot that communicates with a Telegram client on a phone to send notifications and receive some commands
  • It can report IP addresses to abuseipdb.com if you choose to

Currently there are four types of notifications:

  1. A device sends significant amounts of data outbound.
  2. A device connects to an unexpected country (list of countries to notify should be stated in the configuration).
  3. An inbound connection has passed through the firewall. This can be to a service that runs on the router itself or to any client on your LAN if your firewall redirected it there.
  4. A new device connected to the network.

Each notification is shown once as long as it is connected to the same client, and goes to the same country and same ASN.

An example of an outbound notification:


Clicking on Mute allows you to define a rule to avoid getting notifications, for example mute notifications about any connection from my Doorbell to Google (using the ASN).

The service does not require much CPU but does require around 5MB of RAM and some more depending on your network size. So it should be able to run on most modern boxes.
I have only compiled and run it on my x86_64 OpenWrt.

If you want to try it you need to add to the config file:

  • Create an ipinfo.io token
  • Create a Telegram bot and add its token
  • If you want to report IPs, create an abuseipdb.com account and ask to be approved for reporting. Only then add the token to the config file.

Once you start the service, send a message to your bot and it should immediately respond that it's ready. It will set a chat_id number in the config file which identifies your Telegram client. Keep it there.

PRIVACY - please note that the service will send all external addresses to ipinfo.io to get information about them, so only use it if you are comfortable with that. Also, once a notification is sent, a preview from abuseipdb.com is shown, which means that the IP address is sent to them as well (only IP addresses for which you were notified about unexpected behavior). And finally it uses Telegram, so all the notification information is sent through their network.

This is not just a bandwidth monitor and it takes a very different philosophy from @jow's nlbwmon so it should have a different name. But for now I just relied on nlbwmon's code, config file and package makefile, so it carries the same name. Sorry about that.

Note you can't run both nlbwmon and this service together. This service will use separate DB files so it should not overwrite anything. You can run the regular luci-nlbwmon with this service but none of the additional information will be shown there.

The package can be installed from here:

The actual code is here:

6 Likes
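
The notification rules described in the post above (significant outbound volume, unexpected country, one notification per client/country/ASN, mute by ASN), sketched as an added example; this is not the project's code. The record fields, the threshold, the placeholder country codes and the documentation-range ASNs are all assumptions.

```python
from dataclasses import dataclass

# Constructed values: placeholder country codes, documentation-range ASNs.
MIB = 1024 ** 2
NOTIFY_COUNTRIES = {"XA"}        # assumed "countries to notify" setting
OUTBOUND_LIMIT = 50 * MIB        # assumed threshold for "significant" data

@dataclass(frozen=True)
class Flow:
    client: str    # device name (from the DHCP-derived device list)
    country: str   # country code from the IP lookup
    asn: int       # ASN from the IP lookup
    tx_bytes: int  # outbound bytes in this accounting interval

class Notifier:
    def __init__(self, notify_countries, limit):
        self.notify_countries, self.limit = notify_countries, limit
        self.seen = set()    # (kind, client, country, asn) already notified
        self.muted = set()   # (client, asn) pairs muted by the user

    def mute(self, client, asn):
        self.muted.add((client, asn))

    def evaluate(self, flow):
        """Return the notification kinds that should fire for this flow."""
        if (flow.client, flow.asn) in self.muted:
            return []
        kinds = []
        if flow.tx_bytes >= self.limit:
            kinds.append("outbound-volume")
        if flow.country in self.notify_countries:
            kinds.append("unexpected-country")
        # Notify once per client/country/ASN for each kind of notification.
        fresh = [k for k in kinds
                 if (k, flow.client, flow.country, flow.asn) not in self.seen]
        self.seen.update((k, flow.client, flow.country, flow.asn) for k in fresh)
        return fresh

SAMPLE_FLOWS = [                               # constructed sample data
    Flow("doorbell", "XB", 64500, 80 * MIB),
    Flow("doorbell", "XB", 64500, 90 * MIB),   # same triple: suppressed
    Flow("camera", "XA", 64501, 1024),
    Flow("camera", "XA", 64502, 1024),         # new ASN: notified again
    Flow("tv", "XA", 64503, 100 * MIB),        # muted in demo(): silent
]

def demo():
    n = Notifier(NOTIFY_COUNTRIES, OUTBOUND_LIMIT)
    n.mute("tv", 64503)
    return [(f.client, f.asn, k) for f in SAMPLE_FLOWS for k in n.evaluate(f)]
```

Keying the mute rule on (client, ASN) rather than on a destination IP keeps one rule valid when the provider rotates addresses, at the cost of silencing every destination inside that ASN for that device.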

I've been looking for something like this... thank you for creating it. I wish I knew how to code.

Any way to get the data saved to a local file on the router instead of Telegram?

The data is not saved in Telegram. Built on the basis of nlbwmon, all the data is stored in a local internal DB. You can set it to a USB path.
And using the nlbw command line you can extract all the data in CSV format, and that will include the country codes and ASN numbers.
You can find the different parameters in the config file.

It should also be easy to add an interactive world map showing all the clients and the locations of their connections.

1 Like

Would it be possible to also track download?

I'd like to track all download / upload requests and how much data each request sent, and your project looks very promising <3

I think you're better off using the original nlbwmon package. It tracks bandwidth usage for each client in your LAN.

My code changes are for real time push notifications about unexpected behavior of clients along with gathering more data such as country and ASN.

Does your code also do downloads?
I guess my overall objective is to monitor upload and download traffic via the overall requests made. So your app looks cool as it can count all the connections (in your example 15 conns used 78 mb). I don't think I've seen an app for OpenWrt that can do this.

I was looking for a project that could do this for all connections up and down. :+1: