Tips on creating a traffic alert

Hi, im a (happy) user with owrt router for my home for a 10Mb cat5 lan/wan connection.

My ISP time to time starts flooding my wan link with L2 PPOED frames, 20K to 50K 64kb packets per second. They originate (i guess) from a faulty/miss configured ISP box. Its eating up my incoming bandwidth. I notice it manually due to response times just browsing the internet. And then i need to contact ISP support and wait, and it gets fixed and then it happens again after 2-3days. Annoying.. I cant change ISP unfortunately.

So far i have a scheduled task that creates a pcap file that a manually open and check, can it be improved? I run below once hour and just get the pcap file from sub folder in lucy default web, then open it in wireshark on my laptop.

tcpdump -G 5 -W 1 -Q in -i eth0 ether host ff:ff:ff:ff:ff:ff -w /www/data/wan_D%F_T%T_UTC+01:00.pcap

I need a alarm that sense this flooding and notifies me so i can contact ISP support asap. Any ideas?

try a scheduled ping, a curl download or iperf3 or similar via crontab every e.g. 5min and measure the total runtime of the command.

If the unsolicited ISP traffic eats your incoming bandwidth as said, this should be somehow visible as lag spike in the runtime of the scheduled command.
Measuring this time could easily be done on the router.

If time > threshold, trigger the alarm and maybe also grab the tcpdump, to save evidence to a file for later manual check.

Thx, i decided to do a proper logging instead of tcpdump and then automate from that.