On 2020-08-06, Alan McKay <[email protected]> wrote:
> So I want to implement rate limiting, and to determine a reasonable
> rate based on current traffic patterns I'd like to be able to figure
> out which source IPs are generating the most connections and at what
> rate.
>
> Is there a way to do that?

Lots of ways depending on what exactly you want

- "statistics" menu in wireshark

- ntopng is relatively simple to set up for a quick check though it is
a bit unreliable for running long-term (some protocol parsers are not
in great shape and liable to crash)

- netflow - openbsd's built-in implementation pflow(4) works with PF -
and a collector/UI such as nfdump+nfsen (in ports) or elastiflow (not
in ports, haven't tried running it, looks nice though)

- pmacct (in ports, slightly old version as newer ones need a less
ancient libpcap)

- darkstat (in ports)

- probably more in ports

