Interesting thought... hum... First off, if you recognize a problem, you can use the Admin | Change Filter option to suppress traffic in real time.
What you're asking for is basically a flag on the host record that says "no more". This would need to be interrogated early in the processing of the packet and I think that's the difficulty. Your local host could be the source or the destination, meaning we have to couple the tests and do them before creating new host records. The best touch point is in processIpPkt() after the lookupHost() calls - say about line 996 in pbuf.c. The problem is that you have already allocated the new host.

Would this work? Check both src and dst host. If either of them has the "no more" flag set, check the other host entry. If there's less than a small # (some threshold) in its packet received counter, free it (call freeHostInfo()) and stop processing the packet. You would spend some effort on the new host, only to throw it away, but it would keep ntop from creating 1000s of host records.

Let's talk about this after 3.0 is out the door.

-----Burton

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of [EMAIL PROTECTED]
> Sent: Friday, February 20, 2004 11:48 AM
> To: [EMAIL PROTECTED]
> Subject: [Ntop] 1 Nachi infected device overloads ntop 3.0pre1
>
> Would it be practicable for ntop to detect devices that qualify as "scanning vast numbers of destinations" to be tagged and throttled? What I am picturing is being able to set a connection count threshold for localnet devices. Ntop should then be able to say: If a localnet device exceeds the threshold the device will no longer track connection information, rather the device will be visibly flagged and a short snapshot of past connections would be displayed. I imagine some type of timer would need to be set (an hour?) that allows ntop to open the flood gates for that host again.
>
> My apologies if I am way off base.
>
> --
> "Given enough time, all legal battles in the tech industry will invoke the DMCA. This generally means that all constructive arguments have ended."
> -NialScorva
>
> _______________________________________________
> Ntop mailing list
> [EMAIL PROTECTED]
> http://listgateway.unipi.it/mailman/listinfo/ntop
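As an added illustration (not ntop code, and not Burton's or the original poster's), here is a stand-alone C model of the mechanism the two messages sketch: a per-host "no more" flag raised once a host has touched a threshold of distinct peers, Burton's check placed in processIpPkt() after the lookupHost() calls that frees a barely-seen other-side record with freeHostInfo() and stops processing, and the hour-long timer from the original post that reopens the flood gates. The function names processIpPkt, lookupHost and freeHostInfo are taken from the thread; their bodies, the struct fields, the thresholds and the sample addresses are all assumptions made for this example.

```c
/* Stand-alone model of the "no more" host flag proposed in the thread.
 * Not ntop code: everything here is constructed for illustration. Only the
 * names processIpPkt/lookupHost/freeHostInfo come from the discussion; their
 * bodies, the fields and the thresholds are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <time.h>

#define SCAN_THRESHOLD    20    /* distinct peers before a host gets the flag (assumed)  */
#define MIN_PKTS_TO_KEEP  3     /* Burton's "small #": other side below this is dropped   */
#define FLAG_TTL_SECONDS  3600  /* the "an hour?" timer from the original post            */

typedef struct HostInfo {
    uint32_t addr;
    uint32_t pktRcvd;               /* packets seen for this host            */
    uint32_t distinctPeers;         /* crude scan metric                      */
    uint32_t peers[SCAN_THRESHOLD]; /* peers remembered so far (fixed cap)    */
    int      noMore;                /* the "no more" flag                     */
    time_t   flaggedAt;
    struct HostInfo *next;
} HostInfo;

static HostInfo *hostTable = NULL;
static int hostCount = 0;

static HostInfo *findHost(uint32_t addr) {
    for (HostInfo *h = hostTable; h; h = h->next)
        if (h->addr == addr) return h;
    return NULL;
}

/* Find or allocate a host record: the allocation Burton notes has already
 * happened by the time the check can run. */
static HostInfo *lookupHost(uint32_t addr) {
    HostInfo *h = findHost(addr);
    if (h) return h;
    h = calloc(1, sizeof *h);
    if (!h) return NULL;
    h->addr = addr;
    h->next = hostTable;
    hostTable = h;
    hostCount++;
    return h;
}

static void freeHostInfo(HostInfo *h) {
    for (HostInfo **pp = &hostTable; *pp; pp = &(*pp)->next)
        if (*pp == h) { *pp = h->next; hostCount--; free(h); return; }
}

/* Clear an expired flag ("open the flood gates") and report whether it is active. */
static int noMoreActive(HostInfo *h, time_t now) {
    if (h->noMore && now - h->flaggedAt >= FLAG_TTL_SECONDS) {
        h->noMore = 0;
        h->distinctPeers = 0;
    }
    return h->noMore;
}

/* Count distinct peers; once the threshold is reached, raise the flag. */
static void notePeer(HostInfo *h, uint32_t peer, time_t now) {
    if (h->noMore) return;
    for (uint32_t i = 0; i < h->distinctPeers; i++)
        if (h->peers[i] == peer) return;
    if (h->distinctPeers < SCAN_THRESHOLD) h->peers[h->distinctPeers] = peer;
    h->distinctPeers++;
    if (h->distinctPeers >= SCAN_THRESHOLD) { h->noMore = 1; h->flaggedAt = now; }
}

/* Returns 1 if the packet was processed, 0 if the rule discarded it. */
static int processIpPkt(uint32_t src, uint32_t dst, time_t now) {
    HostInfo *s = lookupHost(src);
    HostInfo *d = lookupHost(dst);
    if (!s || !d) return 0;
    int sFlag = noMoreActive(s, now), dFlag = noMoreActive(d, now);
    /* Burton's check: a flagged side plus a barely-seen other side means the
     * other side's fresh record is thrown away and processing stops here. */
    if (sFlag && d->pktRcvd < MIN_PKTS_TO_KEEP) { freeHostInfo(d); return 0; }
    if (dFlag && s->pktRcvd < MIN_PKTS_TO_KEEP) { freeHostInfo(s); return 0; }
    s->pktRcvd++;
    d->pktRcvd++;
    notePeer(s, dst, now);
    notePeer(d, src, now);
    return 1;
}

static void resetTable(void) { while (hostTable) freeHostInfo(hostTable); }

#define SCANNER 0x0A000005u   /* constructed sample local host: 10.0.0.5 */
#define BASE_TS 1000000       /* constructed timestamp                    */

/* One local host probes nProbes distinct addresses once each (constructed
 * 192.168.0.x targets). Returns the number of host records left behind. */
static int simulateScan(int nProbes) {
    resetTable();
    for (int i = 0; i < nProbes; i++)
        processIpPkt(SCANNER, 0xC0A80000u + (uint32_t)i, BASE_TS);
    return hostCount;
}

static int scannerFlagged(void) {
    HostInfo *h = findHost(SCANNER);
    return h ? h->noMore : -1;
}

/* Run a scan, then send one more probe `delay` seconds later; returns 1 if it
 * was processed (flag expired) or 0 if dropped (flag still active). */
static int probeAfter(int nProbes, int delay) {
    simulateScan(nProbes);
    return processIpPkt(SCANNER, 0xC0A80100u, BASE_TS + delay);
}

int main(void) {
    printf("hosts after 100 probes: %d (scanner flagged=%d)\n", simulateScan(100), scannerFlagged());
    printf("probe 60s later processed: %d\n", probeAfter(100, 60));
    printf("probe 1h later processed: %d\n", probeAfter(100, 3600));
    return 0;
}
```

With the assumed thresholds, a host that sweeps 100 addresses leaves 21 records (itself plus the first 20 targets) instead of 101, which is the "keep ntop from creating 1000s of host records" effect; the cost is the throwaway allocation for every dropped packet, exactly the trade-off Burton describes.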
