Hello,

I'm unsuccessfully trying to feed pmacct with
    pcap_filter:  ip[6:2] & 0x1fff = 0
pmacct daemon answers "Syntax error: not weighted brackets at line 3.
Exiting." and dies.
The same filter works nicely in tcpdump.

As I understand from cfg.c lines 200-210, the syntax checker does not like
":" or square brackets in a value. I may be wrong, as my C knowledge is
worse than my English :(
 
During a DNS DDoS attack there is a huge amount of fragmented orphaned packets;
pmacct throws them in the trash and >75% of traffic is unaccounted. I am trying to
separate fragmented traffic with pcap_filter into another pmacct instance
without ip_proto,src_port,dst_port aggregation and account for it.

Is there any possibility to feed proto[expr:size] to pcap_filter or
maybe you suggest some alternative?

best regards,

Linas

_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
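
The following is an added example, not part of the original post and not pmacct code: it evaluates the filter from the message, `ip[6:2] & 0x1fff = 0`, against constructed IPv4 headers to show which packets it selects. The helper names, the sample addresses and the `ip[6:2] & 0x3fff != 0` variant (the "any fragment" test from the pcap-filter documentation) are assumptions introduced for illustration.

```python
import struct

IP_MF = 0x2000        # "more fragments" flag bit
IP_OFFMASK = 0x1FFF   # 13-bit fragment offset, counted in 8-byte units


def ipv4_header(frag_field, proto=17):
    """Constructed 20-byte IPv4 header; frag_field is the flags/offset word."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0x1234, frag_field,
                       64, proto, 0, bytes([192, 0, 2, 1]),
                       bytes([198, 51, 100, 7]))


def frag_word(hdr):
    """Same bytes the pcap accessor ip[6:2] reads: 2 bytes at offset 6."""
    return struct.unpack_from("!H", hdr, 6)[0]


def matches_offset_zero(hdr):
    """'ip[6:2] & 0x1fff = 0': fragment offset is zero."""
    return (frag_word(hdr) & IP_OFFMASK) == 0


def matches_any_fragment(hdr):
    """'ip[6:2] & 0x3fff != 0': MF set or offset non-zero (DF bit ignored)."""
    return (frag_word(hdr) & (IP_MF | IP_OFFMASK)) != 0


def classify(hdr):
    word = frag_word(hdr)
    if (word & IP_OFFMASK) != 0:
        return "later fragment"    # payload only, no UDP/TCP header or ports
    return "first fragment" if word & IP_MF else "unfragmented"


# Constructed sample values for the flags/offset field.
SAMPLES = {"DF set": 0x4000, "MF, offset 0": 0x2000,
           "MF, offset 185": 0x20B9, "last, offset 370": 0x0172}

if __name__ == "__main__":
    for label, field in SAMPLES.items():
        h = ipv4_header(field)
        print(f"{label:18} {classify(h):15} offset0={matches_offset_zero(h)} "
              f"anyfrag={matches_any_fragment(h)}")
```

The expression from the message matches unfragmented packets and first fragments alike; only later fragments, which carry no port numbers, fail it.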
