Hi Paolo,

It worked! Perfect! Now I have 2 times more instances - half of them for unfragmented traffic with Layer4 details (protocols, ports, "pcap_filter[default]: ip[6:2] & 0x1fff = 0"), another half for fragmented (pcap_filter[default]: ip[6:2] & 0x1fff != 0) with only Layer3 aggregation. The next step of aggregation is done in MariaDB. Thanks!

best regards,
Linas

2015.05.14 01:59, Paolo Lucente wrote:
> Hi Linas,
>
> As a workaround, can you try if the following works for you?
>
> pcap_filter[default]: ip[6:2] & 0x1fff = 0
>
> I see it is swallowed fine (apart a minor log that tells you the filter
> is globalized - which is no harm). Let me know.
>
> Cheers,
> Paolo
>
> On Tue, May 12, 2015 at 03:58:03PM +0300, Linas Lesauskas wrote:
>> Hello,
>>
>> I'm unsuccessfully trying to feed pmacct with
>> pcap_filter: ip[6:2] & 0x1fff = 0
>> pmacct daemon answers "Syntax error: not weighted brackets at line 3.
>> Exiting." and dies.
>> The same filter on tcpdump works nice.
>>
>> As I understand from cfg.c lines 200-210, syntax checker does not like
>> ":" or square brackets in value. I can be wrong, as my C knowledge is
>> worse than my English :(
>>
>> On DNS DDOS attack there is huge amount of fragmented orphaned packets,
>> pmacct throws them to trash and >75% traffic is unaccounted. I try to
>> separate fragmented traffic with pcap_filter to another pmacct instance
>> without ip_proto,src_port,dst_port aggregation and account.
>>
>> Is there any possibility to feed proto[expr:size] to pcap_filter or
>> maybe you suggest some alternative?
>>
>> best regards,
>>
>> Linas
>>
>> _______________________________________________
>> pmacct-discussion mailing list
>> http://www.pmacct.net/#mailinglists
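Added example, not part of the original messages and not pmacct code: a Python sketch of what the two filters in this thread test. It reads `ip[6:2]`, masks the 13-bit fragment offset with `0x1fff`, and shows that ports are readable only at offset 0, so a first fragment (MF set, offset 0) also matches the `= 0` filter. The function names, instance labels and sample packets are constructed for illustration.

```python
import struct

def build_ipv4(proto, frag_field, payload):
    """Constructed test data: 20-byte IPv4 header (checksum left 0) plus payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                       frag_field, 64, proto, 0,
                       bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])) + payload

def classify(pkt):
    """Apply the thread's test: ip[6:2] & 0x1fff = 0 -> L4 instance, != 0 -> L3-only."""
    ihl = (pkt[0] & 0x0F) * 4                       # header length in bytes
    frag_field = struct.unpack_from("!H", pkt, 6)[0]  # ip[6:2]: flags + offset
    offset = frag_field & 0x1FFF                    # fragment offset, 8-byte units
    info = {
        "instance": "l4" if offset == 0 else "l3_only",  # hypothetical labels
        "mf": bool(frag_field & 0x2000),            # More Fragments flag
        "frag_offset_bytes": offset * 8,
        "proto": pkt[9],
        "src_port": None,
        "dst_port": None,
    }
    # Only a packet starting at offset 0 begins with the TCP/UDP header.
    if offset == 0 and info["proto"] in (6, 17) and len(pkt) >= ihl + 4:
        info["src_port"], info["dst_port"] = struct.unpack_from("!HH", pkt, ihl)
    return info

# Constructed samples: a UDP header (src port 53) followed by filler bytes.
UDP_HDR = struct.pack("!HHHH", 53, 40000, 8 + 32, 0)
SAMPLES = {
    "unfragmented":    build_ipv4(17, 0x4000, UDP_HDR + b"\x00" * 32),  # DF set
    "first_fragment":  build_ipv4(17, 0x2000, UDP_HDR + b"\x00" * 32),  # MF, offset 0
    "middle_fragment": build_ipv4(17, 0x2000 | 185, b"\xaa" * 40),      # MF, offset 1480
    "last_fragment":   build_ipv4(17, 370, b"\xbb" * 40),               # offset 2960
}

def classify_all():
    return {name: classify(pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, info in classify_all().items():
        print(name, info)
```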
