Hi Vaggelis,

Which capturing method are you using, libpcap or NetFlow/IPFIX/sFlow?
And also are you looking for a dedicated solution for this or this is
going to be yet another activity for an existing pmacct deployment?

Taking the simplest scenario: you using libpcap, so pmacctd, and want
to build something dedicated for this. You can start pmacctd with a
pcap filter like 'tcp[tcpflags] == tcp-syn' (either commandline or via
the pcap_filter config key); this will filter in only TCP SYN packets
then you can simply aggregate things in the most suitable way for you
and count packets out as always. If the solution is to be shared with
existing activities, you can move the filter in a pre_tag_map (using
the 'filter' keyword) so to be able to tag TCP SYN packets; then with a
pre_tag_filter you can intercept such tag and route the specific packets
to a dedicted plugin for this TCP SYN measurement activity. The tag
solution would work similarly for NetFlow/IPFIX/sFlow.


On Wed, Oct 18, 2017 at 05:08:53PM +0300, Vaggelis Koutroumpas wrote:
> Hello,
> Is it possible to get a per IP total of SYN packets?
> I am trying to implement some policies to block SYN packets if they
> exceed a certain threshold (to mitigate SYN Floods), but before doing
> that I want to first log all TCP SYN traffic for some time so that I can
> get some useful stats out of it and choose the proper thresholds to
> avoid false positives.
> If anyone has some config snippet that would like to share I would be
> grateful :)
> Thank you :)

> _______________________________________________
> pmacct-discussion mailing list
> http://www.pmacct.net/#mailinglists

pmacct-discussion mailing list

Reply via email to