Hi Vaggelis, Which capturing method are you using, libpcap or NetFlow/IPFIX/sFlow? And also are you looking for a dedicated solution for this or this is going to be yet another activity for an existing pmacct deployment?
Taking the simplest scenario: you're using libpcap, so pmacctd, and want to build something dedicated for this. You can start pmacctd with a pcap filter like 'tcp[tcpflags] == tcp-syn' (either commandline or via the pcap_filter config key); this will filter in only TCP SYN packets, then you can simply aggregate things in the most suitable way for you and count packets out as always.

If the solution is to be shared with existing activities, you can move the filter in a pre_tag_map (using the 'filter' keyword) so as to be able to tag TCP SYN packets; then with a pre_tag_filter you can intercept such tag and route the specific packets to a dedicated plugin for this TCP SYN measurement activity. The tag solution would work similarly for NetFlow/IPFIX/sFlow.

Paolo

On Wed, Oct 18, 2017 at 05:08:53PM +0300, Vaggelis Koutroumpas wrote:
> Hello,
>
> Is it possible to get a per IP total of SYN packets?
>
> I am trying to implement some policies to block SYN packets if they
> exceed a certain threshold (to mitigate SYN Floods), but before doing
> that I want to first log all TCP SYN traffic for some time so that I can
> get some useful stats out of it and choose the proper thresholds to
> avoid false positives.
>
> If anyone has some config snippet that would like to share I would be
> grateful :)
>
> Thank you :)
> _______________________________________________
> pmacct-discussion mailing list
> http://www.pmacct.net/#mailinglists
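As an added illustration of the shared setup Paolo describes above (this is not a configuration from the thread or from the pmacct project), here is a minimal pmacctd configuration in which a pre_tag_map tags pure TCP SYN packets and a pre_tag_filter routes only those to a dedicated print plugin aggregating per source host, while a second plugin keeps doing ordinary accounting. The file paths, the interface name, the tag value 100 and the plugin names 'all' and 'syn' are assumptions; the comment lines show the dedicated-daemon alternative using pcap_filter instead.

```conf
! --- /etc/pmacct/pmacctd.conf (assumed path) ---
daemonize: false
! assumed capture interface
interface: eth0
! tagging rules live in a separate file (assumed path, contents below)
pre_tag_map: /etc/pmacct/pretag.map
plugins: print[all], print[syn]

! plugin 'all': existing accounting, receives every packet
aggregate[all]: src_host, dst_host, proto
print_refresh_time[all]: 300
print_output[all]: csv
print_output_file[all]: /var/log/pmacct/all.csv

! plugin 'syn': receives only packets carrying tag 100,
! counts SYNs per source host every 300 seconds
pre_tag_filter[syn]: 100
aggregate[syn]: src_host
print_refresh_time[syn]: 300
print_output[syn]: csv
print_output_file[syn]: /var/log/pmacct/syn.csv

! Dedicated alternative (single-purpose pmacctd): drop pre_tag_map,
! pre_tag_filter and the 'all' plugin, and instead set
! pcap_filter: tcp[tcpflags] == tcp-syn

! --- /etc/pmacct/pretag.map (assumed path) ---
! '== tcp-syn' matches packets with SYN as the only flag set, so the
! SYN-ACK replies sent by local servers are not counted as attempts
set_tag=100 filter='tcp[tcpflags] == tcp-syn'
```

The packets column of syn.csv, per src_host and per 300 s window, is the baseline distribution from which a threshold can be chosen; comparing it against the per-host totals in all.csv shows how far a candidate threshold sits above normal clients' connection rates, which is what keeps the later blocking policy from producing false positives.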
