Hello Paolo,

Thanks for your reply.

I actually figured it out a little after I posted this! I used libpcap with pmacctd on a capture box already doing packet capture for FastNetMon among other things. It worked like a charm :)

Thanks!

On 22/10/2017 3:44 PM, Paolo Lucente wrote:
> Hi Vaggelis,
>
> Which capturing method are you using, libpcap or NetFlow/IPFIX/sFlow?
> And also are you looking for a dedicated solution for this or this is
> going to be yet another activity for an existing pmacct deployment?
>
> Taking the simplest scenario: you using libpcap, so pmacctd, and want
> to build something dedicated for this. You can start pmacctd with a
> pcap filter like 'tcp[tcpflags] == tcp-syn' (either commandline or via
> the pcap_filter config key); this will filter in only TCP SYN packets
> then you can simply aggregate things in the most suitable way for you
> and count packets out as always. If the solution is to be shared with
> existing activities, you can move the filter in a pre_tag_map (using
> the 'filter' keyword) so to be able to tag TCP SYN packets; then with a
> pre_tag_filter you can intercept such tag and route the specific packets
> to a dedicated plugin for this TCP SYN measurement activity. The tag
> solution would work similarly for NetFlow/IPFIX/sFlow.
>
> Paolo
>
> On Wed, Oct 18, 2017 at 05:08:53PM +0300, Vaggelis Koutroumpas wrote:
>> Hello,
>>
>> Is it possible to get a per IP total of SYN packets?
>>
>> I am trying to implement some policies to block SYN packets if they
>> exceed a certain threshold (to mitigate SYN Floods), but before doing
>> that I want to first log all TCP SYN traffic for some time so that I can
>> get some useful stats out of it and choose the proper thresholds to
>> avoid false positives.
>>
>> If anyone has some config snippet that would like to share I would be
>> grateful :)
>>
>> Thank you :)
>> _______________________________________________
>> pmacct-discussion mailing list
>> http://www.pmacct.net/#mailinglists
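
The two setups described in the reply above, written out as pmacctd configuration. This is an added example, not part of the original thread and not taken from the pmacct project; the interface name, file paths, the plugin name `syn`, the tag value 1, the `src_host` aggregation and the 60-second refresh are assumptions to adapt.

```conf
! ---------------------------------------------------------------
! Variant A: dedicated pmacctd instance (e.g. pmacctd-syn.conf)
! ---------------------------------------------------------------
! Capture interface: placeholder, use the capture box's own NIC.
pcap_interface: eth0
! Filter from the thread: only packets whose flag byte is exactly SYN
! reach the aggregator, so SYN-ACKs and established traffic are dropped.
pcap_filter: tcp[tcpflags] == tcp-syn
plugins: print[syn]
! One row per source IP; use dst_host to count per targeted IP instead.
aggregate[syn]: src_host
! Write the per-IP packet counters once a minute, one CSV file per
! interval, so the history can be used to pick a threshold.
print_refresh_time[syn]: 60
print_output[syn]: csv
print_output_file[syn]: /var/log/pmacct/syn-%Y%m%d-%H%M.csv

! ---------------------------------------------------------------
! Variant B: additions to an existing, shared pmacctd.conf
! ---------------------------------------------------------------
! No global pcap_filter here: the other plugins still need all traffic.
pre_tag_map: /etc/pmacct/pretag.map
! Append print[syn] to the plugin list already configured.
plugins: print[syn]
! Only packets carrying tag 1 are delivered to the 'syn' plugin.
pre_tag_filter[syn]: 1
aggregate[syn]: src_host
print_refresh_time[syn]: 60
print_output[syn]: csv
print_output_file[syn]: /var/log/pmacct/syn-%Y%m%d-%H%M.csv

! ---------------------------------------------------------------
! Contents of /etc/pmacct/pretag.map for Variant B
! ---------------------------------------------------------------
! Tag every bare TCP SYN with 1 using the same libpcap expression.
set_tag=1 filter='tcp[tcpflags] == tcp-syn'
```

Because `tcp[tcpflags]` covers the whole flag byte, the `== tcp-syn` comparison does not match SYNs that also carry the ECN bits (ECE/CWR), so those are left out of the totals. If they should be counted, `tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn` matches any SYN without ACK.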