Hello Paolo,
Thanks for your reply.
I actually figured it out a little after I posted this!
I used libpcap with pmacctd on a capture box already doing packet
capture for FastNetMon among other things.
It worked like a charm :)
Thanks!
On 22/10/2017 3:44 μμ, Paolo Lucente wrote:
> Hi Vaggelis,
>
> Which capturing method are you using, libpcap or NetFlow/IPFIX/sFlow?
> And also are you looking for a dedicated solution for this or this is
> going to be yet another activity for an existing pmacct deployment?
>
> Taking the simplest scenario: you using libpcap, so pmacctd, and want
> to build something dedicated for this. You can start pmacctd with a
> pcap filter like 'tcp[tcpflags] == tcp-syn' (either commandline or via
> the pcap_filter config key); this will filter in only TCP SYN packets
> then you can simply aggregate things in the most suitable way for you
> and count packets out as always. If the solution is to be shared with
> existing activities, you can move the filter in a pre_tag_map (using
> the 'filter' keyword) so to be able to tag TCP SYN packets; then with a
> pre_tag_filter you can intercept such tag and route the specific packets
> to a dedicted plugin for this TCP SYN measurement activity. The tag
> solution would work similarly for NetFlow/IPFIX/sFlow.
>
> Paolo
>
> On Wed, Oct 18, 2017 at 05:08:53PM +0300, Vaggelis Koutroumpas wrote:
>> Hello,
>>
>> Is it possible to get a per IP total of SYN packets?
>>
>> I am trying to implement some policies to block SYN packets if they
>> exceed a certain threshold (to mitigate SYN Floods), but before doing
>> that I want to first log all TCP SYN traffic for some time so that I can
>> get some useful stats out of it and choose the proper thresholds to
>> avoid false positives.
>>
>> If anyone has some config snippet that would like to share I would be
>> grateful :)
>>
>> Thank you :)
>> ___
>> pmacct-discussion mailing list
>> http://www.pmacct.net/#mailinglists
___
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists
