Subscription for Syn or Rst attacks #13
Comments
You may specify the range of ports by passing them as a filter. epcap should not work with traffic data, it just must capture all (depending on the pcap filter) traffic.
See pcap-filter(7). For example:
It's also possible to limit the amount of the packet returned to the headers using the {snaplen, int()} option.
Great!! Some kind of filter like this is exactly what is needed to keep the Erlang traffic low.
Should Length be tested for being greater than or equal to Payload length before decoding or is it better to crash the decoding of the whole packet?
pkt:decapsulate/1 only works with whole packets. If I were using the snaplen option, I would probably roll my own function to decode each layer in a try/catch. Re: options/2, not sure, my feeling is it should crash. About snaplen: the maximum size of the IPv4 header is 60 bytes + 20 bytes TCP header. If you are testing for, e.g., TCP flags then that should be sufficient.
Agree, a custom decoding function makes sense. Thus we can close this issue.
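An added example (not part of the thread, and not epcap or pkt code) of the approach discussed above: a pcap filter that passes only SYN or RST segments, plus a per-layer decoder that tolerates snaplen-truncated frames. The module `synrst`, its function names, the Ethernet link type and the sample frames are assumptions.

```erlang
%% Added example; module and function names are hypothetical, not epcap/pkt API.
-module(synrst).
-export([filter/0, snaplen/0, classify/1, demo/0]).

%% pcap-filter(7) expression: only segments with SYN or RST set reach Erlang.
filter() -> "tcp[tcpflags] & (tcp-syn|tcp-rst) != 0".

%% Assumes Ethernet: 14 bytes + 60 (max IPv4 header) + 20 (TCP header).
%% Intended use: epcap:start_link([{filter, filter()}, {snaplen, snaplen()}]).
snaplen() -> 14 + 60 + 20.

%% Decode layer by layer; a short or unexpected layer is reported, not crashed on.
classify(Frame) ->
    try
        {Src, Dst, Seg} = ipv4(ether(Frame)),
        {SPort, DPort, Kind} = tcp(Seg),
        {ok, Kind, {Src, SPort}, {Dst, DPort}}
    catch
        throw:{undecodable, Layer} -> {error, Layer}
    end.

ether(<<_Dst:6/bytes, _Src:6/bytes, 16#0800:16, IP/binary>>) -> IP;
ether(_) -> throw({undecodable, ether}).

%% First fragment only (offset 0), protocol 6 (TCP); IP options are skipped.
ipv4(<<4:4, HL:4, _:40, _:3, 0:13, _TTL:8, 6:8, _Sum:16,
       Src:4/bytes, Dst:4/bytes, Rest/binary>>)
  when HL >= 5, byte_size(Rest) >= (HL - 5) * 4 ->
    OptLen = (HL - 5) * 4,
    <<_Opts:OptLen/bytes, Seg/binary>> = Rest,
    {Src, Dst, Seg};
ipv4(_) -> throw({undecodable, ipv4}).

%% Only the first 14 bytes of the TCP header are needed to read the flags.
tcp(<<SPort:16, DPort:16, _Seq:32, _AckNo:32, _Off:4, _:6,
      _Urg:1, Ack:1, _Psh:1, Rst:1, Syn:1, _Fin:1, _/binary>>) ->
    {SPort, DPort, kind(Syn, Ack, Rst)};
tcp(_) -> throw({undecodable, tcp}).

kind(_, _, 1) -> rst;
kind(1, 0, 0) -> syn;
kind(1, 1, 0) -> syn_ack;
kind(_, _, _) -> other.

%% Constructed sample frames: one complete SYN, one cut inside the TCP header.
demo() ->
    Eth = <<0:48, 0:48, 16#0800:16>>,
    IP = <<4:4, 5:4, 0:8, 40:16, 0:32, 64:8, 6:8, 0:16, 192,0,2,1, 198,51,100,2>>,
    Syn = <<40000:16, 443:16, 0:64, 5:4, 0:10, 1:1, 0:1, 0:48>>,
    Full = <<Eth/binary, IP/binary, Syn/binary>>,
    [classify(Full), classify(binary:part(Full, 0, 14 + 20 + 10))].
```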
Note:
Currently it is only possible to subscribe to all packages including payload packages. This causes high traffic. Therefore it might be useful to subscribe to just Syn and Ack packages for 1) or just to Rst packages for 2). Optionally it might be useful to restrict the subscription to a certain port number / port number range or a certain IP-address / IP-subnet.