Hi Everyone, I'm attempting to baseline my network's typical SYN Requests sourced from the internet. Our organization was recently DDoS'd with a SYN Flood and my goal here is to find out what typical SYN traffic looks like so I can create a threshold on our firewall to prevent another SYN Flood attack without this configuration being detrimental to legitimate traffic. My idea is to use TShark to do an ongoing capture starting a new file every 60 seconds, then grabbing Time, Source IP, and Destination IP of ONLY SYN Requests sourced from the internet (anything NOT in RFC 1918 Subnets). Then, pump that data into a .csv so I can send it to my ELK Stack for analysis. I am pretty unfamiliar with TShark as I typically use Wireshark GUI. I found something similar to what I'm looking for here, but I'm not quite sure how to write out what I need. Can anyone offer some help?
asked 07 Apr '17, 13:37 Exiar
One Answer:
Using tshark in this manner you'll need to specify a few things, noting that if you want to create a new file every 60 seconds you'll have to output using a capture file format, e.g. pcapng, and then subsequently post-process those using tshark to output in csv format. You can't just redirect tshark "fields" output and get multiple files; the link you reference is a one-shot run of 60 seconds:
Then post-process those files with something like
answered 07 Apr '17, 16:32 grahamb ♦ edited 08 Apr '17, 11:16
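The two-stage approach the answer describes, as an added example that is not grahamb's own commands: a rolling 60-second pcapng capture restricted to SYN requests from non-RFC 1918 sources, followed by a per-file tshark run that emits time, source and destination as CSV. The interface name, output directory and file naming are assumptions; the tshark options used (-f, -b duration:, -w, -r, -T fields, -e, -E) are standard tshark options.

```shell
#!/bin/sh
# Added example (not from the original answer). Stage 1 writes a new pcapng
# file every 60 seconds containing only inbound SYN requests; stage 2 turns
# each completed file into a CSV that can be shipped to ELK.

# BPF capture filter: TCP with SYN set and ACK clear (a SYN request, not the
# SYN/ACK reply) from any source outside the RFC 1918 private ranges.
# tcp[tcpflags] indexes the TCP header inside IPv4, so IPv6 is not matched.
syn_filter() {
  f='tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'
  for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
    f="$f and not src net $net"
  done
  printf '%s\n' "$f"
}

# Stage 1: rolling capture. -b duration:60 closes the current file and opens
# a new one every 60 seconds; -w gives the file set's base name and tshark
# appends a sequence number and timestamp (e.g. syn_00001_20170407133700.pcapng).
# Runs until interrupted. Interface and directory are assumed values.
start_capture() {
  iface=$1; outdir=$2
  mkdir -p "$outdir"
  tshark -i "$iface" -f "$(syn_filter)" -b duration:60 -w "$outdir/syn.pcapng"
}

# Derive the CSV name from a capture file name.
csv_name() {
  printf '%s\n' "${1%.pcapng}.csv"
}

# Stage 2: one capture file -> time,src,dst CSV with a header row and quoted
# fields. frame.time_epoch is used rather than frame.time because a numeric
# epoch parses unambiguously in ELK regardless of locale or timezone.
pcap_to_csv() {
  tshark -r "$1" -T fields -e frame.time_epoch -e ip.src -e ip.dst \
    -E header=y -E separator=, -E quote=d > "$(csv_name "$1")"
}

# Convert every capture file in a directory. The newest file is still being
# written by the capture, so run this against files the ring buffer has closed.
convert_all() {
  for pcap in "$1"/syn_*.pcapng; do
    [ -e "$pcap" ] || continue
    pcap_to_csv "$pcap"
  done
}
```

Once the CSVs are in ELK, counting rows per source per minute gives the per-source SYN rate baseline that the firewall threshold needs to sit above.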