Hi Linas, As a workaround, can you try if the following works for you?
pcap_filter[default]: ip[6:2] & 0x1fff = 0 I see it is swallowed fine (apart a minor log that tells you the filter is globalized - which is no harm). Let me know. Cheers, Paolo On Tue, May 12, 2015 at 03:58:03PM +0300, Linas Lesauskas wrote: > Hello, > > I'm unsuccesfully trying to feed pmacct with > pcap_filter: ip[6:2] & 0x1fff = 0 > pmacct daemon answers "Syntax error: not weighted brackets at line 3. > Exiting." and dies. > The same filter on tcpdump works nice. > > As I understand from cfg.c lines 200-210, syntax checker does not like > ":" or square brackets in value. I can be wrong, as my C knowledge is > worse than my English :( > > On DNS DDOS attack there is huge amount of fragmented orphaned packets, > pmacct throws them to trash and >75% traffic is unaccounted. I try to > separate fragmented traffic with pcap_filter to another pmacct instance > without ip_proto,src_port,dst_port aggregation and account. > > Is there any possibility to feed proto[expr:size] to pcap_filter or > maybe you suggest some alternative? > > best regards, > > Linas > > _______________________________________________ > pmacct-discussion mailing list > http://www.pmacct.net/#mailinglists _______________________________________________ pmacct-discussion mailing list http://www.pmacct.net/#mailinglists
