Skip to content

Instantly share code, notes, and snippets.

Last active Dec 17, 2015
What would you like to do?
DDoS Detection & Packet Capture Script
# DDoS Detection & Packet Capture Script
# Written by Robert 'xnite' Whitney
# Website:
# Email:
# Run script as root via crontab every 5 to 10 minutes
# Ensure all dependences are satisfied before running this script (ifstat, tcpdump, php)
# This script will only allow a single tcpdump process to run at once
# Configuration
'device' => 'eth0', //Usually eth0, if you are unsure, you can find the device name by running ifconfig.
'report_speed' => '15', //MBps that you want to start tracking at.
'packets2capture' => '1000', //Number of packets to capture in pcap dump.
'save_to' => '/var/log/ddos' //Path to save ddos pcap logs to without the trailing /.
# Do not edit below this line!
exec("/usr/bin/ifstat .5 1 | /bin/grep -o '[0-9]\{1,9\}\.[0-9]\{1,9\}'", $iospeed);
$report_speed = $CONFIG['report_speed']*1024;
$ts = date('U');
$folder = $CONFIG['save_to'];
$interface = $CONFIG['device'];
$packnum = $CONFIG['packets2capture'];
if($iospeed[0]+$iospeed[1] >= $CONFIG['report_speed']*1024) {
echo $iospeed[0]+$iospeed[1]." is equal to or greater than $report_speed.\n";
echo "Capturing tcpdump.\nPackets: $packnum\nInterface: $interface\n Saving to: $folder/$ts.ddos.pcap\n";
exec("/usr/bin/pkill -9 tcpdump");
exec("/usr/sbin/tcpdump -nn -i $interface -s 0 -c $packnum -w $folder/$ts.ddos.pcap");
} else {
echo $iospeed[0]+$iospeed[1]." is less than $report_speed.\n";
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment