Probe: bum_rate
Monitors the broadcast, unknown-unicast and multicast (BUM) packet rates of individual source MAC addresses. Triggers if a configured threshold is reached.
When listening for packets, there is no way to distinguish between known and unknown unicast packets. The interface used for packet capture should therefore only be used to monitor the broadcast domain, so no regular unicast traffic is expected.
Inspected Packets
This probe looks for packets with the following characteristics:
- EtherType: any
Configuration
```yaml
probes:
  bum_rate:
    # enable this probe
    enable: true
    # observation time window
    window: 15s
    # absolute packet thresholds by type
    # within `window`
    thresholds:
      broadcast: 500
      multicast: 500
      unicast: 500
```
See also:
window
Specifies the time frame during which packets for the threshold categories are counted. Each event can only be triggered once during the window.
thresholds
The following thresholds can be configured:
- broadcast: for broadcast packets
- multicast: for multicast packets
- unicast: for (unknown) unicast packets
If more packets than the specified threshold are detected during the time window, the corresponding events are triggered at the end of the time window.
Events
| Name | Description |
|---|---|
| BUM_RATE_BROADCAST_EXCEEDED | the number of broadcast packets has exceeded the threshold |
| BUM_RATE_MULTICAST_EXCEEDED | the number of multicast packets has exceeded the threshold |
| BUM_RATE_UNICAST_EXCEEDED | the number of (unknown) unicast packets has exceeded the threshold |
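
The window and threshold behaviour described above, sketched as an added Python example (not the probe's own code). It assumes back-to-back windows starting at the first packet, a strict "more than" comparison and classification by destination MAC; `classify`, `evaluate` and `sample_packets` are hypothetical names, and the traffic is constructed.

```python
from collections import Counter

# Values copied from the page's sample configuration.
WINDOW = 15.0
THRESHOLDS = {"broadcast": 500, "multicast": 500, "unicast": 500}

def classify(dst_mac):
    """Map a destination MAC to one of the three threshold categories."""
    raw = bytes.fromhex(dst_mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC address: {dst_mac!r}")
    if raw == b"\xff" * 6:
        return "broadcast"
    # I/G bit (least significant bit of the first octet) marks group addresses.
    return "multicast" if raw[0] & 0x01 else "unicast"

def evaluate(packets, thresholds=THRESHOLDS, window=WINDOW):
    """packets: (timestamp_s, src_mac, dst_mac) tuples sorted by timestamp.
    Returns (window_start, src_mac, event_name) tuples. Assumed semantics:
    back-to-back windows, counts kept per source MAC, evaluated at window end."""
    events, counts, start = [], Counter(), None

    def close_window():
        for (src, kind), n in sorted(counts.items()):
            if n > thresholds[kind]:  # "more packets than the threshold"
                events.append((start, src, f"BUM_RATE_{kind.upper()}_EXCEEDED"))
        counts.clear()

    for ts, src, dst in packets:
        if start is None:
            start = ts
        while ts >= start + window:  # packet belongs to a later window
            close_window()
            start += window
        counts[(src.lower(), classify(dst))] += 1
    if start is not None:
        close_window()  # offline run: also evaluate the last window
    return events

def sample_packets():
    """Constructed traffic: three locally administered source MACs."""
    pkts = [(i * 0.02, "02:00:00:00:00:01", "ff:ff:ff:ff:ff:ff") for i in range(501)]
    pkts += [(i * 0.02, "02:00:00:00:00:02", "01:00:5e:00:00:fb") for i in range(500)]
    pkts += [(i * 0.05, "02:00:00:00:00:03", "02:00:00:00:00:09") for i in range(600)]
    return sorted(pkts)

if __name__ == "__main__":
    for event in evaluate(sample_packets()):
        print(event)
```

Only the first source triggers an event: 500 multicast packets equal the threshold without exceeding it, and the 600 unicast packets are split across two windows at 300 each.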