Name | Modified | Size | Downloads / Week |
---|---|---|---|
pfck.pl | 2016-01-21 | 4.4 kB | |
pfck-readme.txt | 2016-01-18 | 1.4 kB | |
Totals: 2 Items | | 5.8 kB | 0 |
pfck.pl - pf check by Dan Farrell 2016

pfck.pl is a command line perl script designed to read state information from pf and report back specific flow information based on a user-specified port number. The use case for pfck.pl is identifying DDoS attack hosts and their victims. It is primarily used on routers or security devices with mirrored traffic.

pfck can (for a specific port service) report the incoming hosts and the number of flows counted for each of them, and can optionally report the destination host addresses for each flow counted.

pfck relies on pf to work: properly configured, pf will see traffic and organize it into sessions of packets, otherwise known as conversations or flows. pfck asks pf for all of the flows of a particular port number, and reports back that information.

EXAMPLE:

pfck.pl long 22 1

Specify destination host information per-flow (long), for ssh traffic (22), with inbound hosts that have at least 1 flow active (1). If you are ssh'd into the host you are testing this on, you should at least see your ssh session represented in the output.

pfck.pl short 3389 80

Specify only a list of sources, not destination hosts (short), for rdp (3389), source hosts with at least 80 initiated flows (80).

pfck.pl was written and tested on OpenBSD 5.2 through 5.8, but should run on any system running pf and perl.
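The per-source flow counting that the readme describes, as an added Python example (not the pfck.pl script itself): it assumes pfck reads the pf state table in the layout printed by `pfctl -ss`, parses constructed lines in that layout, groups flows to one destination port by their originating host, and applies the minimum-flow threshold in both the `short` and `long` reporting modes.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of `pfctl -ss` output (not captured from a real host).
# "<-" means the right-hand host initiated the flow; "->" means the left-hand host did.
SAMPLE_STATES = """\
all tcp 192.0.2.10:22 <- 198.51.100.7:50122       ESTABLISHED:ESTABLISHED
all tcp 192.0.2.10:22 <- 203.0.113.9:40001       SYN_SENT:CLOSED
all tcp 192.0.2.10:22 <- 203.0.113.9:40002       SYN_SENT:CLOSED
all tcp 192.0.2.11:22 <- 203.0.113.9:40003       SYN_SENT:CLOSED
all tcp 192.0.2.10:443 <- 203.0.113.9:40004       ESTABLISHED:ESTABLISHED
all udp 192.0.2.12:53 <- 198.51.100.7:5353       MULTIPLE:SINGLE
em1 tcp 203.0.113.9:40005 -> 192.0.2.11:22       SYN_SENT:CLOSED
"""

# iface proto addr:port [(nat addr:port)] dir addr:port [(nat addr:port)] state
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<a>\S+?):(?P<aport>\d+)(?:\s+\([^)]*\))?\s+"
    r"(?P<dir>->|<-)\s+"
    r"(?P<b>\S+?):(?P<bport>\d+)(?:\s+\([^)]*\))?\s+"
    r"(?P<state>\S+)"
)

def parse_states(text):
    """Yield (source_host, destination_host, destination_port) per state line."""
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if not m:
            continue  # skip anything that is not a state entry
        if m["dir"] == "->":
            yield m["a"], m["b"], int(m["bport"])
        else:
            yield m["b"], m["a"], int(m["aport"])

def flows_by_source(text, port, minimum):
    """Destinations per source host for flows to `port`; keep sources with >= minimum flows."""
    dests = defaultdict(list)
    for src, dst, dport in parse_states(text):
        if dport == port:
            dests[src].append(dst)
    return {s: d for s, d in dests.items() if len(d) >= minimum}

def report(text, mode, port, minimum):
    """Render 'source count' lines (short) or 'source count -> dests' lines (long), busiest first."""
    rows = sorted(flows_by_source(text, port, minimum).items(), key=lambda kv: -len(kv[1]))
    return [f"{src} {len(d)}" + (" -> " + " ".join(sorted(set(d))) if mode == "long" else "")
            for src, d in rows]

if __name__ == "__main__":
    # Live use would feed the output of `pfctl -ss` here instead of the constructed sample.
    print("\n".join(report(SAMPLE_STATES, "long", 22, 1)))
```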