MapTRW Element Documentation


MapTRW -- Click element; a packet processor for approximate TRW scan detection


MapTRW(PREFIX, ETH, keywords)

Ports: 2 inputs, 4 outputs
Processing: push
Package: security


This module implements approximate TRW scan detection. It is designed to be a push-only module. It takes two input streams and has four output streams. The first two output streams correspond to the two inputs and carry packets that pass normally. The second two output streams are for "dropped" packets, which allows some other module to process and possibly reinject them (such as for notification of dropping).

Keyword arguments include the IP table size and the connection table size. Unlike the USENIX description, fields will contain a timestamp, with updates performed based on that timestamp. This is because the USENIX experience was that a lot of the range was unused, so rather than housekeeping the table eagerly, more memory will be used to enable lazy housekeeping.

The IP address is used to determine this instance's IP, if active mapping (currently not implemented) is desired, and the local subnet. The MASK specifies the subnet mask; combined with the IP address, this is used to determine whether an IP is local to this LAN or remote (no ARPing needed). ETH is a MAC address to use for active mapping (not implemented).
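The lazy, timestamp-based housekeeping described above can be sketched as follows. This is an added example, not MapTRW's own code: the class name, the decay period, the threshold and the slot index function are all assumptions made for illustration.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <vector>

// Added illustration, not MapTRW's source. Decay period, threshold and the
// slot index function are assumptions chosen for the example.
struct Entry {
    int32_t  count = 0;  // failed minus successful attempts, never below 0
    uint32_t stamp = 0;  // time (s) up to which decay has already been applied
};

class LazyScanTable {
public:
    LazyScanTable(size_t slots, uint32_t decay_secs, int32_t threshold)
        : table_(slots), decay_secs_(decay_secs), threshold_(threshold) {}

    // Record one connection attempt by src at time now (seconds). Returns
    // true once the count reaches the threshold (candidate for dropping).
    bool record(uint32_t src, bool success, uint32_t now) {
        Entry &e = refresh(src, now);
        e.count = std::max<int32_t>(0, e.count + (success ? -1 : 1));
        return e.count >= threshold_;
    }
    int32_t count(uint32_t src, uint32_t now) { return refresh(src, now).count; }

private:
    // Lazy housekeeping: no periodic sweep over every slot. When a slot is
    // touched, apply every decay step that elapsed since its timestamp.
    Entry &refresh(uint32_t src, uint32_t now) {
        Entry &e = table_[src % table_.size()];  // stand-in for a real hash
        if (now > e.stamp) {
            uint32_t steps = (now - e.stamp) / decay_secs_;
            e.count = (int32_t)std::max<int64_t>(0, (int64_t)e.count - steps);
            e.stamp += steps * decay_secs_;  // keep the partial period
        }
        return e;
    }

    std::vector<Entry> table_;
    uint32_t decay_secs_;
    int32_t threshold_;
};

int main() {
    LazyScanTable t(1024, 60, 5);  // constructed sample parameters
    for (int i = 0; i < 5; i++) t.record(0x0A000001, false, 0);
    std::printf("count at t=125s: %d\n", (int)t.count(0x0A000001, 125));
}
```

Because each timestamp only ever advances in whole decay periods, a slot read lazily holds the same value an eager sweep at every period boundary would have left in it, at the cost of storing one timestamp per slot.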


