Traffic Visibility

This section describes the options for monitoring the traffic under mitigation.


The application provides global and per-victim statistics.

Global statistics are available through the logs:

tail -f /var/tmp/nscrub.log

or through the REST API:

curl -u <user>:<password> "http://<host>:<port>/stats"

Per-victim stats are available through the REST API:

curl -u <user>:<password> "http://<host>:<port>/targets?action=stats&target_id=<target id>"

Historical statistics from RRDs, both global and per-victim, are also available by pointing a browser at http://<host>:<port>/monitor.html


nScrub listens on localhost by default. To connect with a browser from a remote machine, configure a different listening address (-G option).


Traffic Monitoring

The software can export some traffic to software queues, to which external applications can attach for traffic analysis or recording.

To enable auxiliary software queues for traffic monitoring, add the --aux-queues|-O option to the nScrub configuration file, specifying the number of queues to allocate. This number matches the maximum number of concurrent applications that will monitor the traffic (queues are single consumer).

--aux-queues 1

Please note that, in order to avoid locking mechanisms, one queue per thread is created for each consumer application (we call this a “queue set”).

Once auxiliary queues have been enabled, it is possible to configure them for exporting sampled (or all) traffic (good, discarded, or all) to external applications through the API:

curl -u <user>:<password> "http://<host>:<port>/mirror/<queue set id>/type[?action=update&value={forwarded, discarded, all}]"
curl -u <user>:<password> "http://<host>:<port>/mirror/<queue set id>/sampling[?action=update&value=<sampling rate (0 for no traffic)>]"

Example:

curl -u <user>:<password> "http://<host>:<port>/mirror/0/type?action=update&value=all"
curl -u <user>:<password> "http://<host>:<port>/mirror/0/sampling?action=update&value=100"

Traffic Analysis with tcpdump

For instance, tcpdump can monitor the traffic by running one instance per processing thread, specifying the cluster ID and thread/queue ID in the interface name:

tcpdump -Q in -ni zc:99@0
tcpdump -Q in -ni zc:99@1
tcpdump -Q in -ni zc:99@2
tcpdump -Q in -ni zc:99@3

Alternatively, it is possible to aggregate all traffic to a single queue and run a single tcpdump instance:

zbalance_ipc -i zc:99@0,zc:99@1,zc:99@2,zc:99@3 -c 100 -n 1
tcpdump -Q in -ni zc:100@0

Traffic Analysis with ntopng

In the same way it is possible to analyse the traffic using ntopng:

ntopng -i zc:99@0 -i zc:99@1 -i zc:99@2 -i zc:99@3

This creates 4 interfaces in ntopng. To analyse the aggregated traffic from all of them, add a view interface that combines them:

ntopng -i zc:99@0 -i zc:99@1 -i zc:99@2 -i zc:99@3 -i view:zc:99@0,zc:99@1,zc:99@2,zc:99@3


nScrub can export events as soon as abnormal behaviour is detected, for instance when a threshold has been crossed or one of the automatic detection algorithms engages a protection mechanism. Events can be exported (logged, or sent by mail or to other endpoints) by means of scripts. nScrub already includes sample scripts under /usr/share/nscrub/scripts/callbacks/events; they can be customized and enabled by making them executable (chmod +x <script>). Additional custom scripts can be created and enabled by placing them in the same folder and making them executable. A JSON string representing the event is provided to the script on standard input. The event format is described in the table below.

Name       Type    Description
uniqid     int64   Unique event ID
id         int     Event number since startup
target_id  int     Target ID
status     string  new, continuation or terminated
type       int     Event type
reason     int     Event reason
epoch      int     Epoch
time       string  Time (human readable)
duration   int     Event duration
thread     string  Internal thread that detected the event

Example for enabling the “logger” script, which logs events under /var/tmp/nscrub/events.log:

chmod +x /usr/share/nscrub/scripts/callbacks/events/
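
A custom event script of the kind described above, as an added example (it is not one of the sample scripts shipped with nScrub): it reads the JSON event from standard input, checks the fields against the event format table, and appends one JSON line per event. The log path, the treatment of every field except status as optional, and the mapping of int/int64 to JSON integers are assumptions.

```python
#!/usr/bin/env python3
"""Added example of a custom nScrub event callback (not shipped with nScrub)."""
import json
import sys

# Field names and types from the event format table; mapping int/int64 to
# JSON integers and string to JSON strings is an assumption.
FIELDS = {
    "uniqid": int, "id": int, "target_id": int, "status": str, "type": int,
    "reason": int, "epoch": int, "time": str, "duration": int, "thread": str,
}
STATUSES = {"new", "continuation", "terminated"}
LOG_PATH = "/var/tmp/nscrub/custom-events.log"  # assumed path


def parse_event(raw):
    """Parse the JSON string read from stdin; raise ValueError if malformed."""
    event = json.loads(raw)  # JSONDecodeError is a subclass of ValueError
    if not isinstance(event, dict):
        raise ValueError("event is not a JSON object")
    for name, kind in FIELDS.items():
        value = event.get(name)
        # bool is a subclass of int in Python, so reject it explicitly
        if name in event and (isinstance(value, bool) or not isinstance(value, kind)):
            raise ValueError(f"field {name!r} is not of type {kind.__name__}")
    if event.get("status") not in STATUSES:
        raise ValueError("missing or unexpected status")
    return event


def format_line(event):
    """Serialise the known fields as one JSON line. json.dumps escapes control
    characters, so a string field cannot inject extra lines into the log."""
    return json.dumps({name: event[name] for name in FIELDS if name in event})


def main():
    try:
        line = format_line(parse_event(sys.stdin.read()))
    except ValueError as err:
        print(f"rejected event: {err}", file=sys.stderr)
        return 1
    with open(LOG_PATH, "a", encoding="utf-8") as log:
        log.write(line + "\n")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

To use it, place the file in the callbacks folder named above and make it executable with chmod +x, as for the sample scripts.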