Why Tool Choice Matters

When a DDoS attack hits, the tools you have deployed determine how quickly you can detect it, understand it, and respond. The wrong tool for the job can leave you blind during the critical first minutes of an attack. A packet capture tool without automated alerting requires someone to be watching a screen. A flow-based analyzer without packet-level detail cannot tell you which amplification vector is being used. Understanding the strengths and limitations of each tool category helps you build a monitoring stack that covers all your detection needs.

Command-Line Packet Tools

tcpdump

The foundational packet capture tool available on virtually every Unix system. tcpdump captures packets from network interfaces and displays them in real time or saves them to PCAP files for later analysis. For DDoS investigation, tcpdump is invaluable for examining attack traffic at the packet level.

# Capture 1000 packets of suspected amplification traffic
tcpdump -nn -c 1000 'udp src port 53' -w /tmp/dns-flood.pcap

# Show top source IPs in a UDP flood (IPv4; -l line-buffers stdout so the pipeline sees packets as they arrive)
tcpdump -nn -l 'udp' -c 10000 | awk '{print $3}' | cut -d. -f1-4 | sort | uniq -c | sort -rn | head -20

# Watch frame sizes (large = possible amplification). -e prints the link-layer header, whose
# "length N:" field is the full frame size for every protocol; the last field of the line is not.
tcpdump -nn -l -e 'udp' | awk '{for (i = 1; i < NF; i++) if ($i == "length") {sub(/:$/, "", $(i+1)); print $(i+1); break}}'

Strengths: Available everywhere, no installation needed, BPF filter syntax is powerful, produces standard PCAP files.

Limitations: No automated alerting, requires manual analysis, high-rate captures can drop packets on busy interfaces, no built-in traffic statistics.

tshark

The command-line version of Wireshark. tshark provides all of Wireshark's protocol dissection capabilities in a scriptable command-line interface. It can decode application-layer protocols that tcpdump cannot, making it useful for identifying specific attack payloads.

# Decode DNS amplification payloads
tshark -r capture.pcap -Y "dns.qr==1 && udp.srcport==53" \
  -T fields -e ip.src -e dns.qry.name -e frame.len

# Extract memcached response statistics
tshark -r capture.pcap -Y "udp.srcport==11211" \
  -T fields -e ip.src -e frame.len | sort -t$'\t' -k2 -rn | head
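To turn the tab-separated output of the first tshark command into something a responder can act on, here is an added example (not part of the original article or of any tool it names) that aggregates per-source packet counts, bytes and mean frame size and ranks sources whose responses are consistently far above the 512-byte classic UDP DNS limit. The input is a constructed sample in the same three-column layout; the 512-byte threshold and the documentation-range addresses are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample of "tshark -T fields -e ip.src -e dns.qry.name -e frame.len" output
# (tab-separated, not a real capture): two sources returning large answers, one returning
# ordinary-sized answers. Addresses are from the RFC 5737 documentation ranges.
SAMPLE_TSHARK = """\
198.51.100.10\texample.com\t3012
198.51.100.10\texample.com\t3012
198.51.100.10\texample.com\t2980
203.0.113.7\tisc.org\t4096
203.0.113.7\tisc.org\t4096
192.0.2.53\twww.example.net\t118
192.0.2.53\tmail.example.net\t131
"""

def summarize_dns_responses(text):
    """Per source: packet count, total bytes, mean frame length and most frequent query name."""
    pkts, total, names = Counter(), Counter(), defaultdict(Counter)
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3 or not parts[2].isdigit():
            continue  # tshark emits an empty field when a packet lacks the dissected field
        src, qname, flen = parts[0], parts[1], int(parts[2])
        pkts[src] += 1
        total[src] += flen
        names[src][qname] += 1
    return {
        src: {"packets": pkts[src], "bytes": total[src],
              "mean_len": total[src] / pkts[src],
              "top_qname": names[src].most_common(1)[0][0]}
        for src in pkts
    }

def likely_amplifiers(text, min_mean_len=512, min_packets=2):
    """Sources whose mean response frame is >= min_mean_len, largest total bytes first.

    512 bytes is the classic UDP DNS limit; a steady stream of far larger answers from one
    source is the signature of a reflector delivering amplified responses to this host."""
    stats = summarize_dns_responses(text)
    hits = [(src, s) for src, s in stats.items()
            if s["mean_len"] >= min_mean_len and s["packets"] >= min_packets]
    return sorted(hits, key=lambda kv: kv[1]["bytes"], reverse=True)
```

The ranked list (source, bytes, top query name) is the input for mitigation decisions such as rate-limiting UDP/53 from those sources or notifying the reflector's operator.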

Strengths: Deep protocol dissection, scriptable output, can read existing PCAP files, statistics modes for traffic summaries.

Limitations: Same as tcpdump for live capture; more resource-intensive due to protocol decoding.

Flow-Based Analysis

ntopng

ntopng is a web-based network traffic analysis tool that provides real-time flow monitoring with a modern interface. It processes NetFlow/sFlow/IPFIX data from network devices or can capture traffic directly from interfaces. For DDoS detection, ntopng provides traffic volume trends, protocol breakdowns, and top talkers.

Strengths: Web interface, supports NetFlow/sFlow for network-device monitoring, host and flow classification, historical data retention.

Limitations: Resource-intensive, complex setup, alerting capabilities are limited in the community edition, does not provide packet-level evidence for attack classification.

nfdump / nfsen

nfdump processes and analyzes NetFlow data collected by nfcapd. nfsen adds a web-based frontend with graphing. This combination is widely used for network traffic accounting and can detect volumetric attacks by monitoring flow rates and volumes.

# Show top source IPs in the last 5 minutes
nfdump -R /var/nfcapd/latest -s srcip/bps -n 20

# Filter for UDP amplification sources (nfdump takes the filter expression as its last argument, after the options)
nfdump -R /var/nfcapd/latest -s srcip/bps -n 20 'proto udp and src port 53'

Strengths: Handles very large flow datasets, flexible filtering, well-suited for ISP and datacenter-scale monitoring.

Limitations: Requires NetFlow-capable network devices, no packet-level detail, nfsen interface is dated, limited real-time capabilities.

Network Security Monitoring

Zeek (formerly Bro)

Zeek is a network analysis framework that goes beyond simple packet capture. It processes network traffic and generates structured logs for connections, DNS queries, HTTP requests, SSL/TLS sessions, and more. For DDoS analysis, Zeek's connection logs can reveal attack patterns that packet-level tools miss.

Strengths: Deep protocol analysis, structured log output, scriptable detection policies, integrates with SIEM platforms.

Limitations: Significant CPU and memory requirements, complex scripting language, setup complexity, not designed specifically for real-time DDoS alerting.

Suricata

Suricata is an IDS/IPS engine that can inspect network traffic against rulesets. It can detect known DDoS attack signatures and generate alerts. With appropriate rules, Suricata can identify specific amplification vectors and attack patterns.

Strengths: Active community maintaining detection rules, can operate as IPS (inline blocking), multi-threaded for high throughput.

Limitations: Rule-based detection has blind spots for novel attacks, requires tuning to avoid false positives, significant resource requirements at high traffic rates.

Purpose-Built DDoS Detection

Flowtriq

Flowtriq is purpose-built for DDoS detection and alerting. Unlike general-purpose network analysis tools, every feature is designed around the specific requirements of detecting, classifying, and responding to DDoS attacks.

  • Per-second sampling: Checks /proc/net/dev counters every second rather than relying on 60-second SNMP polling or flow export intervals.
  • Dynamic baselines: Learns your traffic patterns automatically and adjusts detection thresholds continuously. No manual threshold tuning.
  • Attack classification: Automatically identifies 8 attack types with confidence scores within seconds of detection.
  • Automated PCAP: Captures packets during attacks with a pre-attack buffer, providing forensic evidence without requiring manual capture.
  • Multi-channel alerts: Delivers classified alerts to Slack, Discord, PagerDuty, email, SMS, and webhooks simultaneously.
  • Lightweight agent: Runs as a small agent on each monitored server with minimal resource overhead.
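The per-second sampling and dynamic-baseline approach described above can be illustrated in a few dozen lines. This is an added example, not Flowtriq's code (which this page does not show); it assumes Linux's /proc/net/dev layout (first two counters after the interface name are received bytes and packets), an interface named eth0, and an exponentially weighted mean/variance as the baseline, which is my choice of learning rule, not one the page specifies.

```python
import re
import time

# One interface line of /proc/net/dev: "eth0: rx_bytes rx_packets ... tx_bytes tx_packets ..."
_LINE = re.compile(r"^\s*(\S+):\s*(.*)$")

def parse_proc_net_dev(text, iface):
    """Return (rx_bytes, rx_packets) for iface from the text of /proc/net/dev."""
    for line in text.splitlines():
        m = _LINE.match(line)
        if m and m.group(1) == iface:
            fields = m.group(2).split()
            return int(fields[0]), int(fields[1])
    raise KeyError(f"interface {iface} not found")

def rates(prev, cur, interval):
    """Two cumulative counter snapshots -> (bits/s, packets/s) over the interval between them."""
    return (cur[0] - prev[0]) * 8 / interval, (cur[1] - prev[1]) / interval

class Baseline:
    """Exponentially weighted mean and variance of a rate, instead of a hand-tuned static threshold."""
    def __init__(self, alpha=0.05, sigmas=4.0, warmup=30):
        self.alpha, self.sigmas, self.warmup = alpha, sigmas, warmup
        self.mean = self.var = 0.0
        self.n = 0

    def update(self, x):
        """Feed one per-second sample; True if it exceeds mean + sigmas * stddev after warmup."""
        self.n += 1
        if self.n == 1:
            self.mean = x
            return False
        diff = x - self.mean
        anomalous = self.n > self.warmup and diff > self.sigmas * self.var ** 0.5
        if not anomalous:  # attack samples are not learned, so they cannot lift the baseline
            self.mean += self.alpha * diff
            self.var = (1 - self.alpha) * (self.var + self.alpha * diff * diff)
        return anomalous

def monitor(iface="eth0", interval=1.0):
    """Sample the interface counters every `interval` seconds; print when either rate is anomalous."""
    bps_base, pps_base = Baseline(), Baseline()
    prev = parse_proc_net_dev(open("/proc/net/dev").read(), iface)
    while True:  # e.g. monitor("eth0") from a shell on the monitored host
        time.sleep(interval)
        cur = parse_proc_net_dev(open("/proc/net/dev").read(), iface)
        bps, pps = rates(prev, cur, interval)
        prev = cur
        if bps_base.update(bps) | pps_base.update(pps):  # '|' not 'or': both baselines must learn
            print(f"ALERT {iface}: {bps / 1e6:.1f} Mbit/s in, {pps:.0f} pps in")
```

Tracking packets per second separately from bits per second matters because a small-packet flood can saturate a host's packet-processing capacity while the bit rate still looks ordinary.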

The key difference between general-purpose network analysis and dedicated DDoS detection is response time. tcpdump, Zeek, and ntopng are powerful analysis tools, but they require a human to be watching. Flowtriq monitors continuously and alerts automatically, reducing detection time from minutes to seconds.

Complementary, not competing: Flowtriq works alongside other tools rather than replacing them. Use Flowtriq for real-time detection and alerting. Use tcpdump and Wireshark for deep-dive forensic analysis of the PCAP files Flowtriq captures. Use Zeek or ntopng for broad network visibility and compliance logging.

Building Your Monitoring Stack

For most organizations, the optimal DDoS monitoring stack combines:

  1. Flowtriq ($9.99/mo per node) - Continuous per-second detection, automatic classification, instant alerts. Your first line of defense.
  2. tcpdump/tshark (free) - Already installed, use for ad-hoc investigation and deep packet analysis of Flowtriq's captured PCAPs.
  3. Wireshark (free) - Desktop GUI for detailed PCAP analysis when you need visual protocol dissection.
  4. Optional: ntopng or Zeek (free) - If you need broader network visibility beyond DDoS detection for compliance or capacity planning.

Start with Flowtriq for detection and alerting, then add analysis tools as needed for forensics. Start your free 7-day trial to see per-second DDoS detection in action.
