Monitoring flood conditions at IP addresses
The probe supports trap flood monitoring, which allows it to identify potential event flooding conditions at individual IP addresses.
If enabled, the following flood monitoring processing occurs:
- When the probe starts, it collects the trap count, drop count, and size of the trap queue for each IP address.
- The probe uses these trap statistics to prevent trap floods from filling up the queue (which could otherwise cause traps from all IPs to be dropped).
- When an IP sends an excessive number of traps to the queue, the probe detects that the IP's trap flow exceeds the pre-configured threshold value, and adds the IP address to its drop list. Traps from this IP will then be blocked from being added to the probe's internal queue, or will be discarded after retrieval from the queue.
- When an IP address has been blocked, the probe periodically checks the number of traps that it is receiving. If the number of traps received has not slowed, the probe continues to block the IP address. If the number of traps received has slowed, the probe unblocks the IP address.
To enable the probe to use trap flood monitoring functionality, you must set the TrapStat property to 1.
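The processing described above can be modelled as follows. This is an added example, not the probe's own code: the `threshold` and `interval` parameters, the rule that "slowed" means at or below the threshold in one interval, and the traffic in `simulate()` are all assumptions constructed for illustration.

```python
from collections import defaultdict

class FloodMonitor:
    """Illustrative per-IP flood monitor; not the probe's implementation."""

    def __init__(self, threshold, interval):
        self.threshold = threshold        # hypothetical: max traps per IP per interval
        self.interval = interval          # hypothetical: seconds between checks
        self.window_start = 0.0
        self.received = defaultdict(int)  # traps seen per IP in the current interval
        self.dropped = defaultdict(int)   # cumulative drop count per IP
        self.drop_list = set()            # IPs currently blocked

    def _periodic_check(self, now):
        # Close every interval that has elapsed; unblock IPs whose flow slowed.
        while now - self.window_start >= self.interval:
            for ip in list(self.drop_list):
                if self.received[ip] <= self.threshold:
                    self.drop_list.discard(ip)
            self.received.clear()
            self.window_start += self.interval

    def offer(self, ip, now, queue):
        """Return True if the trap was queued, False if it was dropped."""
        self._periodic_check(now)
        self.received[ip] += 1            # blocked IPs are still counted
        if self.received[ip] > self.threshold:
            self.drop_list.add(ip)
        if ip in self.drop_list:
            self.dropped[ip] += 1
            return False
        queue.append((now, ip))
        return True

def simulate():
    """Constructed traffic: 10.0.0.9 floods for two seconds, then slows."""
    events = [(s + i * 0.04, "10.0.0.9") for s in (0.0, 1.0) for i in range(20)]
    events += [(2.2, "10.0.0.9"), (2.7, "10.0.0.9"), (3.5, "10.0.0.9")]
    events += [(s + off, "10.0.0.1") for s in range(3) for off in (0.1, 0.6)]
    mon, queue = FloodMonitor(threshold=5, interval=1.0), []
    for now, ip in sorted(events):
        mon.offer(ip, now, queue)
    return mon, queue

if __name__ == "__main__":
    mon, queue = simulate()
    print(dict(mon.dropped), len(queue), mon.drop_list)
```

The model keeps counting traps from a blocked IP, because without that count the periodic check has no way to tell whether the sender has slowed.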