Show HN: DDoS detection in 500 lines of Python (MIT, no cloud, no account)

jacob_masse1 pts0 comments

GitHub - Flowtriq/ftagent-lite: Lightweight open-source DDoS traffic monitor. Stdout output, no account required · GitHub


ftagent-lite

Open-source, zero-config DDoS traffic monitor. Outputs to stdout.

ftagent-lite is a lightweight network traffic monitor that detects DDoS attack patterns in real time and prints structured stats to stdout. No API key. No account. No cloud.

It's the open-source sibling of the Flowtriq detection agent. It's great for quick diagnostics, CI pipelines, or building your own tooling on top.

Install

pip install scapy psutil

Then run with sudo (packet capture requires root):

sudo python3 ftagent_lite.py

Usage

sudo python3 ftagent_lite.py [options]

Options:
  -i, --interface IFACE   Network interface (default: any)
  -t, --interval SECS     Reporting interval in seconds (default: 2)
  -T, --threshold PPS     PPS alert threshold (default: 5000)
  -j, --json              Machine-readable JSON output (one object per line)
  -w, --watch             Live updating terminal display
  --no-color              Disable ANSI colors
  -V, --version           Show version

Examples

# Monitor all interfaces, 2-second intervals
sudo python3 ftagent_lite.py

# Monitor eth0 with 5-second intervals
sudo python3 ftagent_lite.py --interface eth0 --interval 5

# Alert threshold at 50k pps
sudo python3 ftagent_lite.py --threshold 50000

# Pipe JSON to jq
sudo python3 ftagent_lite.py --json | jq '{pps: .pps, srcs: .src_ip_count}'

# Live dashboard view
sudo python3 ftagent_lite.py --watch

# Log to file
sudo python3 ftagent_lite.py --json >> /var/log/traffic.jsonl

Output

Human-readable (default)

2026-03-11 18:04:21 [HIGH]
Traffic : 47.8K pps 1.7 Gbps
Proto   : TCP 3.2% UDP 94.1% ICMP 0.4%
Sources : 8,421 unique IPs | Avg pkt: 38 bytes
Top dst : :11211(31042) :53(12831) :80(3201)
Top src : 203.0.113.5 198.51.100.8 192.0.2.99 ...

! Attack pattern detected. Try Flowtriq for full alerting + auto-mitigation: https://flowtriq.com

JSON (--json)

{
  "timestamp": "2026-03-11T18:04:21+00:00",
  "pps": 47821,
  "bps": 215000,
  "tcp": 1530,
  "udp": 45100,
  "icmp": 191,
  "other": 0,
  "tcp_pct": 3.2,
  "udp_pct": 94.1,
  "icmp_pct": 0.4,
  "src_ip_count": 8421,
  "top_src_ips": ["203.0.113.5", "198.51.100.8", "192.0.2.99"],
  "top_dst_ports": [[11211, 31042], [53, 12831], [80, 3201]],
  "avg_pkt_size": 38
}

Attack detection

ftagent-lite classifies traffic severity based on your --threshold:

PPS vs threshold | Severity
< threshold      | normal
≥ threshold      | MEDIUM
≥ 2× threshold   | HIGH
≥ 5× threshold   | CRITICAL
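
A consumer for the --json stream that applies the severity ladder above to each record and skips damaged lines. This is an added example, not code from ftagent_lite.py: the severity() and triage() helpers and the sample lines are constructed here, and the field names follow the README's JSON sample.

```python
import json

# Severity ladder from the README table, as multiples of the --threshold value.
LADDER = [(5, "CRITICAL"), (2, "HIGH"), (1, "MEDIUM")]

def severity(pps, threshold=5000):
    """Map a packets-per-second reading onto the README's severity levels."""
    for multiple, label in LADDER:
        if pps >= multiple * threshold:
            return label
    return "normal"

def triage(lines, threshold=5000):
    """Parse one-object-per-line JSON; return (alerts, skipped_line_count)."""
    alerts, skipped = [], 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            pps = rec["pps"]
            if isinstance(pps, bool) or not isinstance(pps, (int, float)):
                raise TypeError("pps is not numeric")
        except (ValueError, KeyError, TypeError):
            skipped += 1  # truncated write or foreign line in the log file
            continue
        level = severity(pps, threshold)
        if level != "normal":
            ports = rec.get("top_dst_ports") or []
            alerts.append({
                "timestamp": rec.get("timestamp"),
                "severity": level,
                "pps": pps,
                "udp_pct": rec.get("udp_pct"),
                "src_ip_count": rec.get("src_ip_count"),
                "top_dst_port": ports[0][0] if ports and ports[0] else None,
            })
    return alerts, skipped

# Constructed sample input in the shape of the README's JSON example.
SAMPLE = [
    '{"timestamp": "2026-03-11T18:04:19+00:00", "pps": 1200, "udp_pct": 12.0, "src_ip_count": 40, "top_dst_ports": [[443, 900]]}',
    '{"timestamp": "2026-03-11T18:04:21+00:00", "pps": 47821, "udp_pct": 94.1, "src_ip_count": 8421, "top_dst_ports": [[11211, 31042], [53, 12831]]}',
    '{"timestamp": "2026-03-11T18:04:23+00:00", "pps": 52',
]

if __name__ == "__main__":
    print(triage(SAMPLE, threshold=20000))
```

Pass the same threshold the agent was started with, since the severity label is not among the fields shown in the JSON sample and has to be recomputed from pps.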

For production DDoS detection with automatic alerting (Discord, Slack, PagerDuty, Teams, Telegram, DataDog, Prometheus, and more), PCAP capture, AI classification, escalation policies, and auto-mitigation (Cloudflare WAF, iptables, DigitalOcean, Vultr), see Flowtriq.

Requirements

Python 3.7+

scapy — packet capture and protocol parsing

psutil — fallback if scapy unavailable (no protocol breakdown)

Root/sudo — required for raw socket capture

Limitations vs Flowtriq Pro

Feature | ftagent-lite | Flowtriq

Real-time PPS/BPS

Protocol breakdown

Source IP tracking

JSON output

Attack alerts (Discord, Slack, etc.)

PCAP capture

AI attack classification

Auto-mitigation (iptables, CF WAF)

Cloud dashboard

Multi-node

Team notifications + escalation

Start a free 7-day Flowtriq trial →

License

MIT License — Copyright (c) 2026 Flowtriq

Permission is hereby granted, free of charge, to any person obtaining a copy of this software to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the software, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies...
