From b6681bfb0a5fce26652d4457ba3820246e4e54f2 Mon Sep 17 00:00:00 2001
From: Gerard Wagener
Date: Thu, 28 Mar 2019 11:02:05 +0100
Subject: [PATCH] add: [doc] Started to describe pibs
---
 docs/workshop/3-pibs/d4-pibs.tex | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/docs/workshop/3-pibs/d4-pibs.tex b/docs/workshop/3-pibs/d4-pibs.tex
index 1691f9c..e2cdb5d 100644
--- a/docs/workshop/3-pibs/d4-pibs.tex
+++ b/docs/workshop/3-pibs/d4-pibs.tex
@@ -46,4 +46,20 @@
 \end{itemize}
 \end{frame}
+
+\begin{frame}[fragile]
+ \frametitle{Handling TCP SYN scans}
+ \begin{itemize}
+ \item Was the IP seen before?
+ \item Keep a hash table of all encountered IP addresses
+ \item Consider only IP addresses where the TCP SYN flag is set
+ \item Insert the IP and the timestamp in the hash table
+ \item Display new IP addresses
+ \end{itemize}
+ \begin{block}{PIBS tool}
+ \begin{verbatim}
+ pibs -r pcapfile.cap -b
+ \end{verbatim}
+ \end{block}
+\end{frame}
 \end{document}