Set up a rotary pcap on the interface, then put an alarm around your syslog. Stop the packet capture when your alarm fires and analyse the pcap files.
Something along the lines of:
Shell 1:
tcpdump -C 100 -i ethX -s0 -w sample.pcap -W 5

Shell 2:
while true; do
  # the kernel logs "possible SYN flooding on port N. Sending cookies."; match that text
  if tail -n 100 /var/log/syslog | grep -q 'possible SYN flooding'; then
    pkill tcpdump
    break
  fi
  sleep 1   # poll once a second instead of spinning
done

On Thu, Jun 6, 2013 at 5:31 PM, Simon Mburu <sgatonye@gmail.com> wrote:
Hello Skunks,

I am having an issue with SYN flooding on a Sigtran USSD gateway. I keep getting the following message "Jun  6 18:20:09 ussd kernel: possible SYN flooding on port 5420. Sending cookies." thus making connection/listening to port 5420 impossible.

I have tried increasing the tcp_max_syn_backlog to 4096, 5012 and 65536 but to no avail.
My sysctl -p looks like the below

net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.rp_filter = 1
fs.inotify.max_user_watches = 65536

My netstat -tuna | grep SYN never shows entries more than 12.

I have also noted that once I stop the gateway, the SYN flooding is no longer there, thus removing the fear of outside attacks.

What could be my problem/solution?
NB: I am trying to avoid solutions that will mean I have to recompile my kernel.

Kind Regards,
Frustrated Simon


_______________________________________________
skunkworks mailing list
skunkworks@lists.my.co.ke
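The reply leaves the last step, analysing the captured files, to the reader. Below is an added example (not code from the thread or from either poster) of what that analysis looks like in Python: a small parser for the classic libpcap format that tcpdump -w writes, which counts SYN-only segments towards one destination port per source address and flags sources that resend a SYN from the same source port, the signature of a client whose first SYN went unanswered because the listener's backlog was full. The port 5420 is taken from Simon's kernel message; the function names, the sample capture (built inline from constructed frames) and the addresses in it are assumptions made for this example.

```python
"""Summarise SYN traffic in a libpcap capture (the format tcpdump -w writes).

Added example; function names and the embedded sample capture are constructed
here and do not come from the mailing-list thread.
"""
import struct
import sys
from collections import Counter

LINKTYPE_ETHERNET = 1
TH_SYN, TH_ACK = 0x02, 0x10


def iter_pcap_frames(data):
    """Yield raw Ethernet frames from classic pcap bytes (either byte order)."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == 0xA1B2C3D4:          # written on a little-endian host
        end = "<"
    elif magic == 0xD4C3B2A1:        # written on a big-endian host
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng / nanosecond magic unsupported)")
    linktype = struct.unpack_from(end + "I", data, 20)[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected Ethernet link type, got %d" % linktype)
    off = 24                          # global header is 24 bytes
    while off + 16 <= len(data):     # each record: 16-byte header + captured bytes
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(end + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return (src_ip, dst_ip, sport, dport, flags) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None                   # not IPv4 over Ethernet
    ip = frame[14:]
    if ip[0] >> 4 != 4 or ip[9] != 6:
        return None                   # not IPv4, or not TCP
    ihl = (ip[0] & 0x0F) * 4
    tcp = ip[ihl:]
    if len(tcp) < 20:
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    return src, dst, sport, dport, tcp[13]


def analyse_syns(pcap_bytes, dport):
    """Count SYN-only segments to dport per source; flag repeated (src, sport) pairs."""
    per_source = Counter()
    per_flow = Counter()              # (src, sport) seen twice => SYN retransmitted
    total = 0
    for frame in iter_pcap_frames(pcap_bytes):
        pkt = parse_tcp(frame)
        if pkt is None:
            continue
        src, _dst, sport, dp, flags = pkt
        if dp != dport or flags & (TH_SYN | TH_ACK) != TH_SYN:
            continue                  # only SYN set, ACK clear, towards the listener
        total += 1
        per_source[src] += 1
        per_flow[(src, sport)] += 1
    retrans = {flow: n for flow, n in per_flow.items() if n > 1}
    return {"total_syn": total, "per_source": dict(per_source), "retransmitted": retrans}


# --- constructed sample capture so the script runs offline ---------------------
def _frame(src, dst, sport, dport, flags):
    """Build a minimal Ethernet/IPv4/TCP frame (checksums left zero; fine for parsing)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp


def build_sample_pcap(frames):
    """Wrap frames in a little-endian classic pcap file with one record per frame."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1370000000 + i, 0, len(f), len(f)))
        out.append(f)
    return b"".join(out)


SAMPLE = build_sample_pcap([
    _frame("10.0.0.5", "10.0.0.1", 40001, 5420, TH_SYN),
    _frame("10.0.0.5", "10.0.0.1", 40002, 5420, TH_SYN),
    _frame("10.0.0.5", "10.0.0.1", 40001, 5420, TH_SYN),            # retransmitted SYN
    _frame("10.0.0.1", "10.0.0.5", 5420, 40001, TH_SYN | TH_ACK),   # SYN-ACK: ignored
    _frame("10.0.0.7", "10.0.0.1", 51000, 5420, TH_SYN),
    _frame("10.0.0.7", "10.0.0.1", 51001, 22, TH_SYN),              # other port: ignored
])

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    report = analyse_syns(blob, 5420)
    print("SYN-only segments to port 5420:", report["total_syn"])
    for src, n in sorted(report["per_source"].items(), key=lambda kv: -kv[1]):
        print("  %-15s %d" % (src, n))
    for (src, sport), n in report["retransmitted"].items():
        print("  retransmitted SYN from %s:%d  x%d" % (src, sport, n))
```

Run it as `python3 syn_summary.py sample.pcap0` (with -C and -W, tcpdump appends a sequence number to the file name). A handful of sources each retransmitting SYNs from the same source port points at a full accept/listen backlog on the gateway rather than a flood; thousands of distinct sources with no retransmissions is the other pattern.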