That's a really good idea. Cutting the sample interval (60 seconds,
configurable) and generating an SNMP trap would be a good idea too.
You'd also want absolute and percent threshholds on the traps. This
shouldn't be tough except at the very high end router vendors hate
looking inside each packet for anything (especially if they have ASICs
helping with some of the forwarding work). Just need the protocol
number in the IP field and the TCP SYN and ACK bits and two counters.