i am stupid.
sounds like a great demonstration.
wispapaloosa session anyone?

or would this be one of those "hall conversations" i keep hearing about? :)

  ----- Original Message ----- 
  From: That One Guy /sarcasm 
  To: [email protected] 
  Sent: Monday, October 12, 2015 12:27 AM
  Subject: Re: [AFMUG] a lot of traffic to a dead subnet


  I love these mikrotiks!!


  Thanks for pointing out I can just save the file and load it into Wireshark, 
drag and dropped it out of winbox to my PC without having to set up a capture 
for the stream or anything, this is like the greatest thing ever, or at least 
in the last ten minutes


  On Fri, Oct 9, 2015 at 3:28 PM, David <[email protected]> wrote:

    use Wireshark or SHARKNADO tool



    On 10/09/2015 03:02 PM, Josh Luthman wrote:

      Stream it =)




      Josh Luthman
      Office: 937-552-2340
      Direct: 937-552-2343
      1100 Wayne St
      Suite 1337
      Troy, OH 45373


      On Fri, Oct 9, 2015 at 3:57 PM, That One Guy /sarcasm 
<[email protected]> wrote:

        without dumping it to a server. 
        the sniffer doesn't seem to have a verbose option that I've read


        On Fri, Oct 9, 2015 at 2:53 PM, Josh Luthman 
<[email protected]> wrote:

          tools > sniffer






          On Fri, Oct 9, 2015 at 3:52 PM, That One Guy /sarcasm 
<[email protected]> wrote:

            is there a way to get a tcpdump package onto mikrotik


            On Fri, Oct 9, 2015 at 1:00 PM, Forrest Christian (List Account) 
<[email protected]> wrote:

              If you can capture the traffic,  you may find that it is 
legitimate traffic for a misconfigured domain.   I.e. some domain has their 
name servers listed including that ip.   A capture should show which domain the 
query is for. 

              I seem to recall the sniffer functionality in a mikrotik will 
either decode this,  or more likely save and/or stream it so that you can use 
Wireshark on a PC to decode. 

              On Oct 9, 2015 9:12 AM, "That One Guy /sarcasm" 
<[email protected]> wrote:

                My policy on this interface is default deny, so it is dropping 
them, but it's still going on to just the one IP out of the /28 subnet. I don't 
mind dropping them, it's not noticeable bandwidth, I just can't figure out why it 
is the traffic is focused there, I almost wonder if I was to stick a DNS server 
on that IP if it would increase


                On Fri, Oct 9, 2015 at 8:08 AM, David <[email protected]> 
wrote:

                  DDOSDNS bot trying to find a live host for pushing responses.

                  add rule 
                   input udp dest-port 53 interface=to internet drop in your 
firewall

                  hate those little bastards, don't have anything else to do 
except do what they're programmed to do 


                   




                  On 10/08/2015 11:42 PM, That One Guy /sarcasm wrote:

                    So I'm at home, turning up a subnet on a mikrotik on the 
network. Mind you this subnet hasn't been in use in 6 months. This is for some 
servers so I create a default deny policy with logging. One of the IPs is being 
hammered on port 53 udp per the packet sniffer. The IP isn't live, it's just 
dropping because of the policy. It's not much bandwidth but as best I can tell 
it's constant and different IPs.


                    Is the packet sniffer on these things similar to tcpdump, 
the manual page didn't seem so. All I can guess is these are part of something 
I'm not related to and since this IP hasn't been live in 6 months its spoofed 
or something and these are some sort of response packet to a denial of service 
somewhere else. 
                    but this subnet, not this particular IP, will house a 
couple DNS servers, I just want to make sure there's no shenanigans going on 
before I turn anything up
                    Without being at the office to wireshark this from a 
switch, how do I get more out of this mikrotik packet sniffer

                    -- 

                    If you only see yourself as part of the team but you don't 
see your team as part of yourself you have already failed as part of the team.




























  -- 

  If you only see yourself as part of the team but you don't see your team as 
part of yourself you have already failed as part of the team.
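
Added example, not part of the original thread: a small Python reader for a saved sniffer file that answers the two questions raised above, namely which domain the port 53 packets ask about and whether they are queries or responses. It assumes the file is classic pcap with Ethernet framing; the function names and the documentation-range addresses in the sample capture are constructed for illustration.

```python
import struct
from collections import Counter

def dns_question(msg):
    """Return (is_response, qname) for a DNS message, or None if malformed."""
    if len(msg) < 12 or msg[4:6] == b"\x00\x00":       # short header or no question
        return None
    labels, i = [], 12
    while i < len(msg) and msg[i]:
        n = msg[i]
        if n > 63 or i + 1 + n > len(msg):             # pointer or overrun in a question
            return None
        labels.append(msg[i + 1:i + 1 + n].decode("ascii", "replace"))
        i += 1 + n
    return (bool(msg[2] & 0x80), ".".join(labels).lower()) if i < len(msg) else None

def summarize(pcap, dst_ip):
    """Count (kind, qname) for UDP port-53 packets sent to dst_ip; also return source IPs."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if order is None or struct.unpack(order + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic pcap file with Ethernet link type")
    names, sources, off = Counter(), set(), 24
    while off + 16 <= len(pcap):
        incl = struct.unpack(order + "I", pcap[off + 8:off + 12])[0]
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue                                   # not IPv4 carrying UDP
        udp = frame[14 + max((frame[14] & 0x0F) * 4, 20):]
        to_target = ".".join(map(str, frame[30:34])) == dst_ip
        if len(udp) < 8 or udp[2:4] != b"\x00\x35" or not to_target:
            continue                                   # not destined to dst_ip port 53
        q = dns_question(udp[8:])
        if q:
            names["response" if q[0] else "query", q[1]] += 1
            sources.add(".".join(map(str, frame[26:30])))
    return names, sources

def sample_pcap():
    """Constructed capture: three queries to 192.0.2.5 from two source addresses."""
    def pkt(src, name):
        q = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
        dns = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + q + struct.pack("!2H", 1, 1)
        udp = struct.pack("!4H", 40000, 53, 8 + len(dns), 0) + dns
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         bytes(map(int, src.split("."))), bytes([192, 0, 2, 5]))
        frame = b"\x00" * 12 + b"\x08\x00" + ip + udp
        return struct.pack("<4I", 0, 0, len(frame), len(frame)) + frame
    rows = [("198.51.100.7", "example.org"), ("203.0.113.9", "example.org"),
            ("198.51.100.7", "www.example.net")]
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(pkt(*r) for r in rows)
```

For a real capture, pass the bytes of the saved file and the address being hit to `summarize`. Many sources asking for one name point at a domain that lists the address as a name server, while many unrelated names look more like scanning.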
