So this is what I'm seeing

No.  Time      Source           Destination  Protocol  Length  Info
1    0         97.244.127.16    x.x.x.29     DNS       80      Standard query 0x0f7f A ipsx.www.feiwu28.com
2    0.000041  97.244.127.16    x.x.x.29     DNS       80      Standard query 0x0f7f A ipsx.www.feiwu28.com
3    0.152372  108.149.222.68   x.x.x.29     DNS       78      Standard query 0x43de A wt.www.feiwu28.com
4    0.152419  108.149.222.68   x.x.x.29     DNS       78      Standard query 0x43de A wt.www.feiwu28.com
5    0.284983  77.1.51.122      x.x.x.29     DNS       90      Standard query 0x7933 A mzybuvoxitajax.www.feiwu28.com
6    0.285022  77.1.51.122      x.x.x.29     DNS       90      Standard query 0x7933 A mzybuvoxitajax.www.feiwu28.com
7    0.376112  90.5.169.181     x.x.x.29     DNS       88      Standard query 0xb4a9 A ydghgtwlydqn.www.feiwu28.com
8    0.376153  90.5.169.181     x.x.x.29     DNS       88      Standard query 0xb4a9 A ydghgtwlydqn.www.feiwu28.com
9    0.402671  122.238.197.130  x.x.x.29     DNS       90      Standard query 0x81c5 A cnmbabadihghyn.www.feiwu28.com
10   0.402701  122.238.197.130  x.x.x.29     DNS       90      Standard query 0x81c5 A cnmbabadihghyn.www.feiwu28.com
11   0.435507  64.25.181.145    x.x.x.29     DNS       84      Standard query 0x90b5 A azyxqpov.www.feiwu28.com
12   0.435545  64.25.181.145    x.x.x.29     DNS       84      Standard query 0x90b5 A azyxqpov.www.feiwu28.com
13   0.479851  35.105.6.37      x.x.x.29     DNS       92      Standard query 0x2406 A ujyfknkbmvazybip.www.feiwu28.com
14   0.479889  35.105.6.37      x.x.x.29     DNS       92      Standard query 0x2406 A ujyfknkbmvazybip.www.feiwu28.com
15   0.55605   53.94.187.123    x.x.x.29     DNS       86      Standard query 0x7abb A udubabytyp.www.feiwu28.com
16   0.556087  53.94.187.123    x.x.x.29     DNS       86      Standard query 0x7abb A udubabytyp.www.feiwu28.com
17   0.764436  83.102.42.152    x.x.x.29     DNS       78      Standard query 0x972a A yh.www.feiwu28.com
18   0.764491  83.102.42.152    x.x.x.29     DNS       78      Standard query 0x972a A yh.www.feiwu28.com
19   0.794148  123.253.173.4    x.x.x.29     DNS       92      Standard query 0x03ad A epaxwjolchkhkzkz.www.feiwu28.com
20   0.794189  123.253.173.4    x.x.x.29     DNS       92      Standard query 0x03ad A epaxwjolchkhkzkz.www.feiwu28.com
21   0.795351  80.152.25.238    x.x.x.29     DNS       92      Standard query 0xed19 A ujonopsvixozajwx.www.feiwu28.com
22   0.795382  80.152.25.238    x.x.x.29     DNS       92      Standard query 0xed19 A ujonopsvixozajwx.www.feiwu28.com
23   0.799311  69.172.160.207   x.x.x.29     DNS       92      Standard query 0xcea0 A gfurwzsvonohydun.www.feiwu28.com
24   0.799339  69.172.160.207   x.x.x.29     DNS       92      Standard query 0xcea0 A gfurwzsvonohydun.www.feiwu28.com
25   0.799366  116.108.83.140   x.x.x.29     DNS       92      Standard query 0x8b53 A utshctevwzczehyj.www.feiwu28.com
26   0.799397  116.108.83.140   x.x.x.29     DNS       92      Standard query 0x8b53 A utshctevwzczehyj.www.feiwu28.com
27   1.351741  95.136.208.159   x.x.x.29     DNS       78      Standard query 0x9ed0 A kr.www.feiwu28.com
28   1.351793  95.136.208.159   x.x.x.29     DNS       78      Standard query 0x9ed0 A kr.www.feiwu28.com
29   1.351799  126.133.60.242   x.x.x.29     DNS       78      Standard query 0xf13c A uf.www.feiwu28.com
On Mon, Oct 12, 2015 at 1:26 AM, CBB - Jay Fuller <[email protected]> wrote:

> i am stupid.
> sounds like a great demonstration.
> wispapaloosa session anyone?
>
> or would this be one of those "hall conversations" i keep hearing about? :)
>
> ----- Original Message -----
> *From:* That One Guy /sarcasm <[email protected]>
> *To:* [email protected]
> *Sent:* Monday, October 12, 2015 12:27 AM
> *Subject:* Re: [AFMUG] a lot of traffic to a dead subnet
>
> I love these mikrotiks!!
>
> Thanks for pointing out I can just save the file and load it into
> wireshark, drag and dropped it out of winbox to my PC without having to set
> up a capture for the stream or anything, this is like the greatest thing
> ever, or at least in the last ten minutes
>
> On Fri, Oct 9, 2015 at 3:28 PM, David <[email protected]> wrote:
>
>> use wire shark or SHARKNADO tool
>>
>> On 10/09/2015 03:02 PM, Josh Luthman wrote:
>>
>> Stream it =)
>>
>> Josh Luthman
>> Office: 937-552-2340
>> Direct: 937-552-2343
>> 1100 Wayne St
>> Suite 1337
>> Troy, OH 45373
>>
>> On Fri, Oct 9, 2015 at 3:57 PM, That One Guy /sarcasm <[email protected]> wrote:
>>
>>> without dumping it to a server.
>>> the sniffer doesn't seem to have a verbose option that I've read
>>>
>>> On Fri, Oct 9, 2015 at 2:53 PM, Josh Luthman <[email protected]> wrote:
>>>
>>>> tools > sniffer
>>>>
>>>> On Fri, Oct 9, 2015 at 3:52 PM, That One Guy /sarcasm <[email protected]> wrote:
>>>>
>>>>> is there a way to get a tcpdump package onto mikrotik
>>>>>
>>>>> On Fri, Oct 9, 2015 at 1:00 PM, Forrest Christian (List Account) <[email protected]> wrote:
>>>>>
>>>>>> If you can capture the traffic, you may find that it is legitimate
>>>>>> traffic for a misconfigured domain. I.e. some domain has their name
>>>>>> servers listed including that ip. A capture should show which domain
>>>>>> the query is for.
>>>>>>
>>>>>> I seem to recall the sniffer functionality in a mikrotik will either
>>>>>> decode this, or more likely save and/or stream it so that you can use
>>>>>> Wireshark on a PC to decode.
>>>>>>
>>>>>> On Oct 9, 2015 9:12 AM, "That One Guy /sarcasm" <[email protected]> wrote:
>>>>>>
>>>>>>> My policy on this interface is default deny, so it is dropping them,
>>>>>>> but it's still going on to just the one IP out of the /28 subnet. I don't
>>>>>>> mind dropping them, it's not noticeable bandwidth, I just can't figure out
>>>>>>> why it is the traffic is focused there, I almost wonder if I was to stick a
>>>>>>> DNS server on that IP if it would increase
>>>>>>>
>>>>>>> On Fri, Oct 9, 2015 at 8:08 AM, David <[email protected]> wrote:
>>>>>>>
>>>>>>>> DDOSDNS bot trying to find a live host for pushing responses.
>>>>>>>>
>>>>>>>> add rule
>>>>>>>> input udp dest-port 53 interface=to internet drop in your firewall
>>>>>>>>
>>>>>>>> hate those little bastards don't have anything else to do except do
>>>>>>>> what they're programmed to do
>>>>>>>>
>>>>>>>> On 10/08/2015 11:42 PM, That One Guy /sarcasm wrote:
>>>>>>>>
>>>>>>>> So I'm at home, turning up a subnet on a mikrotik on the network.
>>>>>>>> Mind you this subnet hasn't been in use in 6 months. This is for some
>>>>>>>> servers so I create a default deny policy with logging. One of the IPs
>>>>>>>> is being hammered on port 53 udp per the packet sniffer. The IP isn't
>>>>>>>> live, it's just dropping because of the policy. It's not much bandwidth
>>>>>>>> but as best I can tell it's constantly and different IPs.
>>>>>>>>
>>>>>>>> Is the packet sniffer on these things similar to tcpdump, the
>>>>>>>> manual page didn't seem so. All I can guess is these are part of
>>>>>>>> something I'm not related to and since this IP hasn't been live in 6
>>>>>>>> months it's spoofed or something and these are some sort of response
>>>>>>>> packet to a denial of service somewhere else.
>>>>>>>> but this subnet, not this particular IP, will house a couple DNS
>>>>>>>> servers, I just want to make sure there's no shenanigans going on
>>>>>>>> before I turn anything up
>>>>>>>> Without being at the office to wireshark this from a switch, how do
>>>>>>>> I get more out of this mikrotik packet sniffer
>>>>>>>>
>>>>>>>> --
>>>>>>>> If you only see yourself as part of the team but you don't see your
>>>>>>>> team as part of yourself you have already failed as part of the team.

--
If you only see yourself as part of the team but you don't see your team as part of yourself you have already failed as part of the team.
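One way to check a pasted Wireshark packet list for the pattern David describes above (many different sources, each asking for a different random label under one zone, aimed at an IP that is not a live name server), as an added Python example that is not part of the thread. The sample lines are constructed in the shape of the capture at the top of this message, and the thresholds in `flag_floods` are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the Wireshark list pasted in the thread
# (names and sources taken from that capture; x.x.x.29 is the redacted target).
SAMPLE = """\
1 0 97.244.127.16 x.x.x.29 DNS 80 Standard query 0x0f7f A ipsx.www.feiwu28.com
2 0.000041 97.244.127.16 x.x.x.29 DNS 80 Standard query 0x0f7f A ipsx.www.feiwu28.com
3 0.152372 108.149.222.68 x.x.x.29 DNS 78 Standard query 0x43de A wt.www.feiwu28.com
5 0.284983 77.1.51.122 x.x.x.29 DNS 90 Standard query 0x7933 A mzybuvoxitajax.www.feiwu28.com
7 0.376112 90.5.169.181 x.x.x.29 DNS 88 Standard query 0xb4a9 A ydghgtwlydqn.www.feiwu28.com
9 0.402671 122.238.197.130 x.x.x.29 DNS 90 Standard query 0x81c5 A cnmbabadihghyn.www.feiwu28.com
"""

LINE_RE = re.compile(
    r"^\s*\d+\s+[\d.]+\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+DNS\s+\d+\s+"
    r"Standard query (?P<txid>0x[0-9a-f]{4}) (?P<qtype>\w+) (?P<qname>\S+)")

def parse_queries(text):
    """Return unique (src, dst, txid, qtype, qname) tuples. The sniffer logged
    each packet twice (same txid and source, ~40 us apart), so dedupe on those."""
    seen, queries = set(), []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        q = (m["src"], m["dst"], m["txid"], m["qtype"], m["qname"].lower())
        if q not in seen:
            seen.add(q)
            queries.append(q)
    return queries

def zone_stats(queries):
    """Per zone (last two labels): (unique queries, distinct sources, distinct
    leftmost labels). In a random-subdomain flood all three are nearly equal;
    real clients repeat the same few names from a stable set of resolvers."""
    stats = defaultdict(lambda: {"n": 0, "srcs": set(), "labels": set()})
    for src, _dst, _txid, _qtype, qname in queries:
        labels = qname.rstrip(".").split(".")
        s = stats[".".join(labels[-2:])]
        s["n"] += 1
        s["srcs"].add(src)
        s["labels"].add(labels[0])
    return {z: (s["n"], len(s["srcs"]), len(s["labels"])) for z, s in stats.items()}

def flag_floods(queries, min_queries=5, ratio=0.9):
    """Zones where nearly every query has a fresh label from a fresh source."""
    return sorted(z for z, (n, srcs, labels) in zone_stats(queries).items()
                  if n >= min_queries and srcs / n >= ratio and labels / n >= ratio)
```

Feed it the saved sniffer file exported from Wireshark as text; a flagged zone that you are not authoritative for is exactly the case where the drop rule David suggests costs nothing.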
