Here's the linux tie, I noticed strange messages in my firewall logs:
kernel: NET: 60 messages suppressed.
kernel: Neighbour table overflow.

Logging in, and searching google, someone said look at /proc/net/arp,
which showed a whole bunch of addresses in the 10.x address space, but
are on networks that I don't use.  Bunch as in hundreds.  They all had
0s for an eth address.

Next I ran a tcpdump and saw thousands of 
"arp who is <10.x ip> tell <firewall ip>"

Filtering more, I have a win2k/sql7 server that has been trying to ping
every ip address from (I suppose) 9.0.0.0 to 9.255.255.255.  It just
stopped, having hit 9.255.255.255.  I saw all this through tcpdump,
however I'm inspecting my...., whoah, now it's starting at 218.75.2.0...
Anyway, I'm inspecting this server to see what it has on it.

Can anyone recommend some win32 forensics tools that will show me which
process is sending network traffic?  It's running the latest version of
norton av.  I also manually checked for sobig and blaster, which it does
not have according to symantec's research docs.

Thanks,
Cory 


-- 
Cory Petkovsek                                       Adapting Information
Adaptable IT Consulting                                Technology to your   
(541) 914-8417                                                   business
[EMAIL PROTECTED]                                  www.AdaptableIT.com
_______________________________________________
EuG-LUG mailing list
[EMAIL PROTECTED]
http://mailman.efn.org/cgi-bin/listinfo/eug-lug
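An added example, not part of Cory's post: a small Python triage script that does what the post describes by hand, counting the unresolved (all-zero HW address) entries in /proc/net/arp per /8 and flagging any requester in tcpdump output whose ARP targets run through consecutive addresses, the pattern left by a host sweeping a range. The /proc/net/arp excerpt, the tcpdump lines and the addresses in them are constructed placeholders.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed /proc/net/arp excerpt; flags 0x0 + zero HW address = unresolved entry.
PROC_NET_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.20     0x1         0x2         00:11:22:33:44:55     *        eth1
10.4.17.3        0x1         0x0         00:00:00:00:00:00     *        eth0
10.4.17.4        0x1         0x0         00:00:00:00:00:00     *        eth0
10.9.200.1       0x1         0x0         00:00:00:00:00:00     *        eth0
"""

# Constructed tcpdump lines in the "who-has X tell Y" form quoted in the post.
TCPDUMP = """\
12:00:01.000001 arp who-has 9.0.0.1 tell 192.0.2.1
12:00:01.000201 arp who-has 9.0.0.2 tell 192.0.2.1
12:00:01.000401 arp who-has 9.0.0.3 tell 192.0.2.1
12:00:02.000001 arp who-has 192.0.2.20 tell 192.0.2.1
"""
WHO_HAS = re.compile(r"arp who-has (\S+) tell (\S+)")

def incomplete_by_prefix(proc_arp, prefix_len=8):
    """Count unresolved /proc/net/arp entries per /prefix_len network."""
    counts = Counter()
    for line in proc_arp.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, flags, hwaddr = fields[0], fields[2], fields[3]
        if int(flags, 16) == 0 and hwaddr == "00:00:00:00:00:00":
            net = ip_network(f"{ip}/{prefix_len}", strict=False)
            counts[str(net)] += 1
    return counts

def scan_suspects(tcpdump, min_run=3):
    """Map each 'tell' host to its longest run of consecutive ARP targets."""
    targets = defaultdict(list)
    for m in WHO_HAS.finditer(tcpdump):
        targets[m.group(2)].append(ip_address(m.group(1)))
    suspects = {}
    for asker, ips in targets.items():
        run = best = 1
        for a, b in zip(ips, ips[1:]):               # consecutive IPs extend the run
            run = run + 1 if int(b) - int(a) == 1 else 1
            best = max(best, run)
        if best >= min_run:
            suspects[asker] = best
    return suspects
```

On a real box, feed `incomplete_by_prefix` the contents of /proc/net/arp and `scan_suspects` the text of `tcpdump -n arp`; the "tell" address names the host doing the asking, which is the lead for the process-level investigation the post asks about.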