Dale Mirenda wrote:

On Oct 11, 2004, at 10:31 AM, Peter Mueller wrote:

I can do that on the one in Seattle, and on the remote router when I get to Boise, Erich. I'll read up on tcpdump (never used it before) and give it a go. Thanks for the idea; I'm getting lots of input on tools I've never had to think about before, and that is why I came to this forum for help.

E.g.,
tcpdump -i eth0 (or eth1) not port ssh
tcpdump -i eth0 net 192.168.0/24 and not proto \\icmp
tcpdump -i eth0 host 1.2.3.4 or host 5.6.7.8 and not port ssh

Protocols require double-escaping, for example ICMP above. WinDump is the
Windows equivalent.


I think Ray is on the right track with spyware. Be sure to check ifconfig
for transmission errors, too.


eth0 Link encap:Ethernet HWaddr 00:C0:9F:3F:44:42
inet addr:1.2.3.21 Bcast:1.2.3.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
** This is what you are looking for **
RX packets:54447768 errors:2 dropped:0 overruns:0 frame:1
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
TX packets:52184055 errors:0 dropped:0 overruns:0 carrier:0
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
collisions:0 txqueuelen:1000
**
RX bytes:854678430 (815.0 Mb) TX bytes:2033727102 (1939.5 Mb)
Base address:0xece0 Memory:fe1e0000-fe200000


A few errors - 1 every million or so is usually fine.

P

Thanks for the tutorial, Peter. I'll put it to good use. This incident has taught me that I need to focus on this kind of tool to prepare for emergencies.

I don't have a lot to add, as it looks like you've already gotten excellent responses from others in the group, but I do have a few quick points and questions:


- I like to use the "-n" switch to tcpdump, which prevents it from trying to resolve IP addresses into domain names (especially if your network isn't working right).

- You'll find tcpdump and the required libpcap on the Dachstein CD (if you're running one of my images). Just mount and cd to the CD (packages have to be installed from the current directory), then:
lrpkg -i libpcap
lrpkg -i tcpdump


- What kind of hardware are you running? Older Pentium (and especially 486 boxen) can fairly easily be overloaded by 100 MBit NICs if ad/spy/mal-ware is spewing full bore.

- I doubt your IPSec setup is to blame, even if you still have the old office in the config files, although I'd still check to make sure. I have several Dachstein boxen at multiple sites in a partial mesh VPN, and don't notice any problems when any of the sites go down (which happens fairly frequently, as a number of the sites are homes, not offices).

- Have you been using anything like MRTG to monitor bandwidth usage via snmp? The traffic graphs can often quickly tell you where to start looking for problems (i.e., inbound traffic is pegged...go find the rogue Kazaa user and get them to "play nice"; outbound traffic pegged...look for an infected system; traffic looks normal...start verifying your configurations and infrastructure).

- My 'gut reaction' is to suspect either infrastructure (i.e., bad cable, switch, hub, NIC, etc.) or an unidentified host generating lots of traffic.

- Remember to look for rogue wireless APs!

Good luck!

--
Charles Steinkuehler
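A small parser for the ifconfig error counters Peter points at, combined with Charles's overloaded-hardware point, as an added example (not code from this thread or from the LEAF project). It reads old net-tools ifconfig output pasted from the router, applies the "about 1 error per million packets is fine" rule of thumb, and also flags any dropped/overrun packets; eth0 below is the listing quoted in the thread, eth1 is a constructed interface with bad counters.

```python
import re

# Sample ifconfig output: eth0 is copied from the listing quoted in the thread
# (old net-tools format); eth1 is a constructed interface with bad counters.
SAMPLE = """\
eth0      Link encap:Ethernet  HWaddr 00:C0:9F:3F:44:42
          inet addr:1.2.3.21  Bcast:1.2.3.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:54447768 errors:2 dropped:0 overruns:0 frame:1
          TX packets:52184055 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:854678430 (815.0 Mb)  TX bytes:2033727102 (1939.5 Mb)
          Base address:0xece0 Memory:fe1e0000-fe200000

eth1      Link encap:Ethernet  HWaddr 00:C0:9F:00:00:01
          RX packets:1000000 errors:40 dropped:12 overruns:12 frame:40
          TX packets:900000 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
"""

COUNTER_RE = re.compile(r"\b([a-z]+):(\d+)")   # e.g. "errors:2" -> ("errors", "2")

def parse_ifconfig(text):
    """Map interface name -> counters (rx_packets, rx_errors, tx_dropped, collisions, ...)."""
    stats, cur = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():            # interface header starts in column 0
            cur = line.split()[0]
            stats[cur] = {}
            continue
        m = re.match(r"\s*(RX|TX) packets:", line)
        if m:                                 # per-direction counter line
            prefix = m.group(1).lower() + "_"
            for key, val in COUNTER_RE.findall(line):
                stats[cur][prefix + key] = int(val)
        elif line.lstrip().startswith("collisions:"):
            stats[cur]["collisions"] = int(COUNTER_RE.match(line.lstrip()).group(2))
    return stats

def errors_per_million(counters, direction):
    """Error rate in the units of the thread's rule of thumb (about 1 per million is fine)."""
    pkts = counters.get(f"{direction}_packets", 0)
    return counters.get(f"{direction}_errors", 0) * 1_000_000 / pkts if pkts else 0.0

def suspicious_interfaces(stats, threshold=1.0):
    """Interfaces to look at first: error rate above threshold in either direction,
    or any dropped/overrun packets (a NIC or host that cannot keep up with the traffic)."""
    out = []
    for name, c in stats.items():
        hot = any(errors_per_million(c, d) > threshold for d in ("rx", "tx"))
        backlog = any(c.get(f"{d}_{k}", 0) for d in ("rx", "tx") for k in ("dropped", "overruns"))
        if hot or backlog:
            out.append(name)
    return out

if __name__ == "__main__":
    stats = parse_ifconfig(SAMPLE)
    for name, c in stats.items():
        print(f"{name}: rx {errors_per_million(c, 'rx'):.3f}/M  tx {errors_per_million(c, 'tx'):.3f}/M")
    print("check first:", suspicious_interfaces(stats))
```

Pipe the router's real `ifconfig` output into `parse_ifconfig` instead of SAMPLE; the counters are cumulative since the interface came up, so compare two snapshots a few minutes apart to see whether errors are still accumulating.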


leaf-user mailing list: https://lists.sourceforge.net/lists/listinfo/leaf-user
