Re: [Wireshark-users] top talkers by port usage or SYN attempts

On Thu, Jan 24, 2008 at 03:26:37PM -0800, jacob c wrote:
> I have a linux load balancer appliance where some user is constantly
> making too many connections to some unknown ip address. When this
> happens it eventually uses up all 65,000 ports. Is there some way to
> take a massive capture and then filter it out in wireshark by top port
> talkers and/or top syn attempts by ip address? Any info would be very
> much appreciated.

Well, in Wireshark you can use the Endpoints option under Statistics.
This could give you the top 10 list of ip-addresses generating the most
packets or bytes.

If you just want SYN packets to be counted, you can either create a 2nd
trace file with only the SYN packets and look at the endpoint statistics
in this new file. Or... you could use tshark with some command piping:

    tshark -r tracefile -T fields -e ip.src tcp.flags.syn==1 tcp.flags.ack==0 | sort | uniq -c | sort -rn | head

I hope this helps,

Cheers,
Sake

___
Wireshark-users mailing list
Wireshark-users@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-users
Re: [Wireshark-users] top talkers by port usage or SYN attempts

To be honest, if they're creating that many connections then it should
be pretty obvious from eyes on the capture itself.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of jacob c
Sent: 25 January 2008 00:27
To: wireshark-users@wireshark.org
Subject: [Wireshark-users] top talkers by port usage or SYN attempts

> I have a linux load balancer appliance where some user is constantly
> making too many connections to some unknown ip address. When this
> happens it eventually uses up all 65,000 ports. Is there some way to
> take a massive capture and then filter it out in wireshark by top port
> talkers and/or top syn attempts by ip address? Any info would be very
> much appreciated.
>
> Thank you,
Re: [Wireshark-users] top talkers by port usage or SYN attempts - ericsson error

I appreciate the info. I have actually taken several captures now on
individual vlans and have located the top talkers. I also tried the
tshark command you mentioned below without success. I get the ericsson
error as shown below. Here is what happens:

    C:\Program Files\Wireshark>tshark -r c:\captures\0_0-10mins -T fields -e ip.src tcp.flags.syn==1
    Could not open file: 'Ericsson.xml', error: No such file or directory
    tshark: Unexpected end of filter string.

    C:\Program Files\Wireshark>tshark -v
    Could not open file: 'Ericsson.xml', error: No such file or directory
    TShark 0.99.7 (SVN Rev 23910)

    Copyright 1998-2007 Gerald Combs [EMAIL PROTECTED] and contributors.
    This is free software; see the source for copying conditions. There is NO
    warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

    Compiled with GLib 2.14.3, with WinPcap (version unknown), with libz 1.2.3,
    with libpcre 6.4, with SMI 0.4.5, with ADNS, with Lua 5.1, with GnuTLS 1.6.1,
    with Gcrypt 1.2.3, with MIT Kerberos.

    Running on Windows XP Service Pack 2, build 2600, with WinPcap version 4.0.2
    (packet.dll version 4.0.0.1040), based on libpcap version 0.9.5.

    Built using Microsoft Visual C++ 6.0 build 8804

    C:\Program Files\Wireshark>

Do you know what I should modify to resolve this?

Thanks,

Sake Blok [EMAIL PROTECTED] wrote:
> On Thu, Jan 24, 2008 at 03:26:37PM -0800, jacob c wrote:
> > I have a linux load balancer appliance where some user is constantly
> > making too many connections to some unknown ip address. When this
> > happens it eventually uses up all 65,000 ports. Is there some way to
> > take a massive capture and then filter it out in wireshark by top port
> > talkers and/or top syn attempts by ip address? Any info would be very
> > much appreciated.
>
> Well, in Wireshark you can use the Endpoints option under Statistics.
> This could give you the top 10 list of ip-addresses generating the most
> packets or bytes.
>
> If you just want SYN packets to be counted, you can either create a 2nd
> trace file with only the SYN packets and look at the endpoint statistics
> in this new file. Or... you could use tshark with some command piping:
>
>     tshark -r -T fields -e ip.src tcp.flags.syn==1 tcp.flags.ack==0 | sort | uniq -c | sort -rn | head
>
> I hope this helps,
>
> Cheers,
> Sake
Re: [Wireshark-users] top talkers by port usage or SYN attempts - ericsson error

jacob c wrote:
> I appreciate the info. I have actually taken several captures now on
> individual vlans and have located the top talkers. I also tried the
> tshark command you mentioned below without success. I get the ericsson
> error as shown below. Here is what happens:
>
> C:\Program Files\Wireshark>

Oops, cmd.exe, not a UN*X shell, so Sake's command won't work exactly.
If you have Cygwin installed, you could try it from Cygwin.

> tshark -r c:\captures\0_0-10mins -T fields -e ip.src tcp.flags.syn==1
> Could not open file: 'Ericsson.xml', error: No such file or directory
> tshark: Unexpected end of filter string.

The ericsson error isn't the real problem. The real problem is the
"Unexpected end of filter string"; that command isn't complete. The
complete tshark command would be

    tshark -r c:\captures\0_0-10mins -T fields -e ip.src tcp.flags.syn==1 tcp.flags.ack==0

on *one* command line (I don't know whether cmd.exe supports commands
split across multiple command lines the way UN*X shells do).

However, the rest of his command, namely the

    | sort | uniq -c | sort -rn | head

part, is a bit trickier; cmd.exe *does* support pipes (and I suspect it
supports them using Win32 pipes, rather than the old "run the commands
one at a time, save the output of command N to a file, and use that
file as input to command N+1" hack that the MS-DOS command prompt did,
due to DOS being a single-tasking system), but Windows doesn't come
with those other commands. As noted, Cygwin would include those
commands.
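The `sort | uniq -c | sort -rn | head` stage of Sake's pipeline is the part that is missing on a stock Windows box, and it is also the part that does the actual counting. The following is an added example (not code from the thread or from the Wireshark project) that replaces that stage with a small, portable script: it reads the tab-separated lines that `tshark -T fields` prints, one per SYN, and reports the source addresses that sent the most connection attempts, plus the (source, destination, port) flows behind them, which is what you need when one client is burning through the load balancer's ephemeral ports. The field list and filter it assumes are `-e ip.src -e ip.dst -e tcp.dstport` with a display filter such as `tcp.flags.syn==1 && tcp.flags.ack==0`; the sample lines are constructed, not taken from a real capture.

```python
"""Count top SYN initiators from `tshark -T fields` output.

Assumed tshark invocation (read filter syntax may differ between versions):
    tshark -r trace.pcap -T fields -e ip.src -e ip.dst -e tcp.dstport \
        "tcp.flags.syn==1 && tcp.flags.ack==0" | python syn_top.py
Each output line is: <ip.src>\t<ip.dst>\t<tcp.dstport>
"""
import sys
from collections import Counter
from typing import Iterable, List, Tuple

# Constructed sample of what tshark would print for six SYN packets.
# 10.0.0.5 opens four connections to the same destination, which is the
# pattern that exhausts a NAT/load-balancer's ephemeral port range.
SAMPLE_SYN_LINES = [
    "10.0.0.5\t203.0.113.9\t443",
    "10.0.0.5\t203.0.113.9\t443",
    "10.0.0.7\t198.51.100.2\t80",
    "10.0.0.5\t203.0.113.9\t443",
    "10.0.0.9\t198.51.100.2\t80",
    "10.0.0.5\t203.0.113.9\t443",
    "",                      # tshark prints a blank line for non-IP frames
    "10.0.0.7\t198.51.100.2",  # malformed/short line is skipped
]

Record = Tuple[str, str, str]  # (src, dst, dport)


def parse_syn_records(lines: Iterable[str]) -> List[Record]:
    """Turn tab-separated tshark field lines into (src, dst, dport) tuples.

    Lines that are empty or lack one of the three fields are ignored, so
    frames without an IP/TCP layer do not corrupt the counts.
    """
    records: List[Record] = []
    for line in lines:
        parts = line.rstrip("\r\n").split("\t")
        if len(parts) < 3 or not all(parts[:3]):
            continue
        records.append((parts[0], parts[1], parts[2]))
    return records


def top_syn_sources(lines: Iterable[str], n: int = 10) -> List[Tuple[str, int]]:
    """Equivalent of `sort | uniq -c | sort -rn | head -n N` on ip.src."""
    counts = Counter(src for src, _, _ in parse_syn_records(lines))
    return counts.most_common(n)


def top_syn_flows(lines: Iterable[str], n: int = 10) -> List[Tuple[Record, int]]:
    """Same ranking, but per (src, dst, dport), to see *where* the SYNs go."""
    counts = Counter(parse_syn_records(lines))
    return counts.most_common(n)


def format_report(lines: Iterable[str], n: int = 10) -> str:
    """Human-readable summary in the style of `uniq -c` output."""
    lines = list(lines)
    out = ["Top SYN sources:"]
    out += ["%7d %s" % (cnt, src) for src, cnt in top_syn_sources(lines, n)]
    out.append("Top SYN flows (src -> dst:port):")
    out += ["%7d %s -> %s:%s" % (cnt, s, d, p)
            for (s, d, p), cnt in top_syn_flows(lines, n)]
    return "\n".join(out)


if __name__ == "__main__":
    # Read tshark output from stdin when piped; otherwise use the sample.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_SYN_LINES
    print(format_report(source))
```

On Windows this removes the dependency on Cygwin's `sort`, `uniq` and `head`: `tshark ... | python syn_top.py` works from cmd.exe because, as noted above, cmd.exe does support pipes. The per-flow view is the one to watch for the port-exhaustion symptom: a single source hammering one destination:port with thousands of fresh SYNs is exactly what consumes the appliance's outbound port pool.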
[Wireshark-users] top talkers by port usage or SYN attempts

I have a linux load balancer appliance where some user is constantly
making too many connections to some unknown ip address. When this
happens it eventually uses up all 65,000 ports. Is there some way to
take a massive capture and then filter it out in wireshark by top port
talkers and/or top syn attempts by ip address? Any info would be very
much appreciated.

Thank you,