On Tue, Mar 1, 2011 at 2:26 PM, Andy Graybeal <andy.grayb...@casanueva.com> wrote:
> Greetings,
> I'm wondering if there is a DNS forwarding log? I don't have a DNS server
> installed here at the site, I use OpenDNS for my name servers.
>
> I have a machine that is requesting a website that supposedly is related to
> malware according to OpenDNS.
>
> How would I figure out which machine this is on my network? I figure the
> best way would be with a DNS forwarding log, but there isn't one... and I
> don't know much about this stuff anyway and I'm eager to learn.
You can use tcpdump on your LAN interface to see which IP is requesting the website:

    tcpdump -i <lan_interface> -n host name_of_malware_website

Replace <lan_interface> with the real name of your LAN interface (e.g. em0). tcpdump will show you the IP that is requesting the page of name_of_malware_website. Something like the following:

    tcpdump -i en1 -n host 196.36.108.168
    14:32:55.465558 IP 10.0.1.57.50963 > 196.36.108.168.80: Flags [.], ack 1, win 4380, length 0
    14:32:55.465765 IP 10.0.1.57.50963 > 196.36.108.168.80: Flags [P.], seq 1:218, ack 1, win 4380, length 217
    14:32:55.466266 IP 196.36.108.168.80 > 10.0.1.57.50963: Flags [.], ack 218, win 5840, length 0
    14:32:55.506885 IP 196.36.108.168.80 > 10.0.1.57.50963: Flags [P.], seq 1:267, ack 218, win 5840, length 266

--
.warren
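The reply above reads the offending LAN address straight off the tcpdump output. On a busier network it helps to let a script do the reading, and, since the original question was about DNS rather than the web connection itself, to also catch the DNS lookup for the suspect name on its way to the OpenDNS resolver (capture with `tcpdump -i <lan_interface> -n port 53 or host <suspect_ip>`). The following is an added example, not code from either poster: it parses saved `tcpdump -n` text output and counts, per LAN host, how often that host queried the suspect name or connected to the suspect IP. The capture lines are constructed for the example (the four TCP lines are copied from the reply; the DNS lines are made up), the LAN network 10.0.1.0/24 and the placeholder hostname `name_of_malware_website.example` are assumptions, and 208.67.222.222 is an OpenDNS resolver address used only as sample data.

```python
import ipaddress
import re
import sys
from collections import Counter

# One tcpdump -n line: "<timestamp> IP <src>.<sport> > <dst>.<dport>: <rest>"
TCP_LINE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)
# DNS query payload as tcpdump -n prints it: "<id>+ A? <name>. (<len>)"
DNS_QUERY = re.compile(r"^\d+[+%$]* (?:A|AAAA)\? (?P<qname>\S+) \(\d+\)$")

# Constructed sample capture: a DNS lookup by 10.0.1.57 for the suspect name,
# the resolver's answer, an unrelated lookup by 10.0.1.23, then the web
# connection lines quoted in the reply above.
SAMPLE_CAPTURE = """\
14:32:54.901122 IP 10.0.1.57.51244 > 208.67.222.222.53: 40211+ A? name_of_malware_website.example. (49)
14:32:54.932004 IP 208.67.222.222.53 > 10.0.1.57.51244: 40211 1/0/0 A 196.36.108.168 (65)
14:32:54.940000 IP 10.0.1.23.40000 > 208.67.222.222.53: 1111+ A? www.example.org. (33)
14:32:55.465558 IP 10.0.1.57.50963 > 196.36.108.168.80: Flags [.], ack 1, win 4380, length 0
14:32:55.465765 IP 10.0.1.57.50963 > 196.36.108.168.80: Flags [P.], seq 1:218, ack 1, win 4380, length 217
14:32:55.466266 IP 196.36.108.168.80 > 10.0.1.57.50963: Flags [.], ack 218, win 5840, length 0
14:32:55.506885 IP 196.36.108.168.80 > 10.0.1.57.50963: Flags [P.], seq 1:267, ack 218, win 5840, length 266
""".splitlines()


def lan_hosts_reaching(lines, lan_network="10.0.1.0/24",
                       suspect_ip=None, suspect_name=None):
    """Count, per LAN source address, DNS queries for suspect_name ("dns")
    and packets sent to suspect_ip ("connect").  Returns a Counter keyed by
    (source_ip, kind).  Only packets originating inside lan_network count,
    so the server's replies never show up as a "host"."""
    lan = ipaddress.ip_network(lan_network)
    hits = Counter()
    for line in lines:
        m = TCP_LINE.match(line.strip())
        if not m:
            continue  # not a tcpdump packet line we understand
        src, dst = m["src"], m["dst"]
        if ipaddress.ip_address(src) not in lan:
            continue  # inbound packet, skip
        if suspect_ip and dst == suspect_ip:
            hits[(src, "connect")] += 1
        if suspect_name and m["dport"] == "53":
            q = DNS_QUERY.match(m["rest"])
            if q and q["qname"].rstrip(".").lower() == suspect_name.lower():
                hits[(src, "dns")] += 1
    return hits


def report(hits):
    """Render the counter as one line per LAN host, busiest first."""
    by_host = {}
    for (src, kind), n in hits.items():
        by_host.setdefault(src, {})[kind] = n
    lines = []
    for src in sorted(by_host, key=lambda s: -sum(by_host[s].values())):
        kinds = ", ".join(f"{k}={v}" for k, v in sorted(by_host[src].items()))
        lines.append(f"{src}: {kinds}")
    return lines


if __name__ == "__main__":
    # Read a saved capture from stdin if given, else use the sample above.
    data = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_CAPTURE
    result = lan_hosts_reaching(data, suspect_ip="196.36.108.168",
                                suspect_name="name_of_malware_website.example")
    print("\n".join(report(result)) or "no LAN host matched")
```

Run it as `tcpdump -i em0 -n -l 'port 53 or host 196.36.108.168' | python3 find_host.py` (the `-l` makes tcpdump line-buffer its output so the script sees lines as they arrive); the DNS match is the useful one when the suspect site sits behind a shared or changing IP, because the query carries the name the block list actually flagged.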