On Mon, 2010-09-13 at 12:30 -0700, Forbes Mercy wrote:
> Brett,

Not sure who Brett is, but...

> Wireshark showed some anomalies such as IPv6 traffic

There is more IPv6 traffic on the network than most people realize. I've got captures from about 40 networks dating back to about a year and a half ago that nearly ALL have IPv6 traffic (tunneled over v4 of course).

> Friday we changed out three Mikrotik backhauls and APs with Ubiquiti
> gear and upgraded our Bandwidth manager enhancing its rules as well.
> Today we're having the same attack as before but now it's not taking
> down the system, Our bandwidth monitor is pegged on incoming traffic and
> outgoing traffic at 176% of normal (we normally peak at 99% download 30%
> up) but no radios are going down, our system latency at the affected
> tower is 300ms and we're getting intermittent down alarms. It's great
> because we have the first chance to go customer by customer trying to
> find the source but I guess I'm asking if you have any ideas how to find
> or filter this problem? We think the source is comin

Not sure what the rest of this sentence was going to be, but I may be able to offer some "quickie" checks to do.

1. Run torch on the interface(s) in question
2. Sort by source or destination IP (depending on which one is your customer IP range).
3. Look for patterns such as:
   a. one IP making many connections to the same IP on different ports (port scanner)
   b. one IP making many connections to many IPs on the same port (virus)
   c. one IP making many connections to many IPs on different ports (likely to be a torrent or other P2P)
4. If you don't see any of the above patterns, sort by bandwidth (tx then rx rates) and look to see if it is just one user consuming an inordinate amount of bandwidth

This should give you a starting point anyway.

-- 
********************************************************************
* Butch Evans                   * Professional Network Consultation*
* http://www.butchevans.com/    * Network Engineering              *
* http://store.wispgear.net/    * Wired or Wireless Networks       *
* http://blog.butchevans.com/   * ImageStream, Mikrotik and MORE!  *
********************************************************************
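
Added example, not part of the original message: the checks in steps 2 to 4 applied to flow records instead of by eye in torch. The record layout (src, dst, dst_port, bytes), the customer subnet, the thresholds and all sample addresses are assumptions constructed for illustration; this does not parse torch output.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

def build_sample_flows():
    """Constructed flows (src, dst, dst_port, bytes); not real torch output."""
    flows = []
    for i in range(1, 41):
        flows.append(("10.20.0.11", "198.51.100.7", 1000 + i, 60))          # one host, many ports
        flows.append(("10.20.0.12", f"203.0.113.{i}", 445, 200))            # many hosts, one port
        flows.append(("10.20.0.13", f"192.0.2.{i}", 20000 + 37 * i, 9000))  # many hosts, many ports
    flows += [("10.20.0.14", "192.0.2.200", 443, 50_000_000)] * 2           # few flows, heavy volume
    return flows

def classify(flows, customer_net="10.20.0.0/24", many=20, few=3):
    """Return ({customer_ip: pattern}, [(customer_ip, bytes), ...] by volume).

    'many' and 'few' are assumed thresholds on distinct destinations/ports.
    """
    net = ip_network(customer_net)
    dsts, ports, volume = defaultdict(set), defaultdict(set), defaultdict(int)
    for src, dst, dport, nbytes in flows:
        if ip_address(src) not in net:   # step 2: key on the customer-side address
            continue
        dsts[src].add(dst)
        ports[src].add(dport)
        volume[src] += nbytes
    labels = {}
    for src in volume:
        n_dsts, n_ports = len(dsts[src]), len(ports[src])
        if n_dsts >= many and n_ports >= many:
            labels[src] = "3c: many IPs, different ports (likely P2P)"
        elif n_dsts >= many and n_ports <= few:
            labels[src] = "3b: many IPs, same port (virus)"
        elif n_dsts <= few and n_ports >= many:
            labels[src] = "3a: same IP, different ports (port scanner)"
    # Step 4: with no fan-out pattern, fall back to ranking by bytes moved.
    talkers = sorted(volume.items(), key=lambda kv: kv[1], reverse=True)
    return labels, talkers

if __name__ == "__main__":
    labels, talkers = classify(build_sample_flows())
    for ip, why in sorted(labels.items()):
        print(ip, "->", why)
    print("top talker:", talkers[0])
```

The host with only two flows gets no pattern label and surfaces only in the byte ranking, which is the case step 4 is meant to catch.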
