Security Basics mailing list archives

Re: weird


From: Byron Sonne <blsonne () rogers com>
Date: Sat, 21 Feb 2004 12:02:21 -0500

What could it be?  Did someone flood the network on purpose? If so, how do I
track it?
Or could it be that a bad Nic or device on the network just went crazy for a
while. (That's what my boss seems to think.) Even then, how do I track it?

Ah, problems of an intermittent nature! Is there anything more annoying?
It is important to not assume what it is ahead of time. Keep an open mind!

It does sound kind of like a broadcast storm since a lot/all devices were affected. Or it could indeed be a flaky device throwing crud on the network. Hard to say without captures, stats or further knowledge of your network configuration. You may, for instance, have some kind of network misconfiguration that may be exacerbating (sp?) the problem.

Are you fully aware of your network structure? Arm yourself with topological diagrams, etc, and make sure you have a good view of how your network is configured. Bummer about the ntop thing, but there are other avenues. You mentioned you are familiar with ethereal, look into setting up capture filters that are triggered by different occurrences; you might be able to catch something that way.

Try monitoring from multiple points on your net as well.

Here are some handy tools to look into:

Arpwatch (for keeping track of ethernet/ip address pairings): ftp://ftp.ee.lbl.gov/arpwatch.tar.gz

EtherApe (displays network activity graphically):
http://etherape.sourceforge.net/

Last, but not least, my personal favourite:

Trafshow:
http://soft.risp.ru/trafshow/index_en.shtml

Regards,
Byron Sonne


--

For Good, return Good. For Evil, return Justice.
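As an added example (not part of Byron's message or of any of the tools he lists), here is the kind of check a capture filter or arpwatch would do, run offline over a constructed list of frame summaries: a per-source broadcast-rate check that separates one chattering NIC from normal ARP background, and an arpwatch-style "changed ethernet address" check on IP/MAC pairings. The frame tuples, MAC addresses and threshold are all assumptions for illustration.

```python
from collections import Counter, defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"


def constructed_frames():
    """Constructed sample traffic as (timestamp_s, src_mac, dst_mac, src_ip).
    Not real captures: three hosts ARP once a second, one faulty NIC spews
    150 broadcasts inside second 2, and one IP later shows up on a new MAC."""
    frames = []
    for t in range(5):
        for i in range(1, 4):
            frames.append((t + 0.1 * i, f"00:11:22:33:44:0{i}", BROADCAST, f"192.0.2.{i}"))
    for k in range(150):
        frames.append((2.0 + k / 200, "00:de:ad:be:ef:99", BROADCAST, "192.0.2.99"))
    frames.append((4.5, "00:11:22:33:44:77", BROADCAST, "192.0.2.2"))
    return sorted(frames)


def broadcast_rate_by_source(frames, window_s=1.0):
    """Peak number of broadcast frames per window, keyed by source MAC."""
    buckets = defaultdict(Counter)
    for ts, src, dst, _ in frames:
        if dst == BROADCAST:
            buckets[src][int(ts // window_s)] += 1
    return {src: max(c.values()) for src, c in buckets.items()}


def storm_suspects(frames, threshold=100, window_s=1.0):
    """MACs whose peak broadcast rate reaches the (assumed) threshold; a single
    source far above everyone else points at a flaky NIC rather than a loop."""
    rates = broadcast_rate_by_source(frames, window_s)
    return sorted(src for src, peak in rates.items() if peak >= threshold)


def arpwatch_style_changes(frames):
    """Remember the MAC first seen for each IP and report every later change,
    the way arpwatch reports a 'changed ethernet address'."""
    known, changes = {}, []
    for ts, src, _, ip in frames:
        if ip in known and known[ip] != src:
            changes.append((ts, ip, known[ip], src))
        known[ip] = src
    return changes


if __name__ == "__main__":
    frames = constructed_frames()
    print("storm suspects:", storm_suspects(frames))
    for ts, ip, old, new in arpwatch_style_changes(frames):
        print(f"t={ts}: {ip} moved from {old} to {new}")
```

Pointing the same two checks at summaries taken from several capture points on the network shows whether the chatter originates on one segment or is being replicated everywhere.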

