AlexPiko (Austria) asked:
Network Port logger?

Hello!
I use a Linux (SuSE 7.2) gateway for my internet connection. I am looking for an easy-to-use and almost free solution to see which IP address is flooding my machine and eating my bandwidth :( (ADSL 512 kbit).

I guess I am being attacked by someone, maybe by a cheat or flooding software. Whatever it is, it's unknown to me.
A list of the IP addresses of the packets I've received would help (I hope so).
kiranghag

You can use tcpdump, which comes with Linux...
I am not sure if SuSE provides it, but you can download it from the net and install it.

tcpdump allows you to see the traffic in/out from your interface. It also has various options to filter the incoming packets.

At first try with "tcpdump -i eth0 -nflNt"
This will give all traffic.
Then try to identify unwanted types of packets and narrow down your display criteria to pinpoint the users...
(I mean, if you come to know you are being pinged unnecessarily, you can just reduce tcpdump to see who is pinging...)
HTH
You can also redirect this program's output to a file for later reference...
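An added example, not part of kiranghag's comment or anything else in this thread: once tcpdump is producing one line per packet, a short awk filter can rank source addresses by packet and byte count so the flooding host stands out without reading the raw dump. It assumes the one-line output format of a current tcpdump run as `tcpdump -nn -q -l -i eth0` ("HH:MM:SS.us IP src.port > dst.port: ..."), which differs from the 2001-era tcpdump 3.x format; the sample lines in `sample_tcpdump_output` are constructed for the demonstration, and the documentation addresses 203.0.113.5, 198.51.100.7 and 198.51.100.8 are placeholders.

```shell
#!/bin/sh
# Rank the sources seen by tcpdump by packet count (and bytes reported on the line).
# Usage:  tcpdump -nn -q -l -i eth0 -c 5000 | top_sources [N]
# Assumption: modern tcpdump one-line format, e.g.
#   12:00:00.000001 IP 203.0.113.5.40000 > 192.0.2.10.80: tcp 1460
#   12:00:00.000004 IP 198.51.100.7 > 192.0.2.10: ICMP echo request, length 64
# IPv6 ("IP6") lines are ignored by this filter.

top_sources() {
    limit="${1:-10}"
    awk '
        # Field 2 is the address family, field 3 the source, which carries a
        # trailing ".port" for TCP and UDP but not for ICMP.
        $2 == "IP" {
            src = $3
            n = split(src, p, ".")
            if (n >= 5) src = p[1] "." p[2] "." p[3] "." p[4]
            pkts[src]++
            # With -q, TCP lines end in "tcp N" and UDP/ICMP lines in "length N".
            for (i = 4; i < NF; i++)
                if ($i == "tcp" || $i == "length") { bytes[src] += $(i + 1) + 0; break }
        }
        END {
            for (s in pkts) printf "%d %d %s\n", pkts[s], bytes[s], s
        }' | sort -k1,1nr -k2,2nr | head -n "$limit"
}

# Constructed sample capture (not real traffic) so the filter can be tried offline.
sample_tcpdump_output() {
    cat <<'EOF'
12:00:00.000001 IP 203.0.113.5.40000 > 192.0.2.10.80: tcp 1460
12:00:00.000002 IP 203.0.113.5.40001 > 192.0.2.10.80: tcp 1460
12:00:00.000003 IP 203.0.113.5.40002 > 192.0.2.10.80: tcp 1460
12:00:00.000004 IP 198.51.100.7 > 192.0.2.10: ICMP echo request, length 64
12:00:00.000005 IP 198.51.100.8.53 > 192.0.2.10.1024: UDP, length 120
EOF
}

# Try it on the constructed sample: the top line is "3 4380 203.0.113.5".
sample_tcpdump_output | top_sources 3
```

Columns are packets, bytes and source; pipe a real capture in place of `sample_tcpdump_output` and the host with the most packets sits on the first line. Because this only counts what the kernel saw on the interface, it identifies the claimed source, not necessarily the real one (see the spoofing caveat further down the thread).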
IMHO, iptraf is the best tool for your needs.  You can get a realtime display of your traffic and sort it by byte and packet count.  So if you get flooded, it should be easy to spot where it's (ostensibly) coming from.
ASKER CERTIFIED SOLUTION
Sarcos
Careful: iplog seems to be no longer supported.  It has at least one unresolved memory leak, and the author would not respond to my e-mails.
You can also add a rule to your firewall.  In iptables, looking at all incoming tcp connections would look something like this:

#iptables -A INPUT -p tcp -j LOG

You should check out Rusty Russell's Packet-Filtering HOWTO at http://netfilter.samba.org

I'm pretty sure that this will probably screw up standard usage (like ACK replies) so you should really not use it unless you're familiar with iptables.
-Jeremy
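An added example, not part of Jeremy's comment or the thread: the same LOG target, but restricted to new TCP connections (SYN only) and rate-limited with the `limit` match so the kernel log cannot itself be flooded, followed by a one-liner that counts the `SRC=` field of the resulting kernel log lines. The rule installer is a function you call explicitly as root; the kernel log lines in `sample_kernel_log` are constructed, and the prefix "FLOOD-IN: " is an arbitrary tag chosen here.

```shell
#!/bin/sh
# Rate-limited logging of inbound TCP connection attempts with iptables, plus a
# summary of the kernel log by source address.

install_log_rule() {
    # Log only SYN packets, at most 10 lines/second (burst 20), tagged with a
    # prefix so the lines are easy to grep out of /var/log/messages or dmesg.
    # LOG does not accept or drop anything; traffic continues down the chain.
    iptables -A INPUT -p tcp --syn -m limit --limit 10/s --limit-burst 20 \
        -j LOG --log-prefix "FLOOD-IN: " --log-level 4
}

# Read kernel log lines on stdin and print "count address" for the top N sources.
# Usage:  grep 'FLOOD-IN:' /var/log/messages | top_log_sources [N]
top_log_sources() {
    grep -o 'SRC=[0-9.]*' | cut -d= -f2 | sort | uniq -c | sort -rn | head -n "${1:-10}"
}

# Constructed sample kernel log (not from a real machine) in the netfilter LOG format.
sample_kernel_log() {
    cat <<'EOF'
Jan  1 12:00:00 gw kernel: FLOOD-IN: IN=ppp0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=TCP SPT=40000 DPT=80 WINDOW=512 RES=0x00 SYN URGP=0
Jan  1 12:00:00 gw kernel: FLOOD-IN: IN=ppp0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=2 PROTO=TCP SPT=40001 DPT=80 WINDOW=512 RES=0x00 SYN URGP=0
Jan  1 12:00:00 gw kernel: FLOOD-IN: IN=ppp0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=3 PROTO=TCP SPT=51000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jan  1 12:00:01 gw kernel: FLOOD-IN: IN=ppp0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=4 PROTO=TCP SPT=40002 DPT=80 WINDOW=512 RES=0x00 SYN URGP=0
EOF
}

# Try the summary on the constructed log; the first line is "3 203.0.113.5".
sample_kernel_log | top_log_sources 5
```

Run `install_log_rule` as root on the gateway, then feed the tagged lines from the system log into `top_log_sources`. Because the rate limit drops log entries (not packets) beyond the burst, the counts are a lower bound during a real flood; they still point at the loudest source.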
You could try ntop or intop (http://www.ntop.org). It looks like top and can display traffic load according to IP number. But anyway it is based on pcap, so it falls into the tcpdump-like software category pointed out by kiranghag. And if your attacker is not dumb it won't be of much use.

Since you seem to be an end-user, your bandwidth could be eaten not by an attacker, but by a trojan inside your gateway or network. So also check you haven't been hacked, and somebody is using your boxes as a warez site.

And the -q option cuts down the output of tcpdump to the bare minimum (date, ip numbers and ports, protocol).
One additional comment: assuming you do find that the flooding is coming from an external source, if they're not established TCP connections (i.e., if he's just flooding you with spurious packets and they're not a part of any real connection) then you can't necessarily assume the "source IP" is _really_ the actual source; it could be spoofed.  But you could still report the IP to whatever ISP owns it, and if it turns out to have been spoofed, then you'll need to track it down by contacting each ISP along the route and one of them should be able to find out the real source.
Ethereal should do the trick
look for Ethereal on http://www.ethereal.com/
oh yes, Ethereal also has a graphical frontend...
AlexPiko (asker)
Each comment helped a bit
thank you
all
:)