Network Port logger?

Hello!
I use a Linux (SuSE 7.2) gateway for my inet connection. I am looking for an easy-to-use and almost free solution to see which IP address is flooding my machine and eating my bandwidth :( (ADSL 512kbit).

I guess I am attacked by someone, maybe by a cheat or flooding software. Whatever it is, it's unknown to me.
A list of IP addresses of the packets I've received would help (hope so).
LVL 1
AlexPiko Asked:

kiranghag Commented:
You can use tcpdump, which comes with Linux...
I am not sure if SuSE provides it, but you can download it from the net and install it.

tcpdump allows you to see the traffic in/out from your interface. It also has various options to filter out the incoming packets.

At first try with "tcpdump -i eth0 -nflNt"
This will give all traffic.
Then try to identify unwanted types of packets and narrow down your display criteria to pinpoint the users...
(I mean, if you come to know you are pinged unnecessarily, you can just reduce tcpdump to see who is pinging...)
hth
0
kiranghag Commented:
You can also redirect this program's output to a file for later reference...
0
jimbb Commented:
IMHO, iptraf is the best tool for your needs.  You can get a realtime display of your traffic and sort it by byte and packet count.  So if you get flooded, it should be easy to spot where it's (ostensibly) coming from.
0

Sarcos Commented:
Try iplog
Download: http://freshmeat.net/redir/iplog/4532/url_tgz/iplog-2.2.3.tar.gz
Summary:
"iplog is a TCP/IP traffic logger. Currently, it is capable of logging TCP, UDP, and ICMP traffic. iplog is able to detect TCP port scans, TCP null scans, FIN scans, UDP and ICMP "smurf" attacks, bogus TCP flags, TCP SYN scans, TCP "Xmas" scans, ICMP ping floods, UDP scans, and IP fragment attacks. iplog is able to run in promiscuous mode and monitor traffic to all hosts on a network. iplog uses libpcap to read data from the network and can be ported to any system that supports pthreads and on which libpcap will function."
0

jimbb Commented:
Careful: iplog seems to be no longer supported.  It has at least one unresolved memory leak, and the author would not respond to my e-mails.
0
jeremynd01 Commented:
You can also add a rule to your firewall.  In iptables, looking at all incoming tcp connections would look something like this:

#iptables -A INPUT -p tcp -j LOG

You should check out Rusty Russel's Packet-Filtering howto at http://netfilter.samba.org

I'm pretty sure that this will probably screw up standard usage (like ACK replies) so you should really not use it unless you're familiar with iptables.
-Jeremy
0
Jaem Commented:
You could try ntop or intop (http://www.ntop.org). It looks like top and can display traffic load according to IP number. But anyway it is based on pcap, so it falls into the tcpdump-like software category pointed out by kiranghag. And if your attacker is not dumb it won't be of much use.

Since you seem to be an end-user, your bandwidth could be eaten not by an attacker, but by a trojan inside your gateway or network. So also check that you haven't been hacked and somebody is using your boxes as a warez site.

And the -q option cuts down the output of tcpdump to the bare minimum (date, ip numbers and ports, protocol).
0
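The two log formats discussed in this thread (kiranghag's tcpdump output, especially with the -q option Jaem mentions, and jeremynd01's iptables LOG rule) both answer the original question the same way: count packets per source address and see who tops the list. The following script is an added example and not code posted by anyone in the thread; the sample lines are constructed in the style of "tcpdump -n -q" and of an iptables LOG entry in the kernel log, using documentation address ranges, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread. Two small parsers turn
# (a) "tcpdump -n -q" lines and (b) iptables "-j LOG" lines from the kernel log
# into a per-source-address packet count, busiest source first.
# All sample lines below are constructed; the addresses are documentation ranges.

# Source address from "tcpdump -n -q" output. With -n, TCP/UDP sources carry the
# port as a fifth dotted field (a.b.c.d.port); ICMP sources have only four fields.
tcpdump_sources() {
    awk '$2 == "IP" {
        n = split($3, a, ".")
        if (n == 5) print a[1] "." a[2] "." a[3] "." a[4]
        else        print $3
    }'
}

# SRC= field from iptables LOG lines as they appear in syslog/kern.log.
iptables_log_sources() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) { sub(/^SRC=/, "", $i); print $i } }'
}

# Count packets per source and sort descending: one "<count> <address>" per line.
rank_sources() {
    sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Convenience wrappers: the single busiest source address in a block of text.
top_tcpdump_source() {
    printf '%s\n' "$1" | tcpdump_sources | rank_sources | head -n 1 | awk '{ print $2 }'
}
top_iptables_source() {
    printf '%s\n' "$1" | iptables_log_sources | rank_sources | head -n 1 | awk '{ print $2 }'
}

# Constructed sample of "tcpdump -i eth0 -n -q" output (three packets from one host).
TCPDUMP_SAMPLE='12:00:01.000001 IP 203.0.113.7.40000 > 192.0.2.10.80: tcp 0
12:00:01.000002 IP 203.0.113.7.40001 > 192.0.2.10.80: tcp 0
12:00:01.000003 IP 198.51.100.4.5353 > 192.0.2.10.53: UDP, length 40
12:00:01.000004 IP 203.0.113.7 > 192.0.2.10: ICMP echo request, id 1, seq 1, length 64
12:00:01.000005 IP 192.0.2.10.80 > 198.51.100.4.40001: tcp 0'

# Constructed sample of kernel log lines from "iptables -A INPUT -p tcp -j LOG".
IPTABLES_SAMPLE='Jan  5 12:00:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TTL=55 ID=0 PROTO=TCP SPT=40000 DPT=80 SYN
Jan  5 12:00:01 gw kernel: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 LEN=40 TTL=60 ID=1 PROTO=TCP SPT=5000 DPT=22 SYN
Jan  5 12:00:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TTL=55 ID=2 PROTO=TCP SPT=40001 DPT=80 SYN'

# Live use as root (not executed here):
#   tcpdump -i eth0 -n -q | tcpdump_sources | rank_sources
#   grep 'SRC=' /var/log/messages | iptables_log_sources | rank_sources
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$TCPDUMP_SAMPLE"  | tcpdump_sources      | rank_sources
    printf '%s\n' "$IPTABLES_SAMPLE" | iptables_log_sources | rank_sources
fi
```

Run with "sh script.sh demo" to see both rankings on the constructed samples; the top line of each is the address that, as jimbb notes later in the thread, may still be spoofed if the packets are not part of an established connection, so treat it as a lead rather than proof.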
jimbb Commented:
One additional comment: assuming you do find that the flooding is coming from an external source, if they're not established TCP connections (i.e., if he's just flooding you with spurious packets and they're not a part of any real connection) then you can't necessarily assume the "source IP" is _really_ the actual source; it could be spoofed. But you could still report the IP to whatever ISP owns it, and if it turns out to have been spoofed, then you'll need to track it down by contacting each ISP along the route, and one of them should be able to find out the real source.
0
aelhajj Commented:
Ethereal should do the trick
0
aelhajj Commented:
Look for Ethereal on http://www.ethereal.com/
0
kiranghag Commented:
Oh yes, Ethereal also has a graphical frontend...
0
AlexPiko (Author) Commented:
Each comment helped a bit.
Thank you all :)

0