Solved

Network Port logger?

Posted on 2003-02-28
Last Modified: 2010-03-18
Hello!
I use a Linux (SuSE 7.2) gateway for my inet connection. I am looking for an easy-to-use and almost free solution to see which IP address is flooding my machine and eating my bandwidth :( (ADSL 512 kbit).

I guess I am attacked by someone, maybe by a cheat or flooding software. Whatever it is, it's unknown to me.
A list of IP addresses of the packets I've received would help (hope so).
Question by:AlexPiko
12 Comments
 
LVL 10

Expert Comment

by:kiranghag
ID: 8046176
You can use tcpdump, which comes with Linux...
I am not sure if SuSE provides it, but you can download it from the net and install it.

tcpdump allows you to see the traffic in/out from your interface. It also has various options to filter out the incoming packets.

At first try with "tcpdump -i eth0 -nflNt"
This will give all traffic.
Then try to identify unwanted types of packets and narrow down your display criteria to pinpoint the users...
(I mean, if you come to know you are pinged unnecessarily, you can just reduce tcpdump to see who is pinging...)
hth
 
LVL 10

Expert Comment

by:kiranghag
ID: 8046177
You can also redirect this program's output to a file for later reference...
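As an added example that is not part of kiranghag's comments, here is a small shell helper for the narrowing-down step described above: it reads "tcpdump -n" output (live, or replayed from a file saved with -w) and counts packets per source host, so the address flooding the link rises to the top. The sample capture lines are constructed for this example with RFC 5737 documentation addresses; the script assumes tcpdump's usual "src > dst:" line layout, which holds with or without a leading timestamp.

```shell
#!/bin/sh
# Added example, not code from the original thread. Summarizes "tcpdump -n"
# output by source host so a flooding address stands out.
# Assumes tcpdump's usual "src > dst:" line layout, e.g.
#   IP 203.0.113.9.40001 > 192.0.2.10.80: Flags [S], ...
# with or without a leading timestamp (tcpdump -t drops it).
#
# Live use on the gateway:    tcpdump -n -i eth0 | top_sources | head
# Save first, analyse later:  tcpdump -n -i eth0 -w flood.pcap
#                             tcpdump -n -r flood.pcap | top_sources | head

# Constructed sample capture (RFC 5737 documentation addresses).
SAMPLE_CAPTURE='IP 203.0.113.9.40001 > 192.0.2.10.80: Flags [S], seq 1, win 512, length 0
IP 203.0.113.9.40002 > 192.0.2.10.80: Flags [S], seq 1, win 512, length 0
IP 198.51.100.7 > 192.0.2.10: ICMP echo request, id 1, seq 1, length 64
IP 203.0.113.9.40003 > 192.0.2.10.80: Flags [S], seq 1, win 512, length 0
IP 192.0.2.10.80 > 198.51.100.20.51000: Flags [S.], seq 1, ack 2, win 512, length 0
IP 203.0.113.9.40004 > 192.0.2.10.80: Flags [S], seq 1, win 512, length 0
IP 198.51.100.7 > 192.0.2.10: ICMP echo request, id 1, seq 2, length 64'

# Read tcpdump -n lines on stdin; print "packets host", busiest host first.
top_sources() {
    awk '{
        src = ""
        # The source is the field just before the ">" separator.
        for (i = 2; i < NF; i++) if ($i == ">") { src = $(i - 1); break }
        if (src == "") next
        # TCP/UDP sources print as a.b.c.d.port (4 dots); ICMP as a.b.c.d (3 dots).
        # Only strip a trailing ".port", never the last octet.
        if (gsub(/\./, ".", src) == 4) sub(/\.[0-9]+$/, "", src)
        pkts[src]++
    }
    END { for (h in pkts) printf "%d %s\n", pkts[h], h }' | sort -rn
}

# Host with the most packets in the sample capture.
busiest_source() {
    printf '%s\n' "$SAMPLE_CAPTURE" | top_sources | head -n 1 | awk '{ print $2 }'
}

# Packet count for one host in the sample capture, e.g. sample_count_for 203.0.113.9
sample_count_for() {
    printf '%s\n' "$SAMPLE_CAPTURE" | top_sources | awk -v h="$1" '$2 == h { print $1 }'
}
```

Once the top host is known, narrowing tcpdump to it is one filter away (tcpdump -n -i eth0 src host 203.0.113.9) to see what kind of packets it sends, and, as the later comment on spoofing notes, a source address on unsolicited packets is a lead to report, not proof of origin.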
 
LVL 2

Expert Comment

by:jimbb
ID: 8047013
IMHO, iptraf is the best tool for your needs.  You can get a realtime display of your traffic and sort it by byte and packet count.  So if you get flooded, it should be easy to spot where it's (ostensibly) coming from.
 

Accepted Solution

by:Sarcos (earned 400 total points)
ID: 8047812
Try iplog
Download:  http://freshmeat.net/redir/iplog/4532/url_tgz/iplog-2.2.3.tar.gz
Summary:
"iplog is a TCP/IP traffic logger. Currently, it is capable of logging TCP, UDP, and ICMP traffic. iplog is able to detect TCP port scans, TCP null scans, FIN scans, UDP and ICMP "smurf" attacks, bogus TCP flags, TCP SYN scans, TCP "Xmas" scans, ICMP ping floods, UDP scans, and IP fragment attacks. iplog is able to run in promiscuous mode and monitor traffic to all hosts on a network. iplog uses libpcap to read data from the network and can be ported to any system that supports pthreads and on which libpcap will function"
 
LVL 2

Expert Comment

by:jimbb
ID: 8048070
Careful: iplog seems to be no longer supported.  It has at least one unresolved memory leak, and the author would not respond to my e-mails.
 

Expert Comment

by:jeremynd01
ID: 8048936
You can also add a rule to your firewall.  In iptables, looking at all incoming tcp connections would look something like this:

#iptables -A INPUT -p tcp -j LOG

You should check out Rusty Russell's Packet-Filtering HOWTO at http://netfilter.samba.org

I'm pretty sure that this will probably screw up standard usage (like ACK replies) so you should really not use it unless you're familiar with iptables.
-Jeremy
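An added example, not from jeremynd01's comment or the netfilter HOWTO, of a LOG rule that is safe to leave in place during a flood, plus a reader for the lines it writes. Two facts are worth knowing before typing the rule in: LOG is a non-terminating target, so it never drops or alters a packet by itself, and the real risk of "-j LOG" on every packet is that the kernel log fills faster than a 512 kbit link, which the limit match prevents. The example assumes the ISP-facing interface is eth0 (on a PPPoE/ADSL setup it is often ppp0), that the limit and state matches (ip_conntrack) are available, and it chooses the log prefix "FLOOD " itself; the kernel log lines are constructed to match the format ipt_LOG writes.

```shell
#!/bin/sh
# Added example, not part of the original comment. A rate-limited LOG rule
# for the flood case, and a reader for the kernel log lines it produces.
# Assumptions: iptables with the limit and state matches available, the
# ISP-facing interface is eth0 (often ppp0 on ADSL), and the log prefix
# "FLOOD " is chosen here. Kernel log lines below are constructed to match
# the "IN= OUT= MAC= SRC= DST= LEN= ... PROTO=" layout ipt_LOG writes.

# Install the rules (run as root on the gateway; not executed by this file).
# LOG is non-terminating: the packet continues to the next rule, so nothing
# is dropped. The limit match caps how many lines per second reach syslog so
# the logging itself cannot become the bottleneck during a flood.
install_flood_log_rules() {
    iptables -N FLOODLOG 2>/dev/null || true
    iptables -F FLOODLOG
    iptables -A FLOODLOG -m limit --limit 10/second --limit-burst 50 \
        -j LOG --log-prefix "FLOOD " --log-level info
    # Only unsolicited inbound packets: new connections and packets that belong
    # to no known connection; replies to our own traffic are not logged.
    iptables -I INPUT 1 -i eth0 -m state --state NEW,INVALID -j FLOODLOG
}

# Constructed sample of /var/log/messages lines written by the rule above
# (one unrelated sshd line included to show the prefix filter at work).
SAMPLE_KERNLOG='Feb 28 12:00:01 gw kernel: FLOOD IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=512 RES=0x00 SYN URGP=0
Feb 28 12:00:01 gw kernel: FLOOD IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=40002 DPT=80 WINDOW=512 RES=0x00 SYN URGP=0
Feb 28 12:00:01 gw kernel: FLOOD IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=1500 TOS=0x00 PREC=0x00 TTL=49 ID=7 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Feb 28 12:00:02 gw kernel: FLOOD IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=40003 DPT=80 WINDOW=512 RES=0x00 SYN URGP=0
Feb 28 12:00:02 gw sshd[412]: Accepted publickey for alex from 198.51.100.20 port 51000 ssh2
Feb 28 12:00:02 gw kernel: FLOOD IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=40004 DPT=80 WINDOW=512 RES=0x00 SYN URGP=0
Feb 28 12:00:02 gw kernel: FLOOD IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=TCP SPT=40005 DPT=80 WINDOW=512 RES=0x00 SYN URGP=0'

# Read syslog lines on stdin; print "bytes packets src proto" for lines with
# the FLOOD prefix, sorted by bytes so the bandwidth hog is on top.
flood_sources() {
    awk '/kernel: FLOOD / {
        src = ""; len = 0; proto = "?"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)   src   = substr($i, 5)
            if ($i ~ /^LEN=/)   len   = substr($i, 5) + 0
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
        }
        if (src == "") next
        key = src " " proto
        bytes[key] += len
        pkts[key]++
    }
    END { for (k in bytes) printf "%d %d %s\n", bytes[k], pkts[k], k }' | sort -rn
}

# Source that consumed the most bytes in the sample log.
flood_top_source() {
    printf '%s\n' "$SAMPLE_KERNLOG" | flood_sources | head -n 1 | awk '{ print $3 }'
}

# Total bytes logged from one source, e.g. flood_bytes_for 203.0.113.9
flood_bytes_for() {
    printf '%s\n' "$SAMPLE_KERNLOG" | flood_sources |
        awk -v h="$1" '$3 == h { s += $1 } END { print s + 0 }'
}
```

Summing LEN= per source rather than counting lines is deliberate: in the sample, one host sends five 40-byte SYNs and another sends a single 1500-byte ping, and the ping sender is the one eating the bandwidth the question asks about. On the real box, run "grep 'kernel: FLOOD ' /var/log/messages | flood_sources | head" instead of the embedded sample, and remove the rule with "iptables -D INPUT -i eth0 -m state --state NEW,INVALID -j FLOODLOG" once the source is identified.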
 
LVL 1

Expert Comment

by:Jaem
ID: 8052439
You could try ntop or intop (http://www.ntop.org). It looks like top and can display traffic load according to IP number. But anyway it is based on pcap, so it falls in the tcpdump-like software category pointed out by kiranghag. And if your attacker is not dumb it won't be of much use.

Since you seem to be an end user, your bandwidth could be eaten not by an attacker, but by a trojan inside your gateway or network. So also check that you haven't been hacked and that somebody isn't using your boxes as a warez site.

And the -q option cuts down the output of tcpdump to the bare minimum (date, ip numbers and ports, protocol).
 
LVL 2

Expert Comment

by:jimbb
ID: 8052529
One additional comment: assuming you do find that the flooding is coming from an external source, if they're not established TCP connections (i.e., if he's just flooding you with spurious packets and they're not a part of any real connection) then you can't necessarily assume the "source IP" is _really_ the actual source; it could be spoofed. But you could still report the IP to whatever ISP owns it, and if it turns out to have been spoofed, then you'll need to track it down by contacting each ISP along the route and one of them should be able to find out the real source.
 

Expert Comment

by:aelhajj
ID: 8067942
Ethereal should do the trick
 

Expert Comment

by:aelhajj
ID: 8067951
look for ethereal on http://www.ethereal.com/
 
LVL 10

Expert Comment

by:kiranghag
ID: 8073220
Oh yes, Ethereal also has a graphical frontend...
 
LVL 1

Author Comment

by:AlexPiko
ID: 8135664
Each comment helped a bit. Thank you all :)
