network monitor

Posted on 2011-10-11
Last Modified: 2012-05-12
Hello experts,

We use Open DNS to block malicious websites.

Our report is showing a domain being filtered out with a huge hit count.

It is good that it is being blocked; however, I suspect that there is a virus or malware infection on one of the PCs on the network.

But since Open DNS has no way of finding out the offending endpoint, I have to do this locally, by myself.

I don't know much about network monitoring, but I do know the concept on which utilities like Ethereal and Microsoft Network Monitor work.

I have never used any of them successfully after playing around with them.

So: 1. Is there a way I can use any of these monitoring utilities, and if so, which one, and exactly how do I set up the filters etc.?

2. Is there an alternative way of finding this out? Our AV monitoring suggests everything is fine.

As you can understand this is my #1 priority right now as I need to stop this before it spreads to the other branch offices as well.

Urgent help needed!!!
Question by: alex110109

    Accepted Solution

    If you have an appliance on the perimeter, you should check to see if that device has any features to help you out, i.e. a Cisco ASA informational log can help you match traffic, or a device with NetFlow might be good here also.

    If you have none of these available, my next thought would be to connect a PC with Wireshark to a switch monitoring port that watches your traffic heading toward the router/firewall, or you can use a hub if you have one available. A Wireshark trace run for 30 min should get you enough data. Filter on DNS packets and browse the log to find the offending PC.


    Author Comment

    Hi Mike

    Currently I only have access to the server remotely.

    It's an SBS 2008 server, so essentially it is the DNS server all the client PCs use.

    I have done the capturing and filtering of packets on the server itself and it shows me the offending IP to be the server itself.

    However, I don't know if that means the server itself is the culprit here, or if the server is coming up in the logs because it is simply relaying the DNS queries to external DNS servers and is being caught doing that?

    I ran this from a PC and also ticked "run in promiscuous mode", but still it's not capturing the traffic from any PCs other than itself.

    Now this may be a different question, but assuming the server itself is infected, is there a tool I can run that will tell me which process or file is trying to access the domain in question?

    Expert Comment

    >> the server is simply relaying the DNS queries to external DNS servers

    Most likely, yes.

    >> I ran this from a PC and also ticked "run in promiscuous mode", but still it's not capturing the traffic from any PCs other than itself.

    It's probably on a switch, not a hub, so it won't see traffic other than that destined for it or from broadcasts.

    You could turn on Wireshark on this host. Let PCs make the DNS requests as they normally would. Then take the capture, filter on port 53 traffic, then just start looking for the site's FQDN in the requesting packets.
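As an added illustration of the approach in this answer (example code, not from the thread or from any of the tools mentioned): a small Python script that does offline what the Wireshark workflow does. It takes DNS payloads as they would be extracted from UDP port 53 packets captured on the DNS server, decodes the question name of each request, and tallies which source IPs asked for the blocked domain. It also separates the server's own forwarded lookups (queries whose source is the internal DNS server) from client requests, which is the distinction the author was unsure about. The addresses, domain names and packet list are constructed for the example.

```python
import struct
from collections import defaultdict

# Hypothetical addresses for the example (constructed, not from the thread):
INTERNAL_DNS = "192.168.1.1"      # the SBS server that all client PCs use for DNS
UPSTREAM_DNS = "198.51.100.53"    # placeholder for the external resolver it forwards to
BLOCKED_DOMAIN = "bad.example"    # placeholder for the domain the filtering report flagged


def build_query(name, txid=0x1234, response=False):
    """Build a minimal A-record DNS message for `name` in wire format
    (used only to construct sample traffic for this example)."""
    flags = 0x8180 if response else 0x0100
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_qname(payload, offset):
    """Decode a DNS name starting at `offset`; returns (name, offset_after_name)."""
    labels = []
    while True:
        length = payload[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            ptr = struct.unpack(">H", payload[offset:offset + 2])[0] & 0x3FFF
            suffix, _ = parse_qname(payload, ptr)
            labels.append(suffix)
            return ".".join(labels), offset + 2
        offset += 1
        labels.append(payload[offset:offset + length].decode("ascii", "replace"))
        offset += length


def parse_dns(payload):
    """Return (is_query, [question names]) for one DNS message, or None if malformed."""
    if len(payload) < 12:
        return None
    _txid, flags, qdcount = struct.unpack(">HHH", payload[:6])
    is_query = not (flags & 0x8000)  # QR bit clear means this is a request
    names, offset = [], 12
    try:
        for _ in range(qdcount):
            name, offset = parse_qname(payload, offset)
            offset += 4  # skip QTYPE and QCLASS
            names.append(name)
    except (IndexError, struct.error):
        return None
    return is_query, names


def matches(name, blocked):
    """True if `name` is the blocked domain or one of its subdomains."""
    n = name.lower().rstrip(".")
    return n == blocked or n.endswith("." + blocked)


def attribute_queries(packets, blocked_domain, internal_dns):
    """packets: iterable of (src_ip, dst_ip, dns_payload) taken from UDP/53 traffic.
    Returns ({client_ip: hit_count}, forwarded_count): the client hosts that asked
    for the blocked domain, and how many times the DNS server itself sent the
    name upstream (relays or the server's own lookups, not evidence against a client)."""
    clients = defaultdict(int)
    forwarded = 0
    blocked = blocked_domain.lower()
    for src, _dst, payload in packets:
        parsed = parse_dns(payload)
        if parsed is None:
            continue
        is_query, names = parsed
        if not is_query:
            continue  # answers repeat the question; only count requests
        if any(matches(n, blocked) for n in names):
            if src == internal_dns:
                forwarded += 1
            else:
                clients[src] += 1
    return dict(clients), forwarded


# Constructed sample traffic, as it would look when captured on the DNS server itself:
SAMPLE_PACKETS = [
    ("192.168.1.50", INTERNAL_DNS, build_query("bad.example")),
    (INTERNAL_DNS, UPSTREAM_DNS, build_query("bad.example")),               # server relays it
    (UPSTREAM_DNS, INTERNAL_DNS, build_query("bad.example", response=True)),  # upstream answer
    ("192.168.1.51", INTERNAL_DNS, build_query("www.example.org")),
    ("192.168.1.50", INTERNAL_DNS, build_query("evil.bad.example")),
    (INTERNAL_DNS, UPSTREAM_DNS, build_query("evil.bad.example")),          # relayed again
    ("192.168.1.50", INTERNAL_DNS, build_query("bad.example")),
]

if __name__ == "__main__":
    clients, forwarded = attribute_queries(SAMPLE_PACKETS, BLOCKED_DOMAIN, INTERNAL_DNS)
    print("client hosts querying", BLOCKED_DOMAIN, "->", clients)        # {'192.168.1.50': 3}
    print("queries the server itself forwarded upstream:", forwarded)     # 2
```

The point the script makes is the one behind the author's follow-up: on a capture taken on the DNS server, a request for the blocked name shows up twice, once from the client to the server and once from the server to the upstream resolver, so the server appearing as a source is not by itself evidence that the server is infected; the packets addressed to the server are the ones that name the client. In Wireshark the equivalent display filter is `udp.port == 53 && dns.qry.name contains "bad.example"` (with the real domain substituted), and the Source column of the packets whose destination is the server gives the requesting host.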


    Expert Comment

    Did the wireshark suggestion not work for you?

    Author Comment

    Hi Mike

    Yes, it did work for me; however, I was unsure if it was the server or one of the workstations requesting the DNS resolution.

    It did turn out to be the server, as that was my first suspect, and so I can say that the problem is fixed.

    However, I would have loved to go deeper in this situation to pin-point the cause.

    Author Closing Comment

    Fixed the problem, but it took a bit of guesswork.
