[NTLUG:Discuss] Denial of service attack?

David david at hayes-family.org
Tue Nov 19 19:36:13 CST 2002


On Mon, Nov 18, 2002 at 10:46:00AM -0600, Rick Matthews wrote:
> At various times over the past two days, I've been seeing (virtually)
> streaming data on my nick that connects to the outside world. I 
> can't account for that activity. During those periods web browsing
> is slowed to a crawl.
> 
> What commands can I use to determine what is going on?

tcpdump is a good tool for showing exactly what packets are passing
through an interface.  Netstat is helpful, but it only shows sockets,
i.e., the endpoints of connections.  It doesn't show actual packets being
sent or received from those sockets.

Tcpdump is a text-based packet sniffer.  Its GUI twin is "ethereal".

I recommend disabling hostname lookup, so you don't cloud your link with
your own packets trying to do hostname lookups.  You can always go back
and resolve the captured IP addresses manually, after you determine
which ones are important to you.  For example:

  tcpdump -n -i ppp0

A better plan is to capture the packets, so you can do analysis later:

  tcpdump -n -i ppp0 -s 1560 -w /tmp/capture.eth

Of course, all these programs must be run as "root".

-- 
David Hayes
david at hayes-family.org
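Added example, not part of David's reply or of tcpdump itself: a small Python script that reads `tcpdump -n` output and totals payload bytes per remote address, so the peer responsible for the "streaming" traffic is identified first and only those addresses are resolved afterwards. The sample lines are constructed, in the line format of current tcpdump releases (older versions print a different layout), and 192.0.2.10 is assumed to be the local ppp0 address.

```python
import re
import socket
from collections import Counter

# Constructed sample of `tcpdump -n -i ppp0` output; 192.0.2.10 is the local side.
SAMPLE = """\
19:36:13.100001 IP 192.0.2.10.1034 > 198.51.100.5.80: Flags [P.], seq 1:101, ack 1, win 512, length 100
19:36:13.100230 IP 198.51.100.5.80 > 192.0.2.10.1034: Flags [.], ack 101, win 512, length 0
19:36:13.104400 IP 203.0.113.77.6667 > 192.0.2.10.1040: Flags [P.], seq 1:1461, ack 1, win 512, length 1460
19:36:13.104900 IP 203.0.113.77.6667 > 192.0.2.10.1040: Flags [P.], seq 1461:2921, ack 1, win 512, length 1460
19:36:13.105300 IP 192.0.2.10.1040 > 203.0.113.77.6667: Flags [.], ack 2921, win 512, length 0
19:36:13.110000 IP 192.0.2.10.1035 > 198.51.100.9.53: 12345+ A? example.com. (29)
"""

LINE_RE = re.compile(r"^\S+ IP (\S+) > (\S+): (.*)$")   # timestamp IP src > dst: rest
TCP_LEN_RE = re.compile(r"length (\d+)")               # TCP lines end with "length N"
UDP_LEN_RE = re.compile(r"\((\d+)\)\s*$")              # DNS/UDP lines end with "(N)"

def host_of(endpoint):
    """Strip the trailing .port from an 'a.b.c.d.port' endpoint."""
    return endpoint.rsplit(".", 1)[0]

def payload_bytes(rest):
    """Payload length reported on the line, or 0 for pure ACKs and unknown formats."""
    m = TCP_LEN_RE.search(rest) or UDP_LEN_RE.search(rest)
    return int(m.group(1)) if m else 0

def top_talkers(text, local_ip, n=3):
    """Return [(remote_ip, payload_bytes)] for the n busiest peers of local_ip."""
    totals = Counter()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not a packet line (e.g. tcpdump banner)
        src, dst = host_of(m.group(1)), host_of(m.group(2))
        remote = dst if src == local_ip else src if dst == local_ip else None
        if remote is None:
            continue                      # traffic not involving this host
        totals[remote] += payload_bytes(m.group(3))
    return totals.most_common(n)

def resolve_later(ip):
    """Reverse-resolve one address after capture, as David suggests; falls back to the IP."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return ip

if __name__ == "__main__":
    for ip, nbytes in top_talkers(SAMPLE, "192.0.2.10"):
        print(f"{nbytes:>8} bytes  {ip}  ({resolve_later(ip)})")
```

Run it against real output with `tcpdump -n -r /tmp/capture.eth | python3 this_script.py`-style piping by replacing SAMPLE with `sys.stdin.read()`; the resolver step only runs after the capture is finished, so the link stays quiet while you watch it.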
