[NTLUG:Discuss] Denial of service attack?
Rick Matthews
RedHat.Linux at verizon.net
Fri Nov 22 17:02:30 CST 2002
Thank you!
That's just what I needed. I never knew that tcpdump created a file
that Ethereal could read!
I appreciate your help!
Rick
> -----Original Message-----
> From: discuss-admin at ntlug.org [mailto:discuss-admin at ntlug.org]On Behalf
> Of David
> Sent: Tuesday, November 19, 2002 7:36 PM
> To: discuss at ntlug.org
> Subject: Re: [NTLUG:Discuss] Denial of service attack?
>
>
> On Mon, Nov 18, 2002 at 10:46:00AM -0600, Rick Matthews wrote:
> > At various times over the past two days, I've been seeing (virtually)
> > streaming data on my NIC that connects to the outside world. I
> > can't account for that activity. During those periods web browsing
> > is slowed to a crawl.
> >
> > What commands can I use to determine what is going on?
>
> tcpdump is a good tool for showing exactly what packets are passing
> through an interface. Netstat is helpful, but it only shows sockets,
> i.e., the endpoints of connections. It doesn't show actual packets being
> sent or received from those sockets.
>
> Tcpdump is a text-based packet sniffer. Its GUI twin is "ethereal".
>
> I recommend disabling hostname lookup, so you don't cloud your link with
> your own packets trying to do hostname lookups. You can always go back
> and resolve the captured IP addresses manually, after you determine
> which ones are important to you. For example:
>
> tcpdump -n -i ppp0
>
> A better plan is to capture the packets, so you can do analysis later:
>
> tcpdump -n -i ppp0 -s 1560 -w /tmp/capture.eth
>
> Of course, all these programs must be run as "root".
>
> --
> David Hayes
> david at hayes-family.org
>
> _______________________________________________
> https://ntlug.org/mailman/listinfo/discuss
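Added example, not part of the thread above: the "capture now, analyze later" step that David describes. This script reads a capture file as written by `tcpdump -n -i ppp0 -s 1560 -w /tmp/capture.eth`, walks the pcap records, and sums bytes per IPv4 flow so the heaviest talkers stand out before any hostname is looked up. It assumes the classic pcap container and an Ethernet link type (what tcpdump writes for an Ethernet interface; a ppp0 capture has a different link type and would need its own frame decoder). The sample capture at the bottom is constructed in the script, not real traffic, and uses a deliberately short snaplen to show that volume is still counted correctly from the on-wire length.

```python
"""Offline triage of a tcpdump capture: bytes per IPv4 flow (added example).

Usage: python top_talkers.py [capture.pcap]
With no argument it analyses a small constructed capture embedded below.
"""
import socket
import struct
import sys
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4       # read back as 0xD4C3B2A1 when the writer was big-endian
DLT_EN10MB = 1                # Ethernet link type
ETHERTYPE_IPV4 = 0x0800


def iter_records(data):
    """Yield (link_type, captured_bytes, wire_len) for each record in a pcap blob."""
    if len(data) < 24:
        raise ValueError("too short to be a pcap file")
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("bad pcap magic 0x%08x" % magic)
    # global header after the magic: major, minor, thiszone, sigfigs, snaplen, linktype
    _, _, _, _, _, link = struct.unpack_from(end + "HHiIII", data, 4)
    off = 24
    while off + 16 <= len(data):
        # record header: ts_sec, ts_usec, incl_len (bytes saved), orig_len (bytes on the wire)
        _, _, incl_len, orig_len = struct.unpack_from(end + "IIII", data, off)
        off += 16
        pkt = data[off:off + incl_len]
        if len(pkt) < incl_len:
            raise ValueError("truncated record at offset %d" % off)
        off += incl_len
        yield link, pkt, orig_len


def flow_key(link, pkt):
    """Return (src, sport, dst, dport, proto) for an Ethernet/IPv4 frame, else None."""
    if link != DLT_EN10MB or len(pkt) < 14 + 20:
        return None
    if struct.unpack_from("!H", pkt, 12)[0] != ETHERTYPE_IPV4:
        return None
    ip = pkt[14:]
    if ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    src = socket.inet_ntoa(ip[12:16])
    dst = socket.inet_ntoa(ip[16:20])
    sport = dport = None
    if proto in (6, 17) and len(ip) >= ihl + 4:      # TCP or UDP: ports follow the IP header
        sport, dport = struct.unpack_from("!HH", ip, ihl)
    return src, sport, dst, dport, proto


def top_talkers(data, n=5):
    """Sum on-wire bytes per flow; orig_len is used so a short snaplen does not hide volume."""
    counts = Counter()
    for link, pkt, orig_len in iter_records(data):
        key = flow_key(link, pkt)
        if key is not None:
            counts[key] += orig_len
    return counts.most_common(n)


def resolve_later(ip):
    """Reverse-resolve one address after analysis, i.e. what -n deferred during capture."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return ip


def _frame(src, dst, proto, sport, dport, payload_len):
    """Build a minimal Ethernet + IPv4 + port-header frame (constructed test data)."""
    l4 = struct.pack("!HH", sport, dport) + b"\0" * payload_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + l4
    eth = b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02" + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip


def _pcap(frames, snaplen):
    """Wrap frames in a little-endian pcap container, truncating like tcpdump -s does."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, DLT_EN10MB)
    for i, f in enumerate(frames):
        captured = f[:snaplen]
        out += struct.pack("<IIII", 1037923200 + i, 0, len(captured), len(f)) + captured
    return out


# Constructed sample, not real traffic: three full-size TCP frames from a web server,
# one tiny ACK back, one UDP reply from a resolver, all saved with snaplen 96.
SAMPLE_PCAP = _pcap([
    _frame("198.51.100.7", "192.0.2.10", 6, 80, 1024, 1476),   # 1514 bytes on the wire
    _frame("198.51.100.7", "192.0.2.10", 6, 80, 1024, 1476),
    _frame("198.51.100.7", "192.0.2.10", 6, 80, 1024, 1476),
    _frame("192.0.2.10", "198.51.100.7", 6, 1024, 80, 0),      # 38 bytes
    _frame("192.0.2.1", "192.0.2.10", 17, 53, 3000, 60),       # 98 bytes, saved as 96
], snaplen=96)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    for (src, sport, dst, dport, proto), nbytes in top_talkers(data):
        print("%8d bytes  %s:%s -> %s:%s  proto %d" % (nbytes, src, sport, dst, dport, proto))
```

Run it against the real file afterwards (`python top_talkers.py /tmp/capture.eth`) and only then call `resolve_later()` on the few addresses that matter, which keeps the lookups off the link while the capture is running, as David recommends.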