Post #202,402
4/8/05 1:41:58 AM
|
I'm stumped on how to find the abuser on my LAN
So I decided to install [link|http://people.ee.ethz.ch/~oetiker/webtools/mrtg/|MRTG] yesterday to monitor our Cisco PIX. Very nice tool so far, and oddly enough, very handy today. The PIX was bouncing along at < 1% usage until 1:45 PM today, when it jumped to about 36 percent, where it has stayed ever since (long after everyone has gone home):
[image|http://www.aminus.org/rbre/iwethey/traffic.png||||]
Notice you read the graph from right-to-left (left is most recent data).
I was of course curious about which client on my LAN could be passing so much gas. Or *accepting*, rather, since the green is inbound data. That's when I realized I had no way to tell, or if I do, I don't know about it. I've got an SNMP trapper, which shows me each request in both directions across the PIX, but doesn't show me total bytes. I've run Ethereal inside, but it doesn't show me _all_ the traffic on the LAN [what it *did* show me was that I had a chatty UPnP webcam, which I've since silenced, but that wasn't the pipe hog].
My two big 48-port switches aren't managed. Stupid me--I'll know better next time.
So where do I go from here to find the offending NIC?
The Sig: "Despite the seemingly endless necessity for doing so, it's actually not possible to reverse-engineer intended invariants from staring at thousands of lines of code (not in C, and not in Python code either)." Tim Peters on python-dev
|
Post #202,406
4/8/05 1:54:04 AM
|
Re: I'm stumped on how to find the abuser on my LAN
Do you have physical access to your switches, and are you using switches that have LEDs?
|
Post #202,407
4/8/05 2:15:29 AM
|
Both. I could do the unplug dance as a last resort.
Or did you have something else in mind? The LED's don't show meaningful activity rates when you're on a chatty Windows network... ;)
|
Post #202,410
4/8/05 2:41:27 AM
|
Re: Both. I could do the unplug dance as a last resort.
Even after working hours? I'd think the guilty port would glow red.
|
Post #202,411
4/8/05 2:56:17 AM
|
Not on the FS 750
[link|ftp://downloads.netgear.com/files/netgear1/FS726S750_Manual.pdf|ftp://downloads.netg...26S750_Manual.pdf]
Blinking green/yellow only, and they all blink yellow constantly. :)
|
Post #202,423
4/8/05 6:42:06 AM
|
AS Greg would say, easy peasy
With physical access, put a hub in between the PIX and the rest of the network. Put your ethereal running PC on it at well. That'll give you all the traffic.
|
Post #202,463
4/8/05 11:46:38 AM
4/8/05 11:49:47 AM
|
Gotta remember it has to be a SHARED hub, not switched.
And put the NIC in Promiscuous mode.
I have a machine setup for that.
It has 2 NICs in it. One for connecting to the LAN for regular stuff. Another for plugging into a hub, in listen only promicuous mode.
I bought on of the cheapest 10/100 hubs I could find. I leave daisy chained from the private interface of my Linux firewall.
That is the one thing I wish my unmanaged switches had, a mirroring port. (hmmm, an I idea.)
Basically, you could also use a real firewall, rather than a PIX. I hates them, I do, for reasons you are acutely aware of now.
Redo: Actually, now that I remember I am using a new setup, I actually just use the firewall itself to find the culprits. It is easy, run ethereal on the private interface for internal problems... run it on the public interface for external problems.
-- [link|mailto:greg@gregfolkert.net|greg], [link|http://www.iwethey.org/ed_curry|REMEMBER ED CURRY!] @ iwethey[link|http://it.slashdot.org/comments.pl?sid=134485&cid=11233230|"Microsoft Security" is an even better oxymoron than "Military Intelligence"] No matter how much Microsoft supporters whine about how Linux and other operating systems have just as many bugs as their operating systems do, the bottom line is that the serious, gut-wrenching problems happen on Windows, not on Linux, not on Mac OS. -- [link|http://www.eweek.com/article2/0,1759,1622086,00.asp|source]
Edited by folkert
April 8, 2005, 11:49:47 AM EDT
|
Post #202,504
4/8/05 3:12:07 PM
|
That's the ticket.
Sorry I've been quiet on this--trying different things. I don't have a spare hub lying around, but there's one *outside* the PIX, which shows me everything using Ethereal (which puts my NIC in promisc mode automatically, Greg). I can then map ports with the PIX's PAT log (show xlate) and track down traffic.
Found a LAN client which was sending spam.
But I still haven't found the major culprit. :(
Doing the unplug dance as I can.
|
Post #202,426
4/8/05 7:10:16 AM
|
if it's like that...
...about 10 seconds of watching that segment's traffic scroll by in the Ethereal window will reveal your answer.
Peter [link|http://www.ubuntulinux.org|Ubuntu Linux] [link|http://www.kuro5hin.org|There is no K5 Cabal] [link|http://guildenstern.dyndns.org|Home] Use P2P for legitimate purposes!
|
Post #202,521
4/8/05 5:27:38 PM
|
Resolution
[link|http://www.amorhq.net/blogs/index.php/fumanchu/2005/04/08/flying_the_gauges|http://www.amorhq.ne...flying_the_gauges]
|
Post #202,534
4/8/05 6:45:45 PM
|
I've had days like that. :-) Glad you got it fixored.
|
Post #202,544
4/8/05 7:33:21 PM
|
Days?? Weeks!
-- [link|mailto:greg@gregfolkert.net|greg], [link|http://www.iwethey.org/ed_curry|REMEMBER ED CURRY!] @ iwethey[link|http://it.slashdot.org/comments.pl?sid=134485&cid=11233230|"Microsoft Security" is an even better oxymoron than "Military Intelligence"] No matter how much Microsoft supporters whine about how Linux and other operating systems have just as many bugs as their operating systems do, the bottom line is that the serious, gut-wrenching problems happen on Windows, not on Linux, not on Mac OS. -- [link|http://www.eweek.com/article2/0,1759,1622086,00.asp|source]
|
Post #202,614
4/9/05 11:31:19 AM
|
<font size=8>DANG!</font>
(...and yes, I doknow that HTML doesn't work in subject lines....)
Bum-MER! Glad you tracked it down, tho....
jb4 shrub\ufffdbish (Am., from shrub + rubbish, after the derisive name for America's 43 president; 2003) n. 1. a form of nonsensical political doubletalk wherein the speaker attempts to defend the indefensible by lying, obfuscation, or otherwise misstating the facts; GIBBERISH. 2. any of a collection of utterances from America's putative 43rd president. cf. BULLSHIT
|