New Re: I'm stumped on how to find the abuser on my LAN
Do you have physical access to your switches, and are you using switches that have LEDs?
New Both. I could do the unplug dance as a last resort.
Or did you have something else in mind? The LEDs don't show meaningful activity rates when you're on a chatty Windows network... ;)
New Re: Both. I could do the unplug dance as a last resort.
Even after working hours? I'd think the guilty port would glow red.
New Not on the FS 750
[link|ftp://downloads.netgear.com/files/netgear1/FS726S750_Manual.pdf|ftp://downloads.netg...26S750_Manual.pdf]

Blinking green/yellow only, and they all blink yellow constantly. :)
New As Greg would say, easy peasy
With physical access, put a hub in between the PIX and the rest of the network.
Put your Ethereal-running PC on it as well.
That'll give you all the traffic.
New Gotta remember it has to be a SHARED hub, not switched.
And put the NIC in Promiscuous mode.

I have a machine set up for that.

It has 2 NICs in it. One for connecting to the LAN for regular stuff. Another for plugging into a hub, in listen-only promiscuous mode.

I bought one of the cheapest 10/100 hubs I could find. I leave it daisy chained from the private interface of my Linux firewall.

That is the one thing I wish my unmanaged switches had, a mirroring port. (hmmm, an idea.)

Basically, you could also use a real firewall, rather than a PIX. I hates them, I do, for reasons you are acutely aware of now.


Redo: Actually, now that I remember I am using a new setup, I actually just use the firewall itself to find the culprits. It is easy, run ethereal on the private interface for internal problems... run it on the public interface for external problems.
--
[link|mailto:greg@gregfolkert.net|greg],
[link|http://www.iwethey.org/ed_curry|REMEMBER ED CURRY!] @ iwethey

[link|http://it.slashdot.org/comments.pl?sid=134485&cid=11233230|"Microsoft Security" is an even better oxymoron than "Military Intelligence"]
No matter how much Microsoft supporters whine about how Linux and other operating systems have just as many bugs as their operating systems do, the bottom line is that the serious, gut-wrenching problems happen on Windows, not on Linux, not on Mac OS. -- [link|http://www.eweek.com/article2/0,1759,1622086,00.asp|source]
Edited by folkert April 8, 2005, 11:49:47 AM EDT
New That's the ticket.
Sorry I've been quiet on this--trying different things. I don't have a spare hub lying around, but there's one *outside* the PIX, which shows me everything using Ethereal (which puts my NIC in promisc mode automatically, Greg). I can then map ports with the PIX's PAT log (show xlate) and track down traffic.

Found a LAN client which was sending spam.

But I still haven't found the major culprit. :(

Doing the unplug dance as I can.
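
The correlation described in the post above (traffic captured outside the PIX, matched against the PAT table from `show xlate` to name the inside host), as an added example that is not part of the original thread. The `PAT Global ... Local ...` line layout, the addresses and the flow tuples are constructed assumptions; real flows would come from an Ethereal export.

```python
import re
from collections import Counter

# Constructed sample of PIX `show xlate` PAT entries; the line layout is an assumption.
XLATE = """\
PAT Global 203.0.113.5(1024) Local 192.168.1.23(3345)
PAT Global 203.0.113.5(1025) Local 192.168.1.40(1187)
PAT Global 203.0.113.5(1026) Local 192.168.1.23(3346)
PAT Global 203.0.113.5(1027) Local 192.168.1.77(2201)
"""

# Constructed flows seen outside the PIX: (src_ip, src_port, dst_ip, dst_port, bytes)
FLOWS = [
    ("203.0.113.5", 1024, "198.51.100.9", 25, 48_000),
    ("203.0.113.5", 1025, "198.51.100.80", 80, 12_000),
    ("203.0.113.5", 1026, "198.51.100.10", 25, 51_000),
    ("203.0.113.5", 1027, "198.51.100.81", 443, 9_000),
    ("203.0.113.5", 1999, "198.51.100.11", 25, 700),  # translation already gone
]

PAT_RE = re.compile(r"PAT Global ([\d.]+)\((\d+)\) Local ([\d.]+)\((\d+)\)")

def parse_xlate(text):
    """Map (global_ip, global_port) -> (local_ip, local_port)."""
    table = {}
    for m in PAT_RE.finditer(text):
        g_ip, g_port, l_ip, l_port = m.groups()
        table[(g_ip, int(g_port))] = (l_ip, int(l_port))
    return table

def bytes_per_inside_host(flows, table, dst_port=None):
    """Sum outbound bytes per inside host; unmatched flows count as 'unmapped'."""
    totals = Counter()
    for src_ip, src_port, _dst_ip, dport, nbytes in flows:
        if dst_port is not None and dport != dst_port:
            continue
        local = table.get((src_ip, src_port))
        totals[local[0] if local else "unmapped"] += nbytes
    return totals

if __name__ == "__main__":
    table = parse_xlate(XLATE)
    for host, total in bytes_per_inside_host(FLOWS, table).most_common():
        print(f"{host:15} {total:>8} bytes")
    print("SMTP talkers:", bytes_per_inside_host(FLOWS, table, dst_port=25).most_common())
```

PAT translations time out and global ports get reused, so the xlate table should be dumped as close to the capture window as possible; a large "unmapped" total means the two snapshots are too far apart.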
     I'm stumped on how to find the abuser on my LAN - (FuManChu) - (12)
         Re: I'm stumped on how to find the abuser on my LAN - (dws) - (6)
             Both. I could do the unplug dance as a last resort. - (FuManChu) - (5)
                 Re: Both. I could do the unplug dance as a last resort. - (dws) - (1)
                     Not on the FS 750 - (FuManChu)
                 As Greg would say, easy peasy - (broomberg) - (2)
                     Gotta remember it has to be a SHARED hub, not switched. - (folkert)
                     That's the ticket. - (FuManChu)
         if it's like that... - (pwhysall)
         Resolution - (FuManChu) - (3)
             I've had days like that. :-) Glad you got it fixored. -NT - (Another Scott) - (1)
                 Days?? Weeks! -NT - (folkert)
             DANG! - (jb4)
