Help monitoring networks

skydiver_morgan_at_yahoo.com
Date: 02/01/05

Date: 31 Jan 2005 20:21:19 -0800


    Hi all,

    I am a new Linux user (I have been using it for about two years now)
    but quickly gaining less than newbie status. I have been setting up
    Linux systems for several projects at home and my office and have set up
    a separate boot partition on my laptop, all using FC2 or FC3.

    I ran into a situation the other day while consulting at a client's
    site that I wish to be able to solve with Linux.

    While trying to diagnose network problems at the client's site, there
    were intermittent problems accessing the Internet and their mail
    server. After not being able to nail down the problem completely, I
    removed the D-Link WAP/Router which was serving as the gateway/firewall
    for their network. We switched them over to the switch equipment from
    their T-1 provider, letting them take over the responsibility of the
    firewall. When we were still having problems, I worked with the T-1
    provider and after having switched their provided equipment from
    gateway to managed mode, they were able to determine that one of the
    computers on the internal network was infected with a virus. They were
    even able to nail it down to an internal masqueraded IP address since
    their equipment was doing NAT. I was very quickly then able to
    determine which computer it was and after removing the Marketing
    Manager's laptop from the network, got everyone else back up and
    running.

    What I would like to know is how I could have used some open source
    tools on my Linux laptop install to have diagnosed this problem myself
    without having had to call the service provider to diagnose the
    problem? What tools should I have on my laptop to be able to monitor
    traffic in real time (as opposed to capture then analyze)? Also what
    kind of traffic patterns should I look for when doing the analysis?

    I tried to do an analysis of network traffic when I set up a sandboxed
    network at my office with the Marketing Manager's laptop that was
    infected and a Linux box the only two devices on the network. I used
    Ethereal but I couldn't see any indicative traffic that pointed me to
    the suspicion that he was infected. (I later cleaned his systems of
    over 4 infected files with 9 different strains of viruses).

    Let me know where to start educating myself on this because I would like to
    be able to have this in my bag of tricks the next time a customer is
    having network problems.

    Skydiver
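The question above asks what tools to run on a Linux laptop to watch traffic live and what patterns give an infected host away. The script below is an added example, not code from the original post or its author: it parses tcpdump-style text (the format `tcpdump -n -l tcp` prints, in both the 2005-era flag style and the newer `Flags [S]` style) and keeps per-source counts of initial SYNs, flagging a host that opens connections to many distinct addresses on one port (the scanning a network worm does) or to many distinct SMTP servers (a mass-mailer bypassing the company relay). The thresholds (20 distinct targets on a port, 5 distinct SMTP peers) and the sample lines are assumptions constructed for the example, not real capture data.

```python
"""Added example, not from the original post: spot a worm-infected host from
tcpdump-style text by counting each source's SYN fan-out."""
import re
from collections import defaultdict

# Matches a TCP line from `tcpdump -n`, in either the old flag style
# ("... > 10.0.0.5.445: S 1:1(0) win 65535") or the newer "Flags [S]" style.
TCP_LINE = re.compile(
    r'^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > '
    r'(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): '
    r'(?:Flags \[(?P<flags_new>[^\]]*)\]|(?P<flags_old>[SFRP.]+))'
)


def parse_line(line):
    """Return (src, dst, dport, flags) for a TCP line, or None for anything else."""
    m = TCP_LINE.match(line)
    if not m:
        return None
    flags = m.group('flags_new')
    if flags is None:
        flags = m.group('flags_old')
    return m.group('src'), m.group('dst'), int(m.group('dport')), flags


def analyze(lines, scan_fanout=20, smtp_fanout=5):
    """Per-source SYN fan-out. Thresholds are assumed values for the example:
    flag a source that sends initial SYNs to >= scan_fanout distinct hosts on
    one port, or to >= smtp_fanout distinct SMTP (port 25) servers."""
    targets = defaultdict(lambda: defaultdict(set))   # src -> dport -> {dst}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, dport, flags = rec
        # Only count initial SYNs: "S" / "[S]", not SYN-ACK "S." / "[S.]".
        if 'S' not in flags or '.' in flags:
            continue
        targets[src][dport].add(dst)
    alerts = {}
    for src, ports in targets.items():
        reasons = []
        for dport, dsts in ports.items():
            if dport == 25 and len(dsts) >= smtp_fanout:
                reasons.append(f'mass-mailing: SYN to {len(dsts)} distinct SMTP servers')
            elif len(dsts) >= scan_fanout:
                reasons.append(f'scanning: SYN to {len(dsts)} distinct hosts on port {dport}')
        if reasons:
            alerts[src] = reasons
    return alerts


def constructed_sample():
    """Constructed tcpdump-style lines (not a real capture): one clean host that
    browses one web server and mails through the local relay, and one host that
    behaves like a 2005-era worm: SYN sweep of port 445 plus direct SMTP."""
    lines = []
    for i in range(5):
        lines.append(f'12:00:0{i}.000000 IP 192.168.1.10.{3000 + i} > 192.168.1.5.80: S {i}:{i}(0) win 65535')
    lines.append('12:00:06.000000 IP 192.168.1.10.3010 > 192.168.1.5.25: S 9:9(0) win 65535')
    lines.append('12:00:06.000100 IP 192.168.1.5.25 > 192.168.1.10.3010: S. 1:1(0) ack 10 win 5840')
    for i in range(60):
        lines.append(f'12:01:00.{i:06d} IP 192.168.1.77.{4000 + i} > 10.0.0.{i + 1}.445: Flags [S], seq {i}, win 65535')
    for i in range(30):
        lines.append(f'12:02:00.{i:06d} IP 192.168.1.77.{5000 + i} > 172.16.{i}.25.25: Flags [S], seq {i}, win 65535')
    return lines


if __name__ == '__main__':
    for src, reasons in analyze(constructed_sample()).items():
        for reason in reasons:
            print(f'{src}: {reason}')
```

To use it live rather than on the sample, pipe line-buffered tcpdump output into a loop over `sys.stdin` that calls `analyze` on a sliding window of recent lines; `tcpdump -n -l tcp` gives the line format the regex expects. On a switched LAN the laptop only sees its own traffic, so this needs a mirror (SPAN) port on the switch, a hub, or the two-host sandbox described in the post; in that sandbox the infected laptop's SYNs to unreachable addresses are exactly what shows up, since a worm keeps sweeping whether or not anything answers.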

