mariourk (l33t)
Joined: 11 Jul 2003 Posts: 807 Location: Urk, Netherlands
Posted: Wed Nov 01, 2006 10:44 am Post subject: IP-traffic monitoring
I'm having some bandwidth problems on my network. To figure out
where the problem was, I installed ntop. Now I can see someone is using
emule and bittorrent to download stuff, which is not authorised in our
network. Now I need to figure out where it comes from in order to
shut it down. Problem is that I don't know how to obtain the guilty IP-address.
Hopefully someone can tell me how to do that?
_________________
If there is one thing to learn from history, it's that we usually don't learn anything from it, at all.
Errtu (Apprentice)
Joined: 12 Nov 2002 Posts: 155 Location: Brazil
Posted: Wed Nov 01, 2006 10:52 am
You can use tcpdump (emerge tcpdump) for that. Or simply block the non-standard ports on your firewall.
linuxtuxhellsinki (l33t)
Joined: 15 Nov 2004 Posts: 700 Location: Hellsinki
Posted: Wed Nov 01, 2006 10:56 am
Maybe you could use some of these packages to find it out? With the first two you can only catch data for your own interface (I think), but with etherape you could see which IF is really active on your network.
Code:
    $ eix iptraf && eix iftop && eix etherape
    * net-analyzer/iptraf
         Available versions:  2.7.0-r1 ~3.0.0 3.0.0-r2
         Installed:           3.0.0-r2
         Homepage:            http://iptraf.seul.org/
         Description:         IPTraf is an ncurses-based IP LAN monitor
    * net-analyzer/iftop
         Available versions:  0.16 ~0.16-r1 ~0.17
         Installed:           0.16
         Homepage:            http://www.ex-parrot.com/~pdw/iftop/
         Description:         display bandwidth usage on an interface
    * net-analyzer/etherape
         Available versions:  0.9.4 ~0.9.6 ~0.9.6-r1
         Installed:           0.9.4
         Homepage:            http://etherape.sourceforge.net/
         Description:         A graphical network monitor for Unix modeled after etherman
Or maybe with wireshark, but then you'll need to filter that output in some way because there's too much information?
_________________
1st use 'Search' & lastly add [Solved] to the subject of your first post in the thread.
swimmer (Veteran)
Joined: 15 Jul 2002 Posts: 1330 Location: Netherlands
Posted: Wed Nov 01, 2006 11:09 am
May I add jnettop?
Quote:
    eix jnettop
    [I] net-analyzer/jnettop
         Available versions:  0.11.0 0.13.0
         Installed:           0.13.0[02:41:26 AM 09/05/2006]
         Homepage:            http://jnettop.kubs.info/
         Description:         A top like console network traffic visualiser
It does a wonderful job for me ...
Greetz
swimmer
n3bul4 (Apprentice)
Joined: 04 Nov 2003 Posts: 187
Posted: Wed Nov 01, 2006 11:21 am
Hello,
maybe you could just simply set up an iptables rule where you
block and log all traffic from emule and bittorrent.
I googled a little bit and found out that emule uses the following ports:
    local port 4661 TCP outgoing to remote port 4661
    remote port 4662 TCP incoming to local port 4662
    local port 4665 UDP outgoing to remote port 4665
    local port 4672 UDP outgoing to remote port 4672
I am not sure what ports bittorrent uses... maybe it is a range of ports.....
Another, maybe faster, option would be to emerge tcpdump and do something like:
Code:
    Omega n3bul4 # tcpdump -n | egrep '\.4661[ :]'
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
    .
    .
    .
Of course you could also dump the output into a file.
Hope that helps....
greetz
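An added example (my own, not n3bul4's code) of the same idea applied to a saved `tcpdump -n` capture: it parses each line, keeps only flows on the eMule ports listed in the post, attributes each flow to the LAN end of the connection, and tallies packets and distinct remote peers per host so the source of the traffic stands out. The 192.168.1.0/24 range and the packet lines are assumptions constructed for the example; unparsable lines are skipped rather than crashing the run.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Ports n3bul4 listed for eMule; clients can change them, so a hit is a lead, not proof.
EMULE_TCP = {4661, 4662}
EMULE_UDP = {4665, 4672}
LOCAL_NET = ip_network("192.168.1.0/24")  # assumption: the LAN being watched

# "tcpdump -n" prints "SRC.PORT > DST.PORT:" with the port dotted onto the IP.
LINE_RE = re.compile(r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (\w+)")

# Return (src_ip, src_port, dst_ip, dst_port, proto), or None for lines that are not packets.
def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    src, sport, dst, dport, first_word = m.groups()
    proto = "UDP" if first_word.upper() == "UDP" else "TCP"
    return src, int(sport), dst, int(dport), proto

def suspicious_hosts(lines, local_net=LOCAL_NET):
    """Map each LAN host seen on an eMule port to (packets, distinct remote peers)."""
    packets = Counter()
    peers = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, sport, dst, dport, proto = parsed
        ports = EMULE_UDP if proto == "UDP" else EMULE_TCP
        if sport not in ports and dport not in ports:
            continue
        # Attribute the flow to whichever end sits on our own network.
        if ip_address(src) in local_net:
            local, remote = src, dst
        elif ip_address(dst) in local_net:
            local, remote = dst, src
        else:
            continue
        packets[local] += 1
        peers[local].add(remote)
    return {host: (packets[host], len(peers[host])) for host in packets}

# Constructed sample of "tcpdump -n" output, not a real capture.
SAMPLE = """\
10:44:01.000001 IP 192.168.1.23.4661 > 85.10.20.30.4661: S 1:1(0) win 5840
10:44:01.000002 IP 85.10.20.31.4662 > 192.168.1.23.4662: S 2:2(0) win 5840
10:44:01.000003 IP 192.168.1.23.4672 > 85.10.20.32.4672: UDP, length 25
10:44:01.000004 IP 192.168.1.50.33000 > 10.0.0.1.80: S 3:3(0) win 5840
this line is not a packet
"""
```

Feed it `tcpdump -n -w -`-style text saved with `tcpdump -n > capture.txt` and call `suspicious_hosts(open("capture.txt"))`; the host with the most packets and peers is the one to look at first.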
Errtu (Apprentice)
Joined: 12 Nov 2002 Posts: 155 Location: Brazil
Posted: Wed Nov 01, 2006 11:36 am
I don't know anything about emule, but with bittorrent you can specify any port you'd like. I really think that tracking down individual users is too time-consuming. It would be better to just allow some ports (21/80/443/etc) and block everything else.
arndawg (Tux's lil' helper)
Joined: 02 Jun 2006 Posts: 97
Posted: Wed Nov 01, 2006 11:39 am
With bittorrent you can use whatever port you want. Some torrent-networks even require you to use a non-standard bit-torrent port.
Some viruses on Windows actually install bit-torrent and use the PCs for bit-torrent seeding. I've experienced this on my network. uTorrent was the client of choice.
So a more strict firewall policy is recommended even if you find the source.
Good luck.
mariourk (l33t)
Joined: 11 Jul 2003 Posts: 807 Location: Urk, Netherlands
Posted: Wed Nov 01, 2006 2:17 pm
People, thanks a lot for all the suggestions and good will.
I think I'm going for tcpdump for now. Fortunately I'm also working
on a new router and I think I'm going to introduce a new policy when
it goes online: blocking all the forward-traffic except for a few ports.
Maybe I'll even log those ports, if it doesn't consume too much diskspace...
Thanks again!
_________________
If there is one thing to learn from history, it's that we usually don't learn anything from it, at all.