[sf-lug] LAN/WAN monitoring

David Sterry david at sterryit.com
Wed Nov 26 14:04:29 PST 2008


Personally, I would fire up tcpdump -n -i eth0 (or whatever interface
you want to look at) and watch it until I'm satisfied at the source of
my network traffic. If you want to see the contents of the packets, you
can add -X -s 0, which will print out the hex and ASCII of the
packets. If I wanted to build a monitor on that, I'd probably write a
script to look for things outside of what I consider normal. Going
further, Snort might be an option. Using this I was able to ID an
infected Windows box and clean it up. You'll probably just find your
boxen are broadcasting ARP requests to make sure who has what IP.

-One of the assembled
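The "script to look for things outside of what I consider normal" idea, as an added example that is not from the original post: it parses constructed tcpdump -n output lines against an assumed baseline (a hypothetical 192.168.1.0/24 LAN and a short list of expected outbound ports), tallies the ARP who-has chatter separately, and reports anything that does not fit.

```python
import ipaddress
import re
from collections import Counter

# Assumed baseline: the home LAN subnet and the outbound ports we expect to see.
LAN = ipaddress.ip_network("192.168.1.0/24")
EXPECTED_OUTBOUND_PORTS = {53, 80, 443, 123}

# Matches the "src.port > dst.port:" shape of tcpdump -n IP lines and ARP requests.
IP_RE = re.compile(r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")
ARP_RE = re.compile(r"^\S+ ARP, Request who-has (\S+) tell (\S+),")

def classify(line):
    """Return ('normal'|'arp'|'alert'|'other', reason) for one tcpdump -n line."""
    m = ARP_RE.match(line)
    if m:
        return "arp", f"{m.group(2)} asks who has {m.group(1)}"
    m = IP_RE.match(line)
    if not m:
        return "other", "unparsed line"
    src, sport, dst, dport = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
    src_local = ipaddress.ip_address(src) in LAN
    dst_local = ipaddress.ip_address(dst) in LAN
    if src_local and dst_local:
        return "normal", "LAN-internal"
    if src_local and dport in EXPECTED_OUTBOUND_PORTS:
        return "normal", f"outbound to {dst}:{dport}"
    if src_local:
        return "alert", f"{src} talking to {dst} on unexpected port {dport}"
    return "alert", f"inbound from outside: {src}:{sport} -> {dst}:{dport}"

def scan(lines):
    """Tally categories and collect the alert reasons for a batch of lines."""
    counts = Counter()
    alerts = []
    for line in lines:
        kind, reason = classify(line)
        counts[kind] += 1
        if kind == "alert":
            alerts.append(reason)
    return counts, alerts

# Constructed sample of tcpdump -n output (not a real capture).
SAMPLE = """\
14:04:29.123456 IP 192.168.1.10.51234 > 192.168.1.1.53: 12345+ A? example.com. (29)
14:04:29.223456 ARP, Request who-has 192.168.1.20 tell 192.168.1.10, length 28
14:04:30.001234 IP 192.168.1.15.49152 > 203.0.113.7.6667: Flags [S], seq 0, win 64240, length 0
14:04:30.100000 IP 192.168.1.10.40000 > 198.51.100.5.80: Flags [S], seq 0, win 64240, length 0
14:04:31.000000 IP 198.51.100.9.3389 > 192.168.1.15.3389: Flags [S], seq 0, win 1024, length 0
""".splitlines()
```

Feed it real output with `tcpdump -n -i eth0 -l | python3 -c '...'` reading stdin line by line, and adjust LAN and the port set to whatever is normal on your own segment.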

Alex Kleider wrote:
>
> --- On Wed, 11/26/08, Rick Moen <rick at linuxmafia.com> wrote:
>
>> From: Rick Moen <rick at linuxmafia.com>
>> Subject: Re: [sf-lug] sending mail through SSH port forwarding
>> To: sf-lug at linuxmafia.com
>> Date: Wednesday, November 26, 2008, 11:02 AM
>> Quoting Alex Kleider (a_kleider at yahoo.com):
>>
>>> Rick, may I ask for specifics as to which "monitors" do that?, alex
>>> (i.e. detect unauthorized/uninvited use of your +/-wireless network)
>>
>> Sure, you can ask.  ;->
>>
>> I have a better idea:  Rather than my posting in public the
>> details of
>> my house's particular LAN/WAN monitoring, you can ask
>> the assembled how
>> they might solve that problem.
>>
> Dear 'Assembled,'
> may I ask how you might solve this?
> Context: 1. in reference to the above ... and ...
> 2. What made me take note of this particular thread is that when I see the lights blinking on my network switch I often wonder how I can find out who/what process is carrying on the "conversation" and with "whom."
> ...not just on the wireless but on the network in general.
>
> thanks
> alex
>
> ps, Rick, is it correct to assume that you were reluctant to answer because knowing how you monitor your network would give an intruder
> a head start on thwarting it?
>

