[H-GEN] IP Traffic Monitoring
Russell Stuart
russell at stuart.id.au
Wed Sep 10 17:38:50 EDT 2003
On Wed, 2003-09-10 at 18:49, Tony Nugent wrote:
> But if tcpdump can't "see" these (filtered?) packets, why does
> iptraf see it? tcpdump is usually regarded as the semi-official
> reference tool for analysing network traffic... :)
Yes, that is odd. But others have told me tcpdump also can drop packets
under some conditions.
> > > Also, you should be able to gather "real" (crude raw) statistics
> > > from the relevant /proc/ files (eg "watch cat /proc/net/dev" and
> > > other similar spells). You might also need to look at doing some
> > > tweaking to the kernel settings in /proc/sys/net/ipv4/*[2].
> >
> > There was nothing obvious under /proc.
>
> Perhaps nothing *obvious* :)
>
> That would be ports 135 and 593 (along with 137-139). And you
> should be seeing this sort of traffic in your packet dumps (if it is
> there).
Yes, I should have, and I didn't. The only thing I did see was lots of
icmp echo requests, which apparently is one thing the worm(s) do.
Another reason to suspect that tcpdump was not printing the packets for
some reason.
> BTW, the latest rumours/information about the msblaster worm (and
> who *didn't* see it? :) is that it was the cause of (or at the
> very least a major contributing factor to) the recent massive
> power failures in North America. Idiots for using windows in
> mission-critical situations... the US navy is still using winnt,
> isn't it? a bit of worry :)
>
> > But according to
> > iptraf, roughly 50% of all incoming packets _still_ have bad checksums.
>
> Still? And as high as 50%? I'm suspicious... was it flagging bad
> checksums before? (You probably don't know).
Was it flagging bad checksums before: no.
> > I am still curious about where they are coming from. My current theory
> > is that they are bad packets generated by the worms using a raw socket.
>
> Perhaps... if you have those ports blocked, then perhaps this is why
> tcpdump isn't seeing them? If you are, then you might want to log
> them with iptables just before the drop/reject rule.
Yes, that is a possibility.
> I'm not sure at what "level" of the kernel packet handling tcpdump
> and other such tools get their information, can anyone answer
> that? Eg, does it see all the traffic (raw), or only after
> kernel-level and/or netfilter-level and/or routing-level
> filtering. Would promiscuous mode make a difference? etc).
>
> FWIW... I've just tried tcpdump and iptraf[1] on an ippp0 interface
> and saw nothing like you describe, all looks well. There's a lot of
> one-hit port 135 traffic coming in[2], but nothing at all being
> flagged as having bad checksums.
>
> [1] rh7.3, kernel 2.4.20-20, hisax isdn driver, tcpdump 3.6.3-17,
> iptraf 2.5.0-3
>
> [2] I wish telstra would block it everywhere (all netbios ports
> mentioned above - if anyone needs it, well that's what VPNs are
> all about). I also wish telstra would filter viruses and spam out
> of their customers' email... but I digress :)
>
> Good luck with figuring this out.
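Tony's suggestion above was to log the blocked NetBIOS/RPC traffic with an iptables LOG rule placed just before the drop/reject rule. As an added example (not from this thread), here is a small Python script that parses the kernel's LOG-target lines out of syslog and tallies them by destination port and by source address; the "BLOCK-NETBIOS: " log prefix and the sample log lines are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the format the iptables LOG target emits.
# The prefix "BLOCK-NETBIOS: " is an assumption (set with --log-prefix).
SAMPLE_LOG = """\
Sep 10 17:38:50 gw kernel: BLOCK-NETBIOS: IN=ppp0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=4711 DF PROTO=TCP SPT=3421 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Sep 10 17:38:51 gw kernel: BLOCK-NETBIOS: IN=ppp0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=4712 DF PROTO=TCP SPT=3422 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Sep 10 17:38:53 gw kernel: BLOCK-NETBIOS: IN=ppp0 OUT= SRC=192.0.2.77 DST=198.51.100.5 LEN=78 TOS=0x00 PREC=0x00 TTL=121 ID=9 PROTO=UDP SPT=137 DPT=137 LEN=58
Sep 10 17:38:54 gw kernel: BLOCK-NETBIOS: IN=ppp0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=4713 DF PROTO=TCP SPT=3423 DPT=593 WINDOW=16384 RES=0x00 SYN URGP=0
Sep 10 17:38:55 gw kernel: BLOCK-NETBIOS: IN=ppp0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=84 TOS=0x00 PREC=0x00 TTL=112 ID=4714 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Sep 10 17:38:56 gw sshd[123]: Accepted publickey for russell from 203.0.113.9
"""

def parse_log_line(line, prefix="BLOCK-NETBIOS: "):
    """Return the LOG target's KEY=VALUE fields as a dict, or None if the
    line is not one of ours. A key that appears twice (ID= for the IP header
    and again for the ICMP echo, LEN= for IP and UDP) keeps its first,
    IP-level value."""
    marker = "kernel: " + prefix
    idx = line.find(marker)
    if idx < 0:
        return None
    fields = {}
    for key, value in re.findall(r"(\w+)=(\S*)", line[idx + len(marker):]):
        fields.setdefault(key, value)
    return fields

def summarise(log_text, prefix="BLOCK-NETBIOS: "):
    """Count blocked packets per (PROTO, destination port) and per source,
    so a flood from a few hosts stands out from background scanning."""
    by_service = Counter()
    by_source = Counter()
    for line in log_text.splitlines():
        f = parse_log_line(line, prefix)
        if f is None:
            continue
        # ICMP has no ports; use its TYPE so echo requests (type 8) show up.
        target = f.get("DPT") or ("type " + f.get("TYPE", "?"))
        by_service[(f.get("PROTO", "?"), target)] += 1
        by_source[f.get("SRC", "?")] += 1
    return by_service, by_source

if __name__ == "__main__":
    services, sources = summarise(SAMPLE_LOG)
    for (proto, target), n in services.most_common():
        print(f"{proto:5} {target:8} {n}")
    for src, n in sources.most_common():
        print(f"{src:16} {n}")
```

On a real gateway, feed it the kernel log (for example `/var/log/messages`) instead of `SAMPLE_LOG`.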