[H-GEN] Traffic analysis recommendations, Extended Question

De Crow crowaust at hotmail.com
Tue Apr 19 19:34:34 EDT 2005


I too have been looking for a Traffic Analysis program/service/etc, however
it is not the total throughput that I need on my analysis, I need it broken
down by which IPs on the local network are transferring what amount of data
through the net-connection.  The net connection is managed by an IPCop box,
I would prefer it broken down even further to see how much data is going
through which routes (in this case PIPE vs NON-PIPE).

Crowy
(aka Anthony)
-----Original Message-----
From: general-bounces at lists.humbug.org.au
[mailto:general-bounces at lists.humbug.org.au] On Behalf Of Geoff Shang
Sent: Wednesday, 20 April 2005 9:21 AM
To: general at lists.humbug.org.au
Subject: [H-GEN] Traffic analysis recommendations

[ Humbug *General* list - semi-serious discussions about Humbug and     ]
[ Unix-related topics. Posts from non-subscribed addresses will vanish. ]

Hi everyone,

I'm on bigpond cable's 10 gig plan and was horrified to learn yesterday 
that we'd exceeded our traffic for April (i.e. blown 10 gig in 19 days). 
If my calculations are correct, this would mean an average of 60 kbps 
traffic for the entire time.

Whilst I'm certain this is not correct, I've not got any way of tracking 
our usage and was wondering about recommendations.  I'd like something that 
can:

1.  Show me how much data has travelled over an interface, with daily and 
hourly breakdowns.

2.  Show me this data in terms of particular ports used, preferably also 
being able to separate downloads and uploads.

3. Anything else that people might think is useful.

I need something that's going to work in the console as I can not use X.

I also want to find the source of the problem, assuming the figures are in 
fact right (though I don't see how they could be).  I've had a number of 
services running which could perhaps attract unwanted traffic.  These 
include:

* Mutella running on a networked PC with no ports forwarded.  This means 
that the IP would be broadcast to the network with a number of files listed 
as available, but no way for anyone to connect to such ports.  I'm thinking 
this could be the main cause, but still can't see how it could cause so 
much.

* Asterisk PBX.  This only registers with a handful of trusted sites, 
mostly securely.

* IRC.  I have left my IRC client logged into a standalone IRC server with 
no known troublesome activity going on.

* MSN Messenger.  I've been running an MSN Messenger client written in 
Python on this box, but the account is only known to a handful of people. 
Still, it could possibly be opening some port that someone is finding.

Of course, the other thing that occurs to me is that someone could have 
found my IP and be leeching off my bigpond login by spoofing my address. 
I've shut all these processes down and will see if the usage continues to 
climb (it would be easier if I could use their stupid javascript page to 
log in so I could check it myself, but no matter).  I will force an IP 
address change if it continues to climb, but this sort of exploitation is 
hard to prove to telstra, particularly as I suspect it has happened once 
before.

Oh and I do have all the samba ports closed - I suspect this contributed to 
my problems last time.

Any thoughts anyone has would be most helpful.

Geoff.


-- 
Geoff Shang <geoff at hitsandpieces.net>
Phone: +61-418-96-5590
MSN: geoff at acbradio.org

Make sure your E-mail can be read by everyone!
http://www.betips.net/etc/evilmail.html

Please avoid sending me Word or PowerPoint attachments.
See http://www.fsf.org/philosophy/no-word-attachments.html
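The breakdowns both posts ask for (Crowy's per-local-host view and Geoff's items 1 and 2: per-interface totals with daily/hourly buckets, per-port, uploads separated from downloads) can be produced from any flow or connection-tracking log with a few lines of Python. This is an added example, not code from either poster; the LAN prefix and the flow records are constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Assumed LAN prefix behind the IPCop box (hypothetical, for this example only)
LOCAL_NET = ipaddress.ip_network("192.168.0.0/24")

# Constructed sample flows (timestamp, src, dst, proto, sport, dport, bytes); not real captures
FLOWS = [
    ("2005-04-19 09:05:00", "192.168.0.10", "203.0.113.5", "tcp", 34567, 6346, 1_200_000),
    ("2005-04-19 09:20:00", "203.0.113.5", "192.168.0.10", "tcp", 6346, 34567, 80_000_000),
    ("2005-04-19 10:02:00", "192.168.0.12", "198.51.100.7", "udp", 5060, 5060, 300_000),
    ("2005-04-19 10:30:00", "192.168.0.10", "198.51.100.9", "tcp", 40001, 6667, 50_000),
    ("2005-04-20 01:00:00", "198.51.100.20", "192.168.0.10", "tcp", 80, 51000, 5_000_000),
    ("2005-04-20 02:00:00", "192.168.0.10", "192.168.0.12", "tcp", 5000, 139, 9_000_000),
]


def classify(src, dst, sport, dport):
    """Map a flow to (local host, remote-side port, direction); None if it stays inside the LAN."""
    src_local = ipaddress.ip_address(src) in LOCAL_NET
    dst_local = ipaddress.ip_address(dst) in LOCAL_NET
    if src_local == dst_local:
        return None  # LAN-to-LAN (or purely external) traffic does not count against the quota
    if src_local:
        return src, dport, "up"  # local host sending: upload, keyed by the remote service port
    return dst, sport, "down"  # local host receiving: download, keyed by the remote service port


def account(flows):
    """Aggregate bytes per local host, per remote service port, per hour and per day."""
    by_host = defaultdict(lambda: {"up": 0, "down": 0})
    by_port = defaultdict(lambda: {"up": 0, "down": 0})
    by_hour = defaultdict(int)
    by_day = defaultdict(int)
    for ts, src, dst, proto, sport, dport, nbytes in flows:
        hit = classify(src, dst, sport, dport)
        if hit is None:
            continue
        host, rport, direction = hit
        by_host[host][direction] += nbytes
        by_port[(proto, rport)][direction] += nbytes
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        by_hour[when.strftime("%Y-%m-%d %H:00")] += nbytes
        by_day[when.strftime("%Y-%m-%d")] += nbytes
    return by_host, by_port, by_hour, by_day


if __name__ == "__main__":
    hosts, ports, hours, days = account(FLOWS)
    for host, d in sorted(hosts.items(), key=lambda kv: -sum(kv[1].values())):
        print(f"{host:15} up {d['up']:>12,} down {d['down']:>12,}")
```

Fed with records from the firewall's own connection log instead of the constructed list, the host table shows who on the LAN is consuming the quota and the port table shows which service is doing it, which is the evidence needed before raising a dispute with the ISP.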
