Simply add an access list to narrow your capture to the ip packet debug and you won't crash your router even if it's very busy. Dave Priscilla Oppenheimer wrote: > > OK, now it sounds like you are trying to troubleshoot a problem regarding > users who are logged into your FTP server. The users' packets are being > forwarded through a router so you think you can do some troubleshooting at > the router, which you can. Someone suggested using Net Flow. That's a great > idea. Access lists with logging would work also. And on a router that is > not too busy, try debug ip packet. > > Router# debug ip packet > > IP: s=172.69.13.44 (Fddi0), d=10.125.254.1 (Serial2), g=172.69.16.2, forward > IP: s=172.69.1.57 (Ethernet4), d=10.36.125.2 (Serial2), g=172.69.16.2, > forward > > So, that would give you the IP address. Then go to one of the many WHOIS > servers and see if you can get a Domain Name System domain name. For > example, try the WHOIS server at > http://www.networksolutions.com/cgi-bin/whois/whois. Be sure to type host > and the address so it knows you are doing a reverse lookup. Often you can't > easily get a domain name, though, if it's just some home user of a huge ISP. > > If you're hoping to get the FTP login name, you have false hopes. The FTP > login name only appeared in one of the first packets of the FTP session. > Unless you happened to capture that packet with a protocol analyzer, you > aren't going to get it. > > Have you considered that XP is just buggy and is incorrectly telling you > someone is still logged in??? > > Priscilla > > At 11:57 PM 8/28/01, PHIMHONGKONG wrote: > >hehehe > > > >Sorry it is not what i want to know > > > >Let me say > > > >I have a Router with 2 E > > > >I run a Ftp for 50 user download to my server > >I use to shut down my computer ( server) at night > > > >when i going to shut it off > > > >The computer promt me a message some one connecting and it wont shut down > > > >The OS is Window XP Professional > > > >I check the Servu Ftp and all clear + i turn off the FTP > > > >At that time there is no more connection to my computer > >But the Computer keep telling me ther is some one on computer and it wont > >shut down .. > > > >My Computer run Os and didnot set any fancy thing except a Servu Ftp port 21 > > > >I knew some one on my computer and Xp wont shut down > > > >I have to press Turn off button to turn it off > >:-0 > > > >ANy suggestion ? > > > >I want to know the command show who conn to your router when ever u want > >to check how many conn from outside to your router... > > > > > >any suggestion ?? > > > >Thanks > > > > > > > >""Donny Mateo"" wrote in message > >[EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > > > I believe another command would also accomplish the same thing, correct > me > > > if I'm wrong : > > > > > > show users > > > > > > Donny > > > > > > > > > >From: "Priscilla Oppenheimer" > > > >Reply-To: "Priscilla Oppenheimer" > > > >To: [EMAIL PROTECTED] > > > >Subject: Re: I HAVE QUESTION How can i know who conn to my rout > [7:17611] > > > >Date: Tue, 28 Aug 2001 22:08:17 -0400 > > > > > > > >Oh, so you are considering connections TO the router, not connections > > > >through the router. You must be asking about Telnet sessions (or HTTP on > > > >some routers) used for configuring or managing the router. > > > > > > > >So, in that case, use the show tcp brief command, as John suggested. > > > > > > > >Here's an example courtesy of Leigh Anne: > > > > > > > >RouterD#show tcp brief > > > >TCB Local Address Foreign Address (state) > > > >81770CA8 172.16.1.110.23 172.16.1.1.1067 ESTAB > > > > > > > >Priscilla > > > > > > > >At 07:24 PM 8/28/01, PHIMHONGKONG wrote: > > > > >MaizeHello > > > > >Sorry I confuse all you guy > > > > > > > > > > > > > > > > > > > > > > > > > > > > > >Let say In Window xx You Put a command NETSTATS > > > > > > > > > >It will OUTPUT some thing like this > > > > > > > > > >Active Connections > > > > > > > > > > Proto Local Address Foreign Address State > > > > > TCP cx541749-a:ftp-data bb-62-5-49-77.bb.tninet.se:4227 = > > > > >TIME_WAIT > > > > > TCP cx541749-a:ftp-data bb-62-5-49-77.bb.tninet.se:4228 = > > > > >TIME_WAIT > > > > > TCP cx541749-a:ftp-data bb-62-5-49-77.bb.tninet.se:4229 = > > > > >TIME_WAIT > > > > > TCP cx541749-a:ftp-data bb-62-5-49-77.bb.tninet.se:4230 = > > > > >TIME_WAIT > > > > > TCP cx541749-a:ftp-data bb-62-5-49-77.bb.tninet.se:4231 = > > > > >TIME_WAIT > > > > > TCP cx541749-a:ftp-data c1771000-a.stcla1.sfba.home.com:2815 > >= > > > > >ESTABLISHE > > > > >D > > > > > TCP cx541749-a:ftp bb-62-5-49-77.bb.tninet.se:4226 = > > > > >ESTABLISHED > > > > > TCP cx541749-a:ftp c1771000-a.stcla1.sfba.home.com:2810 > >= > > > > >ESTABLISHE > > > > >D > > > > > TCP cx541749-a:ftp h230n3fls21o906.telia.com:65002 = > > > > >ESTABLISHED > > > > > > > > > > > > > > > > > > > >I would like to know !!!!!!1 is it possible i can do the same on > router > >= > > > > >?????? > > > > > > > > > >If yes What command !! Thanks > > > > > > > > > >If no > > > > > > > > > >What the most closest command :-) > > > > > > > > > >Thanks > > > > > > > > > > > > > > > > > > > >IF some hacker log in to your rotuer and network ( he delete history > >and > > > >= > > > > >log) > > > > > > > > > >How can you know your network hacked=20 > > > > > > > > > >Thanks > > > > > > > > > >[GroupStudy.com removed an attachment of type image/gif which had a > >name > > > >of > > > > >amaizrul.gif] > > > > > > > > > >[GroupStudy.com removed an attachment of type image/jpeg which had a > >name > > > >of > > > > >Maize Bkgrd.jpg] > > > >________________________ > > > > > > > >Priscilla Oppenheimer > > > >http://www.priscilla.com > > > _________________________________________________________________ > > > Get your FREE download of MSN Explorer at > http://explorer.msn.com/intl.asp > ________________________ > > Priscilla Oppenheimer > http://www.priscilla.com -- David Madland Sr. Network Engineer CCIE# 2016 Qwest Communications Int. Inc. [EMAIL PROTECTED] 612-664-3367 "Emotion should reflect reason not guide it" Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=17759&t=17759 -------------------------------------------------- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]