On Sat 24/05/2003 at 00:24, Ian Goodall wrote:
> >Try using tcpdump to investigate the problem. Make sure you use the
> >'-p' flag to tcpdump to tell it not to set the interface into
> >promiscuous mode. Something like
> ># tcpdump -i eth0 -p -n
>
> I have no idea what all the output means. Below is an extract from the
> output:
>
> 23:17:22.564132 172.16.3.195.1957 > 172.16.5.92.22: P 211401:211445(44) ack
> 1380732 win 36168 (DF)
At 23:17:22.564132, a packet from 172.16.3.195 port 1957 was received on 172.16.5.92 port 22. The rest is related to TCP: ack and flags. Here there is no S (SYN) nor F (FIN), thus the connection was previously established and continued after your capture.

Were you connected through SSH while doing your network capture? This is a _very_ good way to generate packets :-)) Each time a packet touches your box, ssh will send you the tcpdump line, generating a packet that will get captured and sent to you via ssh, and so on :-)). See, in your capture, packets sometimes follow each other at less than a millisecond!

It's possible to do network captures when connecting through the network, but then you have to exclude yourself from the capture for it to be useful. With tethereal the syntax is:

    tethereal -n not tcp port 22

I can't remember for tcpdump but hopefully there is a "capture filter" section in the manual.

> if it helps 172.16.3.195 is another computer directly connected to the
> switch running windows xp. This computer is 172.16.5.92 . The switch is also
> connected into the rest of the university student network. Even though the
> rest of the network is connected to the server shouldn't the traffic be
> ignored if it is not destined for it anyway?

Are you sure it's not? Of course, being connected on a big network you will receive plenty of junk, especially as your broadcast domain seems quite big. Any machine looking for another (dns server, gateway, whatever) will send an arp message that _everybody_ will receive (if not, your ethernet will never work), windows machines hoping to make new friends will do the same...

There is very little you can do other than taking no action (which your IP stack already does for most of this stuff). You may additionally use iptables to remove this useless traffic (just be careful that on a busy network you may fill your logs with useless crap) but this will not prevent the traffic from reaching you.

The only other way would be to put a router between you and the big network, but you don't gain much I think.

Sebastien
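Reading the tcpdump line the way the reply does, as an added example that is not part of the original thread: a small Python parser for the classic tcpdump TCP summary format which extracts the endpoints and flags, reports when a line has neither S nor F (a connection already open before the capture), marks packets on the capturing host's own SSH port as the feedback loop described above, and measures the gap between consecutive packets. The parser, the classify/min_gap_ms helpers and the second and third sample lines are my own constructions; the first sample line and the host 172.16.5.92 come from the thread.

```python
import re
from datetime import datetime

# Classic tcpdump (3.x era) TCP summary line:
#   HH:MM:SS.usec src.port > dst.port: FLAGS seq:seq(len) ack N win N (DF)
TCP_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{6}) "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFPR.]+)"
)

def parse_tcp_line(line):
    """Return the fields of one tcpdump TCP line, or None if it is not one."""
    m = TCP_LINE.match(line)
    if not m:
        return None
    f = m.groupdict()
    f["sport"], f["dport"] = int(f["sport"]), int(f["dport"])
    f["ts"] = datetime.strptime(f["ts"], "%H:%M:%S.%f")
    return f

def classify(line, capture_host):
    """Describe connection state and flag SSH traffic to the capturing host itself."""
    f = parse_tcp_line(line)
    if f is None:
        return "not a TCP summary line"
    if "S" in f["flags"]:
        state = "connection setup (SYN)"
    elif "F" in f["flags"]:
        state = "connection teardown (FIN)"
    else:
        state = "established connection, already open before the capture started"
    # The SSH session that carries the tcpdump output generates its own packets.
    feedback = ((f["dst"] == capture_host and f["dport"] == 22)
                or (f["src"] == capture_host and f["sport"] == 22))
    note = "; SSH to the capturing host: exclude with 'not tcp port 22'" if feedback else ""
    return f"{f['src']}:{f['sport']} -> {f['dst']}:{f['dport']}, {state}{note}"

def min_gap_ms(lines):
    """Smallest interval between consecutive parsed lines, in milliseconds."""
    stamps = [f["ts"] for f in map(parse_tcp_line, lines) if f]
    gaps = [(b - a).total_seconds() * 1000 for a, b in zip(stamps, stamps[1:])]
    return min(gaps) if gaps else None

# First line is the one quoted in the thread; the other two are constructed.
SAMPLE = [
    "23:17:22.564132 172.16.3.195.1957 > 172.16.5.92.22: P 211401:211445(44) ack 1380732 win 36168 (DF)",
    "23:17:22.564901 172.16.5.92.22 > 172.16.3.195.1957: P 1380732:1380824(92) ack 211445 win 17520 (DF)",
    "23:17:23.102334 172.16.7.14.3322 > 172.16.5.92.80: S 884201:884201(0) win 65535 (DF)",
]
```

Calling `classify(line, "172.16.5.92")` on each sample line and `min_gap_ms(SAMPLE)` shows the first two packets as the SSH feedback loop, less than a millisecond apart, and the third as a fresh SYN from another host on the broadcast domain.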