Ralph Shumaker wrote:
> Some time ago, I picked up a command line formula to listen for arp
> sniffers. I just modified the formula because I am getting traffic when
> I think there should be none.
>
> Here's the formula and results:
> # tcpdump -l -n | head -100 | awk '{ print $3 $4 $5 }' | sort | uniq -c | sort -n
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
> 1 24.64.110.160.17850>68.183.me.me.1027:
> 1 24.64.110.160.17850>68.183.me.me.1028:
> 1 24.64.110.160.17850>68.183.me.me.cap:
> 1 24.64.132.160.24834>68.183.me.me.1027:
> 1 24.64.132.160.24834>68.183.me.me.1028:
> 1 24.64.132.160.24834>68.183.me.me.cap:
> 1 64.73.32.134.ntp>68.183.me.me.ntp:
> 1 66.51.205.100.domain>68.183.me.me.34899:
> 1 66.51.205.100.domain>68.183.me.me.42504:
> 1 66.51.205.100.domain>68.183.me.me.42864:
> 1 66.51.205.100.domain>68.183.me.me.56411:
> 1 66.51.206.100.domain>68.183.me.me.35097:
> 1 68.183.me.me.34899>66.51.205.100.domain:
> 1 68.183.me.me.35097>66.51.206.100.domain:
> 1 68.183.me.me.42504>66.51.205.100.domain:
> 1 68.183.me.me.42864>66.51.205.100.domain:
> 1 68.183.me.me.49685>66.51.205.100.domain:
> 1 68.183.me.me.56411>66.51.205.100.domain:
> 1 68.183.me.me.ntp>64.73.32.134.ntp:
> 2 68.183.171.148.panasas>68.183.me.me.microsoft-ds:
> 2 68.183.me.me>68.183.171.148:
> 2 68.183.me.me.ntp>69.36.240.252.ntp:
> 2 69.36.240.252.ntp>68.183.me.me.ntp:
> 3 64.233.187.136.http>68.183.me.me.37573:
> 3 68.183.me.me>24.64.110.160:
> 3 68.183.me.me>24.64.132.160:
> 4 68.183.me.me.37573>64.233.187.136.http:
> 15 66.163.181.169.mmcc>68.183.me.me.59671:
> 15 66.163.181.170.mmcc>68.183.me.me.34149:
> 15 68.183.me.me.34149>66.163.181.170.mmcc:
> 15 68.183.me.me.59671>66.163.181.169.mmcc:
> 101 packets captured
> 101 packets received by filter
> 0 packets dropped by kernel
>
> I'm not concerned about the ntp stuff. But what's all the other stuff?
> (Especially, why is there a "68.183.me.me.microsoft-ds"?)
>
> I'm going to repeat the process, but for 1000 lines.
The ports 1027, 1028 and 1026(=cap) as well as 445(-microsoft-ds) all
seem to me to be traffic that _should be_ filtered out by the packet
filtering firewall in your DSL modem. I think it's all MS oriented, and
I would say it's a defect that your modem does not allow you to drop
those incoming packets. Maybe there's some other place deep in the admin
interface to keep those from coming through?
Here are some other things you may find interesting:
dig -x 24.64.110.160
(etc. for other IPs)
or you could leave off the -n, perhaps on "playback" via -r -- see below
tcpdump -nw tcpdump.save -c 10000
tcpdump -nr tcpdump.save | awk '{ print $3 $4 $5 }' | sort | uniq -c
The rationale for saving stuff is that if curious you can go back and
look at the same data again (for, say whether you replied, or for
timestamps or protocol).
The saved (binary) data from '-w file' is read back with '-r file'.
tcpdump -nr tcpdump.save | less
or, if you like wireshark, possibly better is
wireshark -nr tcpdump.save
There's not much you can (easily/safely/reasonably) do about unsolicited
probes -- those _are_ (typically) the bad guys. Seeing the stats and
sources is mildly interesting.
Sometimes it's interesting to look at arp queries to get a feel for what
is going on in your ISP segment -- Hmmm, I guess(?) this is interesting
with cable, but not (or shouldn't be) with DSL. Perhaps someone more
knowledgeable will correct me. For someone just tuning in, Ralph's DSL
modem is doing packet filtering, but (I believe) running in bridging
mode (giving him a public IP) so arp (if any) should be visible to his host.
If you play much with tcpdump, the filters start becoming pretty
interesting. The syntax is a bit(!) fussy, but one can at least find and
save some favorite recipes. There are examples in the man page and the
keyword list
tcpdump examples
is a pretty good search query.
These filters:
host 68.183.me.me
or
! host 68.183.me.me
and perhaps
src host 68.183.me.me
might be useful.
Regards,
..jim
--
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
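The awk/sort/uniq recipe in the thread counts "src > dst" pairs but, as Jim notes, cannot tell you whether your host actually answered a given remote endpoint. The following added example (not code from either poster) does the same tally in Python and then separates inbound flows that your host replied to with swapped ports from flows that nobody answered, which is what an unsolicited probe looks like. The capture lines are constructed; 192.0.2.10 stands in for the local public address, the other addresses are documentation ranges, and an ICMP "port unreachable" from the local host is deliberately not counted as a service reply.

```python
"""Tally tcpdump -l -n text output and flag unsolicited inbound flows.

Added example; SAMPLE is a constructed capture, not from the original post.
Line shape (tcpdump 3.9+): "HH:MM:SS.ffffff IP src[.port] > dst[.port]: ..."
Ports stay strings because older tcpdump still prints service names
("cap", "domain") unless -nn is given.
"""
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(r"^\S+\s+IP\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):")

# Constructed sample: three UDP probes plus an ICMP rejection, an answered
# DNS lookup, an unanswered SYN to 445, and two answered NTP exchanges.
SAMPLE = """\
12:00:01.000001 IP 24.64.110.160.17850 > 192.0.2.10.1027: UDP, length 40
12:00:01.000002 IP 24.64.110.160.17850 > 192.0.2.10.1028: UDP, length 40
12:00:01.000003 IP 24.64.110.160.17850 > 192.0.2.10.1026: UDP, length 40
12:00:01.000004 IP 192.0.2.10 > 24.64.110.160: ICMP 192.0.2.10 udp port 1027 unreachable, length 36
12:00:02.000001 IP 192.0.2.10.34899 > 66.51.205.100.53: 1234+ A? example.com. (29)
12:00:02.000002 IP 66.51.205.100.53 > 192.0.2.10.34899: 1234 1/0/0 A 192.0.2.99 (45)
12:00:03.000001 IP 198.51.100.7.4321 > 192.0.2.10.445: S 1:1(0) win 65535
12:00:04.000001 IP 192.0.2.10.123 > 203.0.113.5.123: NTPv4, Client, length 48
12:00:04.000002 IP 203.0.113.5.123 > 192.0.2.10.123: NTPv4, Server, length 48
12:00:05.000001 IP 192.0.2.10.123 > 203.0.113.5.123: NTPv4, Client, length 48
12:00:05.000002 IP 203.0.113.5.123 > 192.0.2.10.123: NTPv4, Server, length 48
"""


def split_endpoint(endpoint):
    """'a.b.c.d.port' -> ('a.b.c.d', 'port'); bare 'a.b.c.d' -> ('a.b.c.d', None)."""
    parts = endpoint.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), parts[4]
    return endpoint, None


def parse_line(line):
    """Return (src_host, src_port, dst_host, dst_port) or None for non-IP lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src_host, src_port = split_endpoint(m.group("src"))
    dst_host, dst_port = split_endpoint(m.group("dst"))
    return src_host, src_port, dst_host, dst_port


def summarize(lines):
    """Equivalent of: awk '{ print $3 $4 $5 }' | sort | uniq -c from the thread."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            counts[f"{m.group('src')}>{m.group('dst')}:"] += 1
    return counts


def unsolicited_inbound(lines, local_host):
    """Map remote host -> sorted local ports it hit without a port-matched reply.

    A reply means the local host sent a packet back to the same remote port
    from the same local port. An ICMP unreachable (no ports) does not count,
    so a rejected probe is still reported as unsolicited.
    """
    inbound = set()   # (remote_host, remote_port, local_port)
    outbound = set()
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        src_host, src_port, dst_host, dst_port = p
        if dst_host == local_host:
            inbound.add((src_host, src_port, dst_port))
        elif src_host == local_host:
            outbound.add((dst_host, dst_port, src_port))
    probes = defaultdict(set)
    for remote_host, remote_port, local_port in inbound - outbound:
        probes[remote_host].add(local_port)
    return {host: sorted(ports) for host, ports in probes.items()}


if __name__ == "__main__":
    lines = SAMPLE.splitlines()
    for key, n in sorted(summarize(lines).items(), key=lambda kv: kv[1]):
        print(f"{n:>4} {key}")
    for host, ports in unsolicited_inbound(lines, "192.0.2.10").items():
        print(f"unsolicited from {host}: local ports {', '.join(ports)}")
```

Feed it a real capture with `tcpdump -l -n | python3 tally.py` after swapping `SAMPLE.splitlines()` for `sys.stdin`, or run it against `tcpdump -nr tcpdump.save` output as the reply suggests, so the same saved data can be re-examined later.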