Thank you, Charles. I've addressed your questions to the measure of my ability below:

On Oct 12, 2004, at 7:59 AM, Charles Steinkuehler wrote:

Dale Mirenda wrote:

On Oct 11, 2004, at 10:31 AM, Peter Mueller wrote:
I can do that on the one in Seattle, and on the remote router when I
get to Boise, Erich. I'll read up on tcpdump (never used it
before) and
give it a go. Thanks for the idea; I'm getting lots of input
on tools
I've never had to think about before, and that is why I came to this
forum for help.

E.g.,
tcpdump -i eth0 (or eth1) not port ssh
tcpdump -i eth0 net 192.168.0/24 and not proto \\icmp
tcpdump -i eth0 host 1.2.3.4 or host 5.6.7.8 and not port ssh

Protocols require double-escaping, for example ICMP above. Windump is the
Windows equivalent.


I think Ray is on the right track with spyware. Be sure to check ifconfig
for transmission errors, too.


eth0      Link encap:Ethernet  HWaddr 00:C0:9F:3F:44:42
          inet addr:1.2.3.21  Bcast:1.2.3.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
** This is what you are looking for **
          RX packets:54447768 errors:2 dropped:0 overruns:0 frame:1
                              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
          TX packets:52184055 errors:0 dropped:0 overruns:0 carrier:0
                              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
          collisions:0 txqueuelen:1000
**
          RX bytes:854678430 (815.0 Mb)  TX bytes:2033727102 (1939.5 Mb)
          Base address:0xece0 Memory:fe1e0000-fe200000


A few errors - 1 every million or so is usually fine.

P

Thanks for the tutorial, Peter. I'll put it to good use. This incident has taught me that I need to focus on this kind of tool to prepare for emergencies.

I don't have a lot to add, as it looks like you've already gotten excellent responses from others in the group,
They've been wonderful. Some of the suggestions have been a bit over my head, but that won't last for long. I'll read up on the tools mentioned and be able to use them in short order.

but I do have a few quick points and questions:

- I like to use the "-n" switch to tcpdump, which prevents it from trying to resolve IP addresses into domain names (especially if your network isn't working right).

- You'll find tcpdump and the required libpcap on the Dachstein CD (if you're running one of my images). Just mount and cd to the CD (packages have to be installed from the current directory), then:
lrpkg -i libpcap
lrpkg -i tcpdump


- What kind of hardware are you running? Older Pentium (and especially 486 boxen) can fairly easily be overloaded by 100 MBit NICs if ad/spy/mal-ware is spewing full bore.
Very interesting point. All of my DachBoxen are retired P1 or P2 desktops. The original Boise LEAF router was a very old (but sturdy) P2. I replaced it with a spare P1 that I had here in Seattle, and tested before I sent it down. Since then the Boise problem has worsened considerably. Hmmm...

- I doubt your IPSec setup is to blame, even if you still have the old office in the config files, although I'd still check to make sure. I have several Dachstein boxen at multiple sites in a partial mesh VPN, and don't notice any problems when any of the sites go down (which happens fairly frequently, as a number of the sites are homes, not offices).
That has been my observation in the past, as well, although I intend to double-check when I arrive in Boise tomorrow.

- Have you been using anything like MRTG to monitor bandwidth usage via snmp? The traffic graphs can often quickly tell you where to start looking for problems (i.e.: inbound traffic is pegged...go find the rogue Kazaa user and get them to "play nice"; outbound traffic pegged...look for an infected system; traffic looks normal...start verifying your configurations and infrastructure).
My, that is timely. My #1 project for today was to check my SuSE distro for a network traffic monitor that I can run on Linux, with output that my untrained eye can comprehend. I will look for MRTG. Does it only work with snmp enabled devices? I know my HP ProCurve switches can be configured to provide snmp data, and I'm sure that my Linux fileservers can be somehow, and the HP networked printers probably. But how about the Win98 desktops? And does Dachstein-CD-1.0.2 provide snmp data by default, or do I need to implement that as well? I know I can find this out for myself with a bit of research, but I'm getting short of time and I'd like to play with this stuff on my healthy net in Seattle before I try to get it running in Boise, so please forgive the newbie whining. I'm not really a newbie, but this crisis has made me feel like one.

- My 'gut reaction' is to suspect either infrastructure (i.e.: bad cable, switch, hub, NIC, etc.) or an unidentified host generating lots of traffic.
I'm kind of leaning toward infrastructure myself, although I tried to address that early on. I would like to ask a question about spyware:

I have to admit that spyware is high on my list of suspects because that office has had problems with it before, slowing and crashing computers. On a previous visit I found it on every machine and cleaned it up with the Lavasoft product. Assuming for the moment that my technically-challenged crew in Boise really did turn off all of the client machines on their network, is there any way the spyware traffic could continue to tie up the router? I thought that when the computers on the network were down, the problem should go away. Is it possible that whatever is on the other end of the spyware connection is still bombarding the network with requests and continuing to overwhelm the LEAFbox?


- Remember to look for rogue wireless APs!
Well, those folks can't even spell WAP, but then the most clueless users are the most dangerous, aren't they?

Unfortunately, I'm living proof that the same applies to network admins.

Good luck!
Thank you, Charles. I can use all I can get.

Dale Mirenda
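Peter's advice above is to read the RX/TX error counters out of ifconfig and treat roughly one error per million packets as normal. The following is an added example, not code from this thread or from the LEAF/Dachstein project: a small POSIX sh script that parses net-tools style ifconfig output (the format quoted above) and flags any interface whose error ratio is worse than that rule of thumb. The ifconfig text is constructed; on a real box you would pipe `ifconfig` into `check_iface`.

```shell
#!/bin/sh
# Added example (not from the thread): parse net-tools ifconfig output and flag
# interfaces whose RX or TX error count exceeds ~1 error per million packets.
# SAMPLE_IFCONFIG is constructed; real use: ifconfig | check_iface eth0

SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:C0:9F:3F:44:42
          inet addr:1.2.3.21  Bcast:1.2.3.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:54447768 errors:2 dropped:0 overruns:0 frame:1
          TX packets:52184055 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000

eth1      Link encap:Ethernet  HWaddr 00:C0:9F:3F:44:43
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1200000 errors:35 dropped:12 overruns:0 frame:34
          TX packets:900000 errors:0 dropped:0 overruns:0 carrier:0
          collisions:4100 txqueuelen:1000
'

# iface_counters IFACE DIR  (DIR is RX or TX): reads ifconfig text on stdin,
# prints "<packets> <errors>" for that interface and direction.
iface_counters() {
    awk -v want="$1" -v dir="$2" '
        /^[^ \t]/ { iface = $1 }          # unindented line names the interface
        iface == want && $1 == dir && $2 ~ /^packets:/ {
            split($2, p, ":"); split($3, e, ":")
            print p[2], e[2]; exit
        }'
}
# check_iface IFACE: reads ifconfig text on stdin, echoes "ok" or "bad".
# "bad" means errors/packets > 1/1000000 in either direction, i.e. the
# cable, NIC, switch or hub behind that interface deserves a closer look.
check_iface() {
    iface=$1
    text=$(cat)
    status=ok
    for dir in RX TX; do
        line=$(printf '%s\n' "$text" | iface_counters "$iface" "$dir")
        pkts=${line%% *}
        errs=${line##* }
        # integer-only test: errs/pkts > 1e-6  <=>  errs*1000000 > pkts
        if [ "${pkts:-0}" -gt 0 ] && [ $((errs * 1000000)) -gt "$pkts" ]; then
            status=bad
        fi
    done
    echo "$status"
}
printf '%s\n' "$SAMPLE_IFCONFIG" | check_iface eth0   # ok
printf '%s\n' "$SAMPLE_IFCONFIG" | check_iface eth1   # bad
```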



------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
