LOG IPTRAF (???)
Bom dia , pessoal! Estou iniciando o uso do linux e na empresa preciso aprender a usar o iptraf. Filtrei o trafico entre minha máquina (192.168.0.229) e o proxy (192.168.0.4) e não consigo entender o resultado. Tô achando que a rede está sendo hackeada, mas é mera desconfiança. Segue uma parte do log gerado: Thu Sep 5 09:24:07 2013; IP traffic monitor started Thu Sep 5 09:24:07 2013; TCP; eth2; 2948 bytes; from 192.168.0.4:665 to 192.168.0.229:50778 (source MAC addr 000475812901); first packet Thu Sep 5 09:24:07 2013; TCP; eth2; 52 bytes; from 192.168.0.229:50778 to 192.168.0.4:665 (source MAC addr 5cf9ddec32fc); first packet Thu Sep 5 09:24:07 2013; ARP request for 192.168.0.107; eth2; 66 bytes; from b0487add2b3d to Thu Sep 5 09:24:07 2013; ARP request for 192.168.0.59; eth2; 66 bytes; from b0487add2b3d to Thu Sep 5 09:24:07 2013; Non-IP (0x4); eth2; 66 bytes; from a45630b83d36 to 0180c200 Thu Sep 5 09:24:07 2013; ARP request for 192.168.1.21; eth2; 40 bytes; from 002722d4cf26 to Thu Sep 5 09:24:07 2013; ARP request for 192.168.0.232; eth2; 40 bytes; from 000475812901 to 00306789dcc2 Thu Sep 5 09:24:07 2013; ARP reply from 192.168.0.232; eth2; 40 bytes; from 00306789dcc2 to 000475812901 Thu Sep 5 09:24:07 2013; ARP request for 192.168.0.249; eth2; 40 bytes; from b0487add3ba1 to Thu Sep 5 09:24:07 2013; UDP; eth2; 1448 bytes; source MAC address bc5ff434ace5; from 192.168.0.154:889 to 192.168.0.255:889 Thu Sep 5 09:24:07 2013; UDP; eth2; 1448 bytes; source MAC address bc5ff434ace5; from 192.168.0.154:889 to 192.168.0.255:889 Thu Sep 5 09:24:07 2013; ARP request for 192.168.0.100; eth2; 52 bytes; from 5cf9ddec32dc to Thu Sep 5 09:24:07 2013; Non-IP (0x86dd); eth2; 52 bytes; from 5cf9ddec32b7 to 00010002 Thu Sep 5 09:24:07 2013; Non-IP (0x86dd); eth2; 40 bytes; from 002511f29501 to 00010003 Thu Sep 5 09:24:07 2013; Non-IP (0x86dd); eth2; 52 bytes; from 002511f29501 to 00010003 Thu Sep 5 09:24:07 2013; ARP request for 192.168.2.1; eth0; 930 bytes; from 1078d2d327eb to d4ca6d64d4ea Thu Sep 5 09:24:07 2013; ARP reply from 192.168.2.1; eth0; 930 bytes; from d4ca6d64d4ea to 1078d2d327eb Thu Sep 5 09:24:07 2013; ARP request for 192.168.0.249; eth2; 40 bytes; from b0487add3ba1 to Thu Sep 5 09:24:07 2013; UDP; eth2; 78 bytes; source MAC address 002511f29501; from 192.168.0.238:137 to 192.168.0.255:137 Thu Sep 5 09:24:07 2013; UDP; eth2; 234 bytes; source MAC address 000475812901; from 192.168.0.4:138 to 192.168.0.255:138 Thu Sep 5 09:24:07 2013; ARP request for 192.168.0.107; eth2; 52 bytes; from 5cf9ddec32b7 to QUEM PODE AJUDAR, sobre o log acima, e ONDE ACHAR Manual (de preferencia em portugues) do IPtraf ? Obrigado por qualquer ajuda! @bs pinguiniano !
Re: LOG IPTRAF (???)
Em 05-09-2013 09:32, Henrique Rosa escreveu: Bom dia , pessoal! Estou iniciando o uso do linux e na empresa preciso aprender a usar o iptraf. Filtrei o trafico entre minha máquina (192.168.0.229) e o proxy (192.168.0.4) e não consigo entender o resultado. Tô achando que a rede está sendo hackeada, mas é mera desconfiança. Segue uma parte do log gerado: Thu Sep 5 09:24:07 2013; IP traffic monitor started Thu Sep 5 09:24:07 2013; TCP; eth2; 2948 bytes; from 192.168.0.4:665 http://192.168.0.4:665 to 192.168.0.229:50778 http://192.168.0.229:50778 (source MAC addr 000475812901); first packet Thu Sep 5 09:24:07 2013; TCP; eth2; 52 bytes; from 192.168.0.229:50778 http://192.168.0.229:50778 to 192.168.0.4:665 http://192.168.0.4:665 (source MAC addr 5cf9ddec32fc); first packet Thu Sep 5 09:24:07 2013; ARP request for 192.168.0.107; eth2; 66 bytes; from b0487add2b3d to Thu Sep 5 09:24:07 2013; ARP request for 192.168.0.59; eth2; 66 bytes; from b0487add2b3d to Thu Sep 5 09:24:07 2013; Non-IP (0x4); eth2; 66 bytes; from a45630b83d36 to 0180c200 Thu Sep 5 09:24:07 2013; ARP request for 192.168.1.21; eth2; 40 bytes; from 002722d4cf26 to Thu Sep 5 09:24:07 2013; ARP request for 192.168.0.232; eth2; 40 bytes; from 000475812901 to 00306789dcc2 Thu Sep 5 09:24:07 2013; ARP reply from 192.168.0.232; eth2; 40 bytes; from 00306789dcc2 to 000475812901 Thu Sep 5 09:24:07 2013; ARP request for 192.168.0.249; eth2; 40 bytes; from b0487add3ba1 to Thu Sep 5 09:24:07 2013; UDP; eth2; 1448 bytes; source MAC address bc5ff434ace5; from 192.168.0.154:889 http://192.168.0.154:889 to 192.168.0.255:889 http://192.168.0.255:889 Thu Sep 5 09:24:07 2013; UDP; eth2; 1448 bytes; source MAC address bc5ff434ace5; from 192.168.0.154:889 http://192.168.0.154:889 to 192.168.0.255:889 http://192.168.0.255:889 Thu Sep 5 09:24:07 2013; ARP request for 192.168.0.100; eth2; 52 bytes; from 5cf9ddec32dc to Thu Sep 5 09:24:07 2013; Non-IP (0x86dd); eth2; 52 bytes; from 5cf9ddec32b7 to 00010002 Thu Sep 5 09:24:07 2013; Non-IP (0x86dd); eth2; 40 bytes; from 002511f29501 to 00010003 Thu Sep 5 09:24:07 2013; Non-IP (0x86dd); eth2; 52 bytes; from 002511f29501 to 00010003 Thu Sep 5 09:24:07 2013; ARP request for 192.168.2.1; eth0; 930 bytes; from 1078d2d327eb to d4ca6d64d4ea Thu Sep 5 09:24:07 2013; ARP reply from 192.168.2.1; eth0; 930 bytes; from d4ca6d64d4ea to 1078d2d327eb Thu Sep 5 09:24:07 2013; ARP request for 192.168.0.249; eth2; 40 bytes; from b0487add3ba1 to Thu Sep 5 09:24:07 2013; UDP; eth2; 78 bytes; source MAC address 002511f29501; from 192.168.0.238:137 http://192.168.0.238:137 to 192.168.0.255:137 http://192.168.0.255:137 Thu Sep 5 09:24:07 2013; UDP; eth2; 234 bytes; source MAC address 000475812901; from 192.168.0.4:138 http://192.168.0.4:138 to 192.168.0.255:138 http://192.168.0.255:138 Thu Sep 5 09:24:07 2013; ARP request for 192.168.0.107; eth2; 52 bytes; from 5cf9ddec32b7 to QUEM PODE AJUDAR, sobre o log acima, e ONDE ACHAR Manual (de preferencia em portugues) do IPtraf ? Obrigado por qualquer ajuda! @bs pinguiniano ! Bom dia Henrique. Antes de mais nada, você tem conhecimentos do protocolo IP? O log acima está de fácil entendimento se você sabe o que significa UDP, ARP, TCP, MAC Address. -- Atenciosamente, Allan Carvalho
Re: LOG IPTRAF (???)
Henrique,Por esse log, fica claro que seu servidor não está sendo atacado.Há algumas requisições em netbios, e a grande maioria que é ARP, solicitando o endereço MAC de alguns IPs (192.168.0.59, 192.168.0.107, etc).Mas como o Allan falou, dê uma pesquisada sobre o assunto pra você analisar seu tráfego com mais certeza..Não sei te referenciar um agora, mas vai achar vários no Google, por exemplo.Boa sorte aí.Grande abraço... On 05/09/2013, at 09:32, Henrique Rosa henrique.li...@gmail.com wrote:Bom dia , pessoal!Estou iniciando o uso do linux e na empresa preciso aprender a usar o iptraf.Filtrei o trafico entre minha máquina (192.168.0.229) e o proxy (192.168.0.4) e não consigo entender o resultado. Tô achando que a rede está sendo hackeada, mas é mera desconfiança.Segue uma parte do log gerado:Thu Sep 5 09:24:07 2013; IP traffic monitor started Thu Sep 5 09:24:07 2013; TCP; eth2; 2948 bytes; from 192.168.0.4:665 to 192.168.0.229:50778 (source MAC addr 000475812901); first packet Thu Sep 5 09:24:07 2013; TCP; eth2; 52 bytes; from 192.168.0.229:50778 to 192.168.0.4:665 (source MAC addr 5cf9ddec32fc); first packetThu Sep 5 09:24:07 2013; ARP request for 192.168.0.107; eth2; 66 bytes; from b0487add2b3d to Thu Sep 5 09:24:07 2013; ARP request for 192.168.0.59; eth2; 66 bytes; from b0487add2b3d to Thu Sep 5 09:24:07 2013; Non-IP (0x4); eth2; 66 bytes; from a45630b83d36 to 0180c200Thu Sep 5 09:24:07 2013; ARP request for 192.168.1.21; eth2; 40 bytes; from 002722d4cf26 to Thu Sep 5 09:24:07 2013; ARP request for 192.168.0.232; eth2; 40 bytes; from 000475812901 to 00306789dcc2Thu Sep 5 09:24:07 2013; ARP reply from 192.168.0.232; eth2; 40 bytes; from 00306789dcc2 to 000475812901Thu Sep 5 09:24:07 2013; ARP request for 192.168.0.249; eth2; 40 bytes; from b0487add3ba1 to Thu Sep 5 09:24:07 2013; UDP; eth2; 1448 bytes; source MAC address bc5ff434ace5; from 192.168.0.154:889 to 192.168.0.255:889Thu Sep 5 09:24:07 2013; UDP; eth2; 1448 bytes; source MAC address bc5ff434ace5; from 192.168.0.154:889 to 192.168.0.255:889 Thu Sep 5 09:24:07 2013; ARP request for 192.168.0.100; eth2; 52 bytes; from 5cf9ddec32dc to Thu Sep 5 09:24:07 2013; Non-IP (0x86dd); eth2; 52 bytes; from 5cf9ddec32b7 to 00010002Thu Sep 5 09:24:07 2013; Non-IP (0x86dd); eth2; 40 bytes; from 002511f29501 to 00010003 Thu Sep 5 09:24:07 2013; Non-IP (0x86dd); eth2; 52 bytes; from 002511f29501 to 00010003Thu Sep 5 09:24:07 2013; ARP request for 192.168.2.1; eth0; 930 bytes; from 1078d2d327eb to d4ca6d64d4eaThu Sep 5 09:24:07 2013; ARP reply from 192.168.2.1; eth0; 930 bytes; from d4ca6d64d4ea to 1078d2d327eb Thu Sep 5 09:24:07 2013; ARP request for 192.168.0.249; eth2; 40 bytes; from b0487add3ba1 to Thu Sep 5 09:24:07 2013; UDP; eth2; 78 bytes; source MAC address 002511f29501; from 192.168.0.238:137 to 192.168.0.255:137 Thu Sep 5 09:24:07 2013; UDP; eth2; 234 bytes; source MAC address 000475812901; from 192.168.0.4:138 to 192.168.0.255:138Thu Sep 5 09:24:07 2013; ARP request for 192.168.0.107; eth2; 52 bytes; from 5cf9ddec32b7 to QUEM PODE AJUDAR, sobre o log acima, e ONDE ACHAR Manual (de preferencia em portugues) do IPtraf ?Obrigado por qualquer ajuda!@bs pinguiniano !