[mirror-admin] Server DOS?

J.H. warthog19 at eaglescrag.net
Fri Jul 31 13:54:12 EDT 2009


iptraf is probably a good place to start; it will become apparent what's 
going on if it is a DOS. If it's a DDOS you'll just see massive amounts 
of connections coming and going.  Really there's going to be a lot of 
digging into logs and connections and such.  Netstat is probably also 
helpful on top of iptraf, but it's not going to have quite as 
easy-to-approach a user interface, and in the worst-case scenario there's always 
tcpdump, but that might not be useful if you haven't tried using it before.

- John 'Warthog9' Hawley

Scott Baker wrote:
> I think my server is being DOSd, or maybe it's another server on my 
> network. This isn't strictly mirror related, but there are a lot of 
> sysadmins on here, so maybe you can help.
> 
> I've port mirrored the port in question to another box so I can sniff 
> the traffic and see what's going on. Is there a simple way to see the 
> "top talker" so I can filter them out at the router level? If I tcpdump 
> I get a bajillion packets, so I'd need some software with some 
> intelligence to filter out who's sending the most packets (not 
> bandwidth). iftop? iptraf? I'm open to ideas.
> 
> Sorry if this is the wrong place for this, I'm running out of options.
> 
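
One way to get the "top talker" by packet count (not bandwidth) out of the tcpdump stream discussed in this thread, as an added example that is not part of either message. It assumes the default text output of `tcpdump -nn` and counts IPv4 sources only; the interface name `eth0` and the sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Rank IPv4 senders by packet count (not bytes) from `tcpdump -nn` text output.
# Live use on the sniffing box (interface name eth0 is an assumption):
#   tcpdump -nn -l -c 100000 -i eth0 | top_talkers 10

top_talkers() {
    # $1 = number of sources to list (default 10); capture text on stdin
    awk '
        # Expected line shape: <time> IP <src>[.port] > <dst>[.port]: ...
        # Anything else (ARP, IP6, truncated lines) is skipped.
        $2 == "IP" && $4 == ">" {
            src = $3
            # a.b.c.d.port has four dots; portless protocols (ICMP) have three
            if (gsub(/\./, ".", src) == 4) sub(/\.[0-9]+$/, "", src)
            count[src]++
        }
        END { for (s in count) print count[s], s }
    ' | sort -k1,1nr -k2,2 | head -n "${1:-10}"
}

# Constructed sample capture (documentation address ranges, not real traffic).
sample_capture() {
    cat <<'EOF'
13:54:12.000001 IP 203.0.113.7.40001 > 198.51.100.5.80: Flags [S], seq 1, win 512, length 0
13:54:12.000002 IP 203.0.113.7.40002 > 198.51.100.5.80: Flags [S], seq 2, win 512, length 0
13:54:12.000003 IP 192.0.2.10.51234 > 198.51.100.5.80: Flags [S], seq 3, win 65535, length 0
13:54:12.000004 IP 198.51.100.5.80 > 192.0.2.10.51234: Flags [S.], seq 4, ack 4, win 65535, length 0
13:54:12.000005 IP 203.0.113.7.40003 > 198.51.100.5.80: Flags [S], seq 5, win 512, length 0
13:54:12.000006 IP 192.0.2.10.51234 > 198.51.100.5.80: Flags [.], ack 5, win 65535, length 0
13:54:12.000007 IP 192.0.2.10 > 198.51.100.5: ICMP echo request, id 1, seq 1, length 64
13:54:12.000008 IP 203.0.113.7.40004 > 198.51.100.5.80: Flags [S], seq 6, win 512, length 0
13:54:12.000009 ARP, Request who-has 198.51.100.5 tell 198.51.100.1, length 46
EOF
}

# Prints "<packets> <source address>", busiest sender first.
sample_capture | top_talkers 3
```

Each source port of a sender is folded into one address, so a host opening many short connections still shows up as a single high-count line.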
