[mirror-admin] [mirror] Re: Server DOS?

[Dave Martin]

> Scott Baker wrote:
>> I think my server is being DOSd, or maybe it's another server on my  
>> network. This isn't strictly mirror related, but there are a lot of  
>> sysadmins on here maybe you can help.
>>
>> I've port mirrored the port in question to another box so I can sniff  
>> the traffic and see what's going on. Is there a simple way to see the  
>> "top talker" so I can filter them out at the router level. If I tcpdump 
>> I get a bajillion packets, so I'd need some software with some  
>> intelligence to filter out how's sending the most packets (not  
>> bandwidth). iftop? iptraf? I'm open to ideas.
>>
>> Sorry if this is the wrong place for this, I'm running out of options.

If you've got a packet dump, wireshark (etheral) is nice.  It's good for
poking around and has some analysis tools that might help you.  I know
it has 'top talker' and some conversation tracking tools.

-- 
Dave
-----
Nobody believed that I could build a space station here.  So I built it anyway.
It sank into the vortex.  So I built another one.  It sank into the vortex.  
The third station burned down, fell over then sank into the vortex.  The fourth
station just vanished.  And the fifth station, THAT stayed!

--