[mirror-admin] [mirror] Re: Server DOS?
Scott Baker
bakers at canbytel.com
Fri Jul 31 15:01:28 EDT 2009
On 07/31/2009 12:00 PM, Dave Martin wrote:
>> Scott Baker wrote:
>>> I think my server is being DOSd, or maybe it's another server on my
>>> network. This isn't strictly mirror related, but there are a lot of
>>> sysadmins on here maybe you can help.
>>>
>>> I've port mirrored the port in question to another box so I can sniff
>>> the traffic and see what's going on. Is there a simple way to see the
>>> "top talker" so I can filter them out at the router level. If I tcpdump
>>> I get a bajillion packets, so I'd need some software with some
>>> intelligence to filter out who's sending the most packets (not
>>> bandwidth). iftop? iptraf? I'm open to ideas.
>>>
>>> Sorry if this is the wrong place for this, I'm running out of options.
>
> If you've got a packet dump, wireshark (ethereal) is nice. It's good for
> poking around and has some analysis tools that might help you. I know
> it has 'top talker' and some conversation tracking tools.
There is about a gig of traffic moving across that ethernet link. So even a
quick capture gets REALLY large, really fast.
Otherwise the ethereal tools are fantastic.
--
Scott Baker - Canby Telcom
System Administrator - RHCE - 503.266.8253
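
An added example, not part of the original message or thread: one way to rank senders by packet count (not bandwidth) on the mirror port without saving a capture, by counting source addresses from `tcpdump -nn` text output as it streams. It assumes the default one-line-per-packet format without `-e`; the function names and the sample lines (documentation address ranges) are constructed for illustration.

```python
import re
import sys
from collections import Counter

# Matches the "IP src > " / "IP6 src > " part of a tcpdump -nn text line.
# Assumes tcpdump was run without -e (no link-level header on the line).
SRC_RE = re.compile(r"\b(IP6?) (\S+) > ")

def strip_port(proto, endpoint):
    """Drop the trailing .port that tcpdump appends for TCP/UDP endpoints."""
    if proto == "IP":
        # IPv4: the first four dot-separated fields are the address.
        return ".".join(endpoint.split(".")[:4])
    # IPv6: the port, if present, follows the last dot.
    host, sep, port = endpoint.rpartition(".")
    return host if sep and port.isdigit() else endpoint

def count_sources(lines):
    """Count packets per source address; non-IP lines (ARP, STP) are skipped."""
    counts = Counter()
    for line in lines:
        m = SRC_RE.search(line)
        if m:
            counts[strip_port(m.group(1), m.group(2))] += 1
    return counts

def top_talkers(lines, n=10):
    """Return the n sources that sent the most packets, busiest first."""
    return count_sources(lines).most_common(n)

# Constructed sample lines, used when nothing is piped in.
SAMPLE = """\
15:01:28.000001 IP 203.0.113.7.40001 > 192.0.2.10.80: Flags [S], seq 1, win 512, length 0
15:01:28.000002 IP 203.0.113.7.40002 > 192.0.2.10.80: Flags [S], seq 2, win 512, length 0
15:01:28.000003 IP 198.51.100.4.51515 > 192.0.2.10.80: Flags [.], ack 1, win 229, length 1448
15:01:28.000004 IP 203.0.113.7 > 192.0.2.10: ICMP echo request, id 1, seq 1, length 64
15:01:28.000005 IP6 2001:db8::5.44321 > 2001:db8::10.80: Flags [S], seq 3, win 512, length 0
15:01:28.000006 ARP, Request who-has 192.0.2.1 tell 192.0.2.10, length 28
"""

if __name__ == "__main__":
    source = SAMPLE.splitlines() if sys.stdin.isatty() else sys.stdin
    for addr, pkts in top_talkers(source):
        print(f"{pkts:>10}  {addr}")
```

Saved under a name such as `top_talkers.py` (hypothetical), it can be fed a bounded sample with `tcpdump -nn -q -c 200000 -i eth1 | python3 top_talkers.py`, where `eth1` stands in for the interface receiving the mirrored traffic.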