
Does anyone have any idea how to detect a particular IP that is generating...

charleskoh
Level 1

lots of packets jamming the network, due to a virus attack / worm attack?

Is there any 3rd-party software to do it? I need to scan the whole LAN.

2 Replies

paddyxdoyle
Level 6

Hi,

If you have a Cisco router, you can use Netflow on the router to help detect hosts that are displaying malicious behaviour, i.e. scanning a complete range of addresses for various ports etc.

Netflow can be enabled on your gateway interface using

"ip route-cache flow"

You can view the netflow information using

"sh ip cache flow".

An example of output that could identify infected hosts would be a host scanning an entire network for say tcp port 1433. The output of netflow would look something like.. (see attachment)

The DstP field is destination port, this value is in hex, 0599 in decimal is 1433.

I hope you get the idea from this, and have a Cisco router that supports Netflow, it's great for this kind of thing :)

You can then correlate the information you are seeing from Netflow and find out the type of virus you are being infected by. i.e. tcp 1433 more than likely SQL slammer.

HTH

PJD

Sorry, I deleted the attachment as it was slightly wrong and then I couldn't add the attachment back to the original post :(

PJD
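
Added example, not part of the original posts and not the deleted attachment: a Python script that parses rows in the classic "sh ip cache flow" column layout, converts the hex Pr/DstP fields to decimal, and lists sources that contacted many distinct hosts on one destination port. The sample rows, the function names and the threshold of 5 hosts are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample rows (documentation addresses), laid out like the flow
# table printed by "sh ip cache flow". Pr, SrcP and DstP are hexadecimal.
SAMPLE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa0/0         192.0.2.50      Fa0/1         198.51.100.1    06 0D3A 0599     1
Fa0/0         192.0.2.50      Fa0/1         198.51.100.2    06 0D3B 0599     1
Fa0/0         192.0.2.50      Fa0/1         198.51.100.3    06 0D3C 0599     1
Fa0/0         192.0.2.50      Fa0/1         198.51.100.4    06 0D3D 0599     1
Fa0/0         192.0.2.50      Fa0/1         198.51.100.5    06 0D3E 0599     1
Fa0/0         192.0.2.50      Fa0/1         198.51.100.6    06 0D3F 0599     1
Fa0/0         192.0.2.20      Fa0/1         198.51.100.10   06 C3A1 0050    42
Fa0/0         192.0.2.20      Fa0/1         198.51.100.11   06 C3A2 01BB    17
"""

PROTO = {0x01: "icmp", 0x06: "tcp", 0x11: "udp"}


def parse_flows(text):
    """Yield (src_ip, dst_ip, proto, dst_port) for each flow row in the table."""
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8 or f[0] == "SrcIf":
            continue  # skip the header, blank lines and summary lines
        try:
            proto, dport = int(f[4], 16), int(f[6], 16)  # hex -> decimal
        except ValueError:
            continue  # not a flow row
        yield f[1], f[3], PROTO.get(proto, str(proto)), dport


def find_scanners(text, min_targets=5):
    """Return {(src, proto, dst_port): distinct_hosts} for fan-out >= min_targets."""
    targets = defaultdict(set)
    for src, dst, proto, dport in parse_flows(text):
        targets[(src, proto, dport)].add(dst)
    return {k: len(v) for k, v in targets.items() if len(v) >= min_targets}


if __name__ == "__main__":
    for (src, proto, port), n in sorted(find_scanners(SAMPLE).items()):
        print(f"{src} contacted {n} hosts on {proto}/{port}")
```

Paste the router's flow table in place of SAMPLE and tune min_targets to the size of the LAN; a server that legitimately talks to many hosts on one port will also show up and needs to be ruled out by hand.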