Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2027
Views
0
Helpful
2
Replies

anyone has any idea how to detect a particular IP who is generating..

charleskoh
Level 1
Level 1

‎07-28-2005 01:52 AM

lots of packets jamming the network, due to virus attack/ worm attack???

Any 3rd party software to do it? need to scan the whole LAN

Labels:
0 Helpful
2 Replies 2

paddyxdoyle
Level 6
Level 6

‎07-28-2005 02:30 AM

Hi,

If you have a Cisco router you can use Netflow on the router to help detect hosts that are displaying malicous behaviour

i.e. scanning a complete range of addresses for various ports etc.

Netflow can be enabled on your gateway interface using

"ip route-cache flow"

You can view the netflow information using

"sh ip cache flow".

An example of output that could identify infected hosts would be a host scanning an entire network for say tcp port 1433. The output of netflow would look something like.. (see attachment)

The DstP field is destination port, this value is in hex, 0599 in decimal is 1433.

I hope you get the idea from this, and have a Cisco router that supports Netflow, it's great for this kind of thing :)

You can then correlate the information you are seeing from Netflow and find out the type of virus you are being infected by. i.e. tcp 1433 more than likely SQL slammer.

HTH

PJD

0 Helpful

paddyxdoyle
Level 6
Level 6
In response to paddyxdoyle

‎07-28-2005 02:37 AM

Sorry, i deleted the attachment as it was slighly wrong and then i couldn't add the attachment back to orginal post :(

PJD

Preview file
1 KB
0 Helpful
Customers Also Viewed These Support Documents