07-28-2005 01:52 AM
Lots of packets jamming the network, due to virus attack/worm attack???
Any 3rd party software to do it? Need to scan the whole LAN.
07-28-2005 02:30 AM
Hi,
If you have a Cisco router you can use Netflow on the router to help detect hosts that are displaying malicious behaviour,
i.e. scanning a complete range of addresses for various ports etc.
Netflow can be enabled on your gateway interface using
"ip route-cache flow"
You can view the netflow information using
"sh ip cache flow".
An example of output that could identify infected hosts would be a host scanning an entire network for, say, tcp port 1433. The output of netflow would look something like... (see attachment)
The DstP field is destination port, this value is in hex, 0599 in decimal is 1433.
I hope you get the idea from this, and have a Cisco router that supports Netflow, it's great for this kind of thing :)
You can then correlate the information you are seeing from Netflow and find out the type of virus you are being infected by. i.e. tcp 1433 more than likely SQL slammer.
HTH
PJD
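The check described in the reply above, as an added example that is not part of the original post: it parses flow rows in the column layout of "sh ip cache flow", converts the hex Pr and DstP fields to decimal, and reports any source that touches many distinct destinations on one port. The sample rows are constructed, and the `min_targets` threshold is an assumption to tune per network.

```python
from collections import defaultdict

# Constructed sample in the "sh ip cache flow" column layout; not real capture data.
SAMPLE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa0/0         10.0.0.23       Fa0/1         192.0.2.1       06 0B3C 0599     1
Fa0/0         10.0.0.23       Fa0/1         192.0.2.2       06 0B3D 0599     1
Fa0/0         10.0.0.23       Fa0/1         192.0.2.3       06 0B3E 0599     1
Fa0/0         10.0.0.23       Fa0/1         192.0.2.4       06 0B3F 0599     1
Fa0/0         10.0.0.23       Fa0/1         192.0.2.5       06 0B40 0599     1
Fa0/0         10.0.0.23       Fa0/1         192.0.2.6       06 0B41 0599     1
Fa0/0         10.0.0.40       Fa0/1         192.0.2.10      06 0C11 0050    42
Fa0/0         10.0.0.40       Fa0/1         192.0.2.11      11 0C12 0035     2
"""


def parse_flows(text):
    """Yield (src, dst, proto, dst_port) for each flow row.

    Pr, SrcP and DstP are printed in hex, so 0599 becomes 1433.
    """
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8 or fields[0] == "SrcIf":
            continue  # skip the header and any summary lines
        try:
            yield fields[1], fields[3], int(fields[4], 16), int(fields[6], 16)
        except ValueError:
            continue  # eight columns, but not a flow row


def find_scanners(text, min_targets=5):
    """Map (src, proto, dst_port) to the number of distinct destinations
    contacted, keeping only entries at or above min_targets."""
    targets = defaultdict(set)
    for src, dst, proto, dport in parse_flows(text):
        targets[(src, proto, dport)].add(dst)
    return {key: len(dsts) for key, dsts in targets.items()
            if len(dsts) >= min_targets}


if __name__ == "__main__":
    for (src, proto, dport), count in sorted(find_scanners(SAMPLE).items()):
        print(f"{src} proto {proto} dst port {dport}: {count} distinct destinations")
```
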
07-28-2005 02:37 AM