07-16-2004 08:41 AM - edited 03-02-2019 05:07 PM
I have a 1720 series router and I suspect that one of the users on my LAN is infected with a virus that is causing the internet access to perform very slowly. All I have set up really is NAT to translate the private addresses to our one public address and a default route to the ISP's gateway. I know that there are certain commands that I can run that can give me a good idea of which IP addresses are generating traffic on given ports (e.g. port 135 for Blaster). Could someone please give me assistance in troubleshooting this issue?
07-16-2004 09:05 AM
Hello,
You could start out by turning on IP accounting. Without knowing your exact configuration, I would guess you have a dialer interface; configure the following on that interface:
ip accounting
ip accounting output-packets
Then, from the exec prompt, check for the IP source and destination address pairs with the command:
Router#show ip accounting
Which IOS version are you running? In order to get a better insight into which protocols are running on your network, you could configure the NBAR Protocol Discovery feature. I do not know if your IOS supports it, but if it does, turn on NBAR protocol discovery on your (Fast)Ethernet interface with the command:
ip nbar protocol-discovery
and check the results with the exec command:
show ip nbar protocol-discovery
HTH,
Georg
07-16-2004 01:11 PM
IP accounting is one way to go about it.... if you would like more detailed info though I would suggest using NetFlow....
Turn CEF on within the router...
cisco# config t
cisco(config)# ip cef
Then go into the interface in question and turn on ip route-cache flow.
So what I've done in the past is to go to the border router and turn on ip route-cache flow on both the Fast Ethernet that connects to my network and the serial interface that faces my ISP.
cisco(config-if)# ip route-cache flow
Once this is done you can issue a show ip cache flow and receive more detailed info...
show ip accounting output
Source          Destination      Packets   Bytes
131.108.19.40   192.67.67.20           7     306
131.108.13.55   192.67.67.20          67    2749
131.108.2.50    192.12.33.51          17    1111
131.108.2.50    130.93.2.1             5     319
131.108.2.50    130.93.1.2           463   30991
131.108.19.40   130.93.2.1             4     262
131.108.19.40   130.93.1.2            28    2552
sh ip cache flow
SrcIf     SrcIPaddress    DstIf     DstIPaddress    Pr SrcP DstP Pkts
AT1/0.1   10.1.10.1       Fa4/0     192.168.10.1    01 0000 0800 1131
Fa4/0     192.168.10.1    AT1/0.1   10.1.10.1       01 0000 0000 1131
Fa4/0     192.168.10.1    AT1/0.1   10.1.10.1       06 2AF8 0017    3
AT1/0.1   10.1.10.1       Fa4/0     192.168.10.1    06 0017 2AF8    3
I know this probably looks really crappy, but if you look at the description of the fields on the show ip cache flow command you'll see that you get more detailed info including src port and dest port (results are in hex, mind you). This will allow you to determine what port your internal devices are trying to get to and help you filter out legit traffic from infected hosts...
-DP
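The hex port columns in the flow cache above are the sticking point when you are scanning for a worm by eye. The script below is an added example, not part of DP's post or any Cisco tool: it parses pasted `show ip cache flow` rows, converts the Pr/SrcP/DstP columns from hex, sums packets per LAN source and destination port, and flags hosts pushing heavy traffic to the ports the thread mentions (135, 445, 25). The sample table, the interface names (Fa0 for the LAN, Di1 for the dialer), the addresses and the threshold are all constructed for the demonstration.

```python
"""Decode `show ip cache flow` rows and rank LAN hosts by destination port.

Added example for this thread; not Cisco code. The flow rows below are
constructed to look like the post's table (Pr, SrcP and DstP are hex).
"""
from collections import Counter, defaultdict

# Constructed sample output; Fa0 is assumed to be the LAN side, Di1 the ISP side.
SAMPLE_FLOWS = """\
SrcIf     SrcIPaddress    DstIf     DstIPaddress    Pr SrcP DstP  Pkts
Fa0       192.168.1.50    Di1       203.0.113.10    06 0401 0087  1412
Fa0       192.168.1.50    Di1       203.0.113.11    06 0402 0087  1389
Fa0       192.168.1.50    Di1       203.0.113.12    06 0403 01BD   950
Fa0       192.168.1.20    Di1       198.51.100.5    06 8A3C 0050    31
Fa0       192.168.1.20    Di1       198.51.100.9    11 A1F2 0035     4
Di1       198.51.100.5    Fa0       192.168.1.20    06 0050 8A3C    29
"""

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
# Ports named in the thread as worth watching (hypothetical labels for the demo).
SUSPECT_PORTS = {135: "msrpc (Blaster)", 139: "netbios-ssn", 445: "smb", 25: "smtp"}


def parse_flows(text):
    """Return one dict per flow row; hex columns become ints.

    Real `show ip cache flow` output has summary and protocol-statistics
    lines above the table, so anything that does not parse as a row is skipped.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8:
            continue
        src_if, src_ip, dst_if, dst_ip, pr, sport, dport, pkts = parts[:8]
        try:
            rows.append({
                "src_if": src_if, "src": src_ip, "dst_if": dst_if, "dst": dst_ip,
                "proto": int(pr, 16), "sport": int(sport, 16),
                "dport": int(dport, 16), "pkts": int(pkts),
            })
        except ValueError:
            continue  # header line or a non-table line
    return rows


def outbound_port_summary(rows, lan_if):
    """Map each LAN source -> Counter of (proto, dport) -> packets.

    Only flows entering on lan_if count, so return traffic is excluded.
    """
    summary = defaultdict(Counter)
    for r in rows:
        if r["src_if"] == lan_if:
            summary[r["src"]][(r["proto"], r["dport"])] += r["pkts"]
    return summary


def suspects(summary, min_pkts=100):
    """List (src, proto, dport, pkts) for hosts hammering a SUSPECT_PORTS port."""
    hits = []
    for src, counter in summary.items():
        for (proto, dport), pkts in counter.items():
            if dport in SUSPECT_PORTS and pkts >= min_pkts:
                hits.append((src, PROTO_NAMES.get(proto, str(proto)), dport, pkts))
    return sorted(hits, key=lambda h: -h[3])


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for src, proto, dport, pkts in suspects(outbound_port_summary(flows, "Fa0")):
        print(f"{src:16} {proto:4} dport {dport:<5} ({SUSPECT_PORTS[dport]}) {pkts} pkts")
```

Paste the real output in place of the sample and set `lan_if` to your Ethernet interface name; a worm will usually show up as one source with many distinct destinations on the same destination port, which is why the summary keys on the port rather than on the peer address.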
07-16-2004 12:39 PM
One thing I like to do that is really simple is make a very basic ACL and apply it 'in' on your LAN interface. It would be something like this:
permit tcp any any eq 135 log
permit ip any any
This will log all hits against port 135, and then you can look at your log and see what IP it is coming from. This doesn't stop any traffic, but lets you see if there is suspicious activity. You can also use any port you want to monitor, such as 445, 25, etc., if you are suspicious of them.
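Once the ACL above is logging, the router emits one `%SEC-6-IPACCESSLOGP` syslog line per matching flow, and the interesting part is tallying those lines rather than reading them one by one. The following is an added example, not part of the post above or a Cisco tool: it parses IOS access-list log messages, sums the reported packet counts per source and destination port, and counts how many distinct destinations each source touched, which is the pattern of a scanning worm. The log lines, the ACL name `LAN-IN` and the addresses are constructed for the demonstration.

```python
"""Tally Cisco IOS %SEC-6-IPACCESSLOGP messages per source host.

Added example for this thread; not Cisco code. The syslog sample below is
constructed in the IOS extended-ACL log format (tcp/udp entries).
"""
import re
from collections import Counter, defaultdict

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>tcp|udp) (?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\), (?P<pkts>\d+) packets?"
)

# Constructed sample. IOS logs the first matching packet immediately and then a
# counted summary roughly every five minutes, hence the large later counts.
SAMPLE_LOG = """\
Jul 16 08:41:12.001: %SEC-6-IPACCESSLOGP: list LAN-IN permitted tcp 192.168.1.50(1029) -> 203.0.113.10(135), 1 packet
Jul 16 08:41:15.220: %SEC-6-IPACCESSLOGP: list LAN-IN permitted tcp 192.168.1.20(2043) -> 198.51.100.5(25), 1 packet
Jul 16 08:46:12.001: %SEC-6-IPACCESSLOGP: list LAN-IN permitted tcp 192.168.1.50(1030) -> 203.0.113.11(135), 887 packets
Jul 16 08:46:15.220: %SEC-6-IPACCESSLOGP: list LAN-IN permitted tcp 192.168.1.20(2044) -> 198.51.100.5(25), 3 packets
Jul 16 08:51:12.001: %SEC-6-IPACCESSLOGP: list LAN-IN permitted tcp 192.168.1.50(1031) -> 203.0.113.12(135), 1204 packets
"""


def parse_acl_log(text):
    """Return a list of dicts for every IPACCESSLOGP line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            e = m.groupdict()
            for key in ("sport", "dport", "pkts"):
                e[key] = int(e[key])
            entries.append(e)
    return entries


def packets_by_source(entries, dport):
    """Total reported packets per source address towards one destination port.

    Summing the packet field (not counting lines) matters because the later
    lines are five-minute summaries, not single packets.
    """
    totals = Counter()
    for e in entries:
        if e["dport"] == dport:
            totals[e["src"]] += e["pkts"]
    return totals


def destinations_per_source(entries, dport):
    """Number of distinct destination hosts each source hit on dport.

    A worm sweeps many hosts on one port; a legitimate client talks to few.
    """
    seen = defaultdict(set)
    for e in entries:
        if e["dport"] == dport:
            seen[e["src"]].add(e["dst"])
    return {src: len(dsts) for src, dsts in seen.items()}


if __name__ == "__main__":
    entries = parse_acl_log(SAMPLE_LOG)
    for port in (135, 25):
        spread = destinations_per_source(entries, port)
        for src, pkts in packets_by_source(entries, port).most_common():
            print(f"port {port}: {src} {pkts} pkts to {spread[src]} destination(s)")
```

Feed it the output of `show logging` (or your syslog server's file). The regex covers the tcp/udp form of the message; ICMP and other protocols are logged under different message names and would need their own pattern.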