12-04-2003 08:05 PM - edited 03-02-2019 12:09 PM
I am trying to find the source or sources of why my network traffic is saturated going outbound.
I set up a syslog server and have my PIX sending it type 6 info alerts. I found some obvious problems and patched the PCs, but that did not solve my problem.
I have also been running a sniffer (Sniffer 4.5 & Ethereal), but I do not see anything obvious there either.
What should I be looking for specifically? Anyone have any filters set up for Ethereal that they would like to share?
12-06-2003 08:59 PM
Thanks for the advice everyone. I'll let you know how it goes.
I have two PIX-to-syslog logs that I looked through, but this time I used FirewallAnalyzer to do a report based on syslog data. Here is what I found:
12/4 12:33pm - 2:18pm:
ID      Message                                                Event count   Share
106011  No routing to arrival interface.                       124426        38.45%
302013  Built TCP connection                                   84424         26.09%
106015  Deny TCP no connection established.                    67932         20.99%
305011  TCP UDP ICMP Address Translation slot created.         33707         10.42%
302015  Built UDP connection                                   10883         3.36%
106023  Deny IP packet by access-list.                         1884          0.58%
305005  Translate group not found.                             192           0.06%
110001  No route.                                              54            0.02%
609001                                                         33            0.01%
305009  Address Translation slot created.                      24            0.01%
Patched all the 106011 PCs with the latest security patches from Microsoft and the error event went away. I didn't know what to make of the 106015 events because they were from different PCs.
12-06-2003 08:59 PM
12/5 every 30 min starting at midnight to 6 am:
ID      Message                                                                                       Event count   Share
106015  Deny TCP no connection established.                                                           87481         75.67%
302013  Built TCP connection                                                                          11310         9.78%
302015  Built UDP connection                                                                          5048          4.37%
305011  TCP UDP ICMP Address Translation slot created.                                                3854          3.33%
305012  Teardown TCP UDP ICMP Address Translation slot.                                               3830          3.31%
106023  Deny IP packet by access-list.                                                                3587          3.10%
305005  Translate group not found.                                                                    380           0.33%
110001  No route.                                                                                     60            0.05%
302010  TCP connections in use.                                                                       21            0.02%
609002  Network state container for the host IP address connected to interface name is removed.      13            0.01%
A ridiculous amount of 106015 messages, 75% of my traffic; these come from about 10 different outside IPs.
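The breakdown the poster produced with FirewallAnalyzer (count and share per PIX message ID) and the follow-up question of which outside hosts generate the 106015 floods can both be answered from the raw syslog feed with a short script. The one below is an added example, not part of the thread and not the poster's tooling; the sample log lines are constructed here, modelled on the PIX 6.x syslog format (`%PIX-<severity>-<message id>: <text>`), and the "from <ip>/<port> to <ip>/<port>" parse for 106015 assumes that wording, which is how PIX phrases that message.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed sample lines (not the poster's logs), modelled on PIX 6.x syslog output.
SAMPLE_LOG = """\
Dec  5 00:30:01 pix %PIX-6-106015: Deny TCP (no connection) from 198.51.100.7/80 to 192.0.2.1/3421 flags RST ACK on interface outside
Dec  5 00:30:01 pix %PIX-6-106015: Deny TCP (no connection) from 198.51.100.7/80 to 192.0.2.1/3422 flags RST ACK on interface outside
Dec  5 00:30:02 pix %PIX-6-106015: Deny TCP (no connection) from 203.0.113.9/443 to 192.0.2.1/1101 flags FIN ACK on interface outside
Dec  5 00:30:02 pix %PIX-6-302013: Built outbound TCP connection 4711 for outside:198.51.100.7/80 (198.51.100.7/80) to inside:10.0.0.5/3423 (192.0.2.1/3423)
Dec  5 00:30:03 pix %PIX-6-302015: Built outbound UDP connection 4712 for outside:198.51.100.53/53 (198.51.100.53/53) to inside:10.0.0.5/1024 (192.0.2.1/1024)
Dec  5 00:30:03 pix %PIX-4-106023: Deny tcp src outside:203.0.113.9/1234 dst inside:192.0.2.1/135 by access-group "outside_in"
Dec  5 00:30:04 pix %PIX-6-106015: Deny TCP (no connection) from 198.51.100.7/80 to 192.0.2.1/3424 flags RST ACK on interface outside
"""

# Every PIX syslog message carries "%PIX-<severity>-<six digit id>:"; anything else is skipped.
MSG_ID_RE = re.compile(r"%PIX-(\d)-(\d{6}):\s*(.*)$")
# 106015 text reads "... from <src ip>/<port> to <dst ip>/<port> ..." (assumed wording, see lead-in).
FROM_TO_RE = re.compile(r"from (\d+\.\d+\.\d+\.\d+)/\d+ to (\d+\.\d+\.\d+\.\d+)/\d+")

Event = Tuple[str, int, str]  # (message id, severity, message text)


def parse(lines: Iterable[str]) -> List[Event]:
    """Extract (message id, severity, text) from each PIX syslog line; ignore non-PIX lines."""
    events: List[Event] = []
    for line in lines:
        m = MSG_ID_RE.search(line)
        if not m:
            continue
        severity, msg_id, text = m.groups()
        events.append((msg_id, int(severity), text))
    return events


def report(events: List[Event]) -> List[Tuple[str, int, float]]:
    """Per-message-ID event count and percentage share, most frequent first
    (the same shape as the FirewallAnalyzer summary in the thread)."""
    counts = Counter(msg_id for msg_id, _, _ in events)
    total = sum(counts.values())
    return [(msg_id, n, round(100.0 * n / total, 2)) for msg_id, n in counts.most_common()]


def top_sources(events: List[Event], msg_id: str = "106015") -> Dict[str, int]:
    """Count the source IPs behind one message ID, e.g. the outside hosts producing 106015."""
    sources: Counter = Counter()
    for mid, _, text in events:
        if mid != msg_id:
            continue
        m = FROM_TO_RE.search(text)
        if m:
            sources[m.group(1)] += 1
    return dict(sources.most_common())


if __name__ == "__main__":
    parsed = parse(SAMPLE_LOG.splitlines())
    for mid, n, pct in report(parsed):
        print(f"{mid}  count {n:>6}  {pct:6.2f}%")
    print("106015 sources:", top_sources(parsed))
```

Point the script at a real file by replacing `SAMPLE_LOG.splitlines()` with the lines of the syslog capture; a message ID that dominates the share but comes from a handful of source addresses, as 106015 does in the thread's second report, is then visible directly in the `top_sources` output rather than needing a second tool.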