LinuxQuestions.org
Linux - Networking: This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.

Old 11-02-2004, 11:25 PM   #1
AmdMhz
Network Traffic problem... Being hacked?

Hi all... I have been looking at my router lights going nuts every time I start my Slackware system. When I turn the system off, my router goes back to normal. Something seems to be hammering me, but in netstat I do not see anything strange. How can I protect my Slackware 10 system from this? This is slowing my system way down, along with my DSL connection. Any suggestions will be appreciated.

Thanks
Amdmhz
 
Old 11-03-2004, 12:06 AM   #2
fblucher
Run a "tcpdump -i <outbound interface> -n" and have a look at the traffic.

Seeya,
Finn.
 
Old 11-03-2004, 12:18 AM   #3
AmdMhz (Original Poster)
Thanks for replying. Being new to tcpdump, what is it that I am looking for in the log? Thanks
 
Old 11-03-2004, 12:27 AM   #4
fblucher
tcpdump will show you all the traffic that is coming and going from the interface you specified. Look at the traffic and see if there's traffic you don't like in there. Feel free to read the man page to get the syntax of the output.

Seeya,
Finn.
 
Old 11-03-2004, 12:28 AM   #5
tangle
tcpdump is a port sniffer. Look at what port the traffic is transmitting on. Some worms and viruses use certain ports to do attacks.
 
Old 11-03-2004, 11:25 PM   #6
AmdMhz (Original Poster)
If I do see something strange how do I shut that port down so my network traffic calms down?
 
Old 11-03-2004, 11:29 PM   #7
fblucher
Show us what strange is.
 
Old 11-03-2004, 11:33 PM   #8
AmdMhz (Original Poster)
Here is some of the dump:

23:31:06.131588 IP 192.168.1.12.33061 > 192.168.1.102.445: P 27920:28000(80) ack 57586 win 4802 <nop,nop,timestamp 38795409 688201900>
23:31:06.132013 IP 192.168.1.102.445 > 192.168.1.12.33061: P 57586:57751(165) ack 28000 win 4344 <nop,nop,timestamp 688201900 38795409>
23:31:06.132654 IP 192.168.1.12.35202 > 192.168.1.101.445: P 27920:28000(80) ack 51653 win 5360 <nop,nop,timestamp 38795409 3885013>
23:31:06.132870 IP 192.168.1.101.445 > 192.168.1.12.35202: P 51653:51801(148) ack 28000 win 64575 <nop,nop,timestamp 3885013 38795409>
23:31:06.168502 IP 192.168.1.12.33061 > 192.168.1.102.445: . ack 57751 win 4802 <nop,nop,timestamp 38795413 688201900>
23:31:06.168522 IP 192.168.1.12.35202 > 192.168.1.101.445: . ack 51801 win 5360 <nop,nop,timestamp 38795413 3885013>
23:31:06.379901 IP 192.168.1.12.35202 > 192.168.1.101.445: P 28000:28080(80) ack 51801 win 5360 <nop,nop,timestamp 38795434 3885013>
23:31:06.380325 IP 192.168.1.101.445 > 192.168.1.12.35202: P 51801:51949(148) ack 28080 win 64495 <nop,nop,timestamp 3885015 38795434>
23:31:06.380382 IP 192.168.1.12.35202 > 192.168.1.101.445: . ack 51949 win 5212 <nop,nop,timestamp 38795434 3885015>
23:31:06.380922 IP 192.168.1.12.33061 > 192.168.1.102.445: P 28000:28080(80) ack 57751 win 4802 <nop,nop,timestamp 38795434 688201900>
23:31:06.381390 IP 192.168.1.102.445 > 192.168.1.12.33061: P 57751:57916(165) ack 28080 win 4344 <nop,nop,timestamp 688202150 38795434>
23:31:06.381436 IP 192.168.1.12.33061 > 192.168.1.102.445: . ack 57916 win 4802 <nop,nop,timestamp 38795434 688202150>
23:31:06.381894 IP 192.168.1.12.33061 > 192.168.1.102.445: P 28080:28160(80) ack 57916 win 4802 <nop,nop,timestamp 38795434 688202150>
23:31:06.382318 IP 192.168.1.102.445 > 192.168.1.12.33061: P 57916:58081(165) ack 28160 win 4344 <nop,nop,timestamp 688202151 38795434>
23:31:06.382955 IP 192.168.1.12.35202 > 192.168.1.101.445: P 28080:28160(80) ack 51949 win 5360 <nop,nop,timestamp 38795434 3885015>
 
Old 11-03-2004, 11:47 PM   #9
AmdMhz (Original Poster)
My Slack box above is hitting all IPs and several different ports. Below is my Knoppix dump, which is only going to one other IP address.

nop,nop,timestamp 38859133 688839293>
10:40:40.792319 IP 192.168.1.12.33061 > 192.168.1.102.445: P 12240:12320(80) ack 25246 win 4802 <nop,nop,timestamp 38859133 688839293>
10:40:40.793923 IP 192.168.1.102.445 > 192.168.1.12.33061: P 25246:25411(165) ack 12320 win 4344 <nop,nop,timestamp 688839294 38859133>
10:40:40.828353 IP 192.168.1.12.33061 > 192.168.1.102.445: . ack 25411 win 4802 <nop,nop,timestamp 38859137 688839294>
10:40:41.052888 IP 192.168.1.12.33061 > 192.168.1.102.445: P 12320:12400(80) ack 25411 win 4802 <nop,nop,timestamp 38859159 688839294>
10:40:41.053539 IP 192.168.1.102.445 > 192.168.1.12.33061: P 25411:25576(165) ack 12400 win 4344 <nop,nop,timestamp 688839554 38859159>
10:40:41.053676 IP 192.168.1.12.33061 > 192.168.1.102.445: . ack 25576 win 4802 <nop,nop,timestamp 38859159 688839554>
10:40:41.053789 IP 192.168.1.12.33061 > 192.168.1.102.445: P 12400:12480(80) ack 25576 win 4802 <nop,nop,timestamp 38859159 688839554>
10:40:41.055399 IP 192.168.1.102.445 > 192.168.1.12.33061: P 25576:25741(165) ack 12480 win 4344 <nop,nop,timestamp 688839556 38859159>
10:40:41.088377 IP 192.168.1.12.33061 > 192.168.1.102.445: . ack 25741 win 4802 <nop,nop,timestamp 38859163 688839556>

Sorry, I am new to this. Just trying to understand why my Slack box is making my router lights go crazy.
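The two dumps in posts #8 and #9 are easier to read once they are tallied per flow and per destination port, which is the "look at what port the traffic is on" step suggested earlier in the thread. The script below is an added example and is not from this thread or from tcpdump itself: it parses lines in the same text format tcpdump printed here, sums packets and payload bytes for each (source, destination, port) direction, and names the well-known ports. The sample lines embedded in it are constructed to match the shape of the thread's dumps, including one truncated fragment that the parser skips, and the port-name table is a small hand-picked subset of the standard IANA service names, so it is an assumption of this example rather than anything the thread states. Run on the thread's own capture it shows host 192.168.1.12 talking to two LAN peers on 445/tcp, the SMB/CIFS port, which fits the final post's finding that SMB4k (a KDE SMB share browser) was responsible.

```python
import re
import sys
from collections import defaultdict

# Constructed sample in the same shape as the tcpdump output quoted in the
# thread: 192.168.1.12 exchanging data with two peers on port 445, plus one
# truncated fragment of the kind that appears at the top of the second dump.
SAMPLE_DUMP = """\
23:31:06.131588 IP 192.168.1.12.33061 > 192.168.1.102.445: P 27920:28000(80) ack 57586 win 4802 <nop,nop,timestamp 38795409 688201900>
23:31:06.132013 IP 192.168.1.102.445 > 192.168.1.12.33061: P 57586:57751(165) ack 28000 win 4344 <nop,nop,timestamp 688201900 38795409>
23:31:06.132654 IP 192.168.1.12.35202 > 192.168.1.101.445: P 27920:28000(80) ack 51653 win 5360 <nop,nop,timestamp 38795409 3885013>
23:31:06.132870 IP 192.168.1.101.445 > 192.168.1.12.35202: P 51653:51801(148) ack 28000 win 64575 <nop,nop,timestamp 3885013 38795409>
23:31:06.168502 IP 192.168.1.12.33061 > 192.168.1.102.445: . ack 57751 win 4802 <nop,nop,timestamp 38795413 688201900>
nop,nop,timestamp 38859133 688839293>
"""

# Assumed subset of IANA service names; extend as needed.
KNOWN_PORTS = {
    22: "ssh", 53: "domain", 80: "http", 137: "netbios-ns", 138: "netbios-dgm",
    139: "netbios-ssn", 443: "https", 445: "microsoft-ds (SMB/CIFS)",
}

# One tcpdump TCP line: time, "IP", src.sport > dst.dport:, flags, then an
# optional "seq:seq(len)" range whose (len) is the payload byte count.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): "
    r"(?P<flags>[A-Z.]+)"
    r"(?: \d+:\d+\((?P<payload>\d+)\))?"
)


def parse_line(line):
    """Return a dict for one tcpdump line, or None if the line is not parsable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"], "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "flags": d["flags"], "payload": int(d["payload"] or 0),  # pure ACKs carry 0 bytes
    }


def summarize(dump_text):
    """Tally packets and payload bytes per (src, dst, dport) direction.

    Returns (flows, skipped) where flows maps the key to {"packets", "bytes"}
    and skipped counts lines the regex could not parse (truncated output etc.).
    """
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    skipped = 0
    for line in dump_text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            skipped += 1
            continue
        key = (pkt["src"], pkt["dst"], pkt["dport"])
        flows[key]["packets"] += 1
        flows[key]["bytes"] += pkt["payload"]
    return dict(flows), skipped


def port_histogram(dump_text):
    """Packets per destination port: answers 'what port is this traffic on?'."""
    flows, _ = summarize(dump_text)
    hist = defaultdict(int)
    for (_, _, dport), st in flows.items():
        hist[dport] += st["packets"]
    return dict(hist)


def peers_on_port(dump_text, host, port):
    """Addresses that `host` sends to on destination `port`."""
    flows, _ = summarize(dump_text)
    return {dst for (src, dst, dport) in flows if src == host and dport == port}


def report(dump_text):
    """Human-readable table, busiest direction first."""
    flows, skipped = summarize(dump_text)
    rows = []
    for (src, dst, dport), st in sorted(flows.items(), key=lambda kv: -kv[1]["bytes"]):
        name = KNOWN_PORTS.get(dport, "unknown")
        rows.append(f"{src:>15} -> {dst:>15}:{dport:<5} {name:<24} "
                    f"{st['packets']:>4} pkts {st['bytes']:>6} B")
    rows.append(f"({skipped} unparsable line(s) skipped)")
    return "\n".join(rows)


if __name__ == "__main__":
    # Pipe a saved "tcpdump -i <iface> -n" capture on stdin, or run with no
    # input to see the constructed sample.
    data = SAMPLE_DUMP if sys.stdin.isatty() else sys.stdin.read()
    print(report(data))
```

Usage: `tcpdump -i eth0 -n > capture.txt` for a minute while the router lights are busy, then `python3 tcpdump_flows.py < capture.txt`. The top rows name the host and port generating the load; a single LAN host repeatedly contacting every neighbour on 445/tcp points at a share browser or similar local service rather than inbound traffic from outside, so the fix is on that host, not at the router.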
 
Old 11-04-2004, 12:02 AM   #10
AmdMhz (Original Poster)
Thanks for your help. I found the problem... It is SMB4k. That program is wigging stuff out. I am going to get rid of it and just do my shares via the command line. Thanks for your help, all.

All times are GMT -5.