LinuxQuestions.org
Old 08-30-2005, 10:06 AM   #1
ALInux
Member
 
Registered: Nov 2003
Location: Lebanon
Distribution: RHEL 5/CentOS 5/Debian Lenny/(K)Ubuntu Is Dead/Mandriva 10.1
Posts: 676
Blog Entries: 7

Rep: Reputation: 32
resolving hostnames in ethereal


Hi guys, I am on a low-security WAN in which several LANs are found... well, I've got one of the many LANs of this WAN. Sometimes some of the smart guys just start an ARP or DoS attack on my LAN (and the other LANs). I notice it due to the abnormal activity on my eth0 (the network card connected to the WAN on my Linux box). Well, I used to have Mandrake 10.0 and I used ethereal to sniff the packets to get the hostname of their source so that I can call them and tell them to stop the fun. Now I am using Mandrake 10.1; the problem is that I only get the source IP address, I do not get the hostname of the attacking computer (although I've checked "resolve hostnames" in the configuration of ethereal), and I cannot rely on the IPs since the IPs are DHCP, so the attacker has a different IP each time but the same hostname. So I need a way to resolve the hostname of the attacking computer through their IPs. I do not think that it is a problem with ethereal; it is a problem with my Mandrake configuration, I guess.


Any suggestions are welcomed
 
Old 08-31-2005, 08:31 PM   #2
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Rep: Reputation: 128
If you open a console and do "host <IP>" do you get a hostname back? If no, the error is one of DNS configuration. If yes, the error is with ethereal. I had some problems with getting ethereal to lookup IPs for a while: as a workaround, I think you can right-click on a packet and do a lookup.
 
Old 09-01-2005, 12:43 PM   #3
ALInux
Original Poster
It's a DNS problem. What should I do to resolve it? :S
 
Old 09-01-2005, 12:49 PM   #4
Matir
Post the output of 'cat /etc/resolv.conf', 'dig -x -x 130.207.244.244' and 'dig www.google.com', please.
 
Old 09-02-2005, 10:58 AM   #5
ALInux
Original Poster
[ali@Aliserver ali]$ cat /etc/resolv.conf
nameserver 10.22.0.180
nameserver 213.140.2.12
nameserver 10.22.0.180 # ppp temp entry
nameserver 213.140.2.12 # ppp temp entry
[ali@Aliserver ali]$ dig -x -x 130.207.244.244

; <<>> DiG 9.3.0 <<>> -x -x 130.207.244.244
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 35192
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;-x.in-addr.arpa. IN PTR

;; Query time: 3295 msec
;; SERVER: 10.22.0.180#53(10.22.0.180)
;; WHEN: Fri Sep 2 08:57:02 2005
;; MSG SIZE rcvd: 33

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 59673
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;130.207.244.244. IN A

;; AUTHORITY SECTION:
. 10800 IN SOA A.ROOT-SERVERS.NET. NSTLD.VERISIGN-GRS.COM. 2005090101 1800 900 604800 86400

;; Query time: 3006 msec
;; SERVER: 213.140.2.12#53(213.140.2.12)
;; WHEN: Fri Sep 2 08:57:06 2005
;; MSG SIZE rcvd: 108

[ali@Aliserver ali]$ dig www.google.com

; <<>> DiG 9.3.0 <<>> www.google.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13929
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;www.google.com. IN A

;; ANSWER SECTION:
www.google.com. 754 IN CNAME www.l.google.com.
www.l.google.com. 72 IN A 216.239.59.103
www.l.google.com. 72 IN A 216.239.59.104
www.l.google.com. 72 IN A 216.239.59.147
www.l.google.com. 72 IN A 216.239.59.99

;; AUTHORITY SECTION:
google.com. 337755 IN NS ns4.google.com.
google.com. 337755 IN NS ns1.google.com.
google.com. 337755 IN NS ns2.google.com.
google.com. 337755 IN NS ns3.google.com.

;; ADDITIONAL SECTION:
ns4.google.com. 67003 IN A 216.239.38.10
ns1.google.com. 67003 IN A 216.239.32.10
ns2.google.com. 67003 IN A 216.239.34.10
ns3.google.com. 67003 IN A 216.239.36.10

;; Query time: 6803 msec
;; SERVER: 10.22.0.180#53(10.22.0.180)
;; WHEN: Fri Sep 2 08:57:28 2005
;; MSG SIZE rcvd: 252

[ali@Aliserver ali]$
 
Old 09-02-2005, 11:37 AM   #6
Matir
Oops, in that dig -x -x command, there should've only been one -x. As in 'dig -x 130.207.244.244'.
 
Old 09-03-2005, 01:43 PM   #7
ALInux
Original Poster
[root@Aliserver ali]# dig -x 130.207.244.244

; <<>> DiG 9.3.0 <<>> -x 130.207.244.244
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46567
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;244.244.207.130.in-addr.arpa. IN PTR

;; ANSWER SECTION:
244.244.207.130.in-addr.arpa. 86400 IN PTR gatech.edu.

;; AUTHORITY SECTION:
207.130.in-addr.arpa. 86400 IN NS gatech.edu.
207.130.in-addr.arpa. 86400 IN NS troll-gw.gatech.edu.

;; ADDITIONAL SECTION:
gatech.edu. 115559 IN A 130.207.244.244
gatech.edu. 115559 IN A 130.207.244.244

;; Query time: 3005 msec
;; SERVER: 10.22.0.180#53(10.22.0.180)
;; WHEN: Sat Sep 3 11:42:08 2005
;; MSG SIZE rcvd: 139

[root@Aliserver ali]#
 
Old 09-04-2005, 11:30 AM   #8
Matir
Hrrm, odd, then ethereal should be able to do lookups without a problem. Perhaps the others on your WAN do not have IPs with addresses capable of reverse lookups?
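
Added example, not part of any poster's reply: a shell sketch of the triage this thread walks through, separating a malformed reverse query (the `-x -x` case), an address with no PTR record, and a working reverse lookup. The helper names `reverse_name` and `classify_dig` are hypothetical; the first two samples are abridged from the dig output posted above, and the 192.0.2.10 response is constructed.

```shell
#!/bin/sh
# Added example: helper names and the 192.0.2.10 sample are assumptions.

# Build the PTR query name that `dig -x` generates for an IPv4 address.
reverse_name() {
  printf '%s\n' "$1" | awk -F. 'NF == 4 { print $4 "." $3 "." $2 "." $1 ".in-addr.arpa." }'
}

# Read one dig response on stdin and classify it.
classify_dig() {
  awk '
    /->>HEADER<<-/ {
      for (i = 1; i < NF; i++)
        if ($i == "status:") { status = $(i + 1); sub(/,$/, "", status) }
    }
    /^;; QUESTION SECTION:/ { inq = 1; next }
    inq && /^;/ { qname = substr($1, 2); qtype = $NF; inq = 0; next }
    /^;; ANSWER SECTION:/ { ina = 1; next }
    ina && NF == 0 { ina = 0 }
    ina && $4 == "PTR" { ptr = $5 }
    END {
      if (qtype != "PTR" || qname !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\.in-addr\.arpa\.$/)
        print "malformed-query", qname        # the question itself was wrong
      else if (status == "NOERROR" && ptr != "")
        print "ptr", qname, ptr               # reverse DNS works for this IP
      else
        print "no-ptr", qname, status         # resolver fine, no PTR published
    }'
}

# Abridged from the thread: `dig -x -x` turned "-x" into the query name.
BAD_QUERY=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 35192
;; QUESTION SECTION:
;-x.in-addr.arpa. IN PTR'
# Abridged from the thread: the corrected `dig -x 130.207.244.244`.
GOOD_QUERY=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46567
;; QUESTION SECTION:
;244.244.207.130.in-addr.arpa. IN PTR

;; ANSWER SECTION:
244.244.207.130.in-addr.arpa. 86400 IN PTR gatech.edu.'
# Constructed: a host whose address has no reverse record.
NO_PTR=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1
;; QUESTION SECTION:
;10.2.0.192.in-addr.arpa. IN PTR'

for sample in "$BAD_QUERY" "$GOOD_QUERY" "$NO_PTR"; do
  printf '%s\n' "$sample" | classify_dig
done
```

With live data, the same classification applies to `dig -x <IP> | classify_dig` for each source address seen in the capture; a `no-ptr` result for the WAN hosts means the sniffer has no DNS name to show, whatever its settings.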
 
Old 09-04-2005, 01:52 PM   #9
ALInux
Original Poster
Hmm, I really do not know what that means... but in Windows I use ethereal lanview and Commview and they give excellent results... but I want to stop the habit of booting into win... anyway, thanks for your time and help.
 
  

