Where is incoming traffic coming from?

Amedee @ Ubuntu amedee-ubuntu at amedee.be
Mon Aug 3 00:25:43 UTC 2009


On Sun, August 2, 2009 18:17, drew einhorn wrote:
> What's upstream from the box that's receiving the mystery traffic?

The box itself is a Xen DomU, upstream it's a Xen Dom0, and upstream from
there it's the hetzner.de datacenter somewhere in Bavaria. Several hundred
km from where I live so no hands on.
Perhaps I should have mentioned that earlier?

> There are several ways to monitor the traffic before it gets to your
> box.

The person who runs the Dom0 did a capture and let wireshark loose on it.
193.190.67.15 was identified with over 700 MB of traffic in one hour. That
would account for several gigabytes per day.

> 1) if the upstream box is a managed switch you can "mirror" the traffic
> to a spare port,

If it was a real physical machine under my desk, I would hook it up to my
HP ProCurve 1800-24G and mirror one switchport, as you suggest.

> 2) if you have an old ethernet hub (not a switch), you can put it
> between the upstream box and the box getting the mystery traffic.

I have that somewhere as a doorstop, I think.
But I don't think that I can put a physical hub between a Dom0 and a
virtual DomU. ;-)

> 3) you can build an ethernet tap.
>
>     http://enigmacurry.com/category/electronics/

That also requires physical access.

> 4) if you have a spare box you can stick two ethernet cards into,
> you can manually configure a bridge using command line tools,
> or just install one of many linux based router distributions.

Plenty of spare boxes, but no physical access.

> 5) There may be other options depending on what the current upstream
> box is.
>
> Once you have a hardware configuration that supports capturing all the
> traffic, before it gets to the firewall filters that drop the traffic
> before you see it, then you can use wireshark to analyze the traffic,
> or, if the box capturing the traffic is not running X, you can use
> tcpdump to capture a binary file first, then ftp it to a box with X and
> a wireshark.

That's what the other guy did (who runs the Dom0). He sent me the
wireshark analysis and that showed a lot of traffic from 193.190.67.15
(Belnet).
Next thing I'll do is ask him to ftp me the dump file. But not today.
Sleep needed. Have to get up in 5 hours, and I drank one Nalu too much.
:-D

--
Amedee
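As an added example (not code from the original thread, nor from Ubuntu or Xen), here is the analysis step the Dom0 operator's Wireshark pass amounts to: reading a tcpdump capture file and tallying bytes per source IPv4 address to find the top talker. The pcap is constructed in memory so the script runs offline; the frames are synthetic, the 193.190.67.15 address is the one named in the message above, and the byte counts are made up for the demonstration. It counts the original wire length of each frame (not the captured length), so a capture taken with a short snaplen still gives correct volumes.

```python
"""Top talkers from a classic pcap file: bytes per IPv4 source address."""
import io
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4        # microsecond-resolution pcap, as tcpdump -w writes
LINKTYPE_ETHERNET = 1


def build_pcap(packets):
    """Write a little-endian pcap file from (timestamp, frame) pairs (for test data)."""
    out = io.BytesIO()
    out.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for ts, frame in packets:
        sec, usec = divmod(int(ts * 1_000_000), 1_000_000)
        out.write(struct.pack("<IIII", sec, usec, len(frame), len(frame)))
        out.write(frame)
    return out.getvalue()


def ethernet_ipv4_frame(src_ip, dst_ip, payload_len):
    """Constructed Ethernet/IPv4/UDP-ish frame with a zero payload (test data only)."""
    eth = b"\x00" * 6 + b"\x00" * 6 + b"\x08\x00"          # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + payload_len, 0, 0, 64, 17, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    return eth + ip + b"\x00" * payload_len


def iter_pcap(data):
    """Yield (timestamp, captured bytes, original wire length) for each record."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:          # same magic seen from a big-endian writer
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng not handled here)")
    linktype = struct.unpack(end + "IHHiIII", data[:24])[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type handled")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl_len, orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield sec + usec / 1e6, data[off:off + incl_len], orig_len
        off += incl_len


def bytes_by_source(data):
    """Sum original wire length per IPv4 source address; non-IPv4 frames are skipped."""
    totals = defaultdict(int)
    for _, frame, orig_len in iter_pcap(data):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
            continue
        src = ".".join(str(b) for b in frame[26:30])   # IPv4 source at eth(14)+12
        totals[src] += orig_len
    return dict(totals)


def top_talkers(data, n=3):
    """Highest-volume source addresses first, as (address, bytes) pairs."""
    return sorted(bytes_by_source(data).items(), key=lambda kv: -kv[1])[:n]


# Constructed sample capture: one host flooding 1400-byte payloads, two quiet ones.
SAMPLE_PCAP = build_pcap(
    [(t, ethernet_ipv4_frame("193.190.67.15", "10.0.0.2", 1400)) for t in range(50)]
    + [(t + 0.5, ethernet_ipv4_frame("10.0.0.5", "10.0.0.2", 100)) for t in range(5)]
    + [(t + 0.7, ethernet_ipv4_frame("8.8.8.8", "10.0.0.2", 60)) for t in range(2)]
)

if __name__ == "__main__":
    for addr, total in top_talkers(SAMPLE_PCAP):
        print(f"{addr:>16} {total:>10} bytes")
```

On the Dom0 the capture itself is the ordinary `tcpdump -n -w mystery.pcap -i <interface>` run; with Xen bridged networking the DomU's traffic is typically visible on that guest's `vif` interface in Dom0, which is the point upstream of the DomU's own firewall that the earlier reply was describing. Run the script against the resulting file (`iter_pcap(open("mystery.pcap", "rb").read())`) instead of `SAMPLE_PCAP`; only the IP header is needed, so a short snaplen keeps the file small while the per-source totals stay exact.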
