Ethereal-users: Re: [Ethereal-users] lan configuration for ethereal

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Gerald Combs <gerald@xxxxxxxxxxxx>
Date: Tue, 07 Jun 2005 09:35:28 -0500
Hansang Bae wrote:
> On 02:50 PM 6/2/2005, B MCC wrote:
> 
>>[snip: virus slamming the GW. Internet traffic slowed to a crawl]
>>I finally discovered the "show ip
>>nat translation" on the cisco router and that pointed
>>out the machine that the requests were coming from.
>>Could there have been a way to find this problem using
>>ethereal in our current configuration ? 
> 
> Sure.  You could have spanned the router's Ethernet port (your GW) and would have seen significant traffic due to the virus.  

If you're trying to track down a virus/worm outbreak across multiple
routers you could also use NetFlow (assuming it's supported on your
hardware).  Since NetFlow runs over UDP you can export each flow to the
workstation or laptop on which Ethereal is running, and Ethereal will
act like an ersatz collector.  Although you won't see the actual packets
generated by the virus or worm, NetFlow packets have enough information
to find scanning activity.
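As an added illustration (not code from the original thread or from the Ethereal project), the following Python snippet does in a few lines what the reply describes: it parses NetFlow v5 export datagrams the way a collector would and flags the scan signature of a worm, one source touching many distinct destinations with probe-sized flows. The export datagram, the addresses and the threshold of 20 targets are all constructed assumptions for the demo.

```python
import socket
import struct
from collections import defaultdict

# NetFlow v5 wire format: 24-byte header followed by up to 30 fixed 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")


def parse_netflow_v5(datagram):
    """Decode one v5 export datagram into a list of flow dicts."""
    version, count = V5_HEADER.unpack_from(datagram, 0)[:2]
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    flows = []
    for i in range(count):
        rec = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": socket.inet_ntoa(struct.pack("!I", rec[0])),
            "dst": socket.inet_ntoa(struct.pack("!I", rec[1])),
            "pkts": rec[5], "bytes": rec[6], "dport": rec[10], "proto": rec[13],
        })
    return flows


def find_scanners(flows, min_targets=20):
    """Sources that reached >= min_targets distinct hosts using tiny (<= 2 packet) flows."""
    targets = defaultdict(set)
    for f in flows:
        if f["pkts"] <= 2:  # a real session is longer; a probe is one or two packets
            targets[f["src"]].add(f["dst"])
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}


def build_v5_datagram(records):
    """Constructed export datagram (not a real router capture): records are (src, dst, dport, proto, pkts)."""
    ip = lambda a: struct.unpack("!I", socket.inet_aton(a))[0]
    body = b"".join(
        V5_RECORD.pack(ip(s), ip(d), 0, 1, 2, p, p * 60, 0, 0, 1025, dport, 0, 0x02, proto, 0, 0, 0, 24, 24, 0)
        for s, d, dport, proto, p in records)
    return V5_HEADER.pack(5, len(records), 0, 0, 0, 0, 0, 0, 0) + body


def demo_datagram():
    """Assumed scenario: 192.168.1.50 probes 25 hosts on tcp/445; 192.168.1.10 browses normally."""
    worm = [("192.168.1.50", f"10.0.0.{n}", 445, 6, 1) for n in range(1, 26)]
    normal = [("192.168.1.10", "10.0.0.5", 80, 6, 40), ("192.168.1.10", "10.0.0.6", 443, 6, 120),
              ("192.168.1.10", "10.0.0.7", 53, 17, 2)]
    return build_v5_datagram(worm + normal)


if __name__ == "__main__":
    print(find_scanners(parse_netflow_v5(demo_datagram())))  # {'192.168.1.50': 25}
```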