On Thu, Jan 24, 2008 at 03:26:37PM -0800, jacob c wrote:
> I have a linux load balancer appliance where some user is constantly
> making too many connections to some unknown ip address. When this
> happens it eventually uses up all 65,000 ports. Is there some way
> to take a massive capture and then filter it out in wireshark by top
> port talkers and/or top syn attempts by ip address? Any info would be
> very much appreciated.
Well, in Wireshark you can use the "Endpoints" option under "Statistics".
This could give you the top 10 list of ip-addresses generating the most
packets or bytes.
If you just want SYN packets to be counted, you can either create a
2nd trace file with only the SYN packets and look at the endpoint
statistics in this new file,
or... you could use tshark with some command piping:
tshark -r <tracefile> -T fields -e ip.src "tcp.flags.syn==1 && tcp.flags.ack==0" | sort | uniq -c | sort -rn | head
I hope this helps,
Cheers,
Sake
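As an added illustration of what the tshark pipeline above computes (this is not Sake's code or part of the original thread), here is a small stand-alone Python script that reads a classic libpcap file, keeps only frames with SYN set and ACK clear (the same condition as `tcp.flags.syn==1 && tcp.flags.ack==0`), and prints the top SYN senders per source IP. The pcap bytes, hosts, and addresses are constructed inline for the example; the helper names `build_packet`, `build_pcap`, `count_syns`, and `top_syn_sources` are this example's own, not tshark's.

```python
"""Count TCP SYN-only packets per source IP in a pcap (what the tshark | sort | uniq -c pipeline does)."""
import struct
import socket
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4      # classic libpcap, little-endian on disk
LINKTYPE_ETHERNET = 1
TCP_SYN = 0x02
TCP_ACK = 0x10


def build_packet(src, dst, sport, dport, flags):
    """Build a minimal Ethernet/IPv4/TCP frame (constructed test data, no payload, zero checksums)."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)                  # zero MACs, ethertype IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,   # IHL=5, total len 40, proto TCP
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a classic libpcap file: global header plus one record header per frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1201000000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_frames(data):
    """Yield raw link-layer frames from a classic pcap byte string (little-endian magic only)."""
    magic, = struct.unpack("<I", data[:4])
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic (only classic little-endian pcap handled)")
    linktype, = struct.unpack("<I", data[20:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type handled")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return (src_ip, dst_ip, dport, flags) for an IPv4/TCP frame, or None for anything else."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6 or len(ip) < ihl + 20:      # not TCP, or TCP header truncated
        return None
    src = socket.inet_ntoa(ip[12:16])
    dst = socket.inet_ntoa(ip[16:20])
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    flags = tcp[13]
    return src, dst, dport, flags


def count_syns(data):
    """Count frames with SYN set and ACK clear per source IP (tcp.flags.syn==1 && tcp.flags.ack==0)."""
    counts = Counter()
    for frame in iter_frames(data):
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        src, _, _, flags = parsed
        if flags & TCP_SYN and not flags & TCP_ACK:
            counts[src] += 1
    return counts


def top_syn_sources(data, n=10):
    """The 'sort | uniq -c | sort -rn | head' step: top n (ip, count) pairs, highest first."""
    return count_syns(data).most_common(n)


# Constructed sample trace: one host opening many connections, one quieter host,
# plus a SYN/ACK reply and a bare ACK, neither of which must be counted.
SAMPLE_PCAP = build_pcap(
    [build_packet("10.0.0.5", "203.0.113.9", 40000 + i, 443, TCP_SYN) for i in range(5)]
    + [build_packet("10.0.0.7", "203.0.113.9", 50000 + i, 80, TCP_SYN) for i in range(2)]
    + [build_packet("203.0.113.9", "10.0.0.5", 443, 40000, TCP_SYN | TCP_ACK)]
    + [build_packet("10.0.0.5", "203.0.113.9", 40000, 443, TCP_ACK)]
)

if __name__ == "__main__":
    # Same shape of output as `uniq -c | sort -rn`: count, then address.
    for ip, n in top_syn_sources(SAMPLE_PCAP):
        print(f"{n:7d} {ip}")
```

On a real trace, replace `SAMPLE_PCAP` with the bytes of the capture file; the script only understands the classic pcap container with Ethernet framing, so a pcapng capture from a recent Wireshark would first need converting (for example with editcap) or a pcapng reader.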