I refer to this excellent article at the Everything Sysadmin Blog:
http://everythingsysadmin.com/archives/000054.html
He uses a nifty little shell command to collect useful statistics from tcpdump and explains the whole process very well.
In essence, infected computers (by viruses, malware or spyware) typically send out tonnes of address resolution requests that flood the network. These requests are in the form of ARP packets (ARP = Address Resolution Protocol). By sniffing the network for these packets and counting how many each host sends, one can easily tell which machine(s) are infected.
The command in question is:
tcpdump -l -n arp | egrep 'arp who-has' | head -100 | awk '{ print $NF }' |sort | uniq -c | sort -n
Each "arp who-has X tell Y" line ends with the requesting host Y, so awk '{ print $NF }' pulls out the requester, and sort | uniq -c | sort -n counts the requests per host over the first 100 requests seen, with the chattiest hosts at the bottom of the list.
See above for an explanation of how he got to that stage =)
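As an added example (not from this post or the linked article), the same counting logic in Python over a constructed sample of tcpdump output. It parses the "who-has X tell Y" addresses explicitly, because newer tcpdump prints "ARP, Request who-has X tell Y, length 28", where the last field is no longer the requester; it also records how many distinct hosts each requester asked for, which is a better sign of scanning than the raw count. The thresholds in suspects() are assumed values, not from the article.

```python
import re
from collections import defaultdict

# Matches both the older "arp who-has X tell Y" and the newer
# "ARP, Request who-has X tell Y, length 28" tcpdump formats (-n => numeric IPs).
ARP_REQ = re.compile(r"who-has ([0-9.]+),? tell ([0-9.]+)")

# Constructed sample of `tcpdump -l -n arp` output, not a real capture.
SAMPLE = """\
10:01:02.000001 arp who-has 192.168.1.1 tell 192.168.1.20
10:01:02.100002 ARP, Request who-has 192.168.1.2 tell 192.168.1.66, length 28
10:01:02.100003 ARP, Request who-has 192.168.1.3 tell 192.168.1.66, length 28
10:01:02.100004 ARP, Request who-has 192.168.1.4 tell 192.168.1.66, length 28
10:01:02.100005 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28
10:01:02.100006 ARP, Request who-has 192.168.1.5 tell 192.168.1.66, length 28
10:01:02.200007 arp who-has 192.168.1.1 tell 192.168.1.20
"""

def arp_request_counts(lines):
    """Count ARP requests per requesting host (the 'tell' address, the field
    the article's awk '{ print $NF }' picks out) and remember the distinct
    targets each requester asked for. Replies and non-ARP lines are skipped."""
    counts = defaultdict(int)
    targets = defaultdict(set)
    for line in lines:
        m = ARP_REQ.search(line)
        if not m:
            continue
        target, requester = m.group(1), m.group(2)
        counts[requester] += 1
        targets[requester].add(target)
    return counts, targets

def report(lines):
    """Same shape as the pipeline's output: (count, requester), ascending."""
    counts, _ = arp_request_counts(lines)
    return sorted((n, ip) for ip, n in counts.items())

def suspects(lines, min_requests=4, min_distinct_targets=3):
    """Hosts that sent many requests for many different targets (assumed thresholds)."""
    counts, targets = arp_request_counts(lines)
    return sorted(ip for ip in counts
                  if counts[ip] >= min_requests
                  and len(targets[ip]) >= min_distinct_targets)

if __name__ == "__main__":
    for n, ip in report(SAMPLE.splitlines()):
        print(f"{n:7d} {ip}")
    print("suspects:", suspects(SAMPLE.splitlines()))
```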