
Jason White <jason@jasonjgw.net> writes:
Michael Lindner <michael@tropyx.com> wrote:
Wireshark FTW! One way is to run Snort on the server and use WS to analyse the output.
Or tshark if you want to run it on the server, using a read filter (the -R option, see wireshark-filter(5) for details) to filter out traffic that you regard as legitimate.
tcpdump has fewer dependencies than tshark. IME best practice is to put tcpdump on your router, run tcpdump -wfoo.pcap (or to a stream, if you have no disk), and then analyze that elsewhere with tshark/wireshark. I cannot comment on snort; I haven't tried it.
Even just running it for a minute or so and looking at the output might be enough to identify the offending protocol.
+1. Last time this happened to me, I added a couple of "and not port 22 and not host me" type constraints and immediately went "hey, $brother, are you talking to random-asshole.ru and other-asshole.cn deliberately?" (His machine was doubtless full of viruses and botnets and suchlike. Or maybe just bittorrent.)
I'm not the right person to ask if you need help with the filter language; I've only used it occasionally with relatively simple filter expressions.
There are actually two -- the precapture language uses "dst foo", "port foo" and "tcp" and connects them "and"; the postcapture one looks more like C: "ip.dest==1.2.3.4 && tcp.port=17". I can usually guess the former, but I always forget the latter. Wireshark is helpful in this regard (at least to sighted people, sorry Jason) because it has a little GUI query builder thingy to remind you it's tcp.port, not ip.port, and && not &.
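The two steps the thread keeps coming back to (capture with tcpdump, then look at the capture with everything you already trust filtered out) can be tried without tshark installed. The following is an added example and not code from anyone in this thread: it builds a small classic-pcap file from constructed IPv4 TCP/UDP frames (RFC 5737 documentation addresses), reads it back, and counts the outbound conversations from "my" host that are not on an allowlist of ports, which is the same idea as the "and not port 22 and not host me" constraints above. It also emits the equivalent tcpdump capture filter (BPF, "host"/"port" joined by "and") and tshark display filter (C-like fields joined by "&&") for the same allowlist, so the two languages described above can be compared side by side. The host address, port allowlist and traffic are all assumptions made for the example.

```python
"""Summarize outbound talkers in a pcap while excluding traffic you already
regard as legitimate. Added example, not from the thread; pure Python."""
import socket
import struct
from collections import Counter

LINKTYPE_ETHERNET = 1
PROTO_TCP, PROTO_UDP = 6, 17


def capture_filter(my_ip, allowed_ports):
    """tcpdump/BPF capture-filter form: 'host', 'port', joined by 'and'."""
    terms = [f"src host {my_ip}"] + [f"not port {p}" for p in sorted(allowed_ports)]
    return " and ".join(terms)


def display_filter(my_ip, allowed_ports):
    """Wireshark/tshark display-filter form: C-like field tests joined by '&&'."""
    terms = [f"ip.src == {my_ip}"]
    terms += [f"!(tcp.port == {p} || udp.port == {p})" for p in sorted(allowed_ports)]
    return " && ".join(terms)


def make_packet(src_ip, dst_ip, proto, sport, dport):
    """Build a constructed Ethernet/IPv4/TCP-or-UDP frame (checksums left zero)."""
    payload = b"x" * 8
    if proto == PROTO_TCP:  # 20-byte TCP header, SYN flag, no options
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    else:                   # 8-byte UDP header
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    total = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", 0x0800)
    return eth + ip + l4 + payload


def build_pcap(frames):
    """Classic little-endian pcap: 24-byte global header, 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_frames(pcap):
    """Yield the raw link-layer bytes of each record in a classic pcap file."""
    magic, = struct.unpack("<I", pcap[:4])
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file")
    linktype, = struct.unpack(endian + "I", pcap[20:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def parse_frame(frame):
    """Return (src, dst, proto, sport, dport) for IPv4 TCP/UDP frames, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    l4 = frame[14 + ihl:]
    if proto not in (PROTO_TCP, PROTO_UDP) or len(l4) < 4:
        return None
    sport, dport = struct.unpack("!HH", l4[:4])
    return src, dst, proto, sport, dport


def suspicious_talkers(pcap, my_ip, allowed_ports):
    """Count outbound (dst, proto, dport) conversations from my_ip, dropping
    anything on an already-vetted port (the 'and not port 22' idea)."""
    counts = Counter()
    for frame in iter_frames(pcap):
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, dst, proto, sport, dport = parsed
        if src != my_ip or sport in allowed_ports or dport in allowed_ports:
            continue
        counts[(dst, "tcp" if proto == PROTO_TCP else "udp", dport)] += 1
    return counts


# Constructed sample capture: one host, a couple of vetted services, and a
# chatty peer on 6881 that would stand out in the summary.
ME = "192.0.2.10"
ALLOWED = {22, 53}
SAMPLE_PCAP = build_pcap([
    make_packet(ME, "192.0.2.1", PROTO_TCP, 40000, 22),      # ssh, allowlisted
    make_packet(ME, "198.51.100.7", PROTO_TCP, 40001, 443),  # https
    make_packet(ME, "203.0.113.9", PROTO_TCP, 40002, 6881),
    make_packet(ME, "203.0.113.9", PROTO_TCP, 40002, 6881),
    make_packet(ME, "203.0.113.9", PROTO_UDP, 40003, 6881),
    make_packet("192.0.2.1", ME, PROTO_TCP, 22, 40000),      # inbound, ignored
    make_packet(ME, "192.0.2.53", PROTO_UDP, 50000, 53),     # dns, allowlisted
])

if __name__ == "__main__":
    print("capture filter:", capture_filter(ME, ALLOWED))
    print("display filter:", display_filter(ME, ALLOWED))
    for (dst, proto, port), n in suspicious_talkers(SAMPLE_PCAP, ME, ALLOWED).most_common():
        print(f"{n:4d}  {dst}:{port}/{proto}")
```

On a real capture, replace SAMPLE_PCAP with the bytes of the file written by `tcpdump -w foo.pcap` on the router; the capture-filter string can be passed to tcpdump at capture time to keep known-good traffic out of the file, and the display-filter string to tshark afterwards to hide it when reading.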