
19 Nov 2012, 5:19 a.m., Michael Lindner <michael@tropyx.com> wrote:
Wireshark FTW! One way is to run Snort on the server and use WS to analyse the output.
Or tshark if you want to run it on the server, using a read filter (the -R option, see wireshark-filter(5) for details) to filter out traffic that you regard as legitimate. Even just running it for a minute or so and looking at the output might be enough to identify the offending protocol. I'm not the right person to ask if you need help with the filter language; I've only used it occasionally with relatively simple filter expressions.
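An added example (not part of Michael's message) of the triage he describes: it builds the "hide what we regard as legitimate" display filter from an allow-list, then tallies tshark field output by protocol and remote peer so the odd protocol stands out. The server address, the allow-list and the sample tshark output are constructed assumptions.

```python
from collections import Counter

# Constructed sample of tshark field output, as produced by e.g.
#   tshark -r capture.pcap -T fields -E separator=, -e ip.src -e ip.dst \
#          -e _ws.col.Protocol -e tcp.dstport -e udp.dstport
SAMPLE_TSHARK_OUTPUT = """\
10.0.0.5,203.0.113.10,TLSv1.2,443,
198.51.100.7,10.0.0.5,SSH,22,
10.0.0.5,192.0.2.53,DNS,,53
10.0.0.5,192.0.2.99,IRC,6667,
10.0.0.5,192.0.2.99,IRC,6667,
10.0.0.5,192.0.2.99,IRC,6667,
192.0.2.99,10.0.0.5,ICMP,,
10.0.0.5,203.0.113.10,HTTP,80,
"""
SERVER_IP = "10.0.0.5"  # assumption: the host whose traffic is being triaged
# Services we regard as legitimate on this server (assumption; adjust per host).
LEGIT_SERVICES = {("tcp", 22), ("tcp", 80), ("tcp", 443), ("udp", 53)}

def exclusion_filter(legit=LEGIT_SERVICES):
    """Build a Wireshark/tshark display filter that hides the allow-listed services."""
    terms = [f"{transport}.port == {port}" for transport, port in sorted(legit)]
    return "not (" + " or ".join(terms) + ")"

def parse_fields(text):
    """Parse comma-separated tshark field lines into one dict per packet."""
    packets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, tcp_port, udp_port = line.split(",")
        if tcp_port:
            transport, port = "tcp", int(tcp_port)
        elif udp_port:
            transport, port = "udp", int(udp_port)
        else:  # no transport port at all, e.g. ICMP
            transport, port = None, None
        packets.append({"src": src, "dst": dst, "proto": proto, "transport": transport, "port": port})
    return packets

def unexpected_traffic(packets, legit=LEGIT_SERVICES, server=SERVER_IP):
    """Count packets per (protocol, remote peer, port) that fall outside the allow-list."""
    counts = Counter()
    for p in packets:
        if (p["transport"], p["port"]) in legit:
            continue
        peer = p["dst"] if p["src"] == server else p["src"]
        counts[(p["proto"], peer, p["port"])] += 1
    return counts
```

The string from `exclusion_filter()` can be handed to tshark as a display filter with `-Y`, or with `-R` (which on current releases also needs `-2` for two-pass analysis).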