Hi,
I am not asking here how to detect a rootkit, etc. But...
Is there a way to tell that some network activity is harmless? Beyond suspicion, that is. For instance, I've got something like 5 K/s traffic on eth0, doing nothing, on my desktop. Is there an easy way to check its nature?
Last edited by Llama (2012-03-13 11:42:33)
Wireshark is your friend in that case. Just let the capture run for a little bit while you're "doing nothing".
Burninate!
Also
lsof -i
will show currently open network connections.
"...one cannot be angry when one looks at a penguin." - John Ruskin
"Life in general is a bit shit, and so too is the internet. And that's all there is." - scepticisle
Thanks! I've run lsof and started wireshark. GTK GUI looks nice, but it's just as I feared: I wouldn't know a red flag when I see it. There's way too much info on network security; I'm completely at sea as to where to start. Any suggestion is extremely welcome.
Last edited by Llama (2012-03-13 12:58:10)
You can post the logs here if you feel it's safe.
Also, use iftop to see where the connections are being made.
As soon as I try to close Wireshark, I get a message: "Save capture file before program quit?" [Quit without saving/Cancel]. Meanwhile, File->Save is grayed out...
snort is a good IDS with good filters/rules configuration, ettercap (has arp poisoning and other detection plugins), Wireshark is obv a good recommendation (learn to use its protocol filters etc).
Last edited by xs (2012-03-13 18:12:11)
I like pie. Especially with a side of Arch.
As soon as I try to close Wireshark, I get a message: "Save capture file before program quit?" [Quit without saving/Cancel]. Meanwhile, File->Save is grayed out...
Make sure to stop your capture (Capture --> Stop) before closing.
Burninate!
You can post the logs here if you feel it's safe.
Also, use iftop to see where the connections are being made.
I've got a good sample capture file, 3.8M. It's a binary. How am I supposed to post it here?
Just upload it to one of the free upload services (Google "free upload" and you'll get tons) and link it here.
Burninate!
links deleted
Last edited by Llama (2012-03-24 14:36:07)
I can't tell much from the logs, but I do see that a lot of udp connections are being made on port 59452. It seems that port 59452 is open and only accepting udp traffic.
Are you running some torrent client? If you are, and are using dht, then that can explain the traffic, as dht stays active even if you are not running any active torrents (but the client is on).
If this isn't the case, try iftop, it displays the active connections on the top right, and even tells the amount of traffic being exchanged with each ip. Though, it won't tell the protocol being used and other details.
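The diagnosis in the post above (one process holding a single UDP port open and talking to many different peers, which is what a DHT node looks like) can be checked from the `lsof -i` output suggested earlier without reading it line by line. The script below is an added example and is not from this thread or from any of the posters; it parses a constructed sample of `lsof -i -n -P` output (the process names, PIDs, addresses and ports in `SAMPLE_LSOF` are made up), groups sockets by process, protocol and local port, counts distinct remote peers, and reports which entries are not in an operator-defined baseline of expected services (`KNOWN_BASELINE`, also an assumption).

```python
from collections import defaultdict

# Constructed sample of `lsof -i -n -P` output; nothing here comes from the
# thread's real capture. Documentation/test-net addresses are used for peers.
SAMPLE_LSOF = """\
COMMAND    PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
deluged   1234 llama   12u  IPv4  23456      0t0  UDP *:59452
deluged   1234 llama   14u  IPv4  23458      0t0  UDP 192.168.1.5:59452->203.0.113.7:6881
deluged   1234 llama   15u  IPv4  23459      0t0  UDP 192.168.1.5:59452->198.51.100.9:51413
deluged   1234 llama   13u  IPv4  23457      0t0  TCP 192.168.1.5:51234->203.0.113.7:6881 (ESTABLISHED)
firefox   2345 llama   40u  IPv4  34567      0t0  TCP 192.168.1.5:41000->198.51.100.20:443 (ESTABLISHED)
sshd       800 root     3u  IPv4   9876      0t0  TCP *:22 (LISTEN)
"""

# Assumed baseline: the (command, protocol, local port) tuples the operator
# expects to see on this machine. Anything else is worth a second look.
KNOWN_BASELINE = {("sshd", "TCP", "22")}


def parse_lsof(text):
    """Turn `lsof -i -n -P` output into a list of socket records."""
    records = []
    for line in text.splitlines():
        # The NAME column can contain spaces ("addr (STATE)"), so split at most 8 times.
        fields = line.split(None, 8)
        if len(fields) < 9 or fields[0] == "COMMAND":
            continue
        cmd, pid, user, _fd, _type, _dev, _off, node, name = fields
        if node not in ("TCP", "UDP"):
            continue
        endpoint, _, state = name.partition(" ")
        local, _, remote = endpoint.partition("->")
        records.append({
            "cmd": cmd, "pid": int(pid), "user": user, "proto": node,
            "local": local, "local_port": local.rsplit(":", 1)[-1],
            "remote": remote or None, "state": state.strip("()") or None,
        })
    return records


def summarize(records):
    """Group by (command, protocol, local port): distinct peers and whether the port is open."""
    summary = defaultdict(lambda: {"peers": set(), "listening": False})
    for r in records:
        entry = summary[(r["cmd"], r["proto"], r["local_port"])]
        if r["remote"]:
            entry["peers"].add(r["remote"])
        elif r["state"] == "LISTEN" or (r["proto"] == "UDP" and r["local"].startswith("*")):
            # A TCP LISTEN socket, or an unconnected UDP socket bound to all interfaces.
            entry["listening"] = True
    return dict(summary)


def many_peer_udp(summary, threshold=2):
    """UDP ports on which one process talks to many distinct peers (the DHT-like pattern)."""
    return sorted(k for k, v in summary.items()
                  if k[1] == "UDP" and len(v["peers"]) >= threshold)


def unexpected(summary, baseline=KNOWN_BASELINE):
    """Entries outside the operator's baseline, busiest (most peers) first."""
    return sorted((k for k in summary if k not in baseline),
                  key=lambda k: (-len(summary[k]["peers"]), k))


if __name__ == "__main__":
    s = summarize(parse_lsof(SAMPLE_LSOF))
    for cmd, proto, port in unexpected(s):
        v = s[(cmd, proto, port)]
        print(f"{cmd:10} {proto} port {port:6} peers={len(v['peers']):3} "
              f"open={'yes' if v['listening'] else 'no'}")
    print("DHT-like UDP ports:", many_peer_udp(s))
```

To use it on a live box, replace `SAMPLE_LSOF` with the output of `lsof -i -n -P` (the `-n -P` flags keep addresses and ports numeric so the parsing holds), and put the services you deliberately run into `KNOWN_BASELINE`; what remains is the list to explain, and a single UDP port with many peers from a torrent client is the DHT behaviour described in the post.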
It's been my hunch, too. I do seed, DHT on. The funny thing is, the logs reflect periods of deluged (I use deluge) inactivity (stopped). It looks like a case of life after death. After reboot the funny activity settles down to zero (not right away, though).