Switches, Hubs, and Modems

Hunt down an abusive node?

DrewLahat
New Member

We have an SMB with ~45 clients on a Procurve 2900-48G, a SonicWall NSA2400 router/VPN, and a Cisco IAD2400 with a bonded T1.

Last week the SonicWall started crapping out, killing the WAN every 2-20 minutes of uptime. The only remedy is a power cycle, until the next crash.

SonicWall looked at debug info of their router and concluded that it's neither a hardware nor configuration failure, but the culprit is somewhere in the LAN.

Which brings me to my question here: how do I start narrowing down the search, and where do I look if there are no immediate red flags on the ProCurve? I can roam around in Wireshark but am no packet analysis expert.

I can start bringing down the heaviest bandwidth users one by one, but this seems a bit too brute-force.
aojea
Frequent Advisor

Re: Hunt down an abusive node?

You can use a tool to monitor the bandwidth of the switch's ports.
You could use www.cacti.net or mrtg, for example.
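As an added example, not from the thread or from the Cacti/MRTG projects, this is the arithmetic those tools perform on the switch's polled IF-MIB ifInOctets/ifOutOctets counters to turn two polls into a per-port rate and a top-talker list. The poll data is constructed here (port numbers, 300 s interval, counter values), and it includes the 32-bit counter wraparound that a naive subtraction would turn into a huge negative rate.

```python
"""Per-port bandwidth from two polls of switch interface counters (MRTG/Cacti style)."""
from dataclasses import dataclass

COUNTER32_MAX = 2 ** 32  # ifInOctets/ifOutOctets are 32-bit Counter32 objects


@dataclass
class Sample:
    t: float          # poll time, seconds
    in_octets: int    # ifInOctets reading
    out_octets: int   # ifOutOctets reading


def counter_delta(prev: int, cur: int, width: int = COUNTER32_MAX) -> int:
    """Octets counted between two readings, correcting for one counter wrap."""
    if cur >= prev:
        return cur - prev
    return (width - prev) + cur


def port_rates_bps(prev: dict, cur: dict) -> dict:
    """Map port -> (in_bps, out_bps) for ports present in both polls."""
    rates = {}
    for port, s1 in cur.items():
        s0 = prev.get(port)
        if s0 is None or s1.t <= s0.t:
            continue  # new port or bad timestamp: no rate can be computed
        dt = s1.t - s0.t
        rates[port] = (counter_delta(s0.in_octets, s1.in_octets) * 8 / dt,
                       counter_delta(s0.out_octets, s1.out_octets) * 8 / dt)
    return rates


def top_talkers(rates: dict, n: int = 3) -> list:
    """Ports sorted by total (in + out) bits per second, busiest first."""
    return sorted(rates.items(), key=lambda kv: kv[1][0] + kv[1][1], reverse=True)[:n]


def ports_above(rates: dict, threshold_bps: float) -> list:
    """Ports whose in or out rate exceeds a threshold, e.g. a share of the WAN uplink."""
    return sorted(p for p, (i, o) in rates.items() if max(i, o) > threshold_bps)


# Constructed sample: two polls 300 s apart; port 1's ifInOctets wraps past 2^32.
PREV = {1: Sample(0.0, 4294960000, 1000), 2: Sample(0.0, 10000, 0), 3: Sample(0.0, 100, 100)}
CUR = {1: Sample(300.0, 3000000, 2000), 2: Sample(300.0, 70000, 30000), 3: Sample(300.0, 100, 100)}

if __name__ == "__main__":
    rates = port_rates_bps(PREV, CUR)
    for port, (i, o) in top_talkers(rates):
        print(f"port {port}: in {i:.0f} bps, out {o:.0f} bps")
```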
Steve Britt
Respected Contributor

Re: Hunt down an abusive node?

Hi,

You should try out the ProCurve Manager plugin called Network Immunity Manager, from ProCurve. This is exactly the kind of task it's designed to perform. It analyzes sFlow data gathered by PCM from your devices and looks for common traffic patterns that underlie most network attacks, and when it finds suspicious traffic it will tell you what it thinks is happening, who is doing it, and where they're attached to the network. You don't have to have sFlow throughout the whole network, and you don't have to have it on the edge ports where the attacker is located to find them. If this isn't enough data to determine exactly what is happening, it at least gets you to the point where you can use deeper analysis in a more directed fashion (e.g. port mirroring from the attacker's port of attachment to Wireshark or an IDS).

You don't mention whether you're using ProCurve Manager or not, but if not you can try it with Network Immunity Manager for free for 60 days. It would be worth a couple of hours to try when you compare it to the time you are facing with Wireshark as your analysis tool.

Regards,

SVB