Switches, Hubs, and Modems
09-18-2009 11:48 AM
Hunt down an abusive node?
We have an SMB with ~45 clients on a Procurve 2900-48G, a SonicWall NSA2400 router/VPN, and a Cisco IAD2400 with a bonded T1.
Last week the SonicWall started crapping out, killing the WAN every 2-20 minutes of uptime. The only remedy is a power cycle, until the next crash.
SonicWall looked at debug info of their router and concluded that it's neither a hardware nor configuration failure, but the culprit is somewhere in the LAN.
Which brings me to my question here: how do I start narrowing down the search, and where do I look if there are no immediate red flags on the ProCurve? I can roam around in Wireshark but am no packet analysis expert.
I can start bringing down the heaviest bandwidth users one by one, but this seems a bit too brute-force.
09-24-2009 02:07 AM
Re: Hunt down an abusive node?
You can use a tool to monitor the bandwidth of the switch's ports.
You could use www.cacti.net or MRTG, for example.
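Cacti and MRTG graph the IF-MIB byte counters (ifInOctets/ifOutOctets) of each switch port by polling them on a fixed interval and dividing the delta by the interval. The script below is an added example, not from this thread and not Cacti or MRTG code, that reproduces that arithmetic so you can see what a "top port" ranking actually rests on, including the one place it goes wrong on a busy port: the 32-bit counter wrapping between polls. The polling interval and all counter values are constructed sample data.

```python
"""Rank switch ports by throughput from two SNMP interface-counter polls.

Added example (not from the thread or from Cacti/MRTG): it reproduces the
arithmetic those tools do on IF-MIB ifInOctets/ifOutOctets. All counter
values below are constructed sample data, not output of a real poll.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

COUNTER32_MAX = 2 ** 32          # ifInOctets/ifOutOctets are 32-bit and wrap
INTERVAL_S = 300                 # assumed polling interval (5 minutes)

# ifIndex -> (port name, ifInOctets, ifOutOctets) at poll time t0 (constructed)
SNAP_T0: Dict[int, Tuple[str, int, int]] = {
    1: ("1", 1_000_000, 5_000_000),
    2: ("2", COUNTER32_MAX - 1_000, 700_000),   # about to wrap
    3: ("3", 0, 0),
    4: ("4", 9_999, 9_999),                      # missing in t1 (link went down)
}
# The same ports 300 s later (constructed)
SNAP_T1: Dict[int, Tuple[str, int, int]] = {
    1: ("1", 38_500_000, 5_000_000),
    2: ("2", 29_999_000, 700_000),               # wrapped: 30 MB transferred
    3: ("3", 2_250_000_000, 375_000_000),        # the heavy talker
}


@dataclass(frozen=True)
class PortRate:
    ifindex: int
    name: str
    in_bps: float
    out_bps: float

    @property
    def total_bps(self) -> float:
        return self.in_bps + self.out_bps


def counter_delta(old: int, new: int, width: int = COUNTER32_MAX) -> int:
    """Growth of a monotonic SNMP counter between two polls, correcting for a
    single wrap. A gigabit port can wrap a 32-bit byte counter more than once
    in five minutes, which is why pollers prefer 64-bit ifHCInOctets."""
    if new >= old:
        return new - old
    return (width - old) + new


def port_rates(snap_t0: Dict[int, Tuple[str, int, int]],
               snap_t1: Dict[int, Tuple[str, int, int]],
               interval_s: int) -> List[PortRate]:
    """Per-port bit rates from two counter snapshots, busiest port first.
    Ports absent from either snapshot are skipped (no delta is possible)."""
    rates: List[PortRate] = []
    for ifindex, (name, in0, out0) in snap_t0.items():
        if ifindex not in snap_t1:
            continue
        _, in1, out1 = snap_t1[ifindex]
        in_bps = counter_delta(in0, in1) * 8 / interval_s
        out_bps = counter_delta(out0, out1) * 8 / interval_s
        rates.append(PortRate(ifindex, name, in_bps, out_bps))
    return sorted(rates, key=lambda r: r.total_bps, reverse=True)


def utilisation_pct(rate: PortRate, link_bps: float) -> float:
    """Utilisation of a full-duplex link: the busier direction against link speed."""
    return 100.0 * max(rate.in_bps, rate.out_bps) / link_bps


if __name__ == "__main__":
    for r in port_rates(SNAP_T0, SNAP_T1, INTERVAL_S):
        print(f"port {r.name:>3}: in {r.in_bps / 1e6:6.2f} Mbps  "
              f"out {r.out_bps / 1e6:6.2f} Mbps  "
              f"util {utilisation_pct(r, 1e9):5.2f}% of 1 GbE")
```

Port 2 is the case to watch: read naively, its counter went "backwards" and a poller that does not correct for the wrap either drops the sample or graphs a spike. A ranking like this finds the heaviest talker, which is useful on its own, but a host that is crashing a firewall with small, numerous packets or connections will not necessarily sit at the top of a bytes-per-port graph.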
09-24-2009 08:26 AM
Re: Hunt down an abusive node?
Hi,
You should try out the ProCurve Manager plugin called Network Immunity Manager, from ProCurve. This is exactly the kind of task it's designed to perform. It analyzes sFlow data gathered by PCM from your devices and looks for common traffic patterns that underlie most network attacks, and when it finds suspicious traffic it will tell you what it thinks is happening, who is doing it, and where they're attached to the network. You don't have to have sFlow throughout the whole network, and you don't have to have it on the edge ports where the attacker is located to find them. If this isn't enough data to determine exactly what is happening, it at least gets you to the point where you can use deeper analysis in a more directed fashion (e.g. port mirroring from the attacker's port of attachment to Wireshark or an IDS).
You don't mention whether you're using ProCurve Manager or not, but if not you can try it with Network Immunity Manager for free for 60 days. It would be worth a couple of hours to try when you compare it to the time you are facing with Wireshark as your analysis tool.
Regards,
SVB
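The reply above describes the approach in general terms: sFlow gives you a 1-in-N sample of packets with the ingress port attached, and an analyser scales the samples up and looks for traffic shapes (one source touching a large number of destinations, for instance) rather than raw volume, then names the host and the port it is attached to. The script below is an added example, not the thread's text and not ProCurve Manager or Network Immunity Manager code, showing a minimal version of that analysis. The sampling rate, the fan-out threshold, and every address, port and sample in it are constructed.

```python
"""Find the host behind a destination sweep in sFlow-style packet samples.

Added example (not from the thread and not ProCurve Manager / Network
Immunity Manager code): a minimal version of the analysis such tools run on
sFlow, i.e. scale each sampled packet by the sampling rate, then look for a
source that touches far more distinct destinations than normal traffic does.
All samples, addresses, ports and the sampling rate below are constructed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, NamedTuple, Set

SAMPLING_RATE = 512   # assumed sFlow 1-in-N packet sampling rate (constructed)


class FlowSample(NamedTuple):
    ingress_port: int   # switch port the packet arrived on: where the host is attached
    src: str
    dst: str
    dst_port: int
    proto: str
    length: int         # bytes on the wire of the sampled packet


@dataclass(frozen=True)
class Finding:
    kind: str
    src: str
    ingress_port: int
    distinct_dsts: int
    est_bytes: int      # sampled bytes scaled up by the sampling rate


def estimated_bytes_per_port(samples: List[FlowSample]) -> Dict[int, int]:
    """Traffic volume attributed to each ingress port, scaled by the sampling rate."""
    per_port: Counter = Counter()
    for s in samples:
        per_port[s.ingress_port] += s.length * SAMPLING_RATE
    return dict(per_port)


def find_destination_sweeps(samples: List[FlowSample],
                            fanout_threshold: int = 10) -> List[Finding]:
    """Flag sources that contact at least fanout_threshold distinct destinations
    and report the switch port they were most often seen entering on. The
    threshold is an assumed value; tune it against the site's normal fan-out."""
    dsts: Dict[str, Set[str]] = defaultdict(set)
    ports: Dict[str, Counter] = defaultdict(Counter)
    est_bytes: Counter = Counter()
    for s in samples:
        dsts[s.src].add(s.dst)
        ports[s.src][s.ingress_port] += 1
        est_bytes[s.src] += s.length * SAMPLING_RATE
    findings: List[Finding] = []
    for src, seen in dsts.items():
        if len(seen) >= fanout_threshold:
            port = ports[src].most_common(1)[0][0]
            findings.append(Finding("destination sweep", src, port,
                                    len(seen), est_bytes[src]))
    return sorted(findings, key=lambda f: f.distinct_dsts, reverse=True)


# Constructed samples: a client on port 5 moving bulk data to two servers, and
# a host on port 23 touching TCP/445 on thirty consecutive addresses.
SAMPLES: List[FlowSample] = [
    FlowSample(5, "192.168.1.10", "192.168.1.2", 445, "tcp", 1500),
    FlowSample(5, "192.168.1.10", "192.168.1.3", 443, "tcp", 1500),
] + [
    FlowSample(23, "192.168.1.77", f"192.168.2.{i}", 445, "tcp", 64)
    for i in range(1, 31)
]


if __name__ == "__main__":
    for port, nbytes in sorted(estimated_bytes_per_port(SAMPLES).items()):
        print(f"port {port:>2}: ~{nbytes:,} bytes")
    for f in find_destination_sweeps(SAMPLES):
        print(f"{f.kind}: {f.src} on port {f.ingress_port}, "
              f"{f.distinct_dsts} destinations, ~{f.est_bytes:,} bytes")
```

Note what the two views disagree on: by estimated volume the bulk-transfer client on port 5 is the bigger talker, yet the host on port 23 is the one whose port you would mirror to Wireshark next, because its pattern (many destinations, one service port, tiny packets) is the kind a stateful firewall spends memory and CPU tracking. That is the point of the reply above: a per-port bandwidth graph answers "who is busiest", while sFlow pattern analysis answers "who is behaving oddly, and where are they plugged in".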
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.
© Copyright 2024 Hewlett Packard Enterprise Development LP