Hello all, I am having a problem here. Here at our 200 node network we have a firewall in place. It can only have a 2048 active connection limit. Well, I noticed our internet has been real sluggish, and it's only because the firewall has hit its limit. 2048 sessions is way too high compared to our regular 50 active connections. I am suspecting we have computers that are infected with some type of virus. What is the easiest way to pinpoint which computers are making all these requests?
March 31st, 2004, 05:11 PM
Sniffing, Ethereal, tcpdump... or setting very verbose logging on your firewall and reading the logs. Could be a couple of people using P2P programs. I find it a little strange that you are in charge of 200 computers and cannot figure this out; it is very basic.
March 31st, 2004, 05:33 PM
What type of firewall (software or hardware) do you have installed, as it may make a difference in the tools used to solve the problem?
Also, are all your computers installed with up-to-date antivirus?
In any case, check your logs to see if they give you some hint as to what is happening.
March 31st, 2004, 05:52 PM
Sounds like you most likely have a system, or more than one system, with a worm. The easiest way I've found to locate it is to set up a system running Ethereal on a spanned port that can sniff the traffic heading for the firewall. Run a capture in promiscuous mode to capture all packets passing by the interface.
Using a filter of:
dst net not [your internal network]
Replace [your internal network] with something like 172.30 or 192.168.252 depending on your network configuration.
This will help you narrow down the results, since it will grab only traffic heading out of the network. Depending on your traffic, you will probably only want to do a 5 or 10 second capture.
In that capture you are looking for a system in your network sending packets to lots of external destinations many times in the same range.
Once you locate one, go run virus scans on it and/or remove it from the network and see if the problem goes away. You may have more than one system causing the issue.
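As an added illustration of the hunt described in the post above (not code from the poster), the script below applies the same "dst net not internal" idea to a constructed packet summary and ranks internal hosts by how many distinct external destinations they hit, noting how much of that fans into a single /24. The internal network 192.168.252.0/24 and all addresses are assumed sample values.

```python
import ipaddress
from collections import defaultdict

# Constructed sample capture, summarised to "src dst" pairs per packet;
# 192.168.252.0/24 is assumed to be the internal network. Not real data.
INTERNAL_NET = ipaddress.ip_network("192.168.252.0/24")
SAMPLE_PACKETS = (
    # a noisy host hitting 40 hosts in one external /24, like a scanning worm
    [f"192.168.252.17 203.0.113.{i}" for i in range(1, 41)]
    # a normal host: a few packets to two external servers
    + ["192.168.252.20 198.51.100.8"] * 5 + ["192.168.252.20 198.51.100.9"] * 3
    # internal-only traffic, which the "dst net not internal" filter drops
    + ["192.168.252.5 192.168.252.10"] * 4
)

def parse_packets(lines):
    """Turn 'src dst' text lines into (src, dst) address tuples."""
    pairs = []
    for line in lines:
        src, dst = line.split()[:2]
        pairs.append((ipaddress.ip_address(src), ipaddress.ip_address(dst)))
    return pairs

def outbound_only(pairs, internal=INTERNAL_NET):
    """Equivalent of the capture filter 'dst net not <internal>': keep only
    packets whose destination is outside the internal network."""
    return [(s, d) for s, d in pairs if d not in internal]

def destinations_per_host(pairs):
    """Map each source address to the set of distinct destinations it sent to."""
    dests = defaultdict(set)
    for src, dst in pairs:
        dests[src].add(dst)
    return dests

def suspect_hosts(pairs, min_destinations=20):
    """Return (src, distinct_dst_count, share_in_busiest_/24) for sources
    talking to at least min_destinations distinct external hosts, noisiest
    first. A high share in one /24 matches the 'same range' pattern."""
    report = []
    for src, dests in destinations_per_host(outbound_only(pairs)).items():
        if len(dests) < min_destinations:
            continue
        by_range = defaultdict(int)
        for d in dests:
            by_range[ipaddress.ip_network(f"{d}/24", strict=False)] += 1
        share = max(by_range.values()) / len(dests)
        report.append((str(src), len(dests), round(share, 2)))
    return sorted(report, key=lambda r: r[1], reverse=True)

if __name__ == "__main__":
    for host, n, share in suspect_hosts(parse_packets(SAMPLE_PACKETS)):
        print(f"{host}: {n} distinct external destinations, {share:.0%} in one /24")
```

On a real capture you would feed it the source and destination columns of the filtered packets instead of SAMPLE_PACKETS; the threshold is a starting point to tune against the network's normal fan-out.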