-
April 9th, 2003, 10:53 PM
#11
Junior Member
Could you not filter it to look for specific things like port 80 or winroute.cz? The only tool that I know that could filter as it's collecting would be something like Snort IDS, where you can create your own ruleset and have it only detect those that match that pattern. All others it just ignores and lets pass.
That's essentially what I did with windump. I filtered on traffic originating from my box, with a destination other than my internal net. Since I use a proxy server, all legitimate web traffic goes there, which is internal, so there wasn't much going directly outside. I was able to watch the traffic I sent out. I've got that problem pretty much under control.
What I'm still interested in, though, is something that would monitor the app that sent the packets. Your example of using snort, for instance, would enable me to see which computer is sending the packets, but that still doesn't tell me which application running on my machine is responsible for sending that packet.
Hmm... maybe a HIDS would, though. But I'm really looking for a forensic tool that can be lightly deployed on a given box to watch what app or process is generating it. I think that could be a useful tool. (Wish I had the coding skills...)
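Added example (editor's, not code from either poster): the "originated by my box, destination outside my internal net" filter described above, applied to constructed windump-style lines, followed by the step the post asks for, attributing each surviving packet to a local process. The attribution joins the packet's source port against a socket table in the shape of netstat -ano output and a PID-to-image map in the shape of tasklist output; that join is the editor's suggestion for the process question, not something the posters did. MY_BOX, INTERNAL_NETS, and all capture, socket and process lines are constructed sample data. A packet whose source port no longer appears in the socket table (a short-lived connection that closed before the table was read) comes back with pid None rather than being silently dropped, which is the usual reason this kind of correlation misses things.

```python
"""Filter outbound packets the way the post describes, then map each
survivor to a process by joining source port against a socket table.
All data below is constructed for the example; nothing is from a real
capture."""
import ipaddress
import re

MY_BOX = ipaddress.ip_address("192.168.1.10")            # assumed address of the monitored host
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16"),  # assumed internal ranges
                 ipaddress.ip_network("10.0.0.0/8")]

# Constructed lines, loosely in "windump -n" style: time IP src.port > dst.port: rest
CAPTURE = """\
22:51:01.100 IP 192.168.1.10.1045 > 192.168.1.5.3128: S 1:1(0) win 64240
22:51:01.230 IP 192.168.1.10.1046 > 195.39.55.4.80: S 1:1(0) win 64240
22:51:02.010 IP 192.168.1.5.3128 > 192.168.1.10.1045: . ack 1 win 17520
22:51:02.500 IP 192.168.1.10.1047 > 10.1.2.3.445: S 1:1(0) win 64240
22:51:03.000 IP 192.168.1.10.1046 > 195.39.55.4.80: P 1:200(199) ack 1 win 64240
22:51:04.000 IP 192.168.1.10.1048 > 195.39.55.4.53: udp 32
22:51:05.000 IP 192.168.1.10.1049 > 195.39.55.4.443: S 1:1(0) win 64240
"""

# Constructed socket table in "netstat -ano" shape: Proto Local Foreign [State] PID
SOCKETS = """\
TCP 192.168.1.10:1045 192.168.1.5:3128 ESTABLISHED 1120
TCP 192.168.1.10:1046 195.39.55.4:80 ESTABLISHED 2208
UDP 192.168.1.10:1048 *:* 912
"""

# Constructed PID -> image-name map, as "tasklist" would give it
PROCESSES = {1120: "iexplore.exe", 2208: "unknown.exe", 912: "svchost.exe"}

PKT_RE = re.compile(
    r"^(\S+) IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): (.*)$")


def parse_capture(text):
    """Yield one dict per parseable packet line; anything else is skipped."""
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue
        ts, src, sport, dst, dport, rest = m.groups()
        yield {"ts": ts,
               "src": ipaddress.ip_address(src), "sport": int(sport),
               "dst": ipaddress.ip_address(dst), "dport": int(dport),
               "proto": "UDP" if rest.lower().startswith("udp") else "TCP"}


def is_suspect(pkt):
    """The poster's filter: sent by my box, to a destination outside my internal nets."""
    return pkt["src"] == MY_BOX and not any(pkt["dst"] in net for net in INTERNAL_NETS)


def parse_sockets(text):
    """Map (proto, local port) -> PID from netstat -ano style lines."""
    table = {}
    for line in text.splitlines():
        proto, local, _foreign, *rest = line.split()
        pid = int(rest[-1])                    # PID is always the last column
        port = int(local.rsplit(":", 1)[1])
        table[(proto.upper(), port)] = pid
    return table


def attribute(capture=CAPTURE, sockets=SOCKETS, procs=PROCESSES):
    """Return rows (dst, dport, pid, image, packet_count) for suspect packets,
    sorted by destination and port. pid/image are None when the source port
    was not in the socket table at the time it was read."""
    table = parse_sockets(sockets)
    counts = {}
    for pkt in parse_capture(capture):
        if not is_suspect(pkt):
            continue
        pid = table.get((pkt["proto"], pkt["sport"]))
        key = (str(pkt["dst"]), pkt["dport"], pid, procs.get(pid))
        counts[key] = counts.get(key, 0) + 1
    return sorted((key + (n,) for key, n in counts.items()),
                  key=lambda row: (row[0], row[1]))


if __name__ == "__main__":
    for dst, dport, pid, image, n in attribute():
        print(f"{dst}:{dport:<5} pid={pid} image={image} packets={n}")
```

Run it as-is and only the three conversations that left the box for a non-internal address are reported: the proxy traffic and the SMB traffic to 10.1.2.3 are filtered out by the same rule the post describes, and the 443 connection is reported with no PID because its port never appeared in the socket table. That last case is why a snapshot of netstat is a weak substitute for a host-side tool that records the owning process at send time.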
-
April 10th, 2003, 12:29 AM
#12
Senior Member
OK, just a bit more information on the "whois" stuff (see below). But here it is in a nutshell: you stated you are "back in the states". You were using an ISP in Europe, most likely in the Czech Rep...? ns.winroute.cz is a DNS server on the network. It is a public server and is available for DNS lookups. You can replicate this information by going to a command prompt and typing nslookup (W2K or better), then typing: server ns.winroute.cz, hit enter, and you can do DNS lookups on that server. Why port 80... Can't tell you that one, but all in all I would not worry about this...
Paldie MCSE, CCNA, CCA, CCAI, CSSA, LMNOP
Summary:
Name: ignor.tinysw.cz
IP Address: 195.39.55.4
Location: PRAHA (50.090N, 14.410E)
Network: TINYSOFT-CZ
See Registrant Pane for registrant contact information.
Registrant:
This is the RIPE Whois secondary server.
The objects are in RPSL format.
Please visit http://www.ripe.net/rpsl for more information.
The object shown below is NOT in the RIPE database.
It has been obtained by querying a remote server:
(whois.nic.cz) at port 43.
To see the object stored in the RIPE database
use the -R flag in your query
REFERRAL START
This whois looks up records in off-line generated RIPE
databases maintained by the Czech Network Information
Center. Results needn't contain all available information,
see also on-line full information search service at the
web-site http://www.nic.cz/
Timestamp: 10.04.2003 (dd-mm-yyyy) 00:44 (hh:mm) CEST
domain: tinysw.cz
descr: Tiny Software CR, s.r.o.
descr: Plzen
admin-c: TH20-RIPE_XX
tech-c: TH20-RIPE_XX
bill-c: TINY-CZ
nserver: ns.winroute.cz ns.winroute.com
role: Tiny Software CR, s.r.o.
address: Sedlackova 16
address: Plzen
address: 301 11
address: The Czech Republic
admin-c: TH20-RIPE
tech-c: TH20-RIPE
nic-hdl: TH20-RIPE_XX
role: Tiny Software CR, s.r.o.
address: Sedlackova 16
address: Plzen
address: 301 11
address: The Czech Republic
nic-hdl: TINY-CZ
e-mail: tom@winroute.cz
person: Tomas Hnetila
address: Pobrezni 208
address: Blovice
address: 336 01
phone: +420 377338901
fax-no: +420 377328921
nic-hdl: TH20-RIPE
e-mail: Tom@TinySoftware.cz
Total 4 records
REFERRAL END
Network:
This is the RIPE Whois secondary server.
The objects are in RPSL format.
Please visit http://www.ripe.net/rpsl for more information.
inetnum: 195.39.55.0 - 195.39.55.255
netname: TINYSOFT-CZ
descr: Tiny Software CR, s.r.o.
country: CZ
admin-c: TH20-RIPE
tech-c: TH20-RIPE
status: ASSIGNED PA
mnt-by: GTSCZ-MNT
changed: filip.krupka@gtsgroup.cz 20021112
source: RIPE
route: 195.39.0.0/17
descr: GTSNET - II
origin: AS2819
mnt-by: GTSCZ-A-MNT
changed: tm@gts.cz 19980916
changed: mic@gts.cz 20021018
source: RIPE
person: Tomas Hnetila
address: Kerio Technologies
address: Sedlackova 16
address: Plzen
address: 301 11
address: The Czech Republic
phone: +420 377338901
fax-no: +420 377338921
e-mail: THnetila@kerio.com
nic-hdl: TH20-RIPE
notify: tom@winroute.cz
changed: tom@winroute.cz 19990524
changed: tkpv@cesnet.cz 20020920
source: RIPE
My other Computer is a 4000 node Beowulf Cluster
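Added example (editor's, not from the poster): a small parser for the RPSL-style whois output quoted above, the "key: value" objects RIPE returns, plus the check a reader actually wants from it, namely which inetnum and route objects cover the address that was being looked up. The WHOIS text in the block is a constructed excerpt modelled on the page's output, trimmed to three objects; the only assumption about the format is one attribute per line, repeated keys allowed, and that a line whose key is an object class (inetnum, route, person, role, domain, ...) starts a new object, which matters here because the extracted page has no blank lines between objects.

```python
"""Parse RPSL-style whois objects and find which ones cover an address.
The WHOIS text is a constructed excerpt modelled on the page's output."""
import ipaddress

# Attribute names that begin a new object (RIPE class keys; assumed list)
CLASS_KEYS = {"inetnum", "inet6num", "route", "route6", "aut-num",
              "person", "role", "domain"}

WHOIS = """\
inetnum: 195.39.55.0 - 195.39.55.255
netname: TINYSOFT-CZ
descr: Tiny Software CR, s.r.o.
country: CZ
admin-c: TH20-RIPE
tech-c: TH20-RIPE
status: ASSIGNED PA
mnt-by: GTSCZ-MNT
changed: filip.krupka@gtsgroup.cz 20021112
source: RIPE
route: 195.39.0.0/17
descr: GTSNET - II
origin: AS2819
mnt-by: GTSCZ-A-MNT
changed: tm@gts.cz 19980916
changed: mic@gts.cz 20021018
source: RIPE
person: Tomas Hnetila
address: Kerio Technologies
address: Plzen
nic-hdl: TH20-RIPE
source: RIPE
"""


def parse_rpsl(text):
    """Return a list of {"class": ..., "attrs": {key: [values...]}} objects.
    Objects are separated by blank/comment lines or by a new class key."""
    objects, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("%", "#")):   # separator or server comment
            if cur:
                objects.append(cur)
                cur = None
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if cur is None or key in CLASS_KEYS:
            if cur:
                objects.append(cur)
            cur = {"class": key, "attrs": {}}
        cur["attrs"].setdefault(key, []).append(value)   # repeated keys keep every value
    if cur:
        objects.append(cur)
    return objects


def inetnum_covers(obj, ip):
    """inetnum values are 'start - end' ranges, not CIDR."""
    lo, _, hi = obj["attrs"]["inetnum"][0].partition("-")
    return ipaddress.ip_address(lo.strip()) <= ip <= ipaddress.ip_address(hi.strip())


def route_covers(obj, ip):
    return ip in ipaddress.ip_network(obj["attrs"]["route"][0], strict=False)


def lookup(text, address):
    """Pull out the assignment and routing facts for one address."""
    ip = ipaddress.ip_address(address)
    result = {"netname": None, "country": None, "origin": None, "contacts": []}
    for obj in parse_rpsl(text):
        a = obj["attrs"]
        if obj["class"] == "inetnum" and inetnum_covers(obj, ip):
            result["netname"] = a.get("netname", [None])[0]
            result["country"] = a.get("country", [None])[0]
            result["contacts"] = sorted(set(a.get("admin-c", []) + a.get("tech-c", [])))
        elif obj["class"] == "route" and route_covers(obj, ip):
            result["origin"] = a.get("origin", [None])[0]
    return result


if __name__ == "__main__":
    print(lookup(WHOIS, "195.39.55.4"))
```

The two cover checks are deliberately different: inetnum is a "start - end" range, while route is a CIDR prefix, and a /17 route legitimately covers far more than one /24 assignment. Looking up an address inside the route but outside the assignment therefore returns the origin AS but no netname, which is the correct reading of that output rather than a parser failure.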