Page 2 of 2 FirstFirst 12
Results 11 to 12 of 12

Thread: What's sending this?

  1. #11
    Junior Member
    Join Date
    Feb 2003
    Posts
    6
    Could you not filter it to look for specific things like port 80 or winroute.cz? The only tool that I know that could filter as it's collecting would be something like Snort IDS where you can create your own ruleset and have it only detect those that match that pattern. All others it just ignores and let's pass.
    That's essentially what I did with windump. I filtered on traffic originating from my box, with a destination other than my internal net. Since I use a proxy server, all legitimate web traffic goes there, which is internal, so there wasn't much going directly outside. I was able to watch the traffic I sent out. I've got that problem pretty much under control.

    What I'm still interested in, though, is something that would monitor the app that sent the packets. Your example of using snort, for instance, would enable me to see which computer is sending the packets, but that still doesn't tell me which application running on my machine is responsible for sending that packet.''

    Hmm... maybe a HIDS would, though. But I'm really looking for a forensic tool that can be lightly deployed on a given box to watch what app or process is generating it. I think that could be a useful tool. (Wish I had the coding skills...)


    -- The Director

  2. #12
    Senior Member
    Join Date
    Jul 2002
    Posts
    112
    ok jsut for a bit more information on the "who is" stuff: (See below) But here it is in a nut shell. You stated you are "back in the states" You where using a ISP in Europe. Mostly likely in Czech Rep...? ns.winroute.cz is a DNS server on the network. It is a public server and is available for DNS lookups. You can replicate this inofrmation by going to command prompt Type nslookup (W2K or better) Type: server ns.winroute.cz hit enter and your can do DNS lookup on that server. Why port 80.... Can't tell you that one but all in all I would not worry about this...

    Paldie MCSE, CCNA, CCA, CCAI, CSSA, LMNOP

    Summary:
    Name: ignor.tinysw.cz
    IP Address: 195.39.55.4
    Location: PRAHA (50.090N, 14.410E)
    Network: TINYSOFT-CZ

    See Registrant Pane for registrant contact information.

    Registrant:
    This is the RIPE Whois secondary server.
    The objects are in RPSL format.
    Please visit http://www.ripe.net/rpsl for more information.

    The object shown below is NOT in the RIPE database.
    It has been obtained by querying a remote server:
    (whois.nic.cz) at port 43.
    To see the object stored in the RIPE database
    use the -R flag in your query

    REFERRAL START
    This whois looks up records in off-line generated RIPE
    databases maintained by the Czech Network Information
    Center. Results needn't contain all available information,
    see also on-line full information search service at the
    web-site http://www.nic.cz/

    Timestamp: 10.04.2003 (dd-mm-yyyy) 00:44 (hh:mm) CEST

    domain: tinysw.cz
    descr: Tiny Software CR, s.r.o.
    descr: Plzen
    admin-c: TH20-RIPE_XX
    tech-c: TH20-RIPE_XX
    bill-c: TINY-CZ
    nserver: ns.winroute.cz ns.winroute.com


    role: Tiny Software CR, s.r.o.
    address: Sedlackova 16
    address: Plzen
    address: 301 11
    address: The Czech Republic
    admin-c: TH20-RIPE
    tech-c: TH20-RIPE
    nic-hdl: TH20-RIPE_XX


    role: Tiny Software CR, s.r.o.
    address: Sedlackova 16
    address: Plzen
    address: 301 11
    address: The Czech Republic
    nic-hdl: TINY-CZ
    e-mail: tom@winroute.cz


    person: Tomas Hnetila
    address: Pobrezni 208
    address: Blovice
    address: 336 01
    phone: +420 377338901
    fax-no: +420 377328921
    nic-hdl: TH20-RIPE
    e-mail: Tom@TinySoftware.cz


    Total 4 records
    REFERRAL END

    Network:

    This is the RIPE Whois secondary server.
    The objects are in RPSL format.
    Please visit http://www.ripe.net/rpsl for more information.

    inetnum: 195.39.55.0 - 195.39.55.255
    netname: TINYSOFT-CZ
    descr: Tiny Software CR, s.r.o.
    country: CZ
    admin-c: TH20-RIPE
    tech-c: TH20-RIPE
    status: ASSIGNED PA
    mnt-by: GTSCZ-MNT
    changed: filip.krupka@gtsgroup.cz 20021112
    source: RIPE

    route: 195.39.0.0/17
    descr: GTSNET - II
    origin: AS2819
    mnt-by: GTSCZ-A-MNT
    changed: tm@gts.cz 19980916
    changed: mic@gts.cz 20021018
    source: RIPE

    person: Tomas Hnetila
    address: Kerio Technologies
    address: Sedlackova 16
    address: Plzen
    address: 301 11
    address: The Czech Republic
    phone: +420 377338901
    fax-no: +420 377338921
    e-mail: THnetila@kerio.com
    nic-hdl: TH20-RIPE
    notify: tom@winroute.cz
    changed: tom@winroute.cz 19990524
    changed: tkpv@cesnet.cz 20020920
    source: RIPE
    My other Computer is a 4000 node Beowulf Custer

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •