Internet Link Detective Audit
- From: Edward Elhauge <ee@xxxxxxxxxxx>
- Date: Mon, 23 Oct 2006 17:08:05 -0700
I'm hoping someone on this list can steer me in the right direction
towards figuring out what is going on with my internet link. (Or rather
the tools to figure it out on my own).
I had a call from my ISP claiming that they saw unusual network
activity (high usage). At first we thought it was simply my New peering
but a few weeks later they claimed up to 7GB on port 5560 (iMesh).
Since I block port 5560 incoming I have to figure it must be from the
inside.
I'm puzzled because as far as I can tell from my Postfix and Inn logs
I'm using only 100 MB per day or so. With about 15 machines on our
building's network, it might be a bit difficult to figure out what is
going on just by inspection (also some of the clients are Mac, Windows
XP and Ubuntu).
What I'd like is a tool running on FreeBSD that will sort IP traffic
coming across my Internet interface by:
SRC IP, PROTOCOL and PORT
DEST IP, PROTOCOL and PORT
then give me total KBs passed in that interval.
I currently have one FreeBSD machine devoted to Gateway Router and NAT.
It runs ipfilter (ipf). From reading the list over the years I know
about tools that do things like this but don't know of one that does
this exactly.
I set up ifstat, but it doesn't sort the traffic by src, dest, port,
etc, just a total KB/s in/out.
I know that one can use dummynet, or ALTQ to do bandwidth shaping, but
I'd rather find out where all the traffic is going rather than just
restricting it.
Perhaps snort would do what I want, but before I spend the time setting
it up I wanted to make sure that I could easily get a count of Kb/s flowing
across the interface, since my main interest isn't intrusion detection,
but really something more like a traffic audit.
Any pointers for how to instrument this are greatly appreciated.
--
Edward Elhauge <ee@xxxxxxxxxxx>
"The life which is unexamined is not worth living." -- Plato
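
An added example, not part of the original post: a per-endpoint byte tally of the kind requested above, keyed by (IP, protocol, port) for sources and for destinations. It assumes text input shaped like `tcpdump -nn -q` output captured on the inside interface of the NAT gateway, so client addresses are still visible; the sample lines, addresses and function names are constructed for illustration.

```python
import re
from collections import Counter

# Assumed line shape: `tcpdump -nn -q` text output. The length field is
# payload bytes, so totals slightly undercount wire bytes (no headers).
LINE = re.compile(
    r"^\S+ IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): "
    r"(tcp|udp),? (?:length )?(\d+)", re.IGNORECASE)

# Constructed sample capture (private and documentation address ranges).
SAMPLE = """\
17:08:05.000101 IP 192.168.1.23.49152 > 203.0.113.9.5560: tcp 1448
17:08:05.000205 IP 192.168.1.23.49152 > 203.0.113.9.5560: tcp 1448
17:08:05.000350 IP 203.0.113.9.5560 > 192.168.1.23.49152: tcp 0
17:08:05.001002 IP 192.168.1.10.40000 > 198.51.100.7.25: tcp 512
17:08:05.001500 IP 192.168.1.14.53124 > 198.51.100.53.53: UDP, length 64
17:08:05.002000 ARP, Request who-has 192.168.1.1 tell 192.168.1.14, length 28
17:08:05.002400 IP 192.168.1.23.49152 > 203.0.113.9.5560: tcp 1448
"""

def parse_line(line):
    """Return (src, sport, dst, dport, proto, bytes) or None for non-TCP/UDP lines."""
    m = LINE.match(line)
    if not m:
        return None
    src, sport, dst, dport, proto, size = m.groups()
    return src, int(sport), dst, int(dport), proto.lower(), int(size)

def tally(lines):
    """Sum bytes per (src ip, proto, port) and per (dst ip, proto, port)."""
    by_src, by_dst, skipped = Counter(), Counter(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1          # ARP, ICMP, truncated lines: count, don't guess
            continue
        src, sport, dst, dport, proto, size = rec
        by_src[(src, proto, sport)] += size
        by_dst[(dst, proto, dport)] += size
    return by_src, by_dst, skipped

def report(counter, n=5):
    """Top-n talkers as (ip, proto, port, KB), largest first."""
    return [(ip, p, port, round(b / 1024, 1)) for (ip, p, port), b in counter.most_common(n)]

if __name__ == "__main__":
    src, dst, skipped = tally(SAMPLE.splitlines())
    print("by source:", report(src), "\nby destination:", report(dst), "\nskipped:", skipped)
```

Sorting the destination table by port surfaces which inside host is talking to the port the ISP flagged, and the skipped count shows how much traffic the tally did not classify.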