Old 02-18-2010, 08:47 PM
Rick Stevens
 
Default what network monitor will display which applications are using which connections?

On 02/18/2010 09:52 AM, Wendell Nichols wrote:
> I would like to monitor network connections on my servers. Users run
> all sorts of stuff and I want to know when some chat client starts
> shipping data to a system in China etc.

Snort is probably the best (and complicated) network sniffer out
there. It can do some serious analysis. It also eats up CPU cycles
like crazy. You've been warned.

If you try to use something like "netstat" and such, you can't be sure
which application is using which port without finding the port being
used and analyzing the output of something like "lsof -i :port".
Example: port 22 is ssh, but you can tell ssh to listen on a completely
different port. This is true of many applications.

You should also keep in mind that if the connection is being originated
at your end, the source port could be on any one. You'd need to look
at the destination port to see what it's talking to and even then it
could be completely bogus. All you know for sure is that if the
destination port is 22, it's talking to a port that was reserved for
ssh by the IETF. It doesn't mean that what's actually at the other end
is an sshd instance.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer ricks@nerd.com -
- AIM/Skype: therps2 ICQ: 22643734 Yahoo: origrps2 -
- -
- We have enough youth, how about a fountain of SMART? -
----------------------------------------------------------------------
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
 
Old 02-18-2010, 10:01 PM
Patrick O'Callaghan
 
Default what network monitor will display which applications are using which connections?

On Thu, 2010-02-18 at 13:47 -0800, Rick Stevens wrote:
> On 02/18/2010 09:52 AM, Wendell Nichols wrote:
> > I would like to monitor network connections on my servers. Users run
> > all sorts of stuff and I want to know when some chat client starts
> > shipping data to a system in China etc.
>
> Snort is probably the best (and complicated) network sniffer out
> there. It can do some serious analysis. It also eats up CPU cycles
> like crazy. You've been warned.

Other things to look at: ntop and wireshark (not for the faint of
heart).

poc

 
Old 02-19-2010, 12:57 AM
Rick Stevens
 
Default what network monitor will display which applications are using which connections?

On 02/18/2010 03:01 PM, Patrick O'Callaghan wrote:
> On Thu, 2010-02-18 at 13:47 -0800, Rick Stevens wrote:
>> On 02/18/2010 09:52 AM, Wendell Nichols wrote:
>>> I would like to monitor network connections on my servers. Users run
>>> all sorts of stuff and I want to know when some chat client starts
>>> shipping data to a system in China etc.
>>
>> Snort is probably the best (and complicated) network sniffer out
>> there. It can do some serious analysis. It also eats up CPU cycles
>> like crazy. You've been warned.
>
> Other things to look at: ntop and wireshark (not for the faint of
> heart).

Wireshark, of course, being the GUI side of tcpdump. But you knew that!
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer ricks@nerd.com -
- AIM/Skype: therps2 ICQ: 22643734 Yahoo: origrps2 -
- -
- "Doctor! My brain hurts!" "It will have to come out!" -
----------------------------------------------------------------------
 
Old 02-19-2010, 02:59 PM
Wendell Nichols
 
Default what network monitor will display which applications are using which connections?

Rick Stevens wrote:
> On 02/18/2010 03:01 PM, Patrick O'Callaghan wrote:
>
>> On Thu, 2010-02-18 at 13:47 -0800, Rick Stevens wrote:
>>
>>> On 02/18/2010 09:52 AM, Wendell Nichols wrote:
>>>
>>>> I would like to monitor network connections on my servers. Users run
>>>> all sorts of stuff and I want to know when some chat client starts
>>>> shipping data to a system in China etc.
>>>>
>>> Snort is probably the best (and complicated) network sniffer out
>>> there. It can do some serious analysis. It also eats up CPU cycles
>>> like crazy. You've been warned.
>>>
>> Other things to look at: ntop and wireshark (not for the faint of
>> heart).
>>
>
> Wireshark, of course, being the GUI side of tcpdump. But you knew that!
Thank you for your input. I've looked at all these things and a few
more. One of the more interesting tools is etherape (available at your
friendly neighbourhood fedora repo site). It gives you a nice picture
of what machines on your lan are connected to what machines both off and
on your lan. The thing it doesn't tell me is what app is responsible
for the connection and where the end point is. There is also no
logging. I have snort on my firewall and I'll look more closely at it
before I move on.
I'm mostly concerned with apps on windows machines on my local lan
having connections to machines which are not expected. You read nearly
every week about some social networking game or app (tomtom skype?)
which funnels the chat content to either a foreign government or an
organization collecting identities for fraud purposes. I'm interested
in tools which might plug those holes... but perhaps they don't exist or
are out of the reach of the "little guy"
Thanks again for your thoughts..
Wendell Nichols

 
Old 02-19-2010, 05:59 PM
Rick Stevens
 
Default what network monitor will display which applications are using which connections?

On 02/19/2010 07:59 AM, Wendell Nichols wrote:
> Rick Stevens wrote:
>> On 02/18/2010 03:01 PM, Patrick O'Callaghan wrote:
>>
>>> On Thu, 2010-02-18 at 13:47 -0800, Rick Stevens wrote:
>>>
>>>> On 02/18/2010 09:52 AM, Wendell Nichols wrote:
>>>>
>>>>> I would like to monitor network connections on my servers. Users run
>>>>> all sorts of stuff and I want to know when some chat client starts
>>>>> shipping data to a system in China etc.
>>>>>
>>>> Snort is probably the best (and complicated) network sniffer out
>>>> there. It can do some serious analysis. It also eats up CPU cycles
>>>> like crazy. You've been warned.
>>>>
>>> Other things to look at: ntop and wireshark (not for the faint of
>>> heart).
>>>
>>
>> Wireshark, of course, being the GUI side of tcpdump. But you knew that!
> Thank you for your input. I've looked at all these things and a few
> more. One of the more interesting tools is etherape (available at your
> friendly neighbourhood fedora repo site). It gives you a nice picture
> of what machines on your lan are connected to what machines both off and
> on your lan. The thing it doesn't tell me is what app is responsible
> for the connection and where the end point is. There is also no
> logging. I have snort on my firewall and I'll look more closely at it
> before I move on.
> I'm mostly concerned with apps on windows machines on my local lan
> having connections to machines which are not expected. You read nearly
> every week about some social networking game or app (tomtom skype?)
> which funnels the chat content to either a foreign government or an
> organization collecting identities for fraud purposes. I'm interested
> in tools which might plug those holes... but perhaps they don't exist or
> are out of the reach of the "little guy"
> Thanks again for your thoughts..

snort isn't that hard to set up using its default rules. The trick is
in tweaking them to analyze what's going on.

Remember, even at the firewall all you have available to you is IP
addresses and ports involved. You have no visibility as to what
application on any given machine is opening those connections unless
you're on the machine involved and doing something like

lsof -i :portnumber-of-interest

while the connection is being made or is open (I don't know if there
is an equivalent application under Windows). With iptables, you can,
of course, log all outgoing packets with the SYN bit set (your machine
trying to open a TCP connection):

iptables -A OUTPUT -p tcp -m tcp --tcp-flags SYN SYN -j LOG

but again, you don't know which application was doing that.

If you're intensely paranoid, put rules on your firewall that block
all outgoing packets to anything other than well-known ports that you
are fairly sure you'll use. If someone whines that they can't do
something, sort out what it is, verify the IPs and ports involved and
put a "hole" in your firewall to allow access for that port to that
specific destination IP. Do this VERY reluctantly...a firewall that
resembles Swiss cheese is no longer a firewall.

Network security and security analysis are pretty complex beasts, which
is why good consultants in those areas can make some serious money.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer ricks@nerd.com -
- AIM/Skype: therps2 ICQ: 22643734 Yahoo: origrps2 -
- -
- What's small, yellow and very, VERY dangerous? The root canary! -
----------------------------------------------------------------------