AANTS - Find a Workstation That's Abusing Your Server

How to use NetWatch and other AANTS tools to locate abusive or anomalous traffic

Presumably you know the IP or MAC of your server, so the easiest way to see what that traffic looked like in the traffic graphs is to pull up the graph for the port that server is on.

I'd do this using NetWatch:

1) select "ALL" devices
2) enter the server's hostname (DNS), IP, or MAC address
3) leave the date selection as it is
4) Submit Query

Then in the "port" column there are links to the "Bits", "Pkts", and "Errs" graphs. If the server is overwhelmed by packets, I'd suggest the "Pkts" graph: the packet rate may have been high, but if the packets were small, the spike would not be obvious in the Bits rate graph.

Once you know what sort of rate spike you're interested in, then the Port Stats Search "Report Most Active" form could be used to find other access ports in your building(s) with similar activity levels.

If you can't find the identity of the source (MAC or IP) of the packets with the server's operating system or tools, it would be best to use a packet capture utility (such as ethereal under Windows or Linux) on the same switchport as the server to capture sample packets. The capture can expose the MAC address (and possibly IP address) of the misbehaving source host.

Then it's simply a matter of entering that MAC or IP in NetWatch, and it will tell you where that machine is or has been connected.
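As an added example (not part of the original page or of AANTS), the script below works through the capture step: it ranks the sources in a small constructed capture by packet rate and by bit rate, which shows why a host sending many tiny frames tops the "Pkts" view while a bulk transfer tops the "Bits" view. The frame layout, MAC and IP addresses are all made up; the (MAC, IP) it reports is what you would then enter into NetWatch.

```python
from collections import defaultdict

# Constructed capture, shaped like what a packet-capture utility on the server's
# switchport would export: (seconds since capture start, source MAC, source IP,
# frame length in bytes). Host A does a bulk transfer with full-size frames;
# host B floods the server with tiny frames. All addresses are made up.
def constructed_capture():
    frames = []
    for i in range(20):                      # host A: 20 x 1514-byte frames in 2 s
        frames.append((i * 0.1, "00:11:22:aa:bb:cc", "10.0.5.17", 1514))
    for i in range(400):                     # host B: 400 x 64-byte frames in 2 s
        frames.append((i * 0.005, "00:11:22:dd:ee:ff", "10.0.5.99", 64))
    return frames

def per_source_rates(frames):
    """Per (MAC, IP) source: (packets/s, bits/s) over the capture window."""
    pkts, octets = defaultdict(int), defaultdict(int)
    for _, mac, ip, length in frames:
        pkts[(mac, ip)] += 1
        octets[(mac, ip)] += length
    times = [f[0] for f in frames]
    window = max(max(times) - min(times), 1.0)   # guard against a zero-length window
    return {src: (pkts[src] / window, octets[src] * 8 / window) for src in pkts}

def top_talker(rates, by="pkts"):
    """Source with the highest packet rate (by='pkts') or bit rate (by='bits')."""
    idx = 0 if by == "pkts" else 1
    return max(rates, key=lambda src: rates[src][idx])

if __name__ == "__main__":
    rates = per_source_rates(constructed_capture())
    # Sort by packet rate, the view the "Pkts" graph gives you.
    for src, (pps, bps) in sorted(rates.items(), key=lambda kv: -kv[1][0]):
        print(f"{src[0]} {src[1]:<12} {pps:8.1f} pkt/s {bps:12.0f} bit/s")
    print("top by packets:", top_talker(rates, "pkts"))
    print("top by bits:   ", top_talker(rates, "bits"))
```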

Dave Plonka

