Or... Set up the uplink to a tagged vlan, and compile your kernel with 802 VLAN
support, and sniff the vlan on your linux box.

On Mon, 2002-09-30 at 22:38, Bob Tanner wrote:
> Quoting Raymond Norton (admin at lctn.org):
> > Over the last week we had a few Linux servers abused at some member
> > schools. The culprits took advantage of poorly configured squid.conf files
> > that had the default 0.0.0.0/0.0.0.0 statement in the ACL section. We have
> > corrected most of the problem by only letting local LANS use squid. I have
> > one school in particular who is still being abused. It is peculiar because
>
> Network topology switched or shared?
>
> If switched, do your switches support port mirroring?
>
> Does all the traffic go through a firewall?
>
> What I'm getting at is, can you snoop all incoming/outgoing traffic somewhere?
>
> Install tcpdump and capture a sample of the traffic, or use ethereal to view
> it and see what's going on.
>
> Both tools are in the tclug's greyhatpak.
>
> Let's say you are switched, and the switches support port mirroring. At the
> min, mirror your uplink port (router, dsl modem, etc) to an open port.
>
> Plug a linux box into the open port, run ethereal on that NIC interface and
> you'll get what you need.
>
> If you want to do it remotely, it's a little more involved, but....
>
> Let's say you have a linux firewall, ssh to it, install tcpdump, run tcpdump on
> both interfaces.
>
> /usr/sbin/tcpdump -w eth0.pcap -i eth0 -n
> /usr/sbin/tcpdump -w eth1.pcap -i eth1 -n
>
> scp the *.pcap files to your linux box running X, load up the files with
> ethereal.
>
> --
> Bob Tanner <tanner at real-time.com>       | Phone : (952)943-8700
> http://www.mn-linux.org, Minnesota, Linux | Fax   : (952)943-8500
> http://www.tcwug.org, Minnesota, Wireless | Coding isn't a crime.
> Fingerprint: 02E0 2734 A1A1 DBA1 0E15 623D 0036 7327 93D9 7DA3
> _______________________________________________
> Twin Cities Linux Users Group Mailing List - Minneapolis/St. Paul, Minnesota
> http://www.mn-linux.org
> tclug-list at mn-linux.org
> https://mailman.mn-linux.org/mailman/listinfo/tclug-list

--
Jonathan Kline
Milwaukee School of Engineering
klinej at msoe.edu
PGP Key fingerprint = 8923 7266 CC84 6D39 6AEA 2313 4241 7851 068E BD2A
PGP Key ID = 068EBD2A
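
An added example, not part of either post: one way to tally which outside sources open connections to the proxy, reading a capture file of the kind `tcpdump -w` writes in the quoted message and skipping 802.1Q tags so a capture from a tagged uplink is handled too. The proxy port 3128, the 10.0.0.0/8 LAN range, the function names and the sample traffic are assumptions constructed for illustration.

```python
import ipaddress
import struct
from collections import Counter

PROXY_PORT = 3128                                  # assumption: Squid's default http_port
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: the school's LAN range

def outside_proxy_clients(data):
    """Count new TCP connections (SYN without ACK) to the proxy from non-local sources."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in (0xA1B2C3D4, 0xD4C3B2A1):
        raise ValueError("not a classic (microsecond) pcap file")
    end = "<" if magic == 0xA1B2C3D4 else ">"
    hits, pos = Counter(), 24                      # records start after the 24-byte global header
    while pos + 16 <= len(data):
        incl = struct.unpack(end + "I", data[pos + 8:pos + 12])[0]
        pkt, pos = data[pos + 16:pos + 16 + incl], pos + 16 + incl
        off = 12                                   # EtherType follows the two MAC addresses
        while pkt[off:off + 2] == b"\x81\x00":     # skip 802.1Q tag(s) on a tagged uplink
            off += 4
        ip = pkt[off + 2:]
        if pkt[off:off + 2] != b"\x08\x00" or len(ip) < 20 or ip[9] != 6:
            continue                               # not IPv4 carrying TCP
        tcp = ip[(ip[0] & 0x0F) * 4:]
        if len(tcp) < 14:
            continue                               # TCP header cut short in the capture
        src = ipaddress.ip_address(ip[12:16])
        dport, flags = struct.unpack("!H", tcp[2:4])[0], tcp[13]
        if dport == PROXY_PORT and flags & 0x12 == 0x02 and not any(src in n for n in LOCAL_NETS):
            hits[str(src)] += 1
    return hits

def sample_pcap(rows):
    """Constructed capture: one Ethernet/IPv4/TCP frame per (src, dst, dport, flags, vlan) row."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for src, dst, dport, flags, vlan in rows:
        tag = b"" if vlan is None else struct.pack("!HH", 0x8100, vlan)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
        tcp = struct.pack("!HHLLBBHHH", 40000, dport, 0, 0, 0x50, flags, 1024, 0, 0)
        f = b"\x00" * 12 + tag + b"\x08\x00" + ip + tcp
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

SAMPLE = sample_pcap([                             # constructed traffic, documentation addresses
    ("203.0.113.7", "10.0.0.5", 3128, 0x02, None),   # outside SYN to the proxy
    ("203.0.113.7", "10.0.0.5", 3128, 0x02, 10),     # same source, seen with a VLAN 10 tag
    ("10.1.2.3", "10.0.0.5", 3128, 0x02, None),      # local client, ignored
    ("198.51.100.9", "10.0.0.5", 3128, 0x10, None),  # ACK only, not a new connection
])
```

For a real capture, pass the file's bytes, for example `outside_proxy_clients(open("eth0.pcap", "rb").read())`.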