On Wed, 2003-08-13 at 12:12, Robert L Cochran wrote:
[snip]
> Is there a way I can just monitor traffic on these ports for a while to
> get a sense of what is happening on my network?

The other suggestions are probably better for monitoring what's happening, but this way can let you know depending on your iptables rules:

I recommend ulog for logging (-j ULOG), along with ulogd. This serves two purposes:

1. ulog gives you more options for sending different logs to different files, so if you were just interested in a particular set of ports, you could tail that file, and
2. your /var/log/messages doesn't get so clogged!

If you wanted to log all Windows file sharing traffic, you could then do something like

    -A eth0-Input -p tcp -m tcp -m multiport -s 172.16.0.0/255.255.255.0 --dports 137,138,139,445 -j ULOG --ulog-nlgroup 1 --ulog-prefix "Samba eth0 DROP: "
    -A eth0-Input -p tcp -m tcp -m multiport -s 172.16.0.0/255.255.255.0 --dports 137,138,139,445 -j ACCEPT

(watch for text wrap)

Then you could say

    tail -f /var/log/ulogd.syslogemu | grep "Samba eth0 DROP: "

and watch the traffic go. I usually get 2-3 attempts to connect to these ports every few seconds or so from outside my network...

(this is an inbound rule, but I don't think it takes much to turn it into an outbound rule)

HTH,
--
Iain Buchanan <iain@xxxxxxxxxxxxxxxxxxx>

Lisa: Remember, Dad. The handle of the Big Dipper points to the North Star.
Homer: That's nice, Lisa, but we're not in astronomy class. We're in the woods.
    The Call of the Simpsons
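
Added example, not part of the original message: instead of watching the `tail -f | grep` stream, this counts the entries carrying a given `--ulog-prefix` per source address and destination port. It assumes the ulogd syslogemu file uses the same `KEY=value` fields as the iptables LOG target; the function names, the host name `gw` and the abbreviated sample lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed, abbreviated sample of /var/log/ulogd.syslogemu (not real traffic).
sample_log() {
cat <<'EOF'
Aug 13 12:30:01 gw Samba eth0 DROP: IN=eth0 OUT= SRC=172.16.0.23 DST=172.16.0.1 LEN=48 PROTO=TCP SPT=1045 DPT=445 SYN
Aug 13 12:30:02 gw Samba eth0 DROP: IN=eth0 OUT= SRC=172.16.0.57 DST=172.16.0.1 LEN=48 PROTO=TCP SPT=2210 DPT=139 SYN
Aug 13 12:30:04 gw Samba eth0 DROP: IN=eth0 OUT= SRC=172.16.0.23 DST=172.16.0.1 LEN=48 PROTO=TCP SPT=1046 DPT=445 SYN
Aug 13 12:30:05 gw SSH eth0: IN=eth0 OUT= SRC=172.16.0.57 DST=172.16.0.1 LEN=60 PROTO=TCP SPT=2300 DPT=22 SYN
Aug 13 12:30:07 gw Samba eth0 DROP: IN=eth0 OUT= SRC=172.16.0.23 DST=172.16.0.1 LEN=48 PROTO=TCP SPT=1047 DPT=139 SYN
Aug 13 12:30:09 gw Samba eth0 DROP: IN=eth0 OUT= SRC=172.16.0.57 DST=172.16.0.1 LEN=48 PROTO=TCP SPT=2211 DPT=139 SYN
Aug 13 12:30:10 gw Samba eth0 DROP: IN=eth0 OUT= SRC=172.16.0.23 DST=172.16.0.1 LEN=48 PROTO=TCP SPT=1048 DPT=445 SYN
EOF
}

# summarize_prefix PREFIX [FILE...]
# Prints "count source dport", busiest pair first. Reads stdin if no FILE.
summarize_prefix() {
    prefix=$1
    shift
    awk -v prefix="$prefix" '
        index($0, prefix) == 0 { next }    # fixed-string match on the prefix
        {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)      src = substr($i, 5)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            # Entries without a port (e.g. ICMP) are skipped.
            if (src != "" && dpt != "") count[src " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' "$@" | sort -k1,1nr -k2,2 -k3,3n
}

# Run against the constructed sample; on a live system pass the log file:
#   summarize_prefix "Samba eth0 DROP: " /var/log/ulogd.syslogemu
sample_log | summarize_prefix "Samba eth0 DROP: "
```
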