Sniffing Around

Chris Partridge chris.partridge at vintek.net
Thu May 25 06:40:55 CST 2006


Hi Andrew,

Just as a side note, many popular BitTorrent clients are now
implementing encryption - which might make things just a little bit
harder to track.

Kind Regards, 

Chris Partridge 
 

> -----Original Message-----
> From: linuxsa-bounces at linuxsa.org.au 
> [mailto:linuxsa-bounces at linuxsa.org.au] On Behalf Of 
> andrew.reid at plug.cx
> Sent: Thursday, 25 May 2006 2:26 PM
> To: linuxsa at linuxsa.org.au
> Subject: Sniffing Around
> 
> I've got a wireless network that is used by a variety of 
> users. They're authenticated to the network, then they get 
> carte blanche out to the Internet.
> For a variety of reasons outside of my control, that's how 
> it's going to stay.
> 
> As you can imagine, that can be a bit of a problem. At the 
> moment, we're finding that people sitting around using things 
> like, say, BitTorrent and downloading massive files is 
> soaking up all the wireless bandwidth (that is, between the 
> AP and the client machines).
> 
> Using tcpkill from the dsniff package, I think I've 
> successfully managed to kill off some BitTorrent connections, 
> but from what I can tell, I can only see connections made by 
> other clients of my particular AP. Elsewhere in the building, 
> from another AP, there might be some other scallywag doing 
> exactly the same thing.
> 
> To formulate a plan of attack, I want to get some sniffing 
> set up to show me the sort of traffic that is going through 
> the APs, allowing me to target my tcpkilling. I'll do that by 
> having RSPAN ports setup on our Cisco switches.
> 
> Is snort the sort of thing that I want to look at? I've been 
> having a troll around the website, but I haven't got a clear 
> answer as to whether or not I'll be able to get some sort of 
> traffic pattern breakdown (e.g., 40% HTTP, 40% BitTorrent, 
> 20% FTP etc.).
> 
> Is that doable? Should I be looking at something else that is 
> better suited to doing this kind of thing?
> 
> It's been a while since I've had to do anything of this kind 
> of nature, so I'm a little rusty.
> 
>    - andrew
> 
> --
> | Andrew Reid [mailto:andrew.reid at plug.cx] Overworked and 
> Underpaid 
> | Network Monkey
> | C: +61-401-946-813  F: +61-8-8219-0034
> 

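An added example, not part of the original thread: one way to get the per-protocol byte breakdown asked about above, and to see where encrypted BitTorrent ends up. It assumes flow records (client address, destination port, byte count, first payload bytes) have already been extracted from a capture on the RSPAN port; the record field names and function names are hypothetical.

```python
from collections import defaultdict

# Start of a plaintext BitTorrent peer handshake: length byte 19 + protocol string.
BT_HANDSHAKE = b"\x13BitTorrent protocol"
HTTP_METHODS = (b"GET", b"POST", b"HEAD")
PORT_LABELS = {20: "FTP", 21: "FTP", 80: "HTTP"}

def classify(flow):
    """Label a flow by payload signature first, then by well-known server port."""
    payload = flow["first_payload"]
    if payload.startswith(BT_HANDSHAKE):
        return "BitTorrent"
    if payload.split(b" ", 1)[0] in HTTP_METHODS:
        return "HTTP"
    return PORT_LABELS.get(flow["dst_port"], "unclassified")

def breakdown(flows):
    """Return {label: share of total bytes in percent, one decimal place}."""
    totals = defaultdict(int)
    for flow in flows:
        totals[classify(flow)] += flow["bytes"]
    grand = sum(totals.values())
    return {k: round(100.0 * v / grand, 1) for k, v in totals.items()} if grand else {}

def heavy_unclassified(flows, min_bytes):
    """Clients moving a lot of traffic no signature matched (e.g. encrypted P2P)."""
    per_client = defaultdict(int)
    for flow in flows:
        if classify(flow) == "unclassified":
            per_client[flow["src"]] += flow["bytes"]
    return sorted(c for c, n in per_client.items() if n >= min_bytes)

# Constructed sample flows (documentation addresses, made-up byte counts).
SAMPLE_FLOWS = [
    {"src": "192.0.2.10", "dst_port": 80, "bytes": 400_000,
     "first_payload": b"GET /index.html HTTP/1.1\r\n"},
    {"src": "192.0.2.11", "dst_port": 21, "bytes": 200_000,
     "first_payload": b"USER anonymous\r\n"},
    {"src": "192.0.2.12", "dst_port": 51413, "bytes": 300_000,
     "first_payload": BT_HANDSHAKE + bytes(8)},
    # Encrypted client: no recognisable handshake, arbitrary high port.
    {"src": "192.0.2.13", "dst_port": 38211, "bytes": 100_000,
     "first_payload": bytes.fromhex("8f1ca2075ed39044")},
]

if __name__ == "__main__":
    for label, pct in sorted(breakdown(SAMPLE_FLOWS).items(), key=lambda kv: -kv[1]):
        print(f"{pct:5.1f}%  {label}")
    print("heavy unclassified:", heavy_unclassified(SAMPLE_FLOWS, 50_000))
```

The encrypted flow matches no signature and lands in "unclassified", so a large unclassified share per client is the signal left once clients encrypt.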