Discussion:
top talkers by port usage or SYN attempts
jacob c
2008-01-24 23:26:37 UTC
Permalink
I have a linux load balancer appliance where some user is constantly making too many connections to some unknown ip address. When this happens it eventually uses up all 65,000 ports. Is there some way to take a massive capture and then filter it out in wireshark by top port talkers and/or top syn attempts by ip address? Any info would be very much appreciated.

Thank you,

Sake Blok
2008-01-25 09:31:52 UTC
Permalink
Post by jacob c
I have a linux load balancer appliance where some user is constantly
making too many connections to some unknown ip address. When this
happens it eventually uses up all 65,000 ports. Is there some way
to take a massive capture and then filter it out in wireshark by top
port talkers and/or top syn attempts by ip address? Any info would be
very much appreciated.
Well, in Wireshark you can use the "Endpoints" option under "statistics".
This could give you the top 10 list of ip-addresses generating the most
packets or bytes.

If you just want SYN packets to be counted, you can either create a
2nd trace file with only the SYN packets and look at the endpoint
statistics in this new file.

Or... you could use tshark with some command piping:

tshark -r <tracefile> -T fields -e ip.src "tcp.flags.syn==1 && tcp.flags.ack==0" | sort | uniq -c | sort -rn | head

I hope this helps,
Cheers,
Sake
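The same SYN-per-source count that the tshark pipeline above produces, done in pure Python so it runs anywhere Python does. This is an added example, not code from the thread; it assumes untagged Ethernet II / IPv4 frames (no 802.1Q tag) and builds its own constructed sample frames instead of reading a trace file.

```python
import struct
from collections import Counter, defaultdict
from socket import inet_aton

SYN, ACK = 0x02, 0x10

def syn_segments(frames):
    """Yield (src_ip, src_port, dst_ip, dst_port) for every SYN-only segment,
    i.e. the tshark filter tcp.flags.syn==1 && tcp.flags.ack==0.
    Toy parser: assumes untagged Ethernet II carrying IPv4 (assumption)."""
    for frame in frames:
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                   # not IPv4 (e.g. ARP)
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6 or len(ip) < ihl + 14:
            continue                                   # not TCP, or truncated
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
        flags = ip[ihl + 13]
        if flags & SYN and not flags & ACK:
            yield src, sport, dst, dport

def top_syn_sources(frames, n=10):
    """Same result as: ... -e ip.src | sort | uniq -c | sort -rn | head"""
    return Counter(seg[0] for seg in syn_segments(frames)).most_common(n)

def ports_per_source(frames):
    """Distinct local ports each source has burned on new connections;
    a host near 65,000 here is the one exhausting its ephemeral range."""
    used = defaultdict(set)
    for src, sport, _, _ in syn_segments(frames):
        used[src].add(sport)
    return {src: len(ports) for src, ports in used.items()}

def make_frame(src, dst, sport, dport, flags):
    """Build a minimal Ethernet/IPv4/TCP frame (constructed test data only)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     inet_aton(src), inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp

# Constructed sample capture: 10.0.0.5 opens five connections to 203.0.113.9:443,
# the server answers one SYN/ACK, 10.0.0.7 opens two and also sends a bare ACK.
SAMPLE_FRAMES = (
    [make_frame("10.0.0.5", "203.0.113.9", 40000 + i, 443, SYN) for i in range(5)]
    + [make_frame("203.0.113.9", "10.0.0.5", 443, 40000, SYN | ACK)]
    + [make_frame("10.0.0.7", "10.0.0.1", 50000 + i, 80, SYN) for i in range(2)]
    + [make_frame("10.0.0.7", "10.0.0.1", 50000, 80, ACK)]
    + [b"\xff" * 12 + b"\x08\x06" + b"\x00" * 28]          # ARP frame, skipped
)
```

On a real trace, feed it the frame bytes from a pcap reader instead of SAMPLE_FRAMES; the SYN/ACK and bare ACK above are deliberately excluded, matching the tshark filter.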
jacob c
2008-01-25 19:56:59 UTC
Permalink
I appreciate the info. I have actually taken several captures now on individual vlans and have located the top talkers. I also tried the tshark command you mentioned below without success. I get the "ericsson error" as shown below. Here is what happens:
C:\Program Files\Wireshark>tshark -r c:\captures\0_0-10mins -T fields -e ip.src
"tcp.flags.syn==1 &&
Could not open file: 'Ericsson.xml', error: No such file or directory
tshark: Unexpected end of filter string.

C:\Program Files\Wireshark>tshark -v
Could not open file: 'Ericsson.xml', error: No such file or directory
TShark 0.99.7 (SVN Rev 23910)
Copyright 1998-2007 Gerald Combs <gerald-IZ8446WsY0/***@public.gmane.org> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled with GLib 2.14.3, with WinPcap (version unknown), with libz 1.2.3, with
libpcre 6.4, with SMI 0.4.5, with ADNS, with Lua 5.1, with GnuTLS 1.6.1, with
Gcrypt 1.2.3, with MIT Kerberos.
Running on Windows XP Service Pack 2, build 2600, with WinPcap version 4.0.2
(packet.dll version 4.0.0.1040), based on libpcap version 0.9.5.
Built using Microsoft Visual C++ 6.0 build 8804
C:\Program Files\Wireshark>

Do you know what I should modify to resolve this?
Thanks,
_______________________________________________
Wireshark-users mailing list
Wireshark-users-IZ8446WsY0/***@public.gmane.org
http://www.wireshark.org/mailman/listinfo/wireshark-users
Guy Harris
2008-01-25 20:36:52 UTC
Permalink
Post by jacob c
I appreciate the info. I have actually taken several captures now on
individual vlans and have located the top talkers. I also tried the
tshark command you mentioned below without success. I get the "ericsson
C:\Program Files\Wireshark>
Oops, cmd.exe, not a UN*X shell, so Sake's command won't work exactly.

If you have Cygwin installed, you could try it from Cygwin.
Post by jacob c
tshark -r c:\captures\0_0-10mins -T fields -e
ip.src
"tcp.flags.syn==1 &&
Could not open file: 'Ericsson.xml', error: No such file or directory
tshark: Unexpected end of filter string.
The "ericsson error" isn't the real problem. The real problem is the
"Unexpected end of filter string"; that command isn't complete.

The complete tshark command would be

tshark -r c:\captures\0_0-10mins -T fields -e ip.src "tcp.flags.syn==1
&& tcp.flags.ack==0"

on *one* command line (I don't know whether cmd.exe supports commands
split across multiple command lines the way UN*X shells do).

However, the rest of his command, namely the

| sort | uniq -c | sort -rn | head

part, is a bit trickier; cmd.exe *does* support pipes (and I suspect it
supports them using Win32 pipes, rather than the old "run the commands
one at a time, save the output of command N to a file, and use that file
as input to command N+1" hack that the MS-DOS command prompt did, due to
DOS being a single-tasking system), but Windows doesn't come with those
other commands.

As noted, Cygwin would include those commands.

Giles Coochey
2008-01-25 09:42:17 UTC
Permalink
To be honest, if they're creating that many connections then it should
be pretty obvious from eyes on the capture itself.

________________________________

From: wireshark-users-bounces-IZ8446WsY0/***@public.gmane.org
[mailto:wireshark-users-bounces-IZ8446WsY0/***@public.gmane.org] On Behalf Of jacob c
Sent: 25 January 2008 00:27
To: wireshark-users-IZ8446WsY0/***@public.gmane.org
Subject: [Wireshark-users] top talkers by port usage or SYN attempts