02-28-2007, 10:37 AM | #1 |
Scooby Specialist
Member#: 10814
Join Date: Oct 2001
Chapter/Region:
South East
Location: Stanley, NC
Vehicle:'13 ToyobaruFRZ-86 97 Miata M |
Attn: Juniper router gurus, quick question
Since yesterday around 2pm, there has been a sustained 100k of traffic between two of our routers. I can't trace it to any servers, and I'm wondering what the hell is causing it.
What's the best way to go about figuring this out? Netflows? Sniffing the port on the switch that the router is plugged into? Hitting the router with a hammer? Any other features on the router itself to monitor this and find out what addresses it's talking to?
|
02-28-2007, 10:44 AM | #2 |
Scooby Specialist
Member#: 87294
Join Date: May 2005
Chapter/Region:
South East
Location: Wanna fight ab'at it?
Vehicle:98 Silver POS |
Some sort of Debug maybe?
Sorry, I do Cisco |
02-28-2007, 10:55 AM | #3 |
Scooby Specialist
Member#: 82595
Join Date: Mar 2005
Chapter/Region:
MAIC
Location: 'Cookies'
Vehicle:let N/A |
buarahaha... I dunno but I hate work windows on Junipers and their blades suck at fitting... +1 hammer option. Isn't that info proprietary :O Can you tell traffic from which blade then switch?
|
02-28-2007, 10:59 AM | #4 |
Scooby Specialist
Member#: 10814
Join Date: Oct 2001
Chapter/Region:
South East
Location: Stanley, NC
Vehicle:'13 ToyobaruFRZ-86 97 Miata M |
Been waiting for a while to find a reason to use this, and my time has come....
What you've just said is one of the most insanely idiotic things I have ever heard. At no point in your rambling, incoherent response were you even close to anything that could be considered a rational thought. Everyone in this room is now dumber for having listened to it. I award you no points, and may God have mercy on your soul. |
02-28-2007, 11:02 AM | #5 |
Scooby Specialist
Member#: 87294
Join Date: May 2005
Chapter/Region:
South East
Location: Wanna fight ab'at it?
Vehicle:98 Silver POS |
|
02-28-2007, 11:34 AM | #6 |
Miss You Mom
Oct 1940 - Feb 2008 Super Moderator Member#: 809
Join Date: Jan 2000
Chapter/Region:
NESIC
Location: NH, Land Of Many Trees
Vehicle:2000 2.5 RS, '14 For 92 5MT SVX |
I don't think there is anything native to the Juniper that will help you out.
Having a packet sniffer would be optimal, however some basic troubleshooting can help narrow things down for you. I know nothing about the topology you are working with, but let's say that router is connected to a switch. Start unplugging or shutting down switch ports one at a time and see what effect it has on the traffic. If you can narrow it down to one port, you usually only have a few (or one) device that could be causing the traffic. Benefit one is that you stop whatever traffic is being sent; being that you don't know what it is, this can only be a good thing. Benefit two is once you narrow it down to one or a few devices, you can take a hard look at what that/those device(s) are doing. Substitute actual topology for my hypothetical scenario (or post here what you have going on physically). Is the facility 24/7? That traffic is outbound, and at decidedly non-normal business hours. Brian |
02-28-2007, 11:53 AM | #7 |
Scooby Specialist
Member#: 10814
Join Date: Oct 2001
Chapter/Region:
South East
Location: Stanley, NC
Vehicle:'13 ToyobaruFRZ-86 97 Miata M |
Well sumbitch.... I just installed Wireshark on a nearby computer, set the switch for a network monitoring port, and went back to look at Cacti.....
The traffic stopped 5 minutes ago when I was trying to set all this up. Fun |
02-28-2007, 11:59 AM | #8 |
Miss You Mom
Oct 1940 - Feb 2008 Super Moderator Member#: 809
Join Date: Jan 2000
Chapter/Region:
NESIC
Location: NH, Land Of Many Trees
Vehicle:2000 2.5 RS, '14 For 92 5MT SVX |
Typical. Same thing happened to one of our customers: he was flooding a full T1 with traffic from somewhere on his network. We prepared to start unplugging switch ports to narrow things down, and then the traffic suddenly died and never recurred. It's like mechanic's syndrome, only with network hardware.
Brian |
02-28-2007, 12:24 PM | #9 | |
Scooby Newbie
Member#: 2281
Join Date: Sep 2000
Chapter/Region:
MAIC
Location: Centreville, VA
Vehicle:2008 e90 M3 |
Quote:
I'm assuming this is an M series though. Best bet if it happens again would be to set up a firewall group to deny traffic if you can take a hit, or permit if you can't, for protocols TCP, ICMP, UDP, and turn logging on. After that, apply them one at a time and see which one stops the traffic. After that just check the logs with show firewall log interface x. |
|
02-28-2007, 12:30 PM | #10 |
Scooby Specialist
Member#: 10814
Join Date: Oct 2001
Chapter/Region:
South East
Location: Stanley, NC
Vehicle:'13 ToyobaruFRZ-86 97 Miata M |
|
02-28-2007, 01:20 PM | #11 |
Scooby Newbie
Member#: 2281
Join Date: Sep 2000
Chapter/Region:
MAIC
Location: Centreville, VA
Vehicle:2008 e90 M3 |
Heh, forgot about those. I work on the E, M, and T series, so not sure exactly how to apply my solution on the J series. It should be pretty universal though. It is how I used to track DoS attacks. Even if someone is spoofing the source IP you can still log what interface the traffic is coming in on, whether it is a Cisco or Juniper, and track it back once you've found what port and protocol it is using to the destination. Unless you are using MPLS, that is.
|
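A sketch of the permit-and-log variant described in posts #9 and #11, added here as an example and not posted by anyone in the thread. It uses one filter with a counter per protocol instead of applying separate filters one at a time; the filter name TRACE-PROTO, the counter names and the interface ge-0/0/0 are placeholders.

```junos
# Constructed example: TRACE-PROTO, trace-* and ge-0/0/0 are placeholder names.
# Each term matches one protocol, counts it, logs the packet header and
# accepts it, so forwarding is not interrupted while you investigate.
set firewall family inet filter TRACE-PROTO term tcp from protocol tcp
set firewall family inet filter TRACE-PROTO term tcp then count trace-tcp
set firewall family inet filter TRACE-PROTO term tcp then log
set firewall family inet filter TRACE-PROTO term tcp then accept

set firewall family inet filter TRACE-PROTO term udp from protocol udp
set firewall family inet filter TRACE-PROTO term udp then count trace-udp
set firewall family inet filter TRACE-PROTO term udp then log
set firewall family inet filter TRACE-PROTO term udp then accept

set firewall family inet filter TRACE-PROTO term icmp from protocol icmp
set firewall family inet filter TRACE-PROTO term icmp then count trace-icmp
set firewall family inet filter TRACE-PROTO term icmp then log
set firewall family inet filter TRACE-PROTO term icmp then accept

# A Junos filter ends in an implicit discard. Without this catch-all term,
# every protocol not matched above would be dropped on the interface.
set firewall family inet filter TRACE-PROTO term rest then count trace-other
set firewall family inet filter TRACE-PROTO term rest then accept

# Apply inbound on the interface carrying the unexplained traffic.
set interfaces ge-0/0/0 unit 0 family inet filter input TRACE-PROTO

# After commit, from operational mode:
#   show firewall filter TRACE-PROTO          per-protocol packet and byte counters
#   show firewall log interface ge-0/0/0.0    logged headers: interface, protocol, source, destination
```

The counter that climbs at the rate seen in the graphs identifies the protocol, and the log entries give the ingress interface and addresses to trace back from. Remove the filter once done, since the log action adds load on a busy interface.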