Old 02-28-2007, 10:37 AM   #1
chkltcow
Scooby Specialist
 
Member#: 10814
Join Date: Oct 2001
Chapter/Region: South East
Location: Stanley, NC
Vehicle:
'13 ToyobaruFRZ-86
97 Miata M

Attn: Juniper router gurus, quick question

Since yesterday around 2pm, there has been a sustained 100k of traffic between two of our routers. I can't trace it to any servers, and I'm wondering what the hell is causing it.



What's the best way to go about figuring this out? Netflows? Sniffing the port on the switch that the router is plugged into? Hitting the router with a hammer? Any other features on the router itself to monitor this and find out what addresses it's talking to?
chkltcow is offline   Reply With Quote
Old 02-28-2007, 10:44 AM   #2
BhamRoadrunner
Scooby Specialist
 
Member#: 87294
Join Date: May 2005
Chapter/Region: South East
Location: Wanna fight ab'at it?
Vehicle:
98 Silver
POS


Some sort of Debug maybe?


Sorry, I do Cisco
BhamRoadrunner is offline   Reply With Quote
Old 02-28-2007, 10:55 AM   #3
drrice
Scooby Specialist
 
Member#: 82595
Join Date: Mar 2005
Chapter/Region: MAIC
Location: 'Cookies'
Vehicle:
let me see ur feetz


buarahaha... i dunno but i hate work windows on junipers and their blades suck at fitting... +1 hammer option. isn't that info proprietary :O can you tell traffic from which blade then switch?
drrice is offline   Reply With Quote
Old 02-28-2007, 10:59 AM   #4
chkltcow
Scooby Specialist
 
Member#: 10814
Join Date: Oct 2001
Chapter/Region: South East
Location: Stanley, NC
Vehicle:
'13 ToyobaruFRZ-86
97 Miata M


Been waiting for a while to find a reason to use this, and my time has come....

What you've just said is one of the most insanely idiotic things I have ever heard. At no point in your rambling, incoherent response were you even close to anything that could be considered a rational thought. Everyone in this room is now dumber for having listened to it. I award you no points, and may God have mercy on your soul.
chkltcow is offline   Reply With Quote
Old 02-28-2007, 11:02 AM   #5
BhamRoadrunner
Scooby Specialist
 
Member#: 87294
Join Date: May 2005
Chapter/Region: South East
Location: Wanna fight ab'at it?
Vehicle:
98 Silver
POS


Quote:
Originally Posted by drrice View Post
buarahaha... i dunno but i hate work windows on junipers and their blades suck at fitting... +1 hammer option. isn't that info proprietary :O can you tell traffic from which blade then switch?
BhamRoadrunner is offline   Reply With Quote
Old 02-28-2007, 11:34 AM   #6
North Ursalia
Miss You Mom
Oct 1940 - Feb 2008

Super Moderator
 
Member#: 809
Join Date: Jan 2000
Chapter/Region: NESIC
Location: NH, Land Of Many Trees
Vehicle:
2000 2.5 RS, '14 For
92 5MT SVX


I don't think there is anything native to the Juniper that will help you out.

Having a packet sniffer would be optimal, however some basic troubleshooting can help narrow things down for you. I know nothing about the topology you are working with, but let's say that router is connected to a switch. Start unplugging or shutting down switch ports one at a time and see what effect it has on the traffic. If you can narrow it down to one port, you usually only have a few (or one) device that could be causing the traffic. Benefit one is that you stop whatever traffic is being sent - being that you don't know what it is, this can only be a good thing. Benefit two is once you narrow it down to one or a few devices, you can take a hard look at what that/those device(s) are doing. Substitute actual topology for my hypothetical scenario (or post here what you have going on physically).

Is the facility 24/7? That traffic is outbound, and at decidedly non-normal business hours.


Brian

North Ursalia is offline   Reply With Quote
Old 02-28-2007, 11:53 AM   #7
chkltcow
Scooby Specialist
 
Member#: 10814
Join Date: Oct 2001
Chapter/Region: South East
Location: Stanley, NC
Vehicle:
'13 ToyobaruFRZ-86
97 Miata M


Well sumbitch.... I just installed Wireshark on a nearby computer, set the switch for a network monitoring port, and went back to look at Cacti.....


The traffic stopped 5 minutes ago when I was trying to set all this up.

Fun
chkltcow is offline   Reply With Quote
Old 02-28-2007, 11:59 AM   #8
North Ursalia
Miss You Mom
Oct 1940 - Feb 2008

Super Moderator
 
Member#: 809
Join Date: Jan 2000
Chapter/Region: NESIC
Location: NH, Land Of Many Trees
Vehicle:
2000 2.5 RS, '14 For
92 5MT SVX


Typical. Same thing happened to one of our customers - he was flooding a full T1 with traffic from somewhere on his network. We prepared to start unplugging switch ports to narrow things down, and then the traffic suddenly died and never recurred. It's like mechanic's syndrome, only with network hardware.


Brian

North Ursalia is offline   Reply With Quote
Old 02-28-2007, 12:24 PM   #9
closure
Scooby Newbie
 
Member#: 2281
Join Date: Sep 2000
Chapter/Region: MAIC
Location: Centreville, VA
Vehicle:
2008 e90 M3


Quote:
Originally Posted by North Ursalia View Post
I don't think there is anything native to the Juniper that will help you out.
Actually, on their E series routers you can enable J-flow.

I'm assuming this is an M series though. Best bet if it happens again would be to set up a firewall group to deny traffic if you can take a hit or permit if you can't for protocols, TCP, ICMP, UDP, and turn logging on. After that, apply them one at a time and see which one stops the traffic. After that just check the logs with show firewall log interface x.
closure is offline   Reply With Quote
Old 02-28-2007, 12:30 PM   #10
chkltcow
Scooby Specialist
 
Member#: 10814
Join Date: Oct 2001
Chapter/Region: South East
Location: Stanley, NC
Vehicle:
'13 ToyobaruFRZ-86
97 Miata M


Quote:
Originally Posted by closure View Post

I'm assuming this is an M series though.
J2300... for a measly T1 connection to an MPLS network, the J series did the job for a LOT less money than the M series.
chkltcow is offline   Reply With Quote
Old 02-28-2007, 01:20 PM   #11
closure
Scooby Newbie
 
Member#: 2281
Join Date: Sep 2000
Chapter/Region: MAIC
Location: Centreville, VA
Vehicle:
2008 e90 M3


Heh, forgot about those. I work on the E, M, and T series. So not sure exactly how to apply my solution on the J series. It should be pretty universal though. It is how I used to track DOS attacks. Even if someone is spoofing the source IP you can still log what interface the traffic is coming in on, whether it is a Cisco or Juniper, and track it back once you've found what port and protocol it is using to the destination. Unless you are using MPLS that is.
closure is offline   Reply With Quote
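
An added example (not code from the thread or from Juniper) of reading the firewall log the way posts #9 and #11 describe: logged packets are grouped by ingress interface, protocol and destination rather than by source address, because the source may be spoofed. The log rows are constructed in the column layout that show firewall log prints; the interface names and addresses are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the column layout Junos prints for `show firewall log`
# (Time, Filter, Action, Interface, Protocol, Src Addr, Dest Addr).
# Interfaces and addresses are made up for illustration.
SAMPLE_LOG = """\
Log :
Time      Filter    Action Interface     Protocol  Src Addr         Dest Addr
11:41:02  pfe       A      t1-0/0/2.0    UDP       10.20.1.15       10.30.4.9
11:41:02  pfe       A      fe-0/0/0.0    TCP       10.20.1.40       10.30.4.22
11:41:03  pfe       A      t1-0/0/2.0    UDP       172.16.9.77      10.30.4.9
11:41:03  pfe       A      t1-0/0/2.0    UDP       192.0.2.201      10.30.4.9
11:41:04  pfe       A      fe-0/0/0.0    ICMP      10.20.1.40       10.30.4.1
11:41:04  pfe       A      t1-0/0/2.0    UDP       198.51.100.3     10.30.4.9
"""

# One log row: time, filter name, action (Accept/Discard/Reject), then the
# ingress interface, protocol, source and destination.
ROW = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<filter>\S+)\s+(?P<action>[ADR])\s+"
    r"(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s*$"
)

def parse_log(text):
    """Return one dict per log row; header and unparseable lines are skipped."""
    return [m.groupdict() for m in map(ROW.match, text.splitlines()) if m]

def summarize(rows):
    """Group by (ingress interface, protocol, destination), ignoring source.

    Source addresses may be spoofed, so they are only collected per group
    to show how many distinct ones appeared.
    """
    hits = Counter()
    sources = {}
    for r in rows:
        key = (r["iface"], r["proto"], r["dst"])
        hits[key] += 1
        sources.setdefault(key, set()).add(r["src"])
    return [(key, n, len(sources[key])) for key, n in hits.most_common()]

if __name__ == "__main__":
    for (iface, proto, dst), n, nsrc in summarize(parse_log(SAMPLE_LOG)):
        print(f"{iface:<12} {proto:<5} -> {dst:<12} {n} entries, {nsrc} source(s)")
```

In the constructed sample, four different source addresses collapse into a single UDP flow arriving on one interface, which is the interface to trace back from.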