If you know the byte count, how do you find the type of software attacking?

Discussion in 'Cisco' started by William J King, Dec 17, 2003.

  1. If you know from Show IP Accounting the packet size and byte count
    as follows:

    Source Destination Packets Bytes
    162.xx.x.x 132.x.x.x 56 2688
    162.xx.x.x 132.x.x.x 56 2688
    etc etc etc etc etc....................

    How can I find the software name doing the attack?

    Have tried Symantec, Network Associates and Google URLs with the byte count,
    nothing useful.


    suggestions appreciated.
    Wm j king


    William J King, Dec 17, 2003
    #1

  2. :If you know from Show IP Accounting the packet size and byte count
    :as follows:

    : Source Destination Packets Bytes
    : 162.xx.x.x 132.x.x.x 56 2688
    : 162.xx.x.x 132.x.x.x 56 2688
    : etc etc etc etc etc....................

    : How can I find the software name doing the attack?

    You can't.

    2688 bytes / 56 packets = 48 bytes per packet average. If that is
    the entire packet length, then the packets are too short to be
    valid packets and should have been discarded long before getting to
    you. Thus, there must be some overhead associated that is not being
    counted, or else the counters are wrong. It can't be just the
    layer 2 information -- that is 12 bytes per packet, which would
    only raise the total to 60 bytes when the minimum for ethernet is
    64 bytes. It -could- be the IP payload size; you will need to
    investigate, add back in the overheads, and -then- you might be able
    to figure out what the packets are.

    My guess: Nachi. Or perhaps port 135 scans via msblast.
     
    Walter Roberson, Dec 17, 2003
    #2
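
The per-packet arithmetic in the reply above can be run over a whole accounting table to pick out sources that send identical small packets to many destinations. This is an added example, not code from either poster; the sample rows use constructed documentation addresses, and the thresholds `min_dsts` and `max_avg` are assumptions to tune for your own network.

```python
import re
from collections import defaultdict

# Constructed sample in the column layout quoted in the thread
# (Source, Destination, Packets, Bytes). Addresses are documentation ranges.
SAMPLE = """\
   Source           Destination              Packets               Bytes
 192.0.2.10       198.51.100.1                    56                2688
 192.0.2.10       198.51.100.2                    56                2688
 192.0.2.10       198.51.100.3                    56                2688
 192.0.2.10       198.51.100.4                    56                2688
 192.0.2.77       198.51.100.9                   120              150000
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
ROW = re.compile(rf"^\s*{IP}\s+{IP}\s+(\d+)\s+(\d+)\s*$")

def parse_accounting(text):
    """Return (src, dst, packets, bytes) tuples; header and junk lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m and int(m.group(3)) > 0:  # ignore zero-packet rows (no average)
            rows.append((m.group(1), m.group(2), int(m.group(3)), int(m.group(4))))
    return rows

def summarize(rows):
    """Per source: distinct destinations and the set of average packet sizes seen."""
    per_src = defaultdict(lambda: {"dsts": set(), "sizes": set()})
    for src, dst, pkts, byts in rows:
        per_src[src]["dsts"].add(dst)
        per_src[src]["sizes"].add(byts / pkts)  # e.g. 2688 / 56 = 48.0
    return per_src

def suspicious_sources(rows, min_dsts=3, max_avg=64):
    """Flag sources that hit >= min_dsts destinations with one uniform small size.

    Thresholds are assumptions. The byte counter's meaning (with or without
    lower-layer overhead) must be confirmed before reading too much into sizes.
    """
    out = []
    for src, s in summarize(rows).items():
        uniform = len(s["sizes"]) == 1
        if len(s["dsts"]) >= min_dsts and uniform and max(s["sizes"]) <= max_avg:
            out.append((src, len(s["dsts"]), max(s["sizes"])))
    return sorted(out)

if __name__ == "__main__":
    for src, ndst, avg in suspicious_sources(parse_accounting(SAMPLE)):
        print(f"{src}: {ndst} destinations, {avg:.0f} bytes/packet")
```

A flagged source only tells you which host to capture traffic from; identifying the protocol and port still needs the packet headers, which the accounting table does not record.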