From: Lucas Rockwell (lr_at_socrates.berkeley.edu)
Date: Mon Aug 25 2003 - 12:49:59 PDT
Hi Eric,

It is possible that a machine on your network has been "hacked" or
"wormed" and is "flooding" the network with traffic, thereby "tying"
things up, or even making it impossible to do anything on the network.
We had this exact problem on the 200 subnet last week, and a simple
tcpdump from the OS X terminal pointed out the problem machine. The
machine had an ftp server running *and* the Sobig.f worm.

Since you mention that this happens during the day, and if you turn your
computers off at night, it might be a good indication that a machine
(most likely a Windows machine), has been "hacked" and is being used as
an ftp server, mail server, etc.

When traffic on the network seems to slow down or even stop, use tcpdump
if you have an OS X machine.

To use tcpdump from the OS X terminal do the following (note, you will
need admin rights and need to enter *your* password when asked for it):

% sudo tcpdump > dumpfile

(This is where you will be prompted for your password.)

Do this for about 15 seconds only, as this file can get very large very
quickly.

Then you can scroll through the file with your favorite pager (I use
less):

% less dumpfile

The spacebar forwards you through the file. Hit "q" to exit.

You will probably see one machine on the network that is getting massive
amounts of traffic. We did (~12,000 out of 15,000 lines were for one
computer (ip address)).

-lucas

On Mon, 25 Aug 2003, Eric Saxby wrote:
>
> Heya,
>
> is anyone else experiencing general network problems on campus? We've
> been having a lot of problems at one of our buildings, with lost
> connectivity for anywhere upwards of five minutes at a time occurring
> all throughout the day. The problem's only really surfaced during
> normal business hours, which brings me to my questions:
>
> Is this happening to anyone else?
> Does anyone know of anything going on in the area that could be causing
> something like this... ie is some section of the fiber network being
> worked on?
>
> Anyways, this is kind of a shot in the dark. I figured if it was
> something not directly tied to our building, someone on these lists
> would know about it.
>
> Thanks!
>
> Eric
>
> --
>
> Eric Saxby Berkeley Art Museum/Pacific Film Archive
> Computer Resource Specialist Digital Media Department
> esaxby_at_uclink.berkeley.edu 510-642-9623
This archive was generated by hypermail 2.1.5 : Mon Aug 25 2003 - 15:02:19 PDT
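
Added example (not part of the original message or thread): instead of paging through the dumpfile by eye, this shell function counts how many captured lines mention each host and lists the busiest first. The function names, the sample capture lines and the 192.0.2.x addresses are constructed for illustration; it assumes tcpdump's one-line-per-packet text output with a ">" between source and destination.

```shell
#!/bin/sh
# Usage: top_talkers dumpfile [N]   (N = how many hosts to list, default 5)

# Constructed sample capture: one host (192.0.2.77) dominates the traffic.
make_sample() {
    cat <<'EOF'
12:50:01.000101 IP 192.0.2.77.21 > 192.0.2.10.1034: tcp 1460
12:50:01.000202 IP 192.0.2.77.21 > 192.0.2.11.1035: tcp 1460
12:50:01.000303 IP 192.0.2.12.1036 > 192.0.2.77.21: tcp 0
12:50:01.000404 IP 192.0.2.77.25 > 192.0.2.13.1037: tcp 512
12:50:01.000505 arp who-has 192.0.2.1 tell 192.0.2.10
12:50:01.000606 IP 192.0.2.10.1040 > 192.0.2.20.80: tcp 0
EOF
}

# Print "lines percent host" for the N hosts seen on the most lines.
top_talkers() {
    file=$1
    limit=${2:-5}
    awk '
    # Reduce "host.port:" to "host"; a bare IPv4 address is left alone.
    function host(ep) {
        sub(/:$/, "", ep)
        if (ep !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/)
            sub(/\.[^.]*$/, "", ep)
        return ep
    }
    {
        total++
        # Endpoints sit on either side of the ">" field. Lines without
        # one (ARP, for example) count toward the total only.
        for (i = 2; i < NF; i++) {
            if ($i == ">") {
                src = host($(i - 1)); dst = host($(i + 1))
                seen[src]++
                if (dst != src) seen[dst]++
                break
            }
        }
    }
    END {
        for (h in seen)
            printf "%d %.0f%% %s\n", seen[h], 100 * seen[h] / total, h
    }' "$file" | sort -k1,1nr -k3,3 | head -n "$limit"
}
```

Capturing with tcpdump's -n option keeps addresses numeric, so the same host is not counted once by name and once by address.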