linux
Talyan, 2019-11-12 22:54:16

How would you recommend parsing tcpdump?

In VLANs with PPPoE, because of old switches that have no ACLs (or where the ACL is stupidly not applied), completely unrelated packets slip through. There are few of them. Very few, but I don't like them. Especially after today's storm.
I have a few questions for those who work closely with this.
1) What types of Ethernet frames can be allowed on the access switch port for PPPoE users, besides 0x8663 and 0x8664? Do they need ARP? For some reason I doubt it, but it seems they need ARP requests to find the PPPoE concentrator.
2) Is there a ready-made tool to find and catch all kinds of junk in a VLAN? For example: searching tcpdump output for identical MACs.
Right now, to find where and from which MAC the storm is coming, I open tcpdump in the VLAN in question and start vigilantly peering into the dump, looking for identical MACs by eye, sometimes (if something looks suspicious) using grep.
Is anyone here from a provider? I'd like to hear your advice.
In general, catching a misbehaving MAC by hand takes me 10 minutes, but it's not pretty.
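One way to do the "identical MACs" search mechanically instead of by eye, as an added example that is not part of the original question or any answer: a small parser for `tcpdump -e -nn` output that counts frames per source MAC and flags frames whose ethertype is not PPPoE Discovery/Session (0x8863/0x8864, the only ethertypes assumed legitimate on a PPPoE-only access VLAN; 802.1Q tags are unwrapped so the inner ethertype is reported). The sample dump is constructed, not captured.

```python
import re
from collections import Counter

# Assumed legitimate ethertypes on a PPPoE-only access VLAN (PPPoE Discovery and Session).
PPPOE_ETHERTYPES = {"0x8863", "0x8864"}

# Header that `tcpdump -e -nn` prints on Ethernet: "<ts> <src> > <dst>, ethertype NAME (0xNNNN), ..."
FRAME_RE = re.compile(
    r"^\S+ (?P<src>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) > (?:[0-9a-f]{2}:){5}[0-9a-f]{2}, "
    r"(?P<rest>ethertype .*)$"
)
ETHERTYPE_RE = re.compile(r"ethertype [^(]*\((0x[0-9a-f]{4})\)")

def parse_frame(line):
    """Return (src_mac, ethertype) for one tcpdump -e line, or None for a non-frame line.
    A VLAN tag (0x8100) is skipped so the encapsulated ethertype is what gets reported."""
    m = FRAME_RE.match(line.strip())
    if not m:
        return None
    etypes = [e for e in ETHERTYPE_RE.findall(m.group("rest")) if e != "0x8100"]
    return m.group("src"), (etypes[0] if etypes else "unknown")

def summarize(lines, allowed=PPPOE_ETHERTYPES):
    """Count frames per source MAC and tally (mac, ethertype) pairs outside the allowed set."""
    per_mac, stray = Counter(), Counter()
    for line in lines:
        parsed = parse_frame(line)
        if parsed is None:
            continue
        mac, etype = parsed
        per_mac[mac] += 1
        if etype not in allowed:
            stray[(mac, etype)] += 1
    return per_mac, stray

# Constructed sample: one well-behaved PPPoE client and one host spewing ARP and tagged IPv4.
SAMPLE_DUMP = """\
10:00:00.000001 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype PPPoE D (0x8863), length 60: PPPoE PADI
10:00:00.000002 00:11:22:33:44:55 > aa:bb:cc:dd:ee:01, ethertype PPPoE S (0x8864), length 64: PPPoE [ses 0x1] IP
10:00:00.000003 de:ad:be:ef:00:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.168.1.1 tell 192.168.1.7
10:00:00.000004 de:ad:be:ef:00:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.168.1.1 tell 192.168.1.7
10:00:00.000005 de:ad:be:ef:00:01 > 01:00:5e:00:00:fb, ethertype 802.1Q (0x8100), length 64: vlan 7, p 0, ethertype IPv4 (0x0800), 192.168.1.7 > 224.0.0.251
10:00:00.000006 de:ad:be:ef:00:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.168.1.1 tell 192.168.1.7
"""

if __name__ == "__main__":
    import sys
    source = SAMPLE_DUMP.splitlines() if sys.stdin.isatty() else sys.stdin
    per_mac, stray = summarize(source)
    for mac, n in per_mac.most_common(10):
        print(f"{n:8d}  {mac}")
    for (mac, etype), n in stray.most_common():
        print(f"non-PPPoE: {mac} ethertype {etype} x{n}")
```

Pipe a live capture in with `tcpdump -i eth0 -e -nn -l | python3 thisfile.py`; the top of the first list is the loudest MAC, and the second list is the "junk" that should not be on the VLAN at all.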


3 answer(s)
jcmvbkbc, 2019-11-13
@flapflapjack

is there a ready-made tool to find and catch all kinds of junk

iptraf has a LAN station monitor mode; it shows how many packets/bytes come from and go to each station, and the list can be sorted.
Have you read the RFC for the protocol? What did you understand from it?
Hint: ARP maps a MAC to an IP. And PPPoE is never IP.

Ronald McDonald, 2019-11-12
@Zoominger

Feed it to Wireshark.

Valentin, 2019-11-13
@vvpoloskin

There are providers here, but I have never seen ARP filtering. A whole bunch of techniques have been invented against storms:
1) storm control
2) a separate VLAN for each port
3) limiting the number of MACs on the port
4) loopdetect
5) port isolation
etc.
