Logging TCP and UDP connections?


  • Logging TCP and UDP connections?

    I'm trying to work out which device on my network is initiating too many DNS queries and also triggering the intrusion detection system, which is managed by a 3rd party. I've already ruled out the email system (I thought the holiday spam waves were causing it), but traffic there looks normal.

    I figured I could use Microsoft Port Reporter, but since it's a 2003 SP2 Domain Controller with the DNS service enabled, the Port Reporter service doesn't want to launch. This is evidently a common issue, and Google hits support this observation.

    So what other mechanism would you use on a 2003 SP2 DC, ideally one that doesn't require an installation or a reboot? Or any ideas to solve this another way?

  • #2
    Re: Logging TCP and UDP connections?

    Can't you do it on your firewall and see what is causing the DNS queries?

    All you need to do is filter the traffic for port 53.



  • #3
    Re: Logging TCP and UDP connections?

    No, the firewall and router are managed by another group, so there's a lot of obstacles to jump through to get them to play.



  • #4
    Re: Logging TCP and UDP connections?

    The only other thing I can think of, then, is to install Microsoft Network Monitor and monitor for DNS traffic and trace it. That, however, requires an installation and possibly a reboot; it's been a while since I installed it.

    Can't the 3rd party that is telling you this tell you what IP is causing the IPS to trigger?

    Another thing to check out is DNS logging on the server, which could help pin down where the problem is.



  • #5
    Re: Logging TCP and UDP connections?

    The IDS people are "looking into it", so we'll see.

    I'll check the logging.



  • #6
    Re: Logging TCP and UDP connections?

    You'll need to turn it on, as it's not on by default.



  • #7
    Re: Logging TCP and UDP connections?

    Got it enabled and found WinTail to watch it in real time. The log isn't growing rapidly, so whatever it was, I'm guessing, stopped when the user shut down their PC for the day. Going to have to wait for the next spike of activity now.


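Once debug logging is on (#6) and the log is being watched (#7), the remaining question from the original post is which client is generating the queries. The script below is an added example for this thread, not code posted by any of the participants. It assumes the Windows Server 2003 DNS debug-log field layout (the "Message logging key" the server writes at the top of the log) and runs against a constructed sample embedded in the file. It counts inbound queries per client address, decodes the length-prefixed names into ordinary hostnames, and deliberately skips the server's own exchanges with its forwarder so that the forwarder is never reported as a noisy client.

```python
"""Rank clients by the number of queries they send to a Windows DNS server,
using the server's debug log. Added example; assumes the Windows Server 2003
DNS debug-log layout and ships with a constructed sample log."""
import re
import sys
from collections import Counter, defaultdict

# One packet per line. Field 10 is "R" for a response and blank for a query,
# so the (R)? group is optional. The flag-character field may be empty.
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+(?: [AP]M)?) (?P<tid>[0-9A-Fa-f]+) PACKET\s+(?P<pid>\S+) "
    r"(?P<proto>UDP|TCP) (?P<dir>Snd|Rcv) (?P<ip>\S+)\s+(?P<xid>[0-9A-Fa-f]+)\s+"
    r"(?P<qr>R)?\s*(?P<opcode>[QNU?]) \[(?P<flags>[0-9A-Fa-f]+)\s+(?P<fchars>[A-Z]*)\s+"
    r"(?P<rcode>\w+)\]\s+(?P<qtype>\S+)\s+(?P<qname>\S+)\s*$"
)

# Constructed sample (assumption: same field order as a real 2003 dns.log).
# 192.168.1.55 and 192.168.1.77 are clients; 10.1.1.1 is the server's forwarder.
SAMPLE_LOG = """\
DNS Server log file creation at 12/29/2008 8:00:00 AM
Log file wrap at 12/29/2008 8:00:00 AM

Message logging key:
\tField #  Information         Values
\t   8     Remote IP
\t  10     Query/Response      R = Response
\t                             blank = Query

12/29/2008 8:01:15 AM 0F84 PACKET  00B8C5A0 UDP Rcv 192.168.1.55    0002   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
12/29/2008 8:01:15 AM 0F84 PACKET  00B8C5A0 UDP Snd 192.168.1.55    0002 R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)
12/29/2008 8:01:16 AM 0F84 PACKET  00B8C5B8 UDP Rcv 192.168.1.77    a1b2   Q [0001   D   NOERROR] A      (4)mail(7)example(3)com(0)
12/29/2008 8:01:16 AM 0F84 PACKET  00B8C5B8 UDP Snd 10.1.1.1        c3d4   Q [0001   D   NOERROR] A      (4)mail(7)example(3)com(0)
12/29/2008 8:01:16 AM 0F84 PACKET  00B8C5B8 UDP Rcv 10.1.1.1        c3d4 R Q [8180   DR  NOERROR] A      (4)mail(7)example(3)com(0)
12/29/2008 8:01:17 AM 0F84 PACKET  00B8C5D0 UDP Rcv 192.168.1.77    a1b3   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
12/29/2008 8:01:17 AM 0F84 PACKET  00B8C5D0 UDP Rcv 192.168.1.77    a1b4   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
12/29/2008 8:01:18 AM 0F84 PACKET  00B8C5E8 UDP Rcv 192.168.1.77    a1b5   Q [0001   D   NOERROR] A      (6)update(7)example(3)com(0)
12/29/2008 8:01:18 AM 0F84 PACKET  00B8C5E8 UDP Rcv 192.168.1.77    a1b6   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
12/29/2008 8:01:19 AM 0F84 PACKET  00B8C600 UDP Rcv 192.168.1.77    a1b7   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
12/29/2008 8:01:20 AM 0F84 PACKET  00B8C618 TCP Rcv 192.168.1.55    0003   Q [0001   D   NOERROR] MX     (7)example(3)com(0)
12/29/2008 8:01:21 AM 0F84 PACKET  00B8C630 UDP Rcv 192.168.1.55    0004   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
"""


def decode_name(wire):
    """Turn '(3)www(7)example(3)com(0)' into 'www.example.com'; '(0)' is the root."""
    parts = []
    for length, text in re.findall(r"\((\d+)\)([^(]*)", wire):
        if int(length) != len(text):
            return wire  # not a length-prefixed name we understand; keep it raw
        if text:
            parts.append(text)
    return ".".join(parts) if parts else "."


def parse_line(line):
    """Return a dict for a packet line, or None for header/blank/key lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["is_response"] = rec.pop("qr") == "R"
    rec["qname"] = decode_name(rec["qname"])
    return rec


def summarize(log_text):
    """Count inbound queries per client and the names each client asked for."""
    by_client = Counter()
    names_by_client = defaultdict(Counter)
    parsed = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        parsed += 1
        # Only packets the server *received* that are *queries* come from clients.
        # "Snd" lines are our replies or our own recursive lookups; "Rcv" + "R"
        # lines are answers from forwarders/roots and must not be blamed on a client.
        if rec["dir"] != "Rcv" or rec["is_response"]:
            continue
        by_client[rec["ip"]] += 1
        names_by_client[rec["ip"]][rec["qname"]] += 1
    return {"parsed": parsed, "by_client": by_client, "names_by_client": names_by_client}


def top_talkers(log_text, n=5):
    """[(client_ip, query_count, [(qname, count), ...]), ...] sorted by count."""
    s = summarize(log_text)
    return [(ip, cnt, s["names_by_client"][ip].most_common(3))
            for ip, cnt in s["by_client"].most_common(n)]


def report(log_text, n=5):
    return "\n".join(
        f"{ip:<16}{cnt:>6} queries; top names: " + ", ".join(f"{q} x{c}" for q, c in names)
        for ip, cnt, names in top_talkers(log_text, n))


if __name__ == "__main__":
    # Usage: python dns_top_talkers.py <path to dns.log>; with no path, the sample runs.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            print(report(fh.read()))
    else:
        print(report(SAMPLE_LOG))
```

Run it against a copy of the log file named in the server's Debug Logging settings rather than the live file, since the server rewrites it in place and wraps it when it hits the configured size. Because every packet is written, keep the size limit modest and capture during a spike; the per-client name breakdown is what distinguishes a chatty but legitimate host (many different names) from one asking for the same name thousands of times.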

  • #8
    Re: Logging TCP and UDP connections?

    Remember Windows DNS has a large amount of monitoring capability itself.

    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **
