Peter Jeremy PeterJeremy at
Thu Dec 16 01:14:02 PST 2004

On Wed, 2004-Dec-15 18:55:20 -0500, John Von Essen wrote:
>Whatever this thing is, its tricky. It only runs a few times a day, so it
>is tough to find the culprit source with ethereal unless I run ethereal
>all day. In packet capture mode.

Depending on how much disk space you have spare on your firewall and
how much ssh traffic you get normally, running "tcpdump -w ... port 22"
for a day or so may be feasible.  You can add the target boxes address
to the filter and you won't get anything except the culprit address.
(Of course, permanently running tcpdump may or may not be practical for
other reasons).

Peter Jeremy

More information about the freebsd-hackers mailing list