kevin.wilcox at gmail.com
Wed Jan 5 18:44:59 UTC 2011
On 5 January 2011 13:25, David Brodbeck <gull at gull.us> wrote:
> On Wed, Jan 5, 2011 at 8:15 AM, Kevin Wilcox <kevin.wilcox at gmail.com> wrote:
>> To really see what your machine is doing, consider taking a look at
>> the network flows. pfflowd, netflowd, ipaudit and a host of others can
>> get you flow data with mostly minimal overhead.
> Also, keep in mind that depending on how badly the machine has been
> compromised, you may not be able to trust the output of utilities
> running on the machine itself. You may have to resort to capturing
> its network traffic on another machine for analysis.
That's an excellent point. A span port from the upstream switch/router
would be ideal unless you've verified, through mechanisms external to
the machine (known good test media), the tools on that machine are