" to receive such reports. E-mail sent
to other accounts is likely to be ignored.)
The information you should be ready to send to the ISP is:
- attack-list.csv
  This file lists the time and date of each attack and contains
  the parameters of the attack.
- evd1999xxyy-01.enc
  This is a "sniffer" tracefile that contains part of the
  traffic from the attack. The ".enc" file holds the actual
  network traffic that was part of the attack. It is not
  readable by normal programs; it must instead be decoded by a
  standard sniffing program of the kind network technicians use
  to analyze network traffic. From it an analyst can sometimes
  find out more about the attack. The file name is the date the
  file was captured on: for example, evd19991231-01.enc is a file
  captured on 1999-12-31, or December 31, 1999. The final two
  digits are not significant.
- host/www_xxx_yyy_zzz.txt
  This file contains a log of the backtrace information and may
  contain such items as user names and machine names.
Packet Log
If you are under persistent attack, consider turning on the
"PacketLog" feature. This feature will log all of
your network traffic, not just the suspicious bits.
If you are considering legal prosecution, you will
probably need to make use of this feature. However,
be aware that this will also log all of your own traffic,
allowing anybody to whom you send the file to read
all of what you have done as well (example: when you log on
to read e-mail, your e-mail server password will be visible
in the packet log).
These files are stored in a standard "sniffer tracefile" format.
They can only be analyzed by the programs that network
technicians use to analyze network traffic. Your ISP and
network consultants are likely to have these programs,
but they are expensive and hard to find on the net.
We've tested the files with the following products, though
there are many others that can analyze them.
- Microsoft Network Monitor
  This is not available as a stand-alone product, but instead
  comes with Windows NT Server and SMS. It only runs on Windows NT.
  A sample of the output of this program is shown below.
- Sniffer Network Analyzer
  An older version runs on DOS; the latest version runs on Windows NT.
- NetXRay for Windows
  The free demo version (which runs on Win9x and WinNT) can
  analyze the first 5 frames in the file. See article
  q000057 for more information.
More information on
this file and what to do with it can be found at
sniffing-faq.html
To turn on "PacketLog", open the configuration screen, select the "Packet Log"
tab, click the enable button, then configure the size of files you want to generate.
Network packets are logged in a "round-robin" format, so that after the last
file is written, it will begin overwriting the first file. An example
is shown below.
In the above example, 10 files have been specified at 1.4 megabytes
each. Thus the packet log will never exceed 14 megabytes, because
as soon as it fills up it wraps around to the beginning again.
A file size of 1.4 megabytes is a good choice because it fits
onto a single floppy. Packet logs are usually very compressible, so the
entire set of files can be zipped up into a single archive file
for sending over the Internet.
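The round-robin behaviour described above, together with the earlier warning that your own e-mail password ends up in the packet log, as an added example in Python. This is not code from the original article or from the Network ICE product: it is a small ring-of-files logger that uses the article's defaults of 10 files at 1.4 megabytes, plus a scan that flags cleartext POP3/FTP logins and HTTP Basic headers so you can review the files before handing them to anyone. The file names, the record layout, the pattern list and the constructed sample traffic are all assumptions; the product's real tracefile format is not reproduced.

```python
import os
import re
import tempfile

# Defaults mirror the article's example: 10 files of 1.4 MB (floppy-sized).
DEFAULT_FILES = 10
DEFAULT_MAX_BYTES = 1_400_000


class RoundRobinLog:
    """Append records to a fixed ring of files; wrap to slot 0 after the last slot.

    A record is written whole. If it does not fit in the current file the
    writer advances to the next slot and truncates it, discarding whatever
    that slot held before. Total disk use therefore never exceeds
    files * max_bytes, which is the property the article describes.
    """

    def __init__(self, directory, files=DEFAULT_FILES, max_bytes=DEFAULT_MAX_BYTES):
        self.directory = directory
        self.files = files
        self.max_bytes = max_bytes
        self.index = 0   # slot currently being written
        self.wraps = 0   # how many times we have gone back to slot 0
        os.makedirs(directory, exist_ok=True)
        open(self.path(0), "wb").close()  # start with an empty slot 0

    def path(self, i):
        # Hypothetical naming scheme; the product's own names are not known here.
        return os.path.join(self.directory, f"packetlog-{i:02d}.log")

    def write(self, record: bytes):
        if len(record) > self.max_bytes:
            raise ValueError("record larger than one log file")
        current = os.path.getsize(self.path(self.index))
        if current + len(record) > self.max_bytes:
            self.index = (self.index + 1) % self.files
            if self.index == 0:
                self.wraps += 1
            open(self.path(self.index), "wb").close()  # truncate: old data is gone
        with open(self.path(self.index), "ab") as f:
            f.write(record)

    def total_size(self):
        return sum(os.path.getsize(self.path(i))
                   for i in range(self.files) if os.path.exists(self.path(i)))


# Heuristic patterns for credentials that travel in the clear (assumed list).
CREDENTIAL_PATTERNS = [
    ("POP3/FTP password", re.compile(rb"PASS [^\r\n]+")),
    ("POP3/FTP user", re.compile(rb"USER [^\r\n]+")),
    ("HTTP basic auth", re.compile(rb"Authorization: Basic [A-Za-z0-9+/=]+")),
]


def find_cleartext_credentials(log):
    """Return (slot, label, matched_text) for anything that looks like a credential."""
    hits = []
    for i in range(log.files):
        p = log.path(i)
        if not os.path.exists(p):
            continue
        with open(p, "rb") as f:
            data = f.read()
        for label, pat in CREDENTIAL_PATTERNS:
            for m in pat.finditer(data):
                hits.append((i, label, m.group(0).decode(errors="replace")))
    return hits


def demo(files=3, max_bytes=64):
    """Constructed traffic: filler that forces several wraps, then a POP3 login.

    Small sizes are used so the wrap-around is visible; the logic is the same
    for the article's 10 x 1.4 MB configuration.
    """
    directory = tempfile.mkdtemp(prefix="packetlog-")
    log = RoundRobinLog(directory, files=files, max_bytes=max_bytes)
    for _ in range(20):
        log.write(b"X" * 40)            # constructed filler records
    log.write(b"USER alice\r\n")        # constructed POP3 login, 12 bytes
    log.write(b"PASS hunter2\r\n")      # constructed POP3 password, 14 bytes
    return log, find_cleartext_credentials(log)


if __name__ == "__main__":
    log, hits = demo()
    print(f"slot={log.index} wraps={log.wraps} total={log.total_size()} bytes")
    for slot, label, text in hits:
        print(f"review before sending: slot {slot}: {label}: {text!r}")
```

Run as a script it shows the ring wrapping six times at these toy sizes and then flags the USER and PASS lines; anything it reports should be redacted, or the affected file dropped, before the archive leaves your machine.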
Network ICE is always interested in seeing real-world traffic examples.
We encourage customers to send us copies of large packet logs. These
will be stored on an encrypted server, and run through our product
every release as part of our quality assurance test.
The following is an example of using Microsoft's Network Monitor
to view a tracefile generated by the Packet Logging feature.