08-30-2005, 11:00 AM #1 Zorlak

Need help isolating network traffic.

Okay, so to start, I work for a small business and belong to the IT staff. Recently I got an email from Qwest (our ISP) saying that they have detected port scans coming off of our network. They gave me the times in which the scans have been occurring and told me that the scans are searching for common malware ports. They also were nice enough to inform me that this violates the Qwest Business terms of use policy and must stop asap or we're liable to lose our service.

In conclusion, the times in which the scans are taking place are after office hours, at the same time every day. This leads me to believe we have an infected machine (infected with malware) that is running a port scan and trying to spread. I need to isolate this activity somehow. I have tried well over 15 network monitoring tools, but none of them seem to have the simple feature of showing me all the computers on the LAN and which one is using excessive bandwidth. I simply need a tool that can do those basic tasks, I think, unless anyone else has a simple solution? Can anyone point me to a tool that can do that? If so, that would be most helpful! Thank you so very much in advance.

Any other suggestions are also welcome.
08-30-2005, 11:56 AM #2 office politics

www.ethereal.com

You'll need to place a hub before your gateway and set Ethereal to passive mode. This will allow you to sniff all your traffic.

08-30-2005, 01:15 PM #3 Law

May I ask what brand of router your company uses?

08-30-2005, 02:01 PM #4 Zorlak

LoL, I have lots of experience with Ethereal, but that is mostly just sniffing out clear text passwords... I didn't know it could tell you where the bandwidth intensive machines are? Where in Ethereal might I be able to view this information?

In response to the second question, we're using a Cisco router. I don't really want to start throwing out model numbers and such though, as that leads to easy exploits.
08-30-2005, 03:35 PM #5 Law
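The per-host tally that the hub-and-sniffer approach above is meant to give you, as an added example that is not part of this thread and not Ethereal's own code: a minimal reader for the libpcap file format Ethereal saves (little-endian magic, Ethernet link type, IPv4/TCP frames are assumed), which sums bytes and packets per source address and also counts distinct destinations per source. The capture bytes are constructed inline; the hosts 192.168.1.55, 192.168.1.10 and the 10.20.30.0/24 targets are made-up sample values. The point it shows that the posts do not: a malware port sweep sends tiny SYN packets, so the infected host is often not the top bandwidth consumer at all, but it is the host talking to the most distinct addresses.

```python
import socket
import struct
from collections import defaultdict

LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
PCAP_MAGIC = 0xA1B2C3D4  # little-endian libpcap file, microsecond timestamps


def pcap_global_header():
    """24-byte libpcap file header for an Ethernet capture."""
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)


def tcp_record(src_ip, dst_ip, sport, dport, ts_sec, payload=b""):
    """One pcap record holding an Ethernet/IPv4/TCP frame (constructed test data, checksums left 0)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0)  # SYN, 20-byte header
    ip_total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total, 1, 0, 64, IPPROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = bytes.fromhex("0011223344550066778899aa") + struct.pack("!H", ETHERTYPE_IPV4)
    frame = eth + ip + tcp + payload
    return struct.pack("<IIII", ts_sec, 0, len(frame), len(frame)) + frame


def tally_pcap(data):
    """Walk a pcap file and aggregate per source IP: bytes, packets, distinct dst hosts and TCP ports."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("only little-endian microsecond pcap files are handled here")
    linktype, = struct.unpack_from("<I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    stats = defaultdict(lambda: {"bytes": 0, "packets": 0, "dst_hosts": set(), "dst_ports": set()})
    off = 24
    while off + 16 <= len(data):
        _ts_sec, _ts_usec, incl_len, orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        if len(frame) < 34:  # Ethernet (14) + minimal IPv4 (20)
            continue
        ethertype, = struct.unpack_from("!H", frame, 12)
        if ethertype != ETHERTYPE_IPV4:
            continue
        ihl = (frame[14] & 0x0F) * 4           # IPv4 header length in bytes
        proto = frame[14 + 9]
        src = socket.inet_ntoa(frame[26:30])   # IPv4 source at Ethernet+12
        dst = socket.inet_ntoa(frame[30:34])   # IPv4 destination at Ethernet+16
        s = stats[src]
        s["bytes"] += orig_len                 # on-the-wire size, even if the capture was truncated
        s["packets"] += 1
        s["dst_hosts"].add(dst)
        if proto == IPPROTO_TCP and len(frame) >= 14 + ihl + 4:
            dport, = struct.unpack_from("!H", frame, 14 + ihl + 2)
            s["dst_ports"].add(dport)
    return dict(stats)


def top_talkers(stats, n=3):
    """Hosts ordered by bytes sent: what a bandwidth view shows."""
    return sorted(stats, key=lambda ip: (-stats[ip]["bytes"], ip))[:n]


def widest_fan_out(stats, n=3):
    """Hosts ordered by number of distinct destinations: what a sweep looks like."""
    return sorted(stats, key=lambda ip: (-len(stats[ip]["dst_hosts"]), ip))[:n]


# Constructed capture: one host sweeps 20 addresses on TCP 135 with bare SYNs,
# another host pushes five 1400-byte segments to a single file server on TCP 445.
SAMPLE_PCAP = pcap_global_header() + b"".join(
    [tcp_record("192.168.1.55", f"10.20.30.{i}", 3000 + i, 135, 1125370800 + i) for i in range(1, 21)]
    + [tcp_record("192.168.1.10", "192.168.1.20", 49152, 445, 1125370900 + i, b"\x00" * 1400)
       for i in range(5)]
)

if __name__ == "__main__":
    stats = tally_pcap(SAMPLE_PCAP)
    for ip, s in sorted(stats.items()):
        print(f"{ip:15} {s['bytes']:7d} bytes {s['packets']:4d} pkts "
              f"{len(s['dst_hosts']):3d} hosts ports={sorted(s['dst_ports'])}")
    print("top talkers:", top_talkers(stats))
    print("widest fan-out:", widest_fan_out(stats))
```

Run against a real capture by replacing SAMPLE_PCAP with the bytes of a saved file; the bandwidth ranking will point at file servers and backup jobs, while the fan-out ranking is the one that surfaces a sweeping host.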

Well, I am familiar with Cisco IOS; with the latest version you can create access-lists and access-list logging. With the "log-input" command at the end of every access-list entry you can log where each packet matches the suspect traffic. If you wanted to find that specific host you would create an extended access-list that would deny a specific port and add the "log-input" or "log" command (the "log" command may be used for earlier versions but does the same function). This way, once the packet reaches that interface the access-list will log the access-list number, whether it was denied, the source address and how many packets were sent.

Check this link out; hope it'll give you some clue.

http://www.cisco.com/warp/public/707/22.html
08-30-2005, 04:31 PM #6 Zorlak
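What to do with those log lines once the router is sending them to a syslog host, as an added example that is not part of this thread and not Cisco's own tooling: a small parser for the IOS `%SEC-6-IPACCESSLOGP` message that an access-list entry ending in `log` or `log-input` produces, aggregating denied entries per source address. The sample lines, the access-list number 101 and the addresses are constructed, and the interface and MAC group in the regex is my reading of the `log-input` format; the script flags any source that hit many distinct destinations, which is the signature of the after-hours sweep the ISP reported, and reports the interface and MAC address when `log-input` was used so the host can be traced to a switch port.

```python
import re
from collections import defaultdict

# Cisco IOS %SEC-6-IPACCESSLOGP message. The "(interface mac)" group only appears when
# the access-list entry used "log-input" rather than "log"; that group is what lets you
# tie the source address to a physical host instead of just an IP.
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\) "
    r"(?:\((?P<iface>\S+) (?P<mac>[0-9a-fA-F.]+)\) )?"
    r"-> (?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


def parse_acl_log(line):
    """Return the fields of one ACL log line as a dict, or None for any other syslog line."""
    m = ACL_LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec


def summarize_denied(lines):
    """Per source address: denied packet count, distinct targets, distinct ports, interface/MAC."""
    stats = defaultdict(lambda: {"packets": 0, "dst_hosts": set(), "dst_ports": set(),
                                 "iface": None, "mac": None})
    for line in lines:
        rec = parse_acl_log(line)
        if rec is None or rec["action"] != "denied":
            continue
        s = stats[rec["src"]]
        s["packets"] += rec["count"]          # IOS may summarise several packets in one line
        s["dst_hosts"].add(rec["dst"])
        s["dst_ports"].add(rec["dport"])
        if rec["mac"] is not None:            # only present for entries logged with log-input
            s["iface"], s["mac"] = rec["iface"], rec["mac"]
    return dict(stats)


def suspected_scanners(stats, min_targets=10):
    """Sources that were denied to at least min_targets distinct hosts, widest sweep first."""
    hits = [src for src, s in stats.items() if len(s["dst_hosts"]) >= min_targets]
    return sorted(hits, key=lambda src: (-len(stats[src]["dst_hosts"]), src))


# Constructed syslog lines: one host sweeps twelve addresses on TCP 135 (logged with
# log-input), probes one more on TCP 445 (logged with plain "log"), plus unrelated noise.
SCANNER = "192.168.1.55"
SAMPLE_LOG = [
    f"Aug 30 02:{i:02d}:13 gw 1234{i}: %SEC-6-IPACCESSLOGP: list 101 denied tcp "
    f"{SCANNER}(3{i:03d}) (FastEthernet0/0 0011.2233.4455) -> 10.20.30.{i + 1}(135), 1 packet"
    for i in range(12)
]
SAMPLE_LOG += [
    f"Aug 30 02:15:01 gw 12356: %SEC-6-IPACCESSLOGP: list 101 denied tcp "
    f"{SCANNER}(3100) -> 10.20.30.40(445), 3 packets",
    "Aug 30 02:16:20 gw 12357: %SEC-6-IPACCESSLOGP: list 101 permitted tcp "
    "192.168.1.10(51234) (FastEthernet0/0 00aa.bbcc.ddee) -> 203.0.113.8(80), 1 packet",
    "Aug 30 02:17:45 gw 12358: %SEC-6-IPACCESSLOGP: list 101 denied tcp "
    "192.168.1.77(40000) (FastEthernet0/0 00de.adbe.ef00) -> 10.20.30.5(135), 1 packet",
    "Aug 30 02:18:00 gw 12359: %SYS-5-CONFIG_I: Configured from console by admin on vty0",
]

if __name__ == "__main__":
    stats = summarize_denied(SAMPLE_LOG)
    for src in suspected_scanners(stats):
        s = stats[src]
        print(f"{src}: {s['packets']} denied packets to {len(s['dst_hosts'])} hosts "
              f"on ports {sorted(s['dst_ports'])}; seen on {s['iface']} as {s['mac']}")
```

Feed it the syslog file the router writes to (for example `summarize_denied(open("/var/log/router.log"))`); the threshold of ten distinct targets is a starting point, and a single host hitting one port across many addresses is a much stronger signal than raw packet volume.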

Thank you much, I will begin to mess around with the logging abilities. This is of great help!