2010-2Q: CORE: Automatic TCP Dump
A new enhancement has been added to SIMPLer that will attempt to perform a TCP dump on the WIB in the event that the WIB reaches an alert state as set in the WISP setup.
Figure 1: WIB Alert Thresholds
The feature has to be turned on for each WIB individually. When it is on, the TCP dump is automatically e-mailed to the support e-mail address specified (or to the general e-mail address if no support address is entered). These TCP dumps can be crucial in tracking down attacks originating from within the radio network, as the traffic has often stopped by the time an investigation can take place. Please note that the TCP dump is limited to a maximum size of 5MB or a maximum duration of 5 minutes, whichever comes first.
To view the contents of this file, network traffic inspection software such as Wireshark is required. Wireshark can be downloaded for free from http://www.wireshark.org/. If you are unfamiliar with Wireshark, there are some brief introductory videos on its web site.
If trying to find the traffic behind a large number of SYNCs or Connection IDs, look for the same IP address showing up many times (>100) within a single second. Once the IP address has been identified, the user can search SIMPLer for the infected customer.
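The "same IP more than 100 times in one second" check above can also be run outside Wireshark. The following is an added example, not Azotel's or SIMPLer's own code: it assumes the e-mailed dump is a classic libpcap file with an Ethernet link type (the page does not state the format), parses each record, and reports every source IP that exceeds the threshold in any single second. The capture data it runs on by default is constructed inline purely for illustration; the IP addresses in it are documentation ranges, not real hosts.

```python
import socket
import struct
import sys
from collections import Counter

# libpcap constants (assumed capture format; the page itself does not state it)
PCAP_MAGIC_LE = 0xA1B2C3D4
PCAP_MAGIC_BE = 0xD4C3B2A1
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800


def ethernet_ipv4_frame(src, dst):
    """Build a minimal Ethernet/IPv4/TCP SYN frame (constructed test data, checksums left zero)."""
    eth = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 0x50, 0x02, 65535, 0, 0)
    return eth + ip + tcp


def build_pcap(packets):
    """Serialise (ts_sec, ts_usec, src_ip, dst_ip) tuples into a libpcap byte string."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts_sec, ts_usec, src, dst in packets:
        frame = ethernet_ipv4_frame(src, dst)
        out.append(struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def iter_packets(data):
    """Yield (ts_sec, frame_bytes) for each record in a libpcap capture."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a libpcap capture (pcapng is not handled here)")
    linktype = struct.unpack_from(endian + "I", data, 20)[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only the Ethernet link type is handled")
    off = 24  # global header is 24 bytes
    while off + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield ts_sec, data[off:off + incl_len]
        off += incl_len


def source_ipv4(frame):
    """Return the IPv4 source address of an untagged Ethernet frame, or None."""
    if len(frame) < 34:  # 14-byte Ethernet header + 20-byte minimum IPv4 header
        return None
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None  # ARP, IPv6 and 802.1Q-tagged frames are skipped by this simple parser
    return socket.inet_ntoa(frame[26:30])


def packets_per_second(data):
    """Count packets per (source IP, whole second) across the capture."""
    counts = Counter()
    for ts_sec, frame in iter_packets(data):
        src = source_ipv4(frame)
        if src is not None:
            counts[(src, ts_sec)] += 1
    return counts


def flag_sources(data, threshold=100):
    """Map each source IP that exceeds `threshold` packets in any one second to its peak rate."""
    peaks = {}
    for (src, _sec), n in packets_per_second(data).items():
        if n > threshold:
            peaks[src] = max(peaks.get(src, 0), n)
    return peaks


def sample_capture():
    """Constructed capture: one host at 250 pkt/s, one quiet host, then a smaller burst."""
    pkts = [(1000, i * 1000, "10.0.5.23", "198.51.100.7") for i in range(250)]
    pkts += [(1000, i * 100000, "10.0.5.24", "203.0.113.9") for i in range(8)]
    pkts += [(1001, i * 10000, "10.0.5.23", "198.51.100.8") for i in range(60)]
    return build_pcap(pkts)


if __name__ == "__main__":
    # Pass the path of a real .pcap to analyse it; with no argument the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_capture()
    for src, peak in sorted(flag_sources(data).items(), key=lambda kv: -kv[1]):
        print(f"{src}: {peak} packets in one second")
```

Run with no arguments to see the constructed sample flag 10.0.5.23 at 250 packets in one second, or pass the path of an e-mailed dump to apply the same threshold to real traffic. Counting is keyed on whole-second timestamps, which matches the "within a single second" rule in the text; the peak rate reported per IP is what you would then take into SIMPLer to look up the customer.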
Azotel | River House | Blackpool Park | Cork | Ireland
US +1-312-239-0680 | IE +353-21-234-8100 | UK +44-207-193-4170 | SA +27-11-083-6900