免费注册 查看新帖 |

Chinaunix

  平台 论坛 博客 文库
论坛 IT运维 网络技术 说说即将过去的05年里发先的一个问题
最近访问板块 发新帖
查看: 1826 | 回复: 6
打印 上一主题 下一主题

说说即将过去的05年里发先的一个问题 [复制链接]

ycflash

论坛徽章:
0
跳转到指定楼层
1 [收藏(0)] [报告]
发表于 2005-12-31 23:54 |只看该作者 |倒序浏览
环境:某高校校园网
主角:S6503
发现时间:2005年的早些时候
暴露时间:2005年10月28日
网络拓扑简述:汇聚层采用S6503交换机、分布层采用E050交换机。一台6503下接3、4或8台E050;每个分布层交换机端口下面有不多余8台PC。在E050一个端口下可以嗅探到大量嗅探主机不应该得到数据流量,多数是连续的TCP流量,目的MAC统计总数远远大于分布层交换机端口下PC数量。进一步分析嗅探发现:6503的一个端口上同样可以嗅探到这些流量,问题自然集中在6503身上。我想交换机工作的原理大家都有深刻的理解。我很想知道大家对这个嗅探结果怎么看。
下面是简单的嗅探统计结果:(该网络主机IP段为:59.64.192.0/22)

  2. Address A,Address B,Packets,Bytes,Packets A->B,Bytes A->B,Packets A<-B,Bytes A<-B,
  3. 59.64.193.105,219.133.38.20,1,98,0,0,1,98,
  4. 59.64.193.253,218.62.54.14,1,1514,0,0,1,1514,
  5. 59.64.193.74,202.193.15.108,1,60,0,0,1,60,
  6. 59.64.195.184,221.8.32.218,1,60,0,0,1,60,
  7. 59.64.195.41,61.49.238.217,1,70,0,0,1,70,
  8. 59.64.194.3,219.133.60.28,1,98,0,0,1,98,
  9. 59.64.195.184,222.89.94.236,1,62,0,0,1,62,
  10. 59.64.193.218,211.83.147.158,1,104,0,0,1,104,
  11. 59.36.37.37,59.64.192.220,1,119,1,119,0,0,
  12. 59.64.195.184,61.175.198.148,1,60,0,0,1,60,
  13. 59.64.193.80,219.224.61.105,1,104,0,0,1,104,
  14. 59.64.193.235,211.68.71.4,1,135,0,0,1,135,
  15. 59.64.193.73,218.19.214.109,1,104,0,0,1,104,
  16. 59.64.194.3,219.140.21.254,1,66,0,0,1,66,
  17. 59.64.193.73,211.158.44.31,1,590,0,0,1,590,
  18. 59.64.195.184,220.184.255.226,1,60,0,0,1,60,
  19. 59.64.195.102,202.205.213.37,1,191,0,0,1,191,
  20. 59.64.195.76,218.64.44.20,1,63,0,0,1,63,
  21. 59.64.194.207,202.205.5.3,1,446,0,0,1,446,
  22. 59.64.193.253,222.47.140.216,1,66,0,0,1,66,
  23. 59.64.195.168,61.172.132.217,1,104,0,0,1,104,
  24. 59.64.195.41,219.157.230.3,1,70,0,0,1,70,
  25. 59.64.193.253,221.137.86.122,1,66,0,0,1,66,
  26. 59.64.195.41,211.154.203.167,1,95,0,0,1,95,
  27. 58.212.84.246,59.64.195.76,1,66,1,66,0,0,
  28. 59.36.14.60,59.64.193.253,1,60,1,60,0,0,
  29. 59.64.195.133,218.244.95.72,1,78,0,0,1,78,
  30. 59.64.193.253,60.26.131.206,1,70,0,0,1,70,
  31. 59.64.194.87,59.64.195.255,1,223,1,223,0,0,
  32. 59.64.192.220,219.230.92.87,1,70,0,0,1,70,
  33. 59.64.193.218,162.105.146.88,1,60,0,0,1,60,
  34. 59.64.194.36,219.133.49.173,1,98,0,0,1,98,
  35. 59.64.195.76,61.180.87.132,1,66,0,0,1,66,
  36. 59.64.194.204,210.45.124.203,1,104,0,0,1,104,
  37. 59.64.195.168,222.63.18.107,1,60,0,0,1,60,
  38. 59.64.195.183,222.17.221.145,1,62,0,0,1,62,
  39. 59.64.195.213,211.68.71.4,1,202,0,0,1,202,
  40. 59.64.193.237,219.229.140.136,1,91,0,0,1,91,
  41. 59.64.195.41,222.212.7.183,1,132,0,0,1,132,
  42. 59.64.194.201,211.66.19.228,1,91,0,0,1,91,
  43. 58.24.20.29,59.64.193.73,1,60,1,60,0,0,
  44. 59.64.194.131,219.133.38.229,1,66,0,0,1,66,
  45. 59.64.194.69,59.64.195.255,1,62,1,62,0,0,
  46. 59.64.195.41,218.11.74.59,1,95,0,0,1,95,
  47. 59.64.194.228,211.91.150.51,1,1183,0,0,1,1183,
  48. 59.64.192.220,211.71.195.117,1,63,0,0,1,63,
  49. 59.64.195.76,222.92.208.82,1,60,0,0,1,60,
  50. 59.64.193.253,219.95.188.70,1,62,0,0,1,62,
  51. 35.11.210.250,59.64.195.76,1,62,1,62,0,0,
  52. 59.64.195.124,211.100.26.166,1,60,0,0,1,60,
  53. 24.83.203.186,59.64.195.76,1,62,1,62,0,0,
  54. 59.64.195.219,218.197.218.87,1,60,0,0,1,60,
  55. 59.64.195.155,222.18.62.254,1,66,0,0,1,66,
  56. 59.64.195.168,83.248.4.9,1,140,0,0,1,140,
  57. 59.64.194.32,211.68.71.4,1,314,0,0,1,314,
  58. 59.64.194.201,219.137.188.140,1,140,0,0,1,140,
  59. 59.64.193.73,221.221.168.69,1,70,0,0,1,70,
  60. 59.64.194.180,219.133.40.179,1,106,0,0,1,106,
  61. 59.64.193.132,218.172.249.43,1,140,0,0,1,140,
  62. 59.64.195.41,221.210.38.35,1,70,0,0,1,70,
  63. 59.64.194.40,219.133.60.37,1,106,0,0,1,106,
  64. 59.64.193.73,202.117.18.53,1,104,0,0,1,104,
  65. 59.64.194.201,202.202.67.212,1,91,0,0,1,91,
  66. 59.64.193.73,221.7.156.125,1,314,0,0,1,314,
  67. 59.64.194.117,219.133.48.94,1,98,0,0,1,98,
  68. 59.64.195.158,139.18.180.81,1,62,0,0,1,62,
  69. 59.64.195.252,222.18.32.192,1,60,0,0,1,60,
  70. 59.64.195.168,202.198.30.49,1,143,0,0,1,143,
  71. 59.64.195.76,221.234.222.2,1,60,0,0,1,60,
  72. 59.64.193.132,62.237.210.91,1,104,0,0,1,104,
  73. 59.64.195.252,210.26.60.30,1,145,0,0,1,145,
  74. 59.64.194.206,219.133.38.252,1,126,0,0,1,126,
  75. 59.64.193.79,219.133.38.253,1,126,0,0,1,126,
  76. 59.64.195.168,218.170.219.45,1,62,0,0,1,62,
  77. 59.64.192.129,219.134.112.5,1,62,0,0,1,62,
  78. 59.64.194.181,219.133.60.21,1,98,0,0,1,98,
  79. 59.64.195.41,222.82.40.85,1,95,0,0,1,95,
  80. 59.64.192.207,210.87.139.2,1,60,0,0,1,60,
  81. 59.64.195.151,211.68.71.4,1,315,0,0,1,315,
  82. 59.64.192.129,220.160.56.71,1,78,0,0,1,78,
  83. 59.64.192.50,255.255.255.255,1,342,1,342,0,0,
  84. 59.64.195.41,221.210.154.137,1,70,0,0,1,70,
  85. 59.64.193.73,222.240.85.97,1,134,0,0,1,134,
  86. 59.64.195.41,219.159.62.235,1,70,0,0,1,70,
  87. 59.64.195.76,219.144.246.130,1,63,0,0,1,63,
  88. 59.64.195.19,211.67.62.133,1,91,0,0,1,91,
  89. 59.64.195.168,81.56.14.67,1,140,0,0,1,140,
  90. 59.64.193.73,61.178.41.21,1,104,0,0,1,104,
  91. 59.64.195.219,202.192.167.231,1,60,0,0,1,60,
  92. 59.64.195.38,218.108.246.81,1,60,0,0,1,60,
  93. 59.44.215.128,59.64.193.253,1,62,1,62,0,0,
  94. 59.64.192.207,221.137.205.150,1,130,0,0,1,130,
  95. 59.64.193.253,61.146.163.242,1,66,0,0,1,66,
  96. 59.64.193.132,202.113.57.117,1,140,0,0,1,140,
  97. 59.50.67.242,59.64.194.3,1,66,1,66,0,0,
  98. 59.64.192.220,221.238.128.109,1,78,0,0,1,78,
  99. 59.64.192.207,222.16.59.70,1,60,0,0,1,60,
  100. 59.64.195.162,221.221.22.216,1,60,0,0,1,60,
  101. 59.64.195.41,211.83.253.87,1,95,0,0,1,95,
  102. 59.64.195.219,222.222.158.37,1,177,0,0,1,177,
  103. 59.64.194.122,59.64.203.177,1,140,0,0,1,140,
  104. 59.64.192.129,202.117.46.195,1,104,0,0,1,104,
  105. 59.64.194.228,222.16.57.249,1,62,0,0,1,62,
  106. 59.64.195.41,221.197.230.27,1,314,0,0,1,314,
  107. 59.64.195.184,222.89.92.52,1,60,0,0,1,60,
  108. 59.64.194.228,202.120.127.137,1,60,0,0,1,60,
  109. 59.64.195.41,219.149.12.137,1,95,0,0,1,95,
  110. 59.64.195.41,202.193.63.181,1,95,0,0,1,95,
  111. 59.64.193.253,209.29.202.66,1,62,0,0,1,62,
  112. 59.64.194.154,202.38.243.153,1,69,0,0,1,69,
  113. 59.64.193.73,219.79.66.121,1,62,0,0,1,62,
  114. 59.64.195.53,219.133.62.4,1,106,0,0,1,106,
  115. 59.64.194.228,61.51.40.209,1,84,0,0,1,84,
  116. 59.64.195.41,60.25.132.193,1,314,0,0,1,314,
  117. 59.64.192.220,61.149.64.141,1,1494,0,0,1,1494,
  118. 59.64.195.41,221.7.74.51,1,70,0,0,1,70,
  119. 59.64.193.253,221.192.208.62,1,66,0,0,1,66,
  120. 59.64.195.168,203.80.81.107,1,62,0,0,1,62,
  121. 59.64.194.3,222.76.192.138,1,1494,0,0,1,1494,
  122. 59.64.193.207,220.181.28.219,1,60,0,0,1,60,
  123. 59.64.193.79,202.205.5.3,1,270,0,0,1,270,
  124. 59.64.193.107,219.133.60.37,1,98,0,0,1,98,
  125. 59.64.194.122,221.235.209.58,1,104,0,0,1,104,
  126. 59.64.194.228,221.221.152.155,1,62,0,0,1,62,
  127. 59.64.193.73,218.98.116.155,1,104,0,0,1,104,
  128. 59.64.194.204,218.83.153.231,1,66,0,0,1,66,
  129. 59.64.192.147,219.77.158.215,1,62,0,0,1,62,
  130. 59.64.193.253,219.128.196.18,1,94,0,0,1,94,
  131. 59.64.194.201,202.192.158.10,1,91,0,0,1,91,
  132. 59.64.195.102,218.79.217.73,1,66,0,0,1,66,
  133. 59.64.194.228,211.68.2.33,1,177,0,0,1,177,
  134. 59.64.193.132,82.126.14.149,1,140,0,0,1,140,
  135. 59.64.195.41,222.138.79.239,1,314,0,0,1,314,
  136. 59.64.193.123,202.115.125.9,1,62,0,0,1,62,
  137. 59.64.195.184,218.57.243.52,1,60,0,0,1,60,
  138. 59.64.193.227,219.133.49.172,1,98,0,0,1,98,
  139. 59.64.194.228,219.229.2.17,1,66,0,0,1,66,
  140. 59.64.194.228,202.117.19.137,1,66,0,0,1,66,
  141. 59.64.192.220,218.25.73.133,1,179,0,0,1,179,
  142. 59.64.194.228,211.65.85.149,1,66,0,0,1,66,
  143. 59.64.195.184,61.144.186.24,1,72,0,0,1,72,
  144. 59.64.194.228,219.222.22.23,1,230,0,0,1,230,
  145. 59.64.192.187,210.36.159.26,1,91,0,0,1,91,
  146. 59.64.194.228,221.208.13.143,1,66,0,0,1,66,
  147. 59.64.194.228,210.38.202.139,1,60,0,0,1,60,
  148. 59.64.193.253,219.133.49.164,1,106,0,0,1,106,
  149. 59.64.194.228,222.16.63.67,1,66,0,0,1,66,
  150. 59.64.193.253,219.131.190.200,1,95,0,0,1,95,
  151. 59.64.195.241,219.133.49.172,1,66,0,0,1,66,
  152. 59.64.193.207,219.133.38.135,1,106,0,0,1,106,
  153. 59.64.195.41,221.3.141.47,1,314,0,0,1,314,
  154. 59.64.192.183,255.255.255.255,1,77,1,77,0,0,
  155. 59.64.193.79,219.245.127.83,1,68,0,0,1,68,
  156. 59.64.195.162,222.200.116.236,1,104,0,0,1,104,
  157. 59.64.194.228,222.69.176.195,1,78,0,0,1,78,
  158. 59.64.194.201,222.16.66.76,1,62,0,0,1,62,
  159. 59.64.194.139,211.148.127.222,1,60,0,0,1,60,
  160. 59.64.195.168,220.175.79.107,1,590,0,0,1,590,
  161. 59.64.192.220,219.238.148.187,1,63,0,0,1,63,
  162. 59.64.195.41,222.183.85.51,1,344,0,0,1,344,
  163. 59.64.194.122,222.200.43.146,1,104,0,0,1,104,
  164. 59.64.194.3,162.105.146.88,1,60,0,0,1,60,
  165. 59.64.193.79,202.115.30.71,1,104,0,0,1,104,
  166. 59.64.195.102,61.149.60.55,1,143,0,0,1,143,
  167. 59.64.195.76,222.33.68.216,2,120,0,0,2,120,
  168. 59.64.192.12,222.83.177.23,2,1180,0,0,2,1180,
  169. 59.64.195.238,203.195.70.222,2,124,0,0,2,124,
  170. 59.64.192.57,218.57.243.53,2,120,0,0,2,120,
  171. 59.64.195.183,202.198.27.193,2,388,0,0,2,388,
  172. 59.64.192.220,222.76.171.177,2,191,0,0,2,191,
  173. 59.64.192.104,200.234.128.98,2,124,0,0,2,124,
  174. 24.57.175.12,59.64.194.3,2,124,2,124,0,0,
  175. 59.64.195.76,218.72.157.34,2,3012,0,0,2,3012,
  176. 59.64.193.73,61.62.188.111,2,132,0,0,2,132,
  177. 59.64.195.76,222.79.141.64,2,199,0,0,2,199,
  178. 59.64.193.253,60.0.129.152,2,120,0,0,2,120,
  179. 59.64.194.228,222.21.192.67,2,120,0,0,2,120,
  180. 59.64.195.213,61.141.168.74,2,120,0,0,2,120,
  181. 59.64.193.253,211.160.122.160,2,126,0,0,2,126,
  182. 12.22.220.199,59.64.192.220,2,124,2,124,0,0,
  183. 59.64.193.73,60.55.122.113,2,124,0,0,2,124,
  184. 59.64.195.76,61.183.238.48,2,124,0,0,2,124,
  185. 59.64.195.252,221.7.129.246,2,140,0,0,2,140,
  186. 59.64.194.79,219.133.60.29,2,164,0,0,2,164,
  187. 59.64.195.133,218.2.197.178,2,144,0,0,2,144,
  188. 59.64.194.154,69.159.136.107,2,124,0,0,2,124,
  189. 59.64.194.3,221.196.239.48,2,165,0,0,2,165,
  190. 59.64.192.12,222.18.61.243,2,131,0,0,2,131,
  191. 59.64.194.180,222.77.177.115,2,382,0,0,2,382,
  192. 59.64.193.74,210.38.202.136,2,120,0,0,2,120,


复制代码


请大家帮忙分析一下上面结果,有兴趣的可以联系我所要嗅探文件。如果有使用以上设备的朋友,希望您能够嗅探分析一下,是否也存在这个问题。一些细节我处于某些原因已隐去。

summary.GIF (96.43 KB, 下载次数: 23)

summary.GIF
ycflash

论坛徽章:
0
2 [报告]
发表于 2005-12-31 23:57 |只看该作者
补帖摘要信息入图

sum.GIF (24.88 KB, 下载次数: 23)

sum.GIF
实战分享:从技术角度谈机器学习入门| 【大话IT】RadonDB低门槛向MySQL集群下战书 | ChinaUnix打赏功能已上线! | 新一代分布式关系型数据库RadonDB知多少?
ycflash

论坛徽章:
0
3 [报告]
发表于 2006-01-01 00:05 |只看该作者
拓扑简图

Drawing1.gif (25.82 KB, 下载次数: 24)

Drawing1.gif
实战分享:从技术角度谈机器学习入门| 【大话IT】RadonDB低门槛向MySQL集群下战书 | ChinaUnix打赏功能已上线! | 新一代分布式关系型数据库RadonDB知多少?
cnadl

论坛徽章:
0
4 [报告]
发表于 2006-01-01 08:11 |只看该作者
进一步分析嗅探发现:6503的一个端口上同样可以嗅探到这些流量,问题自然集中在6503身上。


交换机不会产生流量,问题自然不会在交换机上。

BTW,结果汇总下贴出来比较好,看惯了sniffer,看这个还真不大适应。

另外最好把数据集中在异常流量上,这么多信息,可是就是无助于归纳出异常流量的特征来。
实战分享:从技术角度谈机器学习入门| 【大话IT】RadonDB低门槛向MySQL集群下战书 | ChinaUnix打赏功能已上线! | 新一代分布式关系型数据库RadonDB知多少?
charlesc

论坛徽章:
0
5 [报告]
发表于 2006-01-01 11:15 |只看该作者
这些地址是你们内部还是外部使用。
实战分享:从技术角度谈机器学习入门| 【大话IT】RadonDB低门槛向MySQL集群下战书 | ChinaUnix打赏功能已上线! | 新一代分布式关系型数据库RadonDB知多少?
ycflash

论坛徽章:
0
6 [报告]
发表于 2006-01-01 16:37 |只看该作者
原帖由 cnadl 于 2006-1-1 08:11 发表


交换机不会产生流量,问题自然不会在交换机上。

BTW,结果汇总下贴出来比较好,看惯了sniffer,看这个还真不大适应。

另外最好把数据集中在异常流量上,这么多信息,可是就是无助于归纳出异常流量的特征 ...


交换机产生的流量我们可以不看。这是分布层一个端口下嗅探的结果。下面的PC(包括嗅探PC)共6台。
在65 IOS版本为VRP(R) software, Version 3.10, Release 2021之前的,均存在这个问题。

tcp_conversations.GIF (63.82 KB, 下载次数: 25)

tcp_conversations.GIF
实战分享:从技术角度谈机器学习入门| 【大话IT】RadonDB低门槛向MySQL集群下战书 | ChinaUnix打赏功能已上线! | 新一代分布式关系型数据库RadonDB知多少?
ycflash

论坛徽章:
0
7 [报告]
发表于 2006-01-01 16:48 |只看该作者
再来两张图片

io.GIF (25.33 KB, 下载次数: 24)

io.GIF

hierarchy.GIF (30.42 KB, 下载次数: 23)

hierarchy.GIF
实战分享:从技术角度谈机器学习入门| 【大话IT】RadonDB低门槛向MySQL集群下战书 | ChinaUnix打赏功能已上线! | 新一代分布式关系型数据库RadonDB知多少?
返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 注册

本版积分规则 发表回复

  

北京盛拓优讯信息技术有限公司. 版权所有 京ICP备16024965号-6 北京市公安局海淀分局网监中心备案编号:11010802020122 niuxiaotong@pcpop.com 17352615567
未成年举报专区
中国互联网协会会员  联系我们:huangweiwei@itpub.net
感谢所有关心和支持过ChinaUnix的朋友们 转载本站内容请注明原作者名及出处

清除 Cookies - ChinaUnix - Archiver - WAP - TOP