On Mon, 16 Sep 1996, Craig A. Huegen wrote:

|} Paul is correct; I left out the caveat that you have to go "hunting"
|} once you get to a multi-access media network.

I've already tossed most of the messages from this thread, but someone mentioned using Cisco's flow statistics to track the attacker. Mark even offered the URL to an analysis toolkit he's been working on.

After using either flow or accounting data to track down the attacker, further flow data can be extracted to provide next hop and/or AS_path information. AS_path could direct you to the final ISP or organization in the path of the network address. (This doesn't take into account if the attacker has hacked an account, etc. :)

This should severely limit the ammunition required to go hunting, but it does have the requirement of using Cisco's NetFlow feature(s).

|} However, a good tool at this point becomes the monitor option/port
|} found on certain switches which will redirect traffic bound for a
|} certain port to also appear on the monitor port for sniffing. I don't
|} know if the GIGAswitches have such a monitoring option or port; if so,
|} cooperation from the various IXP operators would be a great help in
|} determining the hop.

I don't recall if the Gigaswitch supports this or not (a scan of the "Manager's Guide" doesn't mention anything), but even if it did, each port would have to be replicated independently, eating a lot of the IXP operators' time.

Jonathan Heiliger
VP, Research & Development
Internet Systems, Inc.
E-Mail: loco@isi.net   Phone: 415.943.2915
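
An added example, not part of the original message or of any toolkit mentioned in the thread: a sketch of pulling next-hop and AS information for traffic toward one victim address out of flow export data. It assumes the NetFlow version 5 export layout, which carries a next hop and source/destination AS numbers per flow rather than a full AS_path; the addresses, AS numbers and function names are constructed for illustration.

```python
import socket
import struct
from collections import Counter

HDR = struct.Struct("!HHIIIIBBH")                 # NetFlow v5 header, 24 bytes
REC = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # NetFlow v5 flow record, 48 bytes

def parse_v5(datagram):
    """Yield one dict per flow record in a NetFlow v5 export datagram."""
    if len(datagram) < HDR.size:
        raise ValueError("truncated header")
    version, count = HDR.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError("not a NetFlow v5 datagram")
    if len(datagram) < HDR.size + count * REC.size:
        raise ValueError("truncated datagram")
    for i in range(count):
        f = REC.unpack_from(datagram, HDR.size + i * REC.size)
        yield {"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
               "nexthop": socket.inet_ntoa(f[2]), "in_if": f[3],
               "pkts": f[5], "src_as": f[15], "dst_as": f[16]}

def summarize(datagrams, victim):
    """Packets toward victim, grouped by (input ifIndex, source AS, next hop)."""
    totals = Counter()
    for datagram in datagrams:
        for flow in parse_v5(datagram):
            if flow["dst"] == victim:
                key = (flow["in_if"], flow["src_as"], flow["nexthop"])
                totals[key] += flow["pkts"]
    return totals.most_common()   # heaviest entry point first

def sample_datagram():
    """Constructed sample: three flows, documentation addresses, private ASNs."""
    flows = [("198.51.100.7", "192.0.2.10", "203.0.113.1", 3, 900, 64512),
             ("198.51.100.9", "192.0.2.10", "203.0.113.1", 3, 700, 64512),
             ("198.51.100.20", "192.0.2.99", "203.0.113.2", 4, 50, 64513)]
    body = b"".join(
        REC.pack(socket.inet_aton(s), socket.inet_aton(d), socket.inet_aton(nh),
                 in_if, 1, pkts, pkts * 40, 0, 0, 1024, 80, 0, 2, 6, 0,
                 src_as, 64500, 24, 24, 0)
        for s, d, nh, in_if, pkts, src_as in flows)
    return HDR.pack(5, len(flows), 0, 0, 0, 0, 0, 0, 0) + body

if __name__ == "__main__":
    for key, pkts in summarize([sample_datagram()], "192.0.2.10"):
        print(key, pkts)
```

The source AS in a flow record is looked up from the packet's source address, so it inherits the caveat in the message above about the address not pointing at the real attacker; the input interface is what the exporting router itself observed.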