On Mon, 16 Sep 1996, Paul A Vixie wrote:

==>If Cisco routers had TCPDUMP capability this would be a lot simpler. If
==>all the routers in the universe had TCPDUMP, and all the router operators
==>had each other's phone numbers, we could track this to the source in less
==>than five minutes. Alas, the misfit teenagers of the underworld have
==>caught us without any of the tools we need to be able to track this down.

cisco routers do have tcpdump capability.

lab-2503#debug ip packet detail ?
  <1-199>  Access list
  <cr>

You can show all IP packets flowing through the router (with source
address/port/interface, dest address/port/interface, flags, sequence number,
and window size), or limit it based on an access-list (which you'd want to do
in case of a very busy router). Based on the source interface, you'd trace it
to the next link, and go back from there.

The debug output looks like this:

IP: s=172.30.119.242 (Ethernet0), d=204.245.15.11 (BRI0), g=172.30.112.129, len 60, forward
    TCP src=1059, dst=80, seq=74416335, ack=0, win=8192 SYN

Translation: A packet sourced from 172.30.119.242 which came in on ethernet0
had a destination of 204.245.15.11. The route-table lookup says our next hop
is not directly connected (hence the g=172.30.112.129), and sent it out to
172.30.112.129 via interface BRI0. It was a TCP packet with source port of
1059, destination port of 80, sequence number of 74416335, wasn't ACKing any
packet, had a window size of 8192 bytes, and had the SYN flag on.

This helps tremendously in tracking down bogus packets (as long as the hacker
keeps the attack up long enough for you to determine the edge of the
network/the next provider in the attack).

/cah

----
Craig A. Huegen  CCIE #2100
Network Analyst, IS-Network/Telecom
cisco Systems, Inc., 250 West Tasman Drive
San Jose, CA 95134, (408) 526-8104
email: chuegen@cisco.com
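The hop-by-hop trace Craig describes, as an added worked example that is not part of the original post or of any cisco tooling: it parses the two-line `debug ip packet detail` record format shown above, picks out the SYN-without-ACK packets aimed at the victim, and walks upstream by ingress interface rather than by (spoofed) source address. The router names (`r1`..`r3`), the interface adjacency map and the debug captures are constructed for the example; the only assumption about the format itself is that the `g=` next-hop field may be absent when the destination is directly connected, as the post's explanation of `g=` implies.

```python
import re
from collections import Counter

# First line of a "debug ip packet detail" record, as shown in the post.
# The g= field is optional (assumption: omitted when the next hop is directly connected).
IP_LINE = re.compile(
    r"IP:\s+s=(?P<src>[\d.]+)\s+\((?P<in_if>[^)]+)\),\s+"
    r"d=(?P<dst>[\d.]+)\s+\((?P<out_if>[^)]+)\),\s+"
    r"(?:g=(?P<gw>[\d.]+),\s+)?len\s+(?P<len>\d+),\s+(?P<action>\w+)"
)
# Second line: TCP ports, seq/ack, window, then zero or more flag words (SYN, ACK, ...).
TCP_LINE = re.compile(
    r"TCP\s+src=(?P<sport>\d+),\s+dst=(?P<dport>\d+),\s+seq=(?P<seq>\d+),\s+"
    r"ack=(?P<ack>\d+),\s+win=(?P<win>\d+)(?P<flags>(?:\s+[A-Z]+)*)"
)


def parse_debug(text):
    """Turn raw debug output into a list of dicts, pairing each IP: line with its TCP line."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    records, i = [], 0
    while i < len(lines):
        m = IP_LINE.match(lines[i])
        if not m:
            i += 1                      # skip anything that is not an IP: record
            continue
        rec = m.groupdict()
        rec["len"] = int(rec["len"])
        rec["flags"] = []
        if i + 1 < len(lines):
            t = TCP_LINE.match(lines[i + 1])
            if t:
                d = t.groupdict()
                rec.update(sport=int(d["sport"]), dport=int(d["dport"]),
                           seq=int(d["seq"]), ack=int(d["ack"]), win=int(d["win"]),
                           flags=d["flags"].split())
                i += 1
        records.append(rec)
        i += 1
    return records


def attack_ingress(records, victim):
    """Count the ingress interface of SYN-only packets towards `victim` (a SYN flood signature).
    The source address is ignored on purpose: it is whatever the attacker put there."""
    return Counter(r["in_if"] for r in records
                   if r["dst"] == victim and "SYN" in r["flags"] and "ACK" not in r["flags"])


def trace_back(captures, adjacency, start, victim, max_hops=16):
    """Walk upstream one router at a time. At each router, find the interface the attack
    arrives on, then move to the neighbour on that link. Stops at a router whose ingress
    interface has no known upstream neighbour: that is the edge / next provider."""
    path, router = [], start
    for _ in range(max_hops):
        counts = attack_ingress(parse_debug(captures[router]), victim)
        if not counts:
            break
        iface, _ = counts.most_common(1)[0]
        path.append((router, iface))
        router = adjacency.get((router, iface))
        if router is None or router not in captures:
            break
    return path


# Constructed debug captures from three routers; r3 is closest to the victim 204.245.15.11.
# r3 also carries unrelated traffic and a legitimate ACK to the victim that must not count.
CAPTURES = {
    "r3": """
IP: s=10.9.8.7 (Serial0), d=204.245.15.11 (Ethernet1), g=204.245.15.1, len 40, forward
    TCP src=3321, dst=80, seq=9001, ack=0, win=512 SYN
IP: s=198.51.100.20 (Ethernet1), d=203.0.113.9 (Serial1), g=203.0.113.1, len 40, forward
    TCP src=1059, dst=80, seq=74416335, ack=0, win=8192 SYN
IP: s=10.200.3.3 (Serial0), d=204.245.15.11 (Ethernet1), g=204.245.15.1, len 40, forward
    TCP src=3322, dst=80, seq=9002, ack=0, win=512 SYN
IP: s=198.51.100.44 (Ethernet2), d=204.245.15.11 (Ethernet1), g=204.245.15.1, len 40, forward
    TCP src=40001, dst=80, seq=55, ack=9100, win=8192 ACK
""",
    "r2": """
IP: s=172.16.44.2 (Serial0), d=204.245.15.11 (Serial1), g=10.0.23.2, len 40, forward
    TCP src=3323, dst=80, seq=9003, ack=0, win=512 SYN
IP: s=10.9.8.9 (Serial0), d=204.245.15.11 (Serial1), g=10.0.23.2, len 40, forward
    TCP src=3324, dst=80, seq=9004, ack=0, win=512 SYN
""",
    "r1": """
IP: s=192.168.77.5 (Ethernet0), d=204.245.15.11 (Serial0), g=10.0.12.2, len 40, forward
    TCP src=3325, dst=80, seq=9005, ack=0, win=512 SYN
""",
}
# Constructed link map: (router, ingress interface) -> upstream router. r1's Ethernet0 has
# no entry, so the trace stops there and that is where the phone call to the next provider goes.
ADJACENCY = {("r3", "Serial0"): "r2", ("r2", "Serial0"): "r1"}

if __name__ == "__main__":
    for router, iface in trace_back(CAPTURES, ADJACENCY, "r3", "204.245.15.11"):
        print(f"{router}: attack enters on {iface}")
```

The spoofed sources differ on every packet and on every router, which is exactly why the walk keys on the ingress interface; the `max_hops` bound and the `router not in captures` check are there so a routing loop or a neighbour you have no capture from ends the trace instead of hanging it.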