On 5 January 2011 13:25, David Brodbeck <g...@gull.us> wrote:
> On Wed, Jan 5, 2011 at 8:15 AM, Kevin Wilcox <kevin.wil...@gmail.com> wrote:
>> To really see what your machine is doing, consider taking a look at
>> the network flows. pfflowd, netflowd, ipaudit and a host of others can
>> get you flow data with mostly minimal overhead.
>
> Also, keep in mind that depending on how badly the machine has been
> compromised, you may not be able to trust the output of utilities
> running on the machine itself. You may have to resort to capturing
> its network traffic on another machine for analysis.

That's an excellent point. A SPAN port from the upstream switch/router would be ideal unless you've verified, through mechanisms external to the machine (known-good test media), that the tools on that machine are trustworthy.

kmw
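As an added example (not code from anyone in this thread), here is a small Python parser for the NetFlow v5 datagrams that exporters such as pfflowd emit, followed by a per-peer byte summary for a suspect host, which is the kind of off-box view the replies above recommend. The datagram, addresses and byte counts are constructed sample data, not captured traffic.

```python
import struct
import socket
from collections import defaultdict

HEADER_FMT = "!HHIIIIBBH"                 # NetFlow v5 header, 24 bytes
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"   # NetFlow v5 flow record, 48 bytes
HEADER_LEN = struct.calcsize(HEADER_FMT)
RECORD_LEN = struct.calcsize(RECORD_FMT)

def parse_netflow_v5(datagram):
    """Return a list of flow dicts from one NetFlow v5 UDP payload."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count, *_ = struct.unpack(HEADER_FMT, datagram[:HEADER_LEN])
    if version != 5:
        raise ValueError("not NetFlow v5 (version %d)" % version)
    # v5 exporters send at most 30 records; the length must match exactly
    if count > 30 or len(datagram) != HEADER_LEN + count * RECORD_LEN:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        f = struct.unpack(RECORD_FMT, datagram[off:off + RECORD_LEN])
        flows.append({"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
                      "packets": f[5], "bytes": f[6],
                      "sport": f[9], "dport": f[10], "proto": f[13]})
    return flows

def bytes_by_peer(flows, host):
    """Total bytes sent from `host`, keyed by (peer, dest port, protocol)."""
    totals = defaultdict(int)
    for f in flows:
        if f["src"] == host:
            totals[(f["dst"], f["dport"], f["proto"])] += f["bytes"]
    return dict(totals)

def make_record(src, dst, sport, dport, proto, pkts, octets):
    """Build one 48-byte v5 record (constructed sample data)."""
    return struct.pack(RECORD_FMT, socket.inet_aton(src), socket.inet_aton(dst),
                       b"\0\0\0\0", 1, 2, pkts, octets, 1000, 2000,
                       sport, dport, 0, 0x18, proto, 0, 0, 0, 24, 24, 0)

# Constructed datagram: the suspect host 192.0.2.10 exchanges a little web
# traffic and then pushes a large volume out to an unfamiliar host.
SAMPLE = struct.pack(HEADER_FMT, 5, 3, 100000, 1294234500, 0, 1, 0, 0, 0) + \
    make_record("192.0.2.10", "198.51.100.5", 44123, 80, 6, 12, 4800) + \
    make_record("198.51.100.5", "192.0.2.10", 80, 44123, 6, 10, 14000) + \
    make_record("192.0.2.10", "203.0.113.77", 52000, 8080, 6, 900, 1200000)

if __name__ == "__main__":
    summary = bytes_by_peer(parse_netflow_v5(SAMPLE), "192.0.2.10")
    for peer, total in sorted(summary.items(), key=lambda kv: -kv[1]):
        print(peer, total)
```

Point the exporter at a collector on a separate, trusted machine; the parser only needs the UDP payload, so feeding it from a socket or from a pcap of the SPAN port works the same way.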