How to address a spike in TCP and UDP flows
I noticed an unusual spike in TCP and UDP flows from a single internal source to multiple destinations. What steps you would take to determine the type of traffic that this represents?

    Requires Free Membership to View

    Login

    SearchSecurity.co.UK members gain immediate and unlimited access to breaking UK industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.co.UK today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.co.uk you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.co.uk is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

To address a spike in TCP and UDP flows, run a packet sniffer such as Wireshark or CommView on a hub connected to the target device. Both these programs give you the opportunity to filter traffic during capture and post-capture to determine what is going on. Filters can be set for individual ports or protocols, as well as source and destination IP addresses. You can also rebuild sessions using either of these tools. If the device is non-critical, you may wish to isolate it first, in case it has been infected with malware.

This was first published in October 2009