I have a friend with a big problem. Something is eating his network alive. Could be a computer, could be the modem, in which case a re-flash of firmware will fix it. All his computers are virus- and badware-free, according to up-to-date installations of antivirus and all kinds of anti-badware software. Meantime, I thought I'd see what Wireshark is like with a screen reader, test it locally, get my friend to install it, Tandem into that machine, run it, and see what's what. FORGETABOUTIT! Using the JAWS cursor doesn't do much, not even with the OCR feature. There are some tabbable dialogs, or screens that act like they're dialogs, but to kick the thing started, I just cannot seem to get it to start listening and collecting packets and doing its thing with them. I remember using this tool way back when it was EtherNim and thought it was pretty accessible. But that was more than a decade-and-a-half ago, and times (and obviously software) have changed. Anyone got any accessibility hacks for Wireshark, or can recommend another tool that runs on anything--Windows, OS X, some Linux--heck, I'd even run it on a Raspberry Pi if it's accessible!!--that will do the same thing? Thanks in advance.
I use ngrep, but that's Linux. I haven't used Windows in many years. There are only like eleventy gazillion network tools for Linux. I use ngrep because it was the first one I found 20 years ago. I learned its command-line syntax and have been using it ever since. I did track down a problem almost exactly like this many years ago with ngrep. I wrote a Perl script that sniffed packets with ngrep for about 30 seconds and then printed a list of the IP addresses and ports that were getting the most traffic. I can share that Perl script, but I suspect that by now there are Linux network utilities that do it better. Maybe it's that when you have a hammer, everything looks like a nail, but if I had a problem like this, I sure would want to use a Linux machine to track it down. On 12/16/2016 10:32 AM, Steve Matzura wrote:
_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org https://lists.hodgsonfamily.org/listinfo/blind-sysadmins
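The "sniff for 30 seconds, then list the busiest IP/port pairs" idea John describes, written here in Python as an added example (this is not John's Perl script and not code from the thread). It assumes the line format of `tcpdump -nn -q -l`, which varies between tcpdump versions; the sample lines are constructed, with 192.168.1.10 standing in for the capturing host.

```python
"""Top-talkers summary from tcpdump text output (hypothetical helper).

Assumes the line format of ``tcpdump -nn -q -l`` as constructed below; that
format differs between tcpdump versions, so adjust LINE_RE if lines don't match.
"""
import re
import subprocess
from collections import defaultdict

# "<ts> IP <src>.<sport> > <dst>.<dport>: tcp <len>"  or  "...: UDP, length <len>"
LINE_RE = re.compile(
    r"^\S+ IP6? (?P<src>[\w.:]+)\.(?P<sport>\d+) > (?P<dst>[\w.:]+)\.(?P<dport>\d+): "
    r"(?:tcp (?P<tcplen>\d+)|UDP, length (?P<udplen>\d+))"
)

# Constructed sample in tcpdump -nn -q style; 192.168.1.10 plays the local host.
SAMPLE_LINES = """\
13:01:02.000100 IP 192.168.1.10.51234 > 203.0.113.5.443: tcp 1448
13:01:02.000200 IP 203.0.113.5.443 > 192.168.1.10.51234: tcp 0
13:01:02.000300 IP 192.168.1.10.41000 > 192.168.1.1.53: UDP, length 40
13:01:02.000400 IP 192.168.1.1.53 > 192.168.1.10.41000: UDP, length 120
13:01:02.000500 IP 192.168.1.10.51234 > 203.0.113.5.443: tcp 1448
13:01:02.000600 IP 192.168.1.10.51300 > 198.51.100.7.8080: tcp 900
13:01:02.000700 ARP, Request who-has 192.168.1.1 tell 192.168.1.10, length 28
""".splitlines()


def parse_line(line):
    """Return (src, sport, dst, dport, proto, length) or None for non-IP lines."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    if m.group("tcplen") is not None:
        proto, length = "tcp", int(m.group("tcplen"))   # TCP payload bytes
    else:
        proto, length = "udp", int(m.group("udplen"))   # UDP payload bytes
    return (m.group("src"), int(m.group("sport")),
            m.group("dst"), int(m.group("dport")), proto, length)


def top_talkers(lines, n=5, local=()):
    """Rank (host, port, proto) endpoints by payload bytes seen in either direction.

    Hosts listed in `local` are skipped so the machine doing the capture does not
    trivially top the list; with the default, every endpoint is counted.
    """
    stats = defaultdict(lambda: [0, 0])   # key -> [bytes, packets]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue   # ARP and other non-IP lines carry no endpoint
        src, sport, dst, dport, proto, length = rec
        for host, port in ((src, sport), (dst, dport)):
            if host in local:
                continue
            stats[(host, port, proto)][0] += length
            stats[(host, port, proto)][1] += 1
    ranked = sorted(stats.items(), key=lambda kv: kv[1][0], reverse=True)
    return [(h, p, pr, b, c) for (h, p, pr), (b, c) in ranked[:n]]


def capture_lines(seconds=30, iface=None):
    """Run tcpdump for `seconds` and return its lines (needs root or CAP_NET_RAW)."""
    cmd = ["tcpdump", "-nn", "-q", "-l"] + (["-i", iface] if iface else [])
    try:
        done = subprocess.run(cmd, capture_output=True, text=True, timeout=seconds)
        return done.stdout.splitlines()
    except subprocess.TimeoutExpired as exc:   # the normal exit: tcpdump is killed
        data = exc.stdout or b""
        if isinstance(data, bytes):
            data = data.decode(errors="replace")
        return data.splitlines()


def report(lines, n=5, local=()):
    """Format the ranking as fixed-width text, one endpoint per line."""
    rows = [f"{'host':<20}{'port':>6}  {'proto':<5}{'bytes':>10}{'pkts':>6}"]
    for host, port, proto, nbytes, pkts in top_talkers(lines, n, local):
        rows.append(f"{host:<20}{port:>6}  {proto:<5}{nbytes:>10}{pkts:>6}")
    return "\n".join(rows)


if __name__ == "__main__":
    import sys
    # Offline demo on the constructed sample; pass "live" to capture for 30 s.
    lines = capture_lines() if "live" in sys.argv[1:] else SAMPLE_LINES
    print(report(lines, local={"192.168.1.10"}))
```

The byte counts are payload lengths as tcpdump prints them, not wire bytes, which is enough to rank endpoints; a remote that stays at the top across several 30-second windows while the user is idle is the one to look into.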
https://www.wireshark.org/docs/wsug_html_chunked/ChCustCommandLine.html & don't forget netstat /B (uppercase). On 12/16/16, John G Heim <jheim@math.wisc.edu> wrote:
-- Jackie McBride Website Hosting, Repair, & Development Author of the Book "My Site's Been Hacked, Now what?: A Guide to Preventing and Fixing a Compromised Website" www.brighter-vision.com Where Visionaries & Technology Unite for Good
Hi, I use TCPDump, but its output is, how do you say, quite verbose. I second John's suggestion of ngrep - I use it at work, but I probably wouldn't spin up a machine just to use it. Can you detail what exactly is happening to your friend's network? Cheers, Ben. On 12/16/16, Jackie McBride <abletec@gmail.com> wrote:
I can't because I hadn't decided on what tool to use to obtain that information. Now that I know how to run Wireshark from the command line, I will get it. All he knows is that every day, his data usage climbs by leaps and bounds, some days by hundreds of gigs per day, and he swears he's just sitting there watching paint dry. In other words, his machine is on but he's not doing anything with it that would or should impact network statistics as they have been lately. A few emails now and then, no streaming audio or video, nothing of which he can think that would point to big daily data usage numbers. On Fri, 16 Dec 2016 19:14:29 +0000, you wrote:
This is precisely what netstat (using the upper-case B, as in bravo, switch) does--it lets u know what the machine is connected to. My own personal guess is that he's got some kinda rootkit that's not being detected because the driver loads prior to the protection software & subverts it. 1 of my favorite tools in this regard is the Farbar Recovery Scan Tool, but u *really* need to know what you're doing w/it or u could muck the machine up bigtime lol. Gl w/it, Steve. I know you're more than capable of figuring it out. On 12/16/16, Steve Matzura <sm@noisynotes.com> wrote:
Thanks for clearing that up for me, Jackie. I was conflicted about doing it from the command line, thinking it had something to do with the so-called legacy version, though I don't even know what that is. On Fri, 16 Dec 2016 10:09:09 -0700, you wrote:
https://www.wireshark.org/docs/wsug_html_chunked/ChCustCommandLine.html
& don't forget netstat /B (uppercase).
On 12/16/16, John G Heim <jheim@math.wisc.edu> wrote:
I use ngrep but that's linux. I haven't used Windows in many years. There are only like eleventy gazillion network tools for linux. I use ngrep because it was the first one I found 20 years ago. I learned it's command line syntax and have been using it ever since. I did track down a problem almost exactly like this many years ago with ngrep. I wrote a perl script thatsniffed packets with ngrep for about 30 seconds and then printed a list of the IP addresses and ports that were getting the most traffic. I can share that perl script but I suspect that by now there are linux network utilities that do it better.
Maybe it's that when you have a hammer, everything looks like a nail but if I had a problem like this, I sure would want to use a linux machine to track it down.
On 12/16/2016 10:32 AM, Steve Matzura wrote:
I have a friend with a big problem. Something is eating his network alive. Could be a computer, could be the modem, in which case a re-flash of firmware will fix it. All his computers are virus- and badware-free, according to up-to-date installations of antivirus and all kinds of anti-badware softwares. Meantime, I thought I'd see what Wireshark is like with a screenreader, test it locally, get my friend to install it, Tandem into that machine, run it, and see what's what. FORGETABOUTIT! Using the JAWS cursor doesn't do much, not even with the OCR feature. There are some tabbable dialogs, or screens that act like they're dialogs, but to kick the thing started, I just cannot seem to get it to start listening and collecting packets and doing its thing with them. I remember using this tool way back when it was EtherNim and thought it was pretty accessible. But that was more than a decade-and-a-half ago, and times (and obviously software) have changed. Anyone got any accessibility hacks for Wireshark, or can recommend another tool that runs on anything--Windows, OS X, some Linux--heck, I'd even run it on a Raspberry Pi if it's accessible!!--that will do the same thing?
Thanks in advance.
_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org https://lists.hodgsonfamily.org/listinfo/blind-sysadmins
If it were my network, I'd do just that, and for that matter, I'd like to learn the state of the art in these tools so I could try it on my own machine here at home, which is a Debian 8.5 box. Thanks for the tip about NGrep. I'll look into it further.
On Fri, 16 Dec 2016 10:55:26 -0600, you wrote:
I use ngrep but that's Linux. I haven't used Windows in many years. There are only like eleventy gazillion network tools for Linux. I use ngrep because it was the first one I found 20 years ago. I learned its command-line syntax and have been using it ever since. I did track down a problem almost exactly like this many years ago with ngrep. I wrote a Perl script that sniffed packets with ngrep for about 30 seconds and then printed a list of the IP addresses and ports that were getting the most traffic. I can share that Perl script but I suspect that by now there are Linux network utilities that do it better.
Maybe it's that when you have a hammer, everything looks like a nail, but if I had a problem like this, I sure would want to use a Linux machine to track it down.
If you're going with Linux, the iftop package may also be worth a look. It presents a view similar to top so you can see top IP addresses by port, etc. I've found the latest Wireshark GUI to be usable if I'm looking at specifics, but not if I'm trying to get an overview of activity.
Chris
On Fri, Dec 16, 2016 at 02:19:18PM -0500, Steve Matzura wrote:
If it were my network, I'd do just that, and for that matter, I'd like to learn the state of the art in these tools so I could try it on my own machine here at home, which is a Debian 8.5 box. Thanks for the tip about NGrep. I'll look into it further.
Not had to use these on vast networks, but personally I use the command-line tools Tshark or Tcpdump, in combination with grep and awk to filter output. Unfortunately, as screen reader users, we just don't get the nice intuitive view of a packet stream that the GUI stuff can give someone at a glance. There are other tools like Ntopng which present packet capture information in a web GUI. You probably know, but in case not, it matters where you place your sniffing machine too. On a wired network, you want to connect it to a SPAN or mirror port with the sniffer's interface in promiscuous mode. You could use an old layer 1 hub instead; otherwise you have to mess about doing man-in-the-middle jiggery-pokery to see all the traffic on the LAN. Unless your router is Linux-based, in which case run the commands on there.
Regards
Chris Turner
On 16/12/2016 16:55, John G Heim wrote:
I use ngrep but that's Linux. I haven't used Windows in many years. There are only like eleventy gazillion network tools for Linux. I use ngrep because it was the first one I found 20 years ago. I learned its command-line syntax and have been using it ever since. I did track down a problem almost exactly like this many years ago with ngrep. I wrote a Perl script that sniffed packets with ngrep for about 30 seconds and then printed a list of the IP addresses and ports that were getting the most traffic. I can share that Perl script but I suspect that by now there are Linux network utilities that do it better.
Maybe it's that when you have a hammer, everything looks like a nail, but if I had a problem like this, I sure would want to use a Linux machine to track it down.
--- This email has been checked for viruses by Avast antivirus software. https://www.avast.com/antivirus
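The report John's Perl script produced (capture for about 30 seconds, then list the hosts and ports carrying the most traffic), done the grep-and-awk way Chris Turner describes, as an added example that is not part of any post in this thread. It uses tshark's field export so awk gets clean comma-separated records instead of having to parse ngrep or tcpdump text. IFACE, DURATION and the five exported fields are assumptions, and the sample records are constructed so the summary can be tried without a live capture. Run the live capture where the traffic is actually visible (the SPAN/mirror port, a hub, or the router itself); on a switched LAN a PC sees only its own conversations.

```shell
#!/bin/sh
# Added example, not from the thread: "capture for a fixed time, then print the
# top talkers" using tshark for capture and awk/sort for the summary.
# IFACE, DURATION and the exported fields are assumptions; adjust for your box.

IFACE="${IFACE:-eth0}"
DURATION="${DURATION:-30}"
TAB=$(printf '\t')

# One record per IP packet: src,dst,frame_len,tcp_dstport,udp_dstport
# (the port column for the protocol that does not apply is left empty).
# Needs root or CAP_NET_RAW, and a sniffer placed where it can see the traffic.
capture_csv() {
    tshark -i "$IFACE" -a "duration:$DURATION" -l -n -f ip \
        -T fields -E separator=, -E occurrence=f \
        -e ip.src -e ip.dst -e frame.len -e tcp.dstport -e udp.dstport
}

# top_talkers N  <records
# Sums bytes per source host and per destination host:proto/port, then prints
# the N largest of each as "by-src<TAB>bytes<TAB>host" and
# "by-dst<TAB>bytes<TAB>host:proto/port", largest first.
top_talkers() {
    n="${1:-10}"
    awk -F, '
        NF >= 3 && $3 ~ /^[0-9]+$/ {
            src[$1] += $3
            port = ($4 != "") ? "tcp/" $4 : (($5 != "") ? "udp/" $5 : "other")
            dst[$2 ":" port] += $3
        }
        END {
            for (k in src) printf "by-src\t%d\t%s\n", src[k], k
            for (k in dst) printf "by-dst\t%d\t%s\n", dst[k], k
        }' |
    LC_ALL=C sort -t "$TAB" -k1,1 -k2,2nr -k3,3 |
    awk -F '\t' -v top="$n" '$1 != last { last = $1; shown = 0 } ++shown <= top'
}

# Constructed records standing in for capture_csv output: two hosts talking
# HTTPS, one DNS query, one small SMB packet.
sample_records() {
    cat <<'EOF'
192.168.1.10,93.184.216.34,1500,443,
192.168.1.10,93.184.216.34,1500,443,
192.168.1.20,8.8.8.8,80,,53
192.168.1.10,192.168.1.20,60,445,
192.168.1.30,93.184.216.34,1500,443,
EOF
}

# Live use:  sudo IFACE=eth0 DURATION=30 sh toptalk.sh live 10
# Offline:   sh toptalk.sh demo
case "${1:-}" in
    live) capture_csv | top_talkers "${2:-10}" ;;
    demo) sample_records | top_talkers "${2:-10}" ;;
esac
```

The output is plain tab-separated text, so it reads cleanly in a terminal with a screen reader and can be re-sorted or grepped further. The "by-dst" table is the one that usually answers "what is eating the link": a single destination host:port with most of the bytes points at one application on one machine, and the "by-src" table tells you which machine. iftop shows a rolling version of the same two tables if you would rather watch than sample.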
All,
The only way you will track this issue down is by being on the router that is on the edge of the network. If this router does not support TCPDump, which is what Wireshark relies on, then you are out of luck. The reason is due to how the L2 translation on the router will occur.
If you have PC1 and PC2 directly connected to a router which is on the edge, and PC2 is sending a lot of traffic to the Internet, PC1 will not see this traffic at all. This is why you need to do the TCPDump on the router.
If the router does not support TCPDump or have its own form of packet dumping, then set up a firewall and block everything except for TCP port 80, 25 and IMAP/POP3. If the issue goes away then you have to start identifying the possible port. A very painful method to work out the issue. Depending on the capabilities of your router, if it can do a range of ports for UDP/TCP, then start using the range option as it will make things easier.
Most home routers don't do this. If you are using Cisco, then it is really easy by the ACLs.
Sean
On 18 Dec 2016, at 2:26 am, Chris Turner via Blind-sysadmins <blind-sysadmins@lists.hodgsonfamily.org> wrote:
Not had to use these on vast networks, but personally I use the command-line tools Tshark or Tcpdump, in combination with grep and awk to filter output.
Unfortunately, as screen reader users, we just don't get the nice intuitive view of a packet stream that the GUI stuff can give someone at a glance. There are other tools like Ntopng which present packet capture information in a web GUI.
You probably know, but in case not, it matters where you place your sniffing machine too. On a wired network, you want to connect it to a SPAN or mirror port with the sniffer's interface in promiscuous mode. You could use an old layer 1 hub instead; otherwise you have to mess about doing man-in-the-middle jiggery-pokery to see all the traffic on the LAN. Unless your router is Linux-based, in which case run the commands on there.
Regards
Chris Turner
_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org https://lists.hodgsonfamily.org/listinfo/blind-sysadmins
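Sean's "block everything except a few ports and see whether the problem goes away" on a Linux-based router, as an added example rather than Sean's own rules, with one change that turns blind bisection into attribution: whatever is not on the allow list is logged before it is dropped, so the kernel log names the LAN host, the protocol and the destination port that kept hitting the wall, and you do not have to narrow the port down by trial and error. Interface names, the port list, the log prefix and the sample log lines are assumptions; DNS is allowed as well, because without it every host goes dark and the test tells you nothing. With DRY_RUN set the functions print the iptables commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the thread: Sean's port bisection on a Linux router,
# with LOG before DROP so the kernel log does the identifying.
# Interface names, ports and the log prefix are assumptions.

TAB=$(printf '\t')

# Print the command instead of running it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# apply_bisect_rules LAN_IF WAN_IF "tcp ports to allow"
# Only LAN->WAN traffic is steered into the BISECT chain; replies come back
# through whatever FORWARD rules the router already has. The chain is filled
# before the jump is inserted, so there is no window with an empty chain.
apply_bisect_rules() {
    lan=$1; wan=$2; tcp_ports=$3
    run iptables -N BISECT
    run iptables -A BISECT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # DNS is not in Sean's list, but without it nothing resolves and the
    # "did it go away" observation is meaningless.
    run iptables -A BISECT -p udp --dport 53 -j ACCEPT
    run iptables -A BISECT -p tcp --dport 53 -j ACCEPT
    for p in $tcp_ports; do
        run iptables -A BISECT -p tcp --dport "$p" -j ACCEPT
    done
    # Rate-limited so one chatty host cannot flood syslog; the prefix is what
    # summarise_drops looks for.
    run iptables -A BISECT -m limit --limit 30/min --limit-burst 60 \
        -j LOG --log-prefix "BISECT-DROP: " --log-level 4
    run iptables -A BISECT -j DROP
    run iptables -I FORWARD 1 -i "$lan" -o "$wan" -j BISECT
}

remove_bisect_rules() {
    lan=$1; wan=$2
    run iptables -D FORWARD -i "$lan" -o "$wan" -j BISECT
    run iptables -F BISECT
    run iptables -X BISECT
}

# Reduce kernel log lines (journalctl -k, /var/log/kern.log) to
# "count<TAB>source host<TAB>proto/dport", busiest first.
summarise_drops() {
    grep 'BISECT-DROP:' |
    awk '{
        src = "?"; proto = "?"; dpt = "-"
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            key = substr($i, 1, n - 1); val = substr($i, n + 1)
            if (key == "SRC") src = val
            else if (key == "PROTO") proto = tolower(val)
            else if (key == "DPT") dpt = val
        }
        count[src "\t" proto "/" dpt]++
    }
    END { for (k in count) printf "%d\t%s\n", count[k], k }' |
    LC_ALL=C sort -t "$TAB" -k1,1nr -k2,2
}

# Constructed sample of what the LOG target writes: three connection attempts
# from one host to tcp/6881, one NTP packet from another, one unrelated line.
sample_kernel_log() {
    cat <<'EOF'
[ 1201.001] BISECT-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=51234 DPT=6881 WINDOW=29200 RES=0x00 SYN URGP=0
[ 1201.002] BISECT-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.6 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=51235 DPT=6881 WINDOW=29200 RES=0x00 SYN URGP=0
[ 1201.003] BISECT-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=198.51.100.9 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=3 DF PROTO=UDP SPT=123 DPT=123 LEN=56
[ 1201.004] BISECT-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4 DF PROTO=TCP SPT=51236 DPT=6881 WINDOW=29200 RES=0x00 SYN URGP=0
[ 1201.005] kernel: unrelated line that must be ignored
EOF
}
```

Apply the rules, leave them for an hour, then feed the kernel log to summarise_drops: the top row is the host and port to go and look at. Remove the rules afterwards; a LOG+DROP chain is a diagnostic, not a firewall policy, and the rate limit means the counts are a sample rather than a total.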
When I have a network where I cannot get access to the edge router, I put a box with two Ethernet interfaces in bridge mode between the network and router. Then I can see all the traffic, no problem. This does not give me a view into encrypted traffic, but it does tell me who is talking and how much. Setup is not in the scope of this list, but lots of web info is out there.
kp
On Mon, 19 Dec 2016, Sean Murphy wrote:
All,
The only way you will track this issue down is by being on the router that is on the edge of the network. If this router does not support TCPDump, which is what Wireshark relies on, then you are out of luck. The reason is due to how the L2 translation on the router will occur.
If you have PC1 and PC2 directly connected to a router which is on the edge, and PC2 is sending a lot of traffic to the Internet, PC1 will not see this traffic at all. This is why you need to do the TCPDump on the router.
If the router does not support TCPDump or have its own form of packet dumping, then set up a firewall and block everything except for TCP port 80, 25 and IMAP/POP3. If the issue goes away then you have to start identifying the possible port. A very painful method to work out the issue. Depending on the capabilities of your router, if it can do a range of ports for UDP/TCP, then start using the range option as it will make things easier.
Most home routers don't do this. If you are using Cisco, then it is really easy by the ACLs.
Sean
_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org https://lists.hodgsonfamily.org/listinfo/blind-sysadmins
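The two-NIC bridge Kelly describes, built with iproute2 on Linux, as an added example rather than his own setup. The bridge gets no IP address, so the tap box is invisible to both the LAN and the router; the bridge-netfilter hooks are turned off so the tap box's own iptables cannot silently drop frames it is forwarding; STP is off so the link does not black-hole for the listening/learning period; and the capture keeps only headers. Interface names (eth1 towards the LAN switch, eth2 towards the router) and the capture directory are assumptions. With DRY_RUN set the functions print the commands instead of running them, which is also the way to review the sequence before unplugging anything.

```shell
#!/bin/sh
# Added example, not from the thread: an inline "bump in the wire" tap with a
# Linux bridge. Interface names and paths are assumptions.

# Print the command instead of running it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Fail early on anything that would make a real run misbehave.
check_tap_args() {
    br=$1; a=$2; b=$3
    [ -n "$br" ] && [ -n "$a" ] && [ -n "$b" ] ||
        { echo "usage: BRIDGE IF_A IF_B" >&2; return 1; }
    [ "$a" != "$b" ] ||
        { echo "the two tap ports must be different interfaces" >&2; return 1; }
    if [ -z "${DRY_RUN:-}" ]; then
        for i in "$a" "$b"; do
            [ -d "/sys/class/net/$i" ] || { echo "no such interface: $i" >&2; return 1; }
        done
    fi
}

# bring_up_tap BRIDGE IF_A IF_B
bring_up_tap() {
    check_tap_args "$@" || return 1
    br=$1; a=$2; b=$3
    # Bridge-netfilter would push bridged frames through this box's iptables.
    # The keys only exist while br_netfilter is loaded; if it is not, there is
    # nothing to turn off, hence the "|| true".
    run sysctl -q -w net.bridge.bridge-nf-call-iptables=0 \
                   net.bridge.bridge-nf-call-ip6tables=0 \
                   net.bridge.bridge-nf-call-arptables=0 || true
    run ip link add name "$br" type bridge
    # No STP: a listening/learning delay would black-hole the link for ~30 s.
    run ip link set dev "$br" type bridge stp_state 0
    for i in "$a" "$b"; do
        run ip addr flush dev "$i"
        run ip link set dev "$i" promisc on
        run ip link set dev "$i" master "$br"
        run ip link set dev "$i" up
    done
    # Keep the bridge itself silent: no address, no IPv6 router solicitations.
    run sysctl -q -w "net.ipv6.conf.$br.disable_ipv6=1"
    run ip link set dev "$br" up
}

tear_down_tap() {
    br=$1; a=$2; b=$3
    run ip link set dev "$br" down
    for i in "$a" "$b"; do
        run ip link set dev "$i" nomaster
        run ip link set dev "$i" promisc off
    done
    run ip link delete dev "$br" type bridge
}

# Capture on the bridge in 15-minute files with a 96-byte snaplen: enough for
# the headers (who talks to whom, and how much) without storing payload.
capture_on_tap() {
    br=$1; dir=${2:-/var/tmp/tap}
    run mkdir -p "$dir"
    run tcpdump -i "$br" -nn -s 96 -G 900 -w "$dir/tap-%Y%m%d-%H%M%S.pcap"
}
```

The box is now a single point of failure for the uplink: while the bridge is down, or if the box reboots without bringing it up, nothing passes. Build and test it before the day you need it, and keep tear_down_tap to hand so the cables can go back to the router cleanly. The pcap files from capture_on_tap feed straight into tshark or tcpdump -r for the same per-host, per-port totals a live capture gives.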
You also may wish to see if your router has a logging facility, and, if so, whether you can glean or set it to be able to glean any information from those. Another thing that might be helpful is to isolate machines, i.e., turn off all but one and see if data spikes occur. Obviously that can pose inconveniences, but there've been times I had to do so in order to isolate which machine was infected, though I was always pretty sure which one it was due to the nature of the behavior of the network participants in question. Enough said about that, I'm pretty sure lol.
On 12/19/16, Kelly Prescott <kprescott@coolip.net> wrote:
When I have a network where I cannot get access to the edge router, I put a box with two Ethernet interfaces in bridge mode between the network and router. Then I can see all the traffic, no problem. This does not give me a view into encrypted traffic, but it does tell me who is talking and how much. Setup is not in the scope of this list, but lots of web info is out there.
kp
-- Jackie McBride Website Hosting, Repair, & Development Author of the Book "My Site's Been Hacked, Now what?: A Guide to Preventing and Fixing a Compromised Website" www.brighter-vision.com Where Visionaries & Technology Unite for Good
If I were on-site, I'd do just that. On Mon, 19 Dec 2016 12:00:52 -0600 (CST), you wrote:
When I have a network where I cannot get access to the edge router, I put a box with 2 Ethernet interfaces in bridge mode between the network and the router. Then I can see all the traffic, no problem. This does not give me a view into encrypted traffic, but it does tell me who is talking and how much. Setup is not in the scope of this list, but lots of web info is out there.
kp
On Mon, 19 Dec 2016, Sean Murphy wrote:
All,
The only way you will track this issue down is by being on the router that is on the edge of the network. If this router does not support tcpdump, which is what Wireshark relies on, then you are out of luck. The reason is due to how the L2 translation on the router will occur.
If you have PC1 and PC2 directly connected to a router which is on the edge, and PC2 is sending a lot of traffic to the Internet, PC1 will not see this traffic at all. This is why you need to do the tcpdump on the router.
If the router does not support tcpdump or have its own form of packet dumping, then set up a firewall and block everything except for TCP port 80, 25 and IMAP/POP3. If the issue goes away, then you have to start identifying the possible port. A very painful method to work out the issue. Depending on the capabilities of your router, if it can do a range of ports for UDP/TCP, then start using the range option, as it will make things easier.
Most home routers don't do this. If you are using Cisco, then it is really easy with ACLs.
Sean
On 18 Dec 2016, at 2:26 am, Chris Turner via Blind-sysadmins <blind-sysadmins@lists.hodgsonfamily.org> wrote:
Not had to use these on vast networks, but personally I use the command line tools tshark or tcpdump, in combination with grep and awk to filter output.
Unfortunately, as screen reader users, we just don't get the nice intuitive view of a packet stream that the GUI stuff can give someone at a glance. There are other tools like Ntopng which present packet capture information in a web GUI.
You probably know, but in case not, it matters where you place your sniffing machine too. On a wired network, you want to connect it to a SPAN or mirror port with the sniffer's interface in promiscuous mode. You could use an old layer 1 hub instead; otherwise you have to mess about doing man-in-the-middle jiggery-pokery to see all the traffic on the LAN. Unless your router is Linux based, then run the commands on there.
Regards
Chris Turner
The router in question is a Linksys E2500. On Mon, 19 Dec 2016 16:50:20 +1100, you wrote:
From my knowledge, unless things have changed, Linksys doesn't use images that support Linux or that you can gain access to. Thus tcpdump will not work in this situation. You can always install it on all the machines and see what is going on.
Sean
On 23 Dec 2016, at 1:23 pm, Steve Matzura <sm@noisynotes.com> wrote:
The router in question is a Linksys E2500.
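kp's box with two Ethernet interfaces in bridge mode, and Sean's fallback of looking at the machines one at a time, as an added example that is not code from anyone in this thread. It assumes a Linux box with iproute2 and tshark; the bridge name, the interface names and the capture length are illustrative.

```shell
#!/bin/sh
# bridge_tap.sh: make a Linux box with two spare NICs into a transparent
# layer-2 bridge and capture on it. Added example for this thread, not
# code from anyone in it. Assumes Linux with iproute2 and tshark; BR,
# NIC_A, NIC_B and DURATION are illustrative defaults.

BR="${BR:-br0}"
NIC_A="${NIC_A:-eth1}"      # cable towards the router
NIC_B="${NIC_B:-eth2}"      # cable towards the switch or the suspect host
DURATION="${DURATION:-60}"  # seconds per capture

# plan [BR NIC_A NIC_B]: print the commands that build the tap, one per
# line, without running them. No IP address goes on the bridge or its
# ports and IPv6 is switched off on the bridge, so the box forwards frames
# but never answers ARP, sends neighbour discovery, or otherwise adds
# traffic of its own to the segment it is measuring. sysctl -e ignores the
# key on kernels built without IPv6.
plan() {
    br=${1:-$BR}; a=${2:-$NIC_A}; b=${3:-$NIC_B}
    cat <<EOF
ip link add name $br type bridge
sysctl -q -e -w net.ipv6.conf.$br.disable_ipv6=1
ip link set $a master $br
ip link set $b master $br
ip link set $a up
ip link set $b up
ip link set $br up
EOF
}

# apply: run the plan, stopping at the first failing command (needs root).
apply() {
    plan "$@" | sh -e
}

# teardown: delete the bridge; the two NICs become ordinary ports again.
teardown() {
    ip link del "${1:-$BR}"
}

# capture: write a pcap from the bridge device. tshark puts the device
# into promiscuous mode, and a promiscuous Linux bridge device receives a
# copy of every frame it forwards, so both directions of everything
# crossing the two cables end up in the file. Prints the file name.
capture() {
    pcap=${PCAP:-/tmp/tap.$(date +%Y%m%d-%H%M%S).pcap}
    tshark -i "${1:-$BR}" -a "duration:$DURATION" -n -w "$pcap"
    echo "$pcap"
}

main() {
    case "${1:-}" in
        plan)     plan ;;
        apply)    apply ;;
        capture)  capture ;;
        teardown) teardown ;;
        *) echo "usage: $0 plan|apply|capture|teardown" >&2; return 2 ;;
    esac
}

# Run only when executed under this file name, so the functions can be
# sourced without touching any interface.
case "${0##*/}" in
    bridge_tap.sh) main "$@" ;;
esac
```

`sh bridge_tap.sh plan` shows what will be done, `apply` does it as root, `capture` writes a pcap that `tshark -r` can pick apart later, and `teardown` removes the bridge. Where the box goes matters with a home router like the E2500: between the modem and the router's WAN port it sees everything leaving the house, wired and Wi-Fi alike, but NAT has already rewritten every source to the router's WAN address, so it tells you what is being talked to and how much, not which machine is talking. Between one machine and the router it sees only that machine, which is the cleanest way to check suspects one at a time. Leave the two tap NICs without addresses and manage the box over a third interface or its console.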
participants (8)
- Ben Mustill-Rose
- Chris Nestrud
- Chris Turner
- Jackie McBride
- John G Heim
- Kelly Prescott
- Sean Murphy
- Steve Matzura