date: Sat, 31 Oct 2009 18:58:57 +0000,
group: uk.net.providers.aaisp
[Status] [info] New diagnostic feature
Posted at 2009-10-31 18:55 GMT by RevK
Update #0: 2009-10-31 18:58 GMT
We are testing a new feature which we plan to launch when the main
LNS's are next upgraded (probably a few weeks off). It is on the test
LNS for now (see previous post).
The new feature shows as a Dump link on your line pages on clueless. It
allows a network traffic dump of all the lines on your login for 10
seconds (PPP snaplen 64) which is then decoded using tcpdump on screen
or down-loadable as a pcap file for your own analysis (e.g. on
wireshark or tcpdump).
This is mainly aimed at helping people understand why their line has
unusual activity and diagnose problems.
Our staff will have access to more detailed traffic dumping features to
assist with more complex issues if necessary.
URL: http://aaisp.blogspot.com/2009/10/info-new-diagnostic-feature.html
--
AAISP Status Blog
URL:http://aaisp.blogspot.com/
date: Sat, 31 Oct 2009 18:58:57 +0000
author: RevK
|
Re: [Status] [info] New diagnostic feature
In article <hci1gk$5oi$1@news.eternal-september.org>,
RevK writes:
> Posted at 2009-10-31 18:55 GMT by RevK
> Update #0: 2009-10-31 18:58 GMT
>
> We are testing a new feature which we plan to launch when the main
> LNS's are next upgraded (probably a few weeks off). It is on the test
> LNS for now (see previous post).
>
> The new feature shows as a Dump link on your line pages on clueless. It
> allows a network traffic dump of all the lines on your login for 10
> seconds (PPP snaplen 64) which is then decoded using tcpdump on screen
> or down-loadable as a pcap file for your own analysis (e.g. on
> wireshark or tcpdump).
>
> This is mainly aimed at helping people understand why their line has
> unusual activity and diagnose problems.
Excellent!
I could have used this a few weeks back when graphs showed continuous
low level traffic, but there was nothing coming out of my router.
Closing off the router admin pages from the Internet stopped the
traffic, but I'd love to know what it was.
--
Andrew Gabriel
[email address is not usable -- followup in the newsgroup]
date: Sat, 31 Oct 2009 22:42:28 +0000 (UTC)
author: (Andrew Gabriel)
|
[Status] [Update #1] [info] New diagnostic feature
Posted at 2009-10-31 18:55 GMT by RevK
Update #1: 2009-11-01 10:17 GMT
We are testing a new feature which we plan to launch when the main
LNS's are next upgraded (probably a few weeks off). It is on the test
LNS for now (see previous post).
The new feature shows as a Dump link on your line pages on clueless. It
allows a network traffic dump of all the lines on your login for 10
seconds (PPP snaplen 64) which is then decoded using tcpdump on screen
or down-loadable as a pcap file for your own analysis (e.g. on
wireshark or tcpdump).
This is mainly aimed at helping people understand why their line has
unusual activity and diagnose problems.
Our staff will have access to more detailed traffic dumping features to
assist with more complex issues if necessary.
Privacy concerns: The dump is available to anyone who has the details
to login to our control pages and manage your line. This is normally
just you and staff, but if you have a dealer (e.g. IT consultant) they
usually have these details too.
We have taken several steps to address privacy concerns:-
* The network dump logs headers only (IP, TCP, UDP, ICMP) and does
not log the content. This is a special feature of the FB6000 as
network dumps normally operate on a fixed snap length. This means
the log contains only communications data and not the actual data
carried.
* The network dump request is logged including the login of the
person requesting it and their IP address.
* We consider that the requester is the person doing the interception
and there is a warning about illegality of unauthorised
interception of communications on the dump page.
If any customers have concerns over this new feature - please let us
know.
URL: http://aaisp.blogspot.com/2009/10/info-new-diagnostic-feature.html
--
AAISP Status Blog
URL:http://aaisp.blogspot.com/
date: Sun, 01 Nov 2009 10:17:59 +0000
author: RevK
|
[Status] [Update #2] [info] New diagnostic feature
Posted at 2009-10-31 18:55 GMT by RevK
Update #2: 2009-11-01 16:00 GMT
We are testing a new feature which we plan to launch when the main
LNS's are next upgraded (probably a few weeks off). It is on the test
LNS for now (see previous post).
The new feature shows as a Dump link on your line pages on clueless. It
allows a network traffic dump of all the lines on your login for 10
seconds which is then decoded using tcpdump on screen or down-loadable
as a pcap file for your own analysis (e.g. on wireshark or tcpdump).
This is mainly aimed at helping people understand why their line has
unusual activity and diagnose problems.
Our staff will have access to more detailed traffic dumping features to
assist with more complex issues if necessary.
Privacy concerns: The dump is available to anyone who has the details
to login to our control pages and manage your line. This is normally
just you and staff, but if you have a dealer (e.g. IT consultant) they
usually have these details too.
We have taken several steps to address privacy concerns:-
* The network dump logs headers only (IP, TCP, UDP, ICMP) and does
not log the content. This is a special feature of the FB6000 as
network dumps normally operate on a fixed snap length. This means
the log contains only communications data and not the actual data
carried.
* The network dump request is logged including the login of the
person requesting it and their IP address.
* We consider that the requester is the person doing the interception
and there is a warning about illegality of unauthorised
interception of communications on the dump page.
If any customers have concerns over this new feature - please let us
know.
URL: http://aaisp.blogspot.com/2009/10/info-new-diagnostic-feature.html
--
AAISP Status Blog
URL:http://aaisp.blogspot.com/
date: Sun, 01 Nov 2009 16:00:06 +0000
author: RevK
|
Re: [Status] [Update #2] [info] New diagnostic feature
RevK wrote:
> If any customers have concerns over this new feature - please let us
> know.
I have no concerns. Presumably I could use this if I suspected that a
large amount of traffic was arriving at my router but then being
discarded by the NAT routing? Or is there anything in place to detect
such activity already?
I doubt it is happening, but a malicious person could use a botnet
against my IP address and cause my traffic to skyrocket. Or it might
just be my missus doing some surreptitious shopping from her laptop. :-)
--
Steve Swift
http://www.swiftys.org.uk/swifty.html
http://www.ringers.org.uk
date: Sun, 01 Nov 2009 18:35:19 +0000
author: Swifty
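Added example, not part of any post in this thread: one way to check a downloaded pcap file for the case described above, where one source sends a large volume of traffic at a line. Because the dump keeps headers only, the volume has to come from each record's original-length field, not from the captured bytes. The capture is constructed, and the raw-IPv4 link type is an assumption, since the thread does not say which link type the dump file uses.

```python
import struct
from collections import Counter

LINKTYPE_RAW = 101  # assumption: records hold bare IPv4 packets, no PPP framing

def top_talkers(pcap_bytes):
    """Return Counter {source IPv4: bytes on the wire} for a classic pcap file."""
    magic = pcap_bytes[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    # Global header after the magic: version, zone, sigfigs, snaplen, link type.
    linktype = struct.unpack(endian + "HHiIII", pcap_bytes[4:24])[5]
    if linktype != LINKTYPE_RAW:
        raise ValueError("unsupported link type %d" % linktype)
    totals = Counter()
    offset = 24
    while offset + 16 <= len(pcap_bytes):
        # Record header: ts_sec, ts_usec, captured length, original length.
        _, _, incl_len, orig_len = struct.unpack(
            endian + "IIII", pcap_bytes[offset:offset + 16])
        packet = pcap_bytes[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(packet) < 20 or packet[0] >> 4 != 4:
            continue  # cut-off record or not IPv4
        src = ".".join(str(b) for b in packet[12:16])
        totals[src] += orig_len  # captured bytes would undercount truncated packets
    return totals

def build_sample(snap=64):
    """Constructed capture: one noisy source and one quiet one (documentation IPs)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snap, LINKTYPE_RAW)
    for src, size, count in (((198, 51, 100, 7), 1400, 3), ((203, 0, 113, 9), 60, 2)):
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, size, 0, 0, 64, 17, 0,
                         bytes(src), bytes((192, 0, 2, 1)))
        data = (ip + b"\x00" * size)[:min(snap, size)]  # truncated like the dump
        for _ in range(count):
            out += struct.pack("<IIII", 0, 0, len(data), size) + data
    return out

if __name__ == "__main__":
    for ip, nbytes in top_talkers(build_sample()).most_common():
        print(ip, nbytes)
```
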
|
Re: [Status] [Update #2] [info] New diagnostic feature
Swifty wrote:
> RevK wrote:
>> If any customers have concerns over this new feature - please let us
>> know.
>
> I have no concerns. Presumably I could use this if I suspected that a
> large amount of traffic was arriving at my router but then being
> discarded by the NAT routing? Or is there anything in place to detect
> such activity already?
>
> I doubt it is happening, but a malicious person could use a botnet
> against my IP address and cause my traffic to skyrocket. Or it might
> just be my missus doing some surreptitious shopping from her laptop. :-)
The per-ip stats were my usual first call for that as attacks
on the router don't get to my firewall. Now it's mostly spotted
first from cqm graph or mrtg running on one of servers but I
then have to eliminate genuine traffic.
RevK, any idea when/if these stats are coming back?
David
date: Mon, 02 Nov 2009 11:06:13 +0000
author: David Lord
|
Re: [Status] [Update #2] [info] New diagnostic feature
David Lord writes:
> Swifty wrote:
>> RevK wrote:
>>> If any customers have concerns over this new feature - please let us
>>> know.
>>
>> I have no concerns. Presumably I could use this if I suspected that
>> a large amount of traffic was arriving at my router but then being
>> discarded by the NAT routing? Or is there anything in place to
>> detect such activity already?
>>
>> I doubt it is happening, but a malicious person could use a botnet
>> against my IP address and cause my traffic to skyrocket. Or it might
>> just be my missus doing some surreptitious shopping from her
>> laptop. :-)
>
>
> The per-ip stats were my usual first call for that as attacks
> on the router don't get to my firewall. Now it's mostly spotted
> first from cqm graph or mrtg running on one of servers but I
> then have to eliminate genuine traffic.
>
> RevK, any idea when/if these stats are coming back?
They were really useful, it is a shame they disappeared. I too would
love to see them come back.
--
John Devereux
date: Mon, 02 Nov 2009 11:30:51 +0000
author: John Devereux