[svlug] Figuring out who is spamming from my network???
Tim Utschig
tim at tetro.net
Wed May 23 13:19:34 PDT 2007
On Wed, May 23, 2007 at 01:05:01PM -0700, Mark wrote:
> I guess that's true. Although it will be a lot more painful.
> The hosting provider notified me days after the incidents, so I would
> have to keep/rotate logs for days/weeks...
Not too painful if you have the disk space...
# Run under GNU screen (tethereal or tshark will work); capturing needs
# root or equivalent capture privileges.
mkdir /some/directory
cd /some/directory
# -p: no promiscuous mode, -n: no name resolution, -w: write raw packets,
# -b filesize:51200: switch to a new file every 50 MB (the unit is kB);
# ring-buffer files come out as smtp_NNNNN_YYYYMMDDhhmmss.pcap
tshark -pni eth0 -w smtp.pcap -b filesize:51200 tcp port 25
# Add to crontab: at 05:00 daily, delete capture files older than 7 days
0 5 * * * find /some/directory -name '*.pcap' -mtime +7 -exec rm {} \;
That should give you a week's worth of rotation (or more if your SMTP
traffic doesn't reach 50 MB in a week) of <= 50 MB capture files.
--
- Tim Utschig <tim at tetro.net>
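Once the ring buffer exists, the remaining step in the thread is actually answering "who on my network is sending the mail". The script below is an added example, not part of Tim's post or the svlug thread: it parses the rotated capture files directly and ranks internal source addresses by the number of outbound TCP SYNs to port 25 (one SYN without ACK is taken as one delivery attempt). It assumes the classic libpcap file format with Ethernet framing, which is what tshark -w wrote in 2007 (newer tshark writes pcapng by default, so capture with -F pcap if you use this); the directory glob, the 10.0.0.0/8 "internal" range, and the sample capture built by build_sample_pcap() are all placeholders or constructed data.

```python
"""Rank internal hosts by outbound SMTP connection attempts in rotated pcaps.

Added example, not Tim's code.  Assumes classic pcap (not pcapng) with
Ethernet framing and IPv4; the glob and the 10.0.0.0/8 internal range are
placeholders, and build_sample_pcap() is constructed test data.
"""
import glob
import ipaddress
import struct
import sys
from collections import Counter

ETHERTYPE_IPV4 = b"\x08\x00"
DLT_EN10MB = 1  # pcap link type for Ethernet


def iter_packets(data):
    """Yield (ts_sec, frame) for each record in a classic pcap byte string."""
    if len(data) < 24:
        raise ValueError("short pcap header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):        # little-endian (usec / nsec stamps)
        endian = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):      # big-endian
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng? rerun tshark with -F pcap)")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != DLT_EN10MB:
        raise ValueError(f"unsupported link type {linktype}, expected Ethernet")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _frac, incl_len, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:                # truncated tail: file still being written
            break
        off += incl_len
        yield ts_sec, frame


def smtp_syn(frame):
    """Return (src, dst) if frame is an IPv4 TCP SYN without ACK to port 25, else None."""
    if len(frame) < 34 or frame[12:14] != ETHERTYPE_IPV4:
        return None                              # non-IPv4 (VLAN-tagged frames are skipped too)
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6 or len(ip) < ihl + 14:         # not TCP, or TCP header cut short
        return None
    tcp = ip[ihl:]
    dport = struct.unpack("!H", tcp[2:4])[0]
    flags = tcp[13]
    if dport == 25 and flags & 0x02 and not flags & 0x10:
        return str(ipaddress.ip_address(ip[12:16])), str(ipaddress.ip_address(ip[16:20]))
    return None


def top_senders(pcap_blobs, internal="10.0.0.0/8"):
    """Count SMTP SYNs per internal source address over many capture files."""
    net = ipaddress.ip_network(internal)
    counts = Counter()
    for blob in pcap_blobs:
        for _ts, frame in iter_packets(blob):
            hit = smtp_syn(frame)
            if hit and ipaddress.ip_address(hit[0]) in net:
                counts[hit[0]] += 1
    return counts.most_common()


def build_sample_pcap():
    """Constructed capture (not real traffic): six minimal Ethernet/IPv4/TCP frames."""
    def frame(src, dst, dport, flags):
        eth = b"\x00" * 12 + ETHERTYPE_IPV4
        iph = (bytes([0x45, 0]) + struct.pack("!HHHBBH", 40, 0, 0, 64, 6, 0)
               + ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed)
        tcph = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)
        return eth + iph + tcph
    frames = [
        frame("10.0.0.7", "203.0.113.5", 25, 0x02),     # internal host -> remote MX
        frame("10.0.0.7", "198.51.100.9", 25, 0x02),    # same host, another MX
        frame("203.0.113.5", "10.0.0.7", 40000, 0x12),  # SYN-ACK reply, not counted
        frame("10.0.0.9", "203.0.113.5", 25, 0x02),     # a second internal host
        frame("10.0.0.7", "203.0.113.5", 80, 0x02),     # HTTP, not counted
        frame("192.0.2.4", "10.0.0.1", 25, 0x02),       # inbound mail from outside, not counted
    ]
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_EN10MB)
    recs = b"".join(struct.pack("<IIII", 1179951574 + i, 0, len(f), len(f)) + f
                    for i, f in enumerate(frames))
    return hdr + recs


def summarise_directory(pattern, internal="10.0.0.0/8"):
    """Run top_senders over every capture matching the glob, oldest file first."""
    def blobs():
        for path in sorted(glob.glob(pattern)):
            with open(path, "rb") as fh:
                yield fh.read()
    return top_senders(blobs(), internal)


if __name__ == "__main__":
    pattern = sys.argv[1] if len(sys.argv) > 1 else "/some/directory/smtp*.pcap"
    for ip, n in summarise_directory(pattern):
        print(f"{n:6d}  {ip}")
```

Expect your own mail server to sit at the top of the list, since it also opens outbound port-25 connections; the interesting entries are hosts below it that should not be talking SMTP to the outside at all. The SYN-without-ACK test deliberately ignores the replies and the data direction, so the count is connection attempts, not delivered messages, and the parser stops cleanly at a truncated final record so it can be run against the file tshark is still writing.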