
Is it possible to detect ddos attacks with wireshark for group of servers?

asked 19 Apr '11, 08:26


dkorzhevin


Yes, it may be possible if you're capturing traffic to this group of servers. DDoS attacks often are "simple" SYN floods coming from apparently all over the world. To determine where a packet is coming from you can enable the GeoIP localisation in the Name Resolution settings in the Wireshark preferences after you've placed the corresponding files (available for free from www.maxmind.com) in a directory.

After you've successfully pointed Wireshark to the database files you can see the location of IPs in the IP decode (you might need to enable this in the protocol preferences first) and in the Endpoint statistics. If you see many packets flooding your servers from seemingly random sources you're probably being DDoSed.


answered 19 Apr '11, 08:40


Jasper ♦♦
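The answer's rule of thumb (many bare SYNs from many seemingly random sources, few of which ever finish the handshake) can be checked outside the GUI as well. The script below is an added example, not part of the original answer or of Wireshark; it assumes field output in the shape produced by `tshark -r capture.pcap -T fields -e ip.src -e ip.dst -e tcp.flags.syn -e tcp.flags.ack`, and the sample lines are constructed, not real capture data.

```python
from collections import defaultdict

# Constructed sample in the shape of tshark "-T fields" output (tab-separated):
# ip.src, ip.dst, tcp.flags.syn, tcp.flags.ack. Not real capture data.
# 192.0.2.10 receives bare SYNs from six sources, none of which sends the
# third-step ACK; 192.0.2.20 sees two sources that both complete the handshake.
SAMPLE = """\
203.0.113.7\t192.0.2.10\t1\t0
198.51.100.22\t192.0.2.10\t1\t0
203.0.113.91\t192.0.2.10\t1\t0
198.51.100.140\t192.0.2.10\t1\t0
203.0.113.250\t192.0.2.10\t1\t0
198.51.100.3\t192.0.2.10\t1\t0
203.0.113.7\t192.0.2.10\t1\t0
192.0.2.10\t203.0.113.7\t1\t1
198.51.100.50\t192.0.2.20\t1\t0
198.51.100.50\t192.0.2.20\t0\t1
203.0.113.33\t192.0.2.20\t1\t0
203.0.113.33\t192.0.2.20\t0\t1
"""

def parse_tshark_fields(text):
    """Turn tshark field lines into (src, dst, syn, ack) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, syn, ack = line.split("\t")
        rows.append((src, dst, syn == "1", ack == "1"))
    return rows

def syn_flood_report(rows, min_sources=5, max_completion=0.2):
    """Per destination: bare SYN count, distinct SYN sources, and the share of
    those sources that later sent a plain ACK (handshake completion).
    A destination is flagged when many distinct sources send SYNs and almost
    none of them completes, which is the SYN-flood pattern the answer describes."""
    syn_sources, ack_sources = defaultdict(set), defaultdict(set)
    syn_count = defaultdict(int)
    for src, dst, syn, ack in rows:
        if syn and not ack:            # bare SYN: handshake step 1
            syn_sources[dst].add(src)
            syn_count[dst] += 1
        elif ack and not syn:          # plain ACK: handshake step 3 (or data)
            ack_sources[dst].add(src)
    report = {}
    for dst, sources in syn_sources.items():
        completion = len(sources & ack_sources[dst]) / len(sources)
        report[dst] = {"syns": syn_count[dst], "sources": len(sources),
                       "completion": completion,
                       "flagged": len(sources) >= min_sources
                                  and completion <= max_completion}
    return report
```

The thresholds are assumptions to tune per site; on a real capture, feed the tshark output through `parse_tshark_fields` and the flagged destinations correspond to the endpoints that would stand out in Wireshark's Endpoint statistics.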


question asked: 19 Apr '11, 08:26

question was seen: 19,064 times

last updated: 19 Apr '11, 08:40
