2

Hey, some script kiddies are crashing my clients' game servers (which are based on Linux). In order to provide the best service, I'm looking for a way to find out what packets the crashers send, so I can block them later.

So, I need a simple program that will log every packet sent to or received from the server software, from ALL clients. As I said, the game server software is based on Linux (Ubuntu 9.10), so the program should support Linux. The game server software is not open source.

Thanks.

Alon Gubkin

2 Answers

1

Wireshark comes to mind - or tshark for the console version. Both should be available in the Karmic Koala repositories.

Note that all traffic could mean tens, hundreds, or thousands of Mb/sec, so check your server's average traffic and prepare for that (the data needs to be stored somewhere, NOT on a network on the same interface (otherwise you'll be generating an infinite loop of data)).


Edit: As @William says, iff the game server itself is crashing, data may not be written to disk in time; but in that case, they may not even be sent out of another network interface in time. In my opinion, this is less likely than only the application crashing, but iff it's the case, I'd do this:

Put another computer with two NICs in front of your server, bridge them together and capture on that host in promiscuous mode (Those interfaces need not even have an IP address).

[game server[eth0]]------[[eth1]capturing computer[eth0]]-----[[eth1]your router, the Net etc]

What I'm doing here: the capturing computer pretends that there's a single network segment between your game server and your router (although physically there are now two). Therefore, the capturing computer will see all the traffic between the game server and the router, but the TCP and UDP traffic itself is not altered. Now, even if the game server crashes, you'll still have all the preceding traffic.

The method described may slow down the line a little (as the capturing computer has to bridge the packets back and forth), but unless you're dealing with gigabit throughput, this shouldn't be too noticeable.

  • 2
    If only the server apps are crashing, this is a good solution. If the Linux server itself is crashing then wireshark may not write the key packet to disk in time - if so it would need to be run on a different host and log from a mirrored switch port (or similar). It's likely that the killer packet(s) use the same protocol as legit game traffic so you'll need to make sure the game server app is logging crash time. This will make it easier to spot the bad packet(s). – William Feb 25 '10 at 13:26
0

You can use tcpdump to log the packets.

An option directed towards analysis of the traffic might be Snort (http://www.snort.org/).

Dominik
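Both answers leave you with a capture file (tcpdump -w and older tshark write the classic libpcap format), and William's comment points out that the crash time from the game server's own log is what lets you find the bad packet(s) among normal game traffic. The following is an added example, not code from either answer: a dependency-free reader for that pcap format that keeps only the IPv4 UDP/TCP packets addressed to the server in the seconds before the logged crash time and summarizes them per source, so that an unusual sender or payload size stands out. The game port 27015, the addresses and the crash timestamp are assumptions, and the pcap bytes are constructed inline so the script runs offline.

```python
"""Pick out the packets that reached a game server just before it crashed.

Added example (not from the original answers). Reads a classic libpcap file
(as written by `tcpdump -w`), keeps packets in a window before the crash time
taken from the server's own log, and summarizes them by source address.
"""
import struct
from collections import defaultdict


def parse_pcap(data):
    """Yield (timestamp, raw_frame) for each record in a classic pcap blob."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:          # file written little-endian
        endian = "<"
    elif magic == 0xD4C3B2A1:        # file written big-endian
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng needs converting first)")
    link_type = struct.unpack(endian + "I", data[20:24])[0]
    if link_type != 1:               # LINKTYPE_ETHERNET
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def decode(frame):
    """Return (src_ip, dst_ip, proto, sport, dport, payload) for IPv4 UDP/TCP, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType must be IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    l4 = frame[14 + ihl:]
    if proto == 17 and len(l4) >= 8:                     # UDP: 8-byte header
        sport, dport = struct.unpack("!HH", l4[:4])
        return src, dst, "udp", sport, dport, l4[8:]
    if proto == 6 and len(l4) >= 20:                     # TCP: data offset in header
        sport, dport = struct.unpack("!HH", l4[:4])
        return src, dst, "tcp", sport, dport, l4[(l4[12] >> 4) * 4:]
    return None


def packets_before_crash(data, crash_ts, window_s=5.0, server_port=None):
    """Packets addressed to server_port in the window_s seconds up to crash_ts, in capture order."""
    out = []
    for ts, frame in parse_pcap(data):
        if not (crash_ts - window_s <= ts <= crash_ts):
            continue
        d = decode(frame)
        if d is None or (server_port is not None and d[4] != server_port):
            continue
        src, _dst, proto, sport, dport, payload = d
        out.append({"ts": ts, "src": src, "proto": proto, "sport": sport,
                    "dport": dport, "len": len(payload), "payload": payload})
    return out


def summarize_by_source(pkts):
    """Per-source packet count and largest payload; an odd sender or size stands out here."""
    summary = defaultdict(lambda: {"count": 0, "max_len": 0})
    for p in pkts:
        summary[p["src"]]["count"] += 1
        summary[p["src"]]["max_len"] = max(summary[p["src"]]["max_len"], p["len"])
    return dict(summary)


# --- constructed sample capture (not real traffic) ---------------------------
def _udp_frame(src_ip, dst_ip, sport, dport, payload):
    """Minimal Ethernet/IPv4/UDP frame; checksums left zero, which is fine for a test file."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(int(x) for x in src_ip.split(".")),
                     bytes(int(x) for x in dst_ip.split(".")))
    return b"\x00" * 12 + b"\x08\x00" + ip + udp


def build_pcap(records):
    """Serialize (timestamp, frame) pairs as a little-endian classic pcap blob."""
    blob = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in records:
        sec = int(ts)
        blob += struct.pack("<IIII", sec, int(round((ts - sec) * 1e6)), len(frame), len(frame)) + frame
    return blob


CRASH_TS = 1267104360.0   # assumption: the moment the game server's own log shows it died
SERVER_PORT = 27015       # assumption: the game port
SAMPLE_PCAP = build_pcap([
    (CRASH_TS - 30.0, _udp_frame("10.0.0.5", "10.0.0.2", 40000, SERVER_PORT, b"normal-move")),
    (CRASH_TS - 3.0,  _udp_frame("10.0.0.5", "10.0.0.2", 40000, SERVER_PORT, b"normal-move")),
    (CRASH_TS - 2.5,  _udp_frame("10.0.0.2", "10.0.0.5", SERVER_PORT, 40000, b"ack")),   # server reply
    (CRASH_TS - 1.2,  _udp_frame("10.0.0.9", "10.0.0.2", 51000, SERVER_PORT, b"A" * 600)),
    (CRASH_TS - 0.4,  _udp_frame("10.0.0.9", "10.0.0.2", 51000, SERVER_PORT, b"A" * 600)),
    (CRASH_TS + 2.0,  _udp_frame("10.0.0.5", "10.0.0.2", 40000, SERVER_PORT, b"normal-move")),
])

if __name__ == "__main__":
    suspects = packets_before_crash(SAMPLE_PCAP, CRASH_TS, window_s=5.0, server_port=SERVER_PORT)
    for p in suspects:
        print("%.3f %s:%d -> :%d %s %d bytes" % (p["ts"], p["src"], p["sport"], p["dport"], p["proto"], p["len"]))
    print(summarize_by_source(suspects))
```

On a real capture, replace SAMPLE_PCAP with the bytes of the file tcpdump wrote and CRASH_TS with the epoch time from the server's crash log (the capture host's clock must agree with the server's, so keep both on NTP). Reading the whole file into memory is fine for a rotated capture of a few hundred MB; for the multi-gigabyte volumes the first answer warns about, first cut the window out with tcpdump's own filtering and only then run this.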