Packet Shaper
If you suspect an infected host on the network: host info -sp -n 20
This will display the top 20 hosts that have the most failed flows in the last minute.
   sp: sort on failed connections column
   n 20: limit the display to 20 hosts
8. traffic history find – Find what a particular user has been doing.
   ex. PacketShaper# tr hi find 172.17.22.100
9. traffic flow -tupIa – Another look at what a user has been doing.
   t: show TCP flows
   u: show UDP flows
   p: show port numbers
   I: show non-idle flows
   a: show info for a specific address
   If you see large amounts of unclassified traffic, such as when the default bucket has a high 1-minute average or rapidly increasing class hits, then try this: traffic flow -tupIxc
   t: show TCP flows
   u: show UDP flows
   p: show port numbers
   I: show non-idle flows
   x: expand, show full class names
   c: only show info for a specific class
   This can also be used to find what type of traffic is currently active.
   Another good variation: traffic flow -to
   t: show TCP traffic
   o: overview
   This gives you an overview of all TCP traffic.
   If you suspect a SYN attack: traffic flow -tiI will be helpful. You will see a ton of flows of unknown service type and very few connections that are fully established.
   If you suspect IP spoofing or a DDoS attack: traffic active will tell you how many flows are currently active, what type they are, and how old they are. If you see a huge amount in a small amount of time (relative to your normal traffic, of course), your network may be under attack.
10. traffic history recent [class] – This lets you find out which users are using an application.
   ex. PacketShaper# tr hi re inbound/http
11. net pna – Show network statistics. This is a useful overview to monitor for large-scale
errors or unusual network conditions.
12. sys limits – Make sure you aren’t maxing out your available traffic classes or matching
rules for your unit.
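
The two triage checks described above (ranking hosts by failed flows, and spotting the SYN-attack pattern of many unknown-service flows with few established connections), as an added Python example that is not part of the original document or of PacketShaper. The flow record layout, the state names, the sample addresses other than 172.17.22.100, and the thresholds are all assumptions chosen for illustration.

```python
from collections import Counter, defaultdict

# Constructed flow records: (src, dst, proto, service, state). The layout and
# state names are assumptions, not PacketShaper's output format.
def sample_flows():
    flows = [("10.1.1.%d" % i, "10.0.0.5", "TCP", "unknown", "half-open")
             for i in range(1, 41)]                  # flood-like pattern
    flows += [("10.1.2.%d" % i, "10.0.0.5", "TCP", "HTTP", "established")
              for i in range(1, 3)]
    flows += [("172.17.22.100", "10.0.9.%d" % i, "TCP", "unknown", "failed")
              for i in range(1, 16)]                 # host with many failed flows
    flows += [("10.1.3.%d" % i, "10.0.0.8", "TCP", "HTTP", "established")
              for i in range(1, 11)]                 # normally behaving server
    return flows

def top_failed_hosts(flows, n=20):
    """Rank source hosts by failed flows (the idea behind 'host info -sp -n 20')."""
    failed = Counter(src for src, _, _, _, state in flows if state == "failed")
    return failed.most_common(n)

def syn_flood_suspects(flows, min_flows=20, max_established_ratio=0.1,
                       min_unknown_ratio=0.8):
    """Flag destinations with many TCP flows, few established, mostly unknown service.

    Thresholds are illustrative; tune them against your normal traffic.
    """
    stats = defaultdict(lambda: {"total": 0, "established": 0, "unknown": 0})
    for _, dst, proto, service, state in flows:
        if proto != "TCP":
            continue
        s = stats[dst]
        s["total"] += 1
        s["established"] += state == "established"
        s["unknown"] += service == "unknown"
    suspects = []
    for dst, s in stats.items():
        if s["total"] < min_flows:
            continue  # too few flows to judge
        if (s["established"] / s["total"] <= max_established_ratio
                and s["unknown"] / s["total"] >= min_unknown_ratio):
            suspects.append((dst, s["total"], s["established"]))
    return sorted(suspects, key=lambda r: r[1], reverse=True)

if __name__ == "__main__":
    flows = sample_flows()
    print("Top failed-flow hosts:", top_failed_hosts(flows, 5))
    print("SYN-attack suspects (dst, flows, established):", syn_flood_suspects(flows))
```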